Upload
independent
View
0
Download
0
Embed Size (px)
Citation preview
A
RD
a
ARRAA
KSMGG
I
wtaabasf
isghtiva[ti
r
h1
Down
Applied Soft Computing 24 (2014) 169–180
Contents lists available at ScienceDirect
Applied Soft Computing
j ourna l h o mepage: www.elsev ier .com/ locate /asoc
heuristic solution for model checking graph transformation systems
osa Yousefian, Vahid Rafe ∗, Mohsen Rahmaniepartment of Computer Engineering, Faculty of Engineering, Arak University, Arak 38156-8-8349, Iran
r t i c l e i n f o
rticle history:eceived 24 April 2013eceived in revised form 5 April 2014ccepted 27 June 2014vailable online 12 July 2014
a b s t r a c t
One of the commonly used techniques to verify software and hardware systems which have been specifiedthrough graph transformation system (GTS), especially safety critical ones, is model checking. However,the model checking of large and complex systems suffers from the state space explosion problem. Sincegenetic algorithm (GA) is a heuristic technique which can be used to search the state space intelligentlyinstead of using exhaustive methods, in this paper, we propose a heuristic approach based on GA to find
eywords:tate space explosionodel checkingraph transformation systemsenetic algorithm
error states, such as deadlocks, in systems specified through GTS with extra large state space. To do so, ineach step of space exploration our algorithm determines which state and path should be explored. Theproposed approach is implemented in GROOVE, a tool for model checking graph transformation systems.The experimental results show that our approach outperforms significantly in comparison with existingtechniques in discovering error states of models with large state space.
© 2014 Elsevier B.V. All rights reserved.
ntroduction
Correctness is one of the most desirable properties for any soft-are system. A great part of each developing approach is devoted
o assess the correctness of the system; however, faults and errorsre common. The sooner errors are found the better results can bechieved [1]. Hence, model-based verification techniques shoulde used before implementation to decrease the cost and the risknd also to increase the quality of the product. To do so, it is neces-ary to use an accurate approach to specify models, and thus, usingormal methods for this purpose can be one of the best solutions.
Graphs and diagrams provide a very useful, direct, and intu-tive means to describe software systems [2]. Graph transformationystems (GTS) [2,3] provide the formal foundations to convertraphs and diagrams into formal specifications. Even though GTSas not been very popular for years, it is able to capture the sys-ems behavior naturally and succinctly. However, modeling per-ses not enough. Proper verification solutions are mandatory to con-ince people of the actual benefits provided by modeling. Differentpproaches already exist to verify GTS through model checking4–6]. All these approaches only deal with a priori bounded transi-
ion systems because of the nature of model checking techniquesn general. However, in many cases, the transition system tends to∗ Corresponding author. Tel.: +98 86 32625524.E-mail addresses: [email protected] (R. Yousefian), [email protected],
[email protected] (V. Rafe), [email protected] (M. Rahmani).
ttp://dx.doi.org/10.1016/j.asoc.2014.06.055568-4946/© 2014 Elsevier B.V. All rights reserved.
loaded from http://www.elearnica.ir
be too large. Thus, the state space explosion problem occurs. In thiscase the usual verification approaches like [4–11] cannot be useful.
Although there exists different approaches, like symbolic verifi-cation [12,13], partial order reduction [14,15], symmetry checkingmethods [16–19] and scenario-driven model checking [1] for thesystems specified through GTS, almost all of these methods useexhaustive search on the state space and thus suffer from the stateexplosion problem. For the cases in which the usual approachescannot be employed due to the size of the state space, using heuris-tic approaches like GA can be a proper solution.
Genetic algorithms are usually used for optimization problemsbut in this work, we propose a method using GA to find errorssuch as deadlocks in systems specified through GTS. Since it isnot possible to search all the states, our approach chooses a sub-set of them to be explored using GA. We implement the proposedapproach through GROOVE [20,21], a toolset to generate state spacefor GTS specification. In this paper, we concentrate more on search-ing deadlocks which are a sort of safety properties.
The rest of the paper is organized as follows. In Related worksSection, we review some of the already proposed solutions fordealing with state space explosion. In Background Section, webriefly introduce the required background. Proposed method Sec-tion presents our proposed approach to exploration of the statespace using GA. Our algorithm implementation is described inImplementation Section. In Evaluation Section, we employ the pro-
posed method for several known problems and consequently wediscuss the results of our experiments. Finally, we conclude thepaper and highlight the future works in Conclusion and futureworks Section.1 oft Co
R
ef
C
itomibt
S
wotlmimepaFtuc
M
upas
sfivat
amltr
consiituio
70 R. Yousefian et al. / Applied S
elated works
Generally, proposed approaches for overcome the state spacexplosion that can be found in the literature fall into one of theollowing four broad categories:
lassic approaches
To cope with the state space explosion problem in model check-ng systems, some classic solutions like the ones based on reducinghe size of the model’s state space [17–19,22–27] and those basedn memory saving [28–32] have been presented. There also existodel abstraction techniques that reduce the state space by reduc-
ng the size of the model. The general idea in methods which areased on memory saving is to use various algorithms for reducinghe memory space required for saving the states.
imple heuristic approaches
A simple heuristic search algorithm is the best-first search,hich is applied for protocol validation to achieve significant gains
ver depth-first search [33]. Heuristics for choosing a search orderhat favors visiting first successor states that are most likely toead to an error are discussed in [34] in the context of symbolic
odel checking and in [35] in the context of explicit model check-ng. A best-first search with binary decision diagram (BDD) based
odel checking within the Murф tool has been used in [36]. Bloemt al. [37] used heuristics to reduce the bottlenecks of image com-utation in symbolic model checking. In another work [38], theuthors proposed an OBDD-based version of the A* algorithm.riedman et al. [39] applied a Coverage First Search related to struc-ural heuristics to generate test suites. Ganai and Aziz [40] alsosed coverage-based techniques to guide a state-space search forontrol-dependent hardware.
eta heuristic approaches
In recent years, some artificial intelligence algorithms have beensed to improve the memory utilization. To bring up a few exam-les, frameworks based on reinforcement learning [41], ant colonylgorithm [42–44] and GA in studying and exploring the large statepace models can be mentioned.
A framework based on reinforcement learning has been pre-ented for checking the linear temporal properties [41]. In thisramework, the goal is to improve the memory utilization throughncreasing the probability of occurrence of the paths that lead toiolation of the properties. In reinforcement learning algorithm thegent learns about the concepts by interacting with its environmenthrough rewards and punishments.
By using the ant colony algorithm, inspired by the efforts ofnts in searching for the shortest path to the food resources,odel checking systems can explore the state space of the prob-
em [42–44]. By using this algorithm, they have been able to findhe optimal solution for the problem with the least amount ofesources.
Most of the researches that have been conducted for modelhecking systems in the field of GA, for example [45,46], are basedn the textual modeling. Godefroid and Khurshid [46] introduce aew framework for reducing the state space in concurrent reactiveystems. This framework directs us into the error states by utiliz-ng heuristic practical programs that use the GA. This frameworks implemented using Verisoft [47] which is a tool for exploring
he systems’ state space. This framework, by using the GA andtilizing some heuristic methods, guides a search engine into find-ng errors such as deadlock and assertion violations in state spacef a concurrent reactive system [46]. In Java Pathfinder a model
mputing 24 (2014) 169–180
checking system has been implemented that can identify thedeadlocks [45]. For more details about other heuristic approachesinterested readers can refer to [48].
Heuristic approaches on GTS
In [49] the authors have formalized a framework for the appli-cation of heuristic search in order to analyze structural propertiesof systems modeled by graph transition systems. They believe thatheuristic search is intended to reduce the analysis effort and alsoto deliver shorter solutions, (i.e. shorter paths in graph transitionsystems). To do so, they use A* algorithm. This framework is imple-mented in HSF-SPIN a heuristic model checker compatible with thesuccessful model checker SPIN [50].
Most of the heuristic approaches mentioned till now are exhaus-tive search approaches. In fact, the employed heuristic approachhelps the traversing algorithm to find the error states faster, butthe state space explosion still can occur. In this paper, we proposea solution in which only a subset of the state space is considered tobe searched.
Another important issue is that GTS is a graphical formal lan-guage which is used in different software development phases(e.g. meta-modeling [51], architectural style representation [52],refinement [53], refactoring [54], model transformation [55], per-formance analysis [56], etc.). So, it is very useful to propose a novelapproach to overcome the state space explosion problem in GTS.
Background
Model checking
Utilization of formal methods as an efficient way for qualityassurance and correctness checking of a designed system is highlynecessary. Model checking is an automatic method for studying theproperties given to a system and their verification. In model check-ing, properties can be classified into different groups like safety andliveness.
The safety property, informally, claims that “no bad event shouldoccur” in a system or a “good incident” should always happen in asystem. To find a state that leads into the violation of safety prop-erty, it is necessary to find a finite path into a violating state (e.g.deadlock state) [57].
If all states are valid, it becomes clear that this property is validin the system and if it is rejected, the model checking approach candemonstrate the violated path and state.
Liveness properties assert that “something good” will happeneventually. In order to find a Liveness property violation, it isneeded to find an infinite path in which a desired state never occurs(i.e. the expected good never happened) [58].
Since model checking needs to generate all the possible statespace of the model to verify its validity and the given properties,the model must be relatively small. In other words, model checkingof large models faces the problem of memory resource limitationwhich causes the state space explosion problem.
Graph transformation system
Graph transformation is a graphical formal language for systemmodeling. The mathematical foundation of graph transformationsystems returns to more than 40 years ago in response to short-comings in the expressiveness of classical approaches to rewriting
(e.g. Chomsky grammars) to deal with nonlinear grammars [59].Graphs are suitable tools for explanation and modeling the struc-ture of complex systems. One of the most fundamental features ofthe GTS is its formal and accurate mathematical basis [2].R. Yousefian et al. / Applied Soft Computing 24 (2014) 169–180 171
of the
istaoHHt
PiKtmbm
trirai
G
ou(
n
Fig. 1. Four Stages
An attributed GTS is determined as a triple: AGT = (TG, HG, R)n which TG is the type graph, HG is the host graph, and R is theet of rules. Type graph is a tuple: TG = (TGN, TGE, src, trg), withwo functions src: TGE→ TGN and trg: TGE→ TGN. These functionsssign each edge a source and a target node. TGN and TGE are a setf node types and a set of edge types, respectively. A host graphG over TG, is a graph equipped with a graph morphism typeG:G → TG that assigns a type to every node and edge in HG. A graph
ransformation rule P over an attributed type graph TG is given by
= (Ll←−K
r−→R, type, NAC), where Ll←−K
r−→R is a rule span withnjective graph morphisms l, r and graphs L (left hand side or LHS),
(gluing graph) and R (right hand side or RHS) typed over TG,ype = (typeL: L → TG, typeK: K → TG, typeR: R → TG) is a triple of
orphisms, and NAC is a set of triples nac = (N, n, typeN) with Neing a graph, n: L → N a graph morphism, and typeN: N → TG aorphism [60].The model checking of systems specified through GTS was first
heoretically described by Heckel [61] in which each host graphepresents a state, by applying each rule on a host graph a new states formed; a transition system is generated by applying all enabledules to all generated states (host graphs). For more informationbout GTS and its verification through model checking techniques,nterested readers can refer to [2].
enetic algorithm
Genetic algorithm (GA) has been utilized in a wide variety ofptimization problems. A GA starts with a random initial pop-
lation of the coded solutions which are called chromosomesinitialization step).In the selection step, suitable chromosomes are chosen for theext reproduction. The selection process needs to calculate the
while (not EOF Iterations){If (IsFirstIteration){
chromosomes = createNewRandomChromo}else{
previousChromosomes = chromosomeschromosomes.Clear()
chromosomes.Add(previousChromosomechromosomes.Add(previousChromosomeschromosomes.Add(previousChromosomes
}foreach(chromosome in c hromosomes){
chromosome.CalculateFitnessValue()if (chromosome.FinalStates > 0)
AnswerFound_StopGeneticAlg}
}
Fig. 2. The operation o
genetic algorithm.
suitability of the chromosomes. This is performed in a fitnessfunction. If an acceptable solution (i.e. chromosome) is found, theprocess is directed to the termination step, otherwise, in reproduc-tion step, the competent chromosomes are selected according toa suitable fitness function to be the best parents for generatingthe next generation. The selected chromosomes participate in thecrossover and mutation process and the new offspring for the futuregenerations are created. The chosen parents, as selected based onthe approach explained above, and the new offspring will repeatthe process for generating the new populations [62]. This processis described in Fig. 1.
GA does not guarantee to find the optimal solution. Therefore,the challenge is to maximize the probability of finding a suitablesolution through a genetic process.
The fitness function, selection, crossover, and mutation opera-tions are usually performed until reaching an acceptable solutionor, a predetermined number of iterations are executed. Selection,crossover and mutation are among the general operations whichare utilized in every GA and have been studied in many differentarticles. Two of the most critical problems that should be consid-ered in GA are chromosome encoding and the way that the fitnessfunction is defined. Other parameters including the size of the initialpopulation, mutation rate (the number of chromosomes that mustparticipate in the mutation operation) and also the crossover rate(the number of chromosomes participating in the crossover oper-ation) must be determined properly for each problem. A standardGA is depicted in Fig. 2.
In GROOVE toolset, to detect the final state of a GTS there is
a function called “getfinalstates()” which returns a value greaterthan zero when it encounters a deadlock state. This function isnamed “FinalState” in our pseudo code. Thus, if a chromosome doesnot contain a deadlock state the returned value is zero; otherwisesomes(population)
s.TakeTopChromosomesBasedOnFitnessValue()).Mutate()).CrossOverOnPairs())
orithm()
f a standard GA.
172 R. Yousefian et al. / Applied Soft Computing 24 (2014) 169–180
ach fo
is
P
iisTs
fItetwlasefiei
uFfttcmp
C
ai[
Fig. 3. The proposed appro
ts output will be greater than zero and the algorithm will betopped.
roposed method
The general idea of our method is to create a partial state spacenstead of a whole state space. In GTS, the state space has a uniquenitial state. The selected solutions are the finite sequences of tran-itions in a state space that were generated from this initial state.hese solutions, which are used for generating and exploring thetate space, are defined by chromosomes.
The way a model checking system works is as follows. It startsrom an initial state (S0) and generates and explores the state space.n every state, the number of possible transitions is determined, andhen the GA decides which transition must be selected for the nextxploration (see Applying genetic algorithm in model checking Sec-ion). After the selection, the model checking system determineshether the next state is a desirable state or not (to detect dead-
ock a desirable state has no transition and, for safety properties it isn erroneous state). If a desirable state is found, the current path isaved and the user will be informed of the error in the model; oth-rwise the model checking system continues its operation until itnds a desirable state or, a predetermined number of iterations arexecuted. Fig. 3 elaborates this process. All steps will be discussedn detail in the rest of the paper.
It should be considered that the implemented algorithm can besed to find error states in a given problem which is modeled in GTS.urthermore, as mentioned before, one of the most important dif-erences of the GA-based approach with the classical techniques ishat the state space is not fully generated and explored. Obviously,he advantage of using this approach is mostly for large cases whichannot be explored due to the state space explosion. We imple-ented our approach in GROOVE by adding a new strategy, so it is
ossible for each modeled system on GROOVE to be explored.
hromosome encoding
Encoding chromosomes is one of the problems that should beddressed when you are starting to solve a problem with GA. Encod-ng is very problem dependent. There are four types of encoding63,64]:
r heuristic model checking.
• Binary encoding is the most common, mainly because initialresearch efforts on GA used this type of encoding. In binary encod-ing every chromosome is a string of bits, 0 or 1.• Permutation encoding is mainly used in ordering problems. In per-
mutation encoding, every chromosome is a string of numbers,which represents number in a sequence. Given n unique objects,n! permutations of the object exist.• Value encoding is an approach in which each chromosome is rep-
resented as the string of some values. These values can be integer,real number, character, or some object. Values can be anythingconnected to the problem.• Tree encoding is used mainly for evolving programs or expres-
sions. In tree encoding every chromosome is a tree of someobjects, such as functions or commands in programming lan-guage.
In our approach, given the structure of the problem, valueencoding is employed. Each gene in a chromosome is a numberbetween 0 and the maximum number of possible outgoing transi-tions of a state in a particular problem. A gene is the representativeof a transition in each stage. Since the maximum number of tran-sitions for each problem is different, we need to determine itaccording to the nature of the problem as an input parameter. How-ever, this number is not always easy to figure out. For example, themaximum number of possible outgoing transitions in each state ofN-Phil problem is equal to N; similarly it is always 4 for N-Puzzleproblem. An example of encoding a finite path in a graph by a chro-mosome is shown in Fig. 4. The chromosome ‘1312′ encodes thepath that visits the colored states (following the colored edges) inthe state space.
The effective length of the chromosomes is considered to bedynamic based on the type of the problem. The effective length isequal to the search depth in model checking. We pick it in advanceand then pick a larger value if no deadlock state could be found. Forinstance, as seen in Fig. 4, the effective length of the chromosomeis 4.
Cost function
There are many different approaches to define the fitness func-tion. In this work, we need a way to define a function to show asimilarity between what we are searching to find (i.e. the deadlock
R. Yousefian et al. / Applied Soft Computing 24 (2014) 169–180 173
Fs
saalpcptfif
uvsdogf
F
nid
C
mboep
rate which is specified as an input parameter.Using these two methods for choosing the chromosome helps
all chromosomes to have the chance of being selected which also
ig. 4. The encoding method for a solution using the GA, the path ‘1312′ in the statepace is found by GROOVE.
tate) and what we are currently traversing (i.e. different pathsnd states). For example, hamming distance is used in differentpproaches to represent similarity. As we are searching for dead-ocks (state with no outgoing transition), the best similarity is aath in which outgoing transitions of the states are decreasing. Wehose this method because if there is less number of transitions in aath, it seems more likely to lead to a deadlock, i.e., a state in whichhere is no output. The goal is to minimize the output value of thetness function; hence, we refer to the fitness function as the cost
unction in the rest of the paper.The cost function is defined to find the best chromosomes to
se in the next generations. The goal is to minimize the outputalue of the cost function. In this algorithm, the cost function is theum of all the outputs that have been generated in a given path toetect a deadlock which is shown in (1). EL is the effective lengthf the chromosomes (i.e. the depth search) and, Li is the sum of theenerated states in ith depth. For instance in Fig. 4, the cost valueor the explored path is 14 (F(x) = 14).
(x) =EL∑
i=1
Li (1)
The goal of this GA is to minimize F(x) to find paths with lowerumber of transitions to be involved in the next generation, hop-
ng to reach a state without an output through one of the pathsetermined by the chromosomes.
rossover and mutation
Crossover is a genetic operator that combines two parent chro-osomes to produce a new chromosome (offspring). The idea
ehind crossover is that the new offspring may be better than bothf the parents if it takes the best characteristics of each of the par-nts. Three different forms of crossover are One point crossover, Noint crossover, and Uniform crossover.
Fig. 5. The crossover operation.
In our implementation, a single-point crossover is utilized. Asmentioned in [65], this method is commonly used to combine chro-mosomes that are independent (i.e. are not similar). In our proposedapproach, each chromosome indicates a path in the state space, andthus, they have no dependency on each other.
In a single-point crossover, a specified position – which is aninput parameter – is chosen for each two parents, and then swapsthe genes after that position to form the offspring. An example of acrossover is depicted in Fig. 5.
Mutation also is a basic operator in GA. It alters one or more genevalues in a chromosome from its initial state. With these new genevalues, the genetic algorithm may be able to arrive at a better solu-tion. Mutation is an important part of the genetic search as it helpsto prevent the population from stagnating at any local optima. Somedifferent types of mutation are boundary, non-uniform, uniform,and Gaussian. In the implementation, uniform method is employed.This is a simple method that is appropriate for the problem. Asshown in Fig. 6, in mutation operation some genes are randomlyreplaced by new random values. These random values are selectedfrom a range between the user-specified upper and lower boundsfor that gene.
Creating new generation
To produce a new generation, chromosomes from the previ-ous generation are transmitted, unchanged, to the next generation,according to the crossover and mutation rate, specified as the ini-tial parameters of GA algorithm. The selection process in GA is doneby three known methods: Elitism [63], Tournament [63], and Ran-dom. A number of chromosomes selected by Elitism method, whichis choosing the best chromosomes based on the cost function,are transmitted to the next generation unchanged. The numberof chromosomes is identified based on the crossover and muta-tion rate. According to the crossover rate, chromosome pairs areselected by Tournament method to participate in the crossoverprocess. The number of participating chromosomes in the tour-nament algorithm is also specified as an input parameter. Finally,Random selection method is used for selecting chromosomes inthe mutation process. Chromosomes are randomly selected fromthe chromosome pool, then mutation is performed on them andthey are transmitted to the new generation. The number of selectedchromosomes for the mutation process depends on the mutation
Fig. 6. The mutation operation.
174 R. Yousefian et al. / Applied Soft Computing 24 (2014) 169–180
e of th
aa
A
sdsbpetiaafgsosatwmeetetdrc
mti
I
i
erator Engine produces the initial population of chromosomes andplaces them in the Chromosome Pool. To improve the performanceof the algorithm, all chromosomes are unique in this generation.Chromosome Iterator sends chromosomes one by one as a file to
Fig. 7. The architectur
llows less-qualified chromosomes to be chosen, with a lower prob-bility, to prevent stagnation.
pplying genetic algorithm in model checking
In our approach, the search space to be explored is the statepace of a system. The state space has a unique initial state. Candi-ate solutions are finite sequences of transitions in the state spacetarting from this initial state. Each candidate solution is encodedy a chromosome, i.e., a finite array of integer. How to encode finiteaths in a graph using chromosomes is discussed in Chromosomencoding Section in details. To evaluate the cost of a chromosome,he GA generates the path encoded by the chromosome then passest to the model checker. Afterwards, the cost values are calculatednd returned back to the GA. This is done by combining the geneticlgorithm with a model checker. To do this, the model checker ised by a chromosome generated by our proposed GA. Elements (i.e.enes) of a chromosome tell the model checker which transitionhould be selected in each step of the space exploration. If the valuef a gene is larger than the possible transitions from the currenttate, the model checker generates a random number between 0nd the maximum number of possible transitions of that state forhe rest of exploration. In addition, the value of the gene is replacedith this new random number for the rest of the process. This actionust be calculated in the model checker because GA does not have
nough information about the number of out-going transitions inach state. Since a chromosome can only encode a finite number ofransitions, the state space is explored up to a fixed depth. When-ver the model checker has explored a path, it prompts the GAo evaluate the cost of the current chromosome. This operation isiscussed further in the rest of the paper. Once the cost of the cur-ent chromosome has been computed, another chromosome of theurrent population is evaluated using the same process.
The implemented algorithm can determine whether the GAust stop after reaching the first error state or it must continue
o find more error states. The latter helps us to find all error statesn a given model.
mplementation
The algorithm is implemented in two phases. The first phases implemented with Java programming language in GROOVE and
e proposed approach.
the second phase is implemented in .Net environment using C#.Netentitled as Director. Fig. 7 shows the architecture of the proposedmethod in two environments and demonstrates how they are con-nected to each other.
In the first phase, a new strategy, called GA, is added to the exist-ing strategies of the GROOVE and also a new capability is createdfor receiving a chromosome as an input file. Hence, we manipulatedthe files Simulator.jar and Generator.jar.
In the second phase, the input parameters of the problem suchas the model, the initial number of the chromosome population, thedesired depth for limiting the exploration, crossover rate, mutationrate, and etc. are determined. In execution time, Chromosome Gen-
Fig. 8. Host graph of dinning philosophers problem with 5 philosophers and 5 forks.
oft Computing 24 (2014) 169–180 175
ttcciFcp
mds
ssiscipGpss
E
DfDspoA
T
inasegSiutp
P
Gs4
imoiPfMl
Table 1The parameters for studying and exploring the state space with GA.
Population 50Iteration 50Crossover rate 50%
R. Yousefian et al. / Applied S
he GROOVE. GROOVE evaluates the input path and returns backhe results to the Director. In case of finding an error state theorresponding chromosome is identified with a flag. Now, the exe-ution can be continued to find another error state until the definedteration or, stopped. This option is specified in input parameters.urthermore, Chromosome Manipulator Engine is responsible forreating new chromosomes for the next generations based on theroposed GA.
At the end of the execution, the erroneous files for all the chro-osomes are saved. Moreover, the path to the error state can be
epicted in GROOVE and the host graph can be seen in an erroneoustatus as well.
We can also change the model’s rules for studying the otherafety or liveness properties in such a way that the desiredtate is converted into a deadlock state. For instance, if theres a rule ‘R’ which tells two philosophers cannot take one forkimultaneously, we can change the model’s rules in which R isonsidered as deadlock. After the execution of the algorithm,f an error state is found it can be concluded that the desiredroperty in this model is satisfied. The modified version of theROOVE, the Director program along with the case studiesresented in the next section can be downloaded from http://ourceforge.net/projects/groovedirector/files/latest/download?ource=files.
valuation
The experiments using GROOVE were carried out on a Core 2uo 2.4 GHz processor with 4 GB of RAM. To identify the deadlocks,
our known case studies in model checking systems were used: theinning philosophers, Pac-Man, 8-Puzzle, and Car Platoon. In this
ection, we present the results of our experiments, comparing theerformance of our approach with exhaustive existing strategiesf GROOVE (specifically DFS, BFS) and the simple heuristic method*.
he dining philosophers
The dining philosophers problem [66] is an example in which byncreasing the number of philosophers the state space grows expo-entially. This problem includes a number of philosophers sittinground a table; each philosopher thinks and then gets hungry. Totart eating, he first picks up the left fork and then the right fork andats. Next, he puts down the left and the right fork on the table andoes into thinking mode. This process is repeated infinite times.ince several philosophers are sitting around a table and each forks shared by two adjacent philosophers, they compete for pickingp the forks. If all the philosophers pick up their left forks, the sys-em faces a deadlock. Fig. 8 illustrates the host graph of dinninghilosophers problem which has been modeled in GROOVE.
ac-Man
The second problem is the Pac-Man game which is modeled byROOVE. This problem, similar to dinning philosophers, has a largetate space. The field dimension of our model varies and starts from
× 4.The Pac-Man video game [67] is as follows: there are two agents
nvolved in this game, the Pac-Man and the Ghost both of which canove to an adjacent box in each stage of the game based on a set
f given rules. If Pac-Man moves to an adjacent box with a marblenside, it will eat it. If the ghost moves to an adjacent box in which
ac-Man already is, then the ghost will kill Pac-Man. The conditionor game termination is either all the marbles must be eaten by Pac-an (you win) or the Pac-Man should be killed by the ghost (youose). In both cases, a deadlock state is generated. The host graph
Mutation rate 30%Position of crossover Middle of the chromosome
of Pac-Man problem which is modeled in GROOVE is depicted inFig. 9.
8-Puzzle
In 8-puzzle problem there are 9 boxes in which the 8 pieces ofthe game can move around. The goal is to insert the pieces in theircorrect position. Fig. 10 shows a definition of this problem whichhas been modeled in GROOVE. As it can be expected, generatingthe complete state space is not possible. In this puzzle, when allthe game pieces are placed in their correct place, a deadlock stateis reached.
Car Platoon
The Platoon system was designed by researchers at theCalifornia PATH program to show how vehicle automation tech-nology can be used to make a major contribution to relieving trafficcongestion [68]. Car platooning system consists of several cars driv-ing on a highway with constant speed and constant distance fromeach other. There is always one car in a platoon acts as a Leader andthe others follow it which are called Followers. In our case studythere are 25 cars each represented as a Process. The Followers areconnected to the leader through a channel. The property we intendto check is that the channel must not be created between two fol-lowers. To do this we should check if a free process (i.e. a new carwhich is not a part of the any platoons) sends a join request to afollower, then it must not receive acknowledgment. Moreover, weshould also check either if a follower is able to send a join requestto another follower or acknowledge a join request which is alreadysent by another leader. Hence these situations are not deadlock andour method can only find error states. Thus, as mentioned before,we should consider these rules in the model as deadlock. That is, ifany of the two mentioned situations happen a deadlock is occurred.A specification of this problem which has been modeled in GROOVEis depicted in Fig. 11.
Results
The initial parameters for studying and exploring the state spacewith GA are constant for all case studies and are shown in Table 1.
We considered different values as input parameters, specificallyfor mutation rate and crossover rate. However, all of the experi-ment results are almost the same and the effect of changing theseparameters, in our case, is negligible.
In verifying each model, we show the maximum search depthfor exploring the state space (Depth searched) and the average timefor reaching an error state after 10 runs (Result time). In addition, theminimum and maximum time (Min Time, Max Time) for reachingthe first error state in the total execution runs is presented. We alsoshow the depth of finding the first error state (first error depth).
Table 2 shows the comparison of our proposed GA strategy withothers for dinning philosopher problem. As shown in Table 2, the
results of running our algorithm after 8-phil is much better thanother approaches. A* strategy also suffers from state space explo-sion because, in the worst case scenario, it must exhaustively searchevery possible solution in the state space.176 R. Yousefian et al. / Applied Soft Computing 24 (2014) 169–180
roble
p
daescl
Fig. 9. Host graph of Pac-Man p
The amount of used memory in the largest model, that is 30hilosophers, is 35 MB.
The Pac-Man problem was studied for three different fields ofimensions. In all models, 4 ghosts and 3 marbles were considerednd this resulted in a very large state space. Since there are multiple
rror states in this problem, the time for reaching the goal is veryhort. The results can be seen in Table 3. As it can be seen in thisase study, GA works better even when the state space is not veryarge because of the great number of error states.Fig. 10. Host graph of 8
m with a 4 × 4 field dimension.
Finding the goal and execution time of the algorithm in 8-puzzleproblem is highly impressed by how we initially set the numbers inthe host graph. As illustrated in Table 4, it is clear that by disorga-nizing the host graph, the solution becomes more time consumingas it requires sliding more numbers around to achieve a given con-
figuration.In this case study, GA does not work as good as the other strate-gies. As the error states are generally in the first levels of the statespace, A* and BFS outperform GA.
-Puzzle problem.
R. Yousefian et al. / Applied Soft Computing 24 (2014) 169–180 177
Fig. 11. Host graph of Car Platoon problem.
Table 2The results of executing the proposed GA for dinning philosophers.
Number of phil GA A* BFS/DFS
Depthsearched
Result time(s)
Min time(s)
Max time(s)
# Runs/#errors
First errordepth
Result time(s)
First errordepth
Result time(s)
8 Phil 20 52 1.6 98 10/10 17 1477.287 17 269 Phil 25 75 14.8 113.8 10/10 19
Out ofmemory
15 Phil 45 335 44 815 10/10 3116 Phil 40 624 247 1205 10/10 33 Out of memory20 Phil 70 585 45 1204 10/10 4630 Phil 140 2409 444 5775 10/10 91
Table 3The results of executing the proposed GA for PacMan problem.
Pac-Man GA A* BFS DFS
Depthsearched
Resulttime (s)
Min time(s)
Maxtime (s)
# Runs/#errors
Firsterrordepth
Resulttime (s)
Firsterrordepth
Resulttime (s)
Resulttime (s)
4 × 4 100 3 1.7 14.1 10/10 5 18.56 13 6 44 × 5 120 11 2.3 30.2 10/10 19 Out of
memoryOut ofmemory
4.5
6 × 5 150 23 2.9 79 10/10 21 Out ofmemory
Table 4The results of executing the proposed GA for 8-puzzle.
8-Puzzle GA A* DFS BFS
Depthsearched
Resulttime (s)
Mintime (s)
Maxtime (s)
#Runs/#errors
Firsterrordepth
Resulttime (s)
Firsterrordepth
Resulttime (s)
Resulttime (s)
50 5.8 2 22.4 10/10 3 0.046 3Out ofmemory
0.5
50 15 2.4 27.5 10/10 4 0.037 4 0.55
50 380 72.7 794.6 10/10 8 0.27 8 0.6
50 612 82.6 1130.5 10/10 11 0.59 11 0.7
178 R. Yousefian et al. / Applied Soft Computing 24 (2014) 169–180
Table 5The results of executing the proposed GA for Car Platoon.
Car platoon GA A* BFS DFS
Depthsearched
Resulttime (s)
Mintime (s)
Maxtime (s)
#Runs/#errors
Firsterrordepth
Resulttime (s)
Firsterrordepth
Resulttime (s)
Resulttime (s)
6 Cars 20 0.05 0.02 0.09 10/10 7 0.56 7 0.04 0.19 Cars 25 0.08 0.4 1.3 10/10 13 227.42 16
Out ofmemory
0.1512 Cars 30 1 0.5 1.7 10/10 13 Out of
mem-ory
0.2
25 Cars 50 1.2 0.5 2 10/10 26 3
Table 6The results of executing the multi-thread system on dinning philosophers problem.
Number of Phil Depth Result time (s) Min time (s) Max time (s) # Runs/# errors
15 Phil 50 115 29.9 155 10/1016 Phil 50 150 32.3 320 10/1020 Phil 70 281 1.1 409 10/10
odra
M
atatcntcXrTf
it
mtuaooptbhwsrwetm
30 Phil 140 1107
Table 5 compares the results of executing our method with thether algorithms on car platoon system. As it is seen in the table,eadlocks cannot be detected in some cases using typical algo-ithms such as A* and BFS due to the state space explosion. But DFSnd our proposed method could find all error states successfully.
ulti-threading implementation
To improve the execution time of the algorithm we also builtnother implementation of our work by utilizing multi-threadingechnique [69] in which in every generation, all the chromosomes of
generation can be executed synchronously. In situations in whichhe state space is large and execution time is long, we can use thisapability to drastically reduce the model checking time. It is worthoting that the hardware of the system in use must have morehan one CPU or Cores. In case the state space is very large andomplicated, the experiments are executed on a system of Intel(R)eon TM with a 3.00 GHz processor, 8 cores and 2 GB of RAM. Theesults show an improvement in the time for reaching the goal.able 6 shows the performance of executing a multi-thread systemor the dining philosophers problem.
A comparison on the results in Tables 2 and 6 shows that by tak-ng advantage of multi-threading technique, the model checking’sime will be reduced.
In other case studies mentioned before, run time has been opti-ized by using multi-threading as well. However for evaluating
his algorithm, speed up ratio and cost must be calculated. Speedp is calculated with S = T1/TN, where T1 is the time it takes to run
code on one processor, and the time it takes to run the same coden N processors is TN. In our experiments the speed up was 2.8. Inur case, we have moved from a two core processor to an eight corerocessor (resulting in a cost of 4). Given the cost of four, it seemshat the speed up does not meet our expectations. The reason cane explained through Fig. 7. As it is shown, our implementationas two major components: Director and Generator. The first oneas written in .Net by us and it is an iterative program while the
econd one was written in Java by the GROOVE team and it is aecursive program. When preparing the multi-threaded version,
e rewrite the director, while it is not possible to implement Gen-rator as a multi-threaded program and it has a negative impact onhe speed up. Hence, the total speed up of the approach is not too
uch.
228 1604 10/10
Conclusion and future works
The main idea of this article is to cope with the problem of statespace explosion in model checking of graph transformation sys-tems. It must be mentioned that despite the proposed techniques,the problem of state space explosion, especially in problems withlarge size and high complexity, has not been completely resolvedyet and the problem of state space explosion still remains a criticalissue.
As it is seen, using the GA makes possible solving problems withlarge or infinite state space. Studying the properties and errors ofsuch problems can be impossible by using existing conventionalmethods. By considering the results, it is noticed that the proposedalgorithm makes it possible to check models with very large statespace that the existing tools like GROOVE could not initially check.However, in cases in which our approach does not report any error,we cannot be completely sure that the system is correct, but incases in which it finds an error, certainly the model is incorrect.
The proposed algorithm is implemented in order to detect dead-locks. It is also able to check the liveness property with minorchanges in the set of rules. Further research can still be done toimprove the algorithm. It is possible to define a new cost func-tion in the proposed algorithm to be used in the detection of otherproperties (currently, to verify these properties the designer shouldchange the model to convert these properties to a deadlock prop-erty). This issue will be further investigated in the future.
Acknowledgement
We would like to thank Prof. Arend Rensink and Amir Hos-sein Ghamarian (University of Twente) for their valuable commentson using GROOVE. Additionally, we would like to thank Dr. AminNikanjam (K.N Toosi University) for his valuable comments on GA.Last but not least, we also thank the anonymous reviewers for theiruseful comments to improve the paper.
References
[1] V. Rafe, Scenario-driven analysis of systems specified through graph transfor-mations, Vis. Lang. Comput. 24 (2) (2013) 136–145.
[2] L. Baresi, R. Heckel, Tutorial introduction to graph transformation: a softwareengineering perspective, in: First International Conference on Graph Transfor-mation (ICGT), 2002, pp. 402–429.
oft Com
[
[
[
[
[
[
[
[
[
[
[
[
[
[
[
[
[
[
[
[
[
[
[
[
[[
[
[
[
[
[
[
[
[
[
[
[
[
[
[
[
[
[
[
[
[
[
[
[
[
[
R. Yousefian et al. / Applied S
[3] H. Ehrig, K. Ehrig, U. Prange, G. Taentzer, Fundamentals of Algebraic GraphTransformation, in: EATCS Monographs in TCS, Springer, Heidelberg, 2006.
[4] A. Rensink, The GROOVE simulator: a tool for state space generation, applica-tions of graph transformations with industrial relevance (AGTIVE), LNCS 3062(2003) 479–485.
[5] L. Baresi, V. Rafe, A.T. Rahmani, P. Spoletini, An efficient solution for modelchecking graph transformation systems, Electron. Notes Theor. Comput. Sci.213 (2008) 3–21.
[6] A. Schmidt, D. Varró, CheckVML: a tool for model checking visual modelinglanguages, in: UML 2003: 6th International Conference on the Unified ModelingLanguage, Springer, 2003, pp. 92–95.
[7] A. Boronat, R. Heckel, J. Meseguer, Rewriting logic semantics and verification ofmodel transformations, in: FASE’09 Proceedings of the 12th International Con-ference on Fundamental Approaches to Software Engineering, Springer, 2009,pp. 18–33.
[8] P. Baldan, A. Corradini, B. König, Verifying finite-state graph grammars: anunfolding-based approach, in: International Conference on Concurrency The-ory (CONCUR), Springer, 2004.
[9] A.P.L. Ferreira, L. Foss, L. Ribeiro, Formal verification of object-oriented graphgrammars specifications, Electron. Notes Theor. Comput. Sci. (ENTCS) 175(2007) 101–114.
10] L. Baresi, P. Spoletini, On the use of alloy to analyze graph transformationsystems, in: Third International Conference on Graph Transformations (ICGT),2006, pp. 306–320.
11] V. Rafe, A.T. Rahmani, L. Baresi, P. Spoletini, Towards automated verifi-cation of layered graph transformation specifications, IET Softw. 3 (2009)276–291.
12] E.M. Clarke, K.L. McMillan, S.V.A. Campos, V.I. Hartonas-Garmhausen, Symbolicmodel checking, Comput. Aided Verif. 1102 (1996) 419–422.
13] J.R. Burch, E.M. Clarke, K.L. McMillan, D.L. Dill, L.J. Hwang, Symbolicmodel checking: 1020 states and beyond, Inform. Comput. 98 (1992)142–170.
14] S. Edelkamp, S. Leue, A.L. Lafuente, Directed explicit-state model checking inthe validation of communication protocols, Int. J. Softw. Tools Technol. 5 (2004)247–267.
15] D. Bosnacki, S. Leue, A.L. Lafuente, Partial-order reduction for general stateexploring algorithms, Int. J. Softw. Tools Technol. Transf. (STTT) 11 (2009)39–51.
16] A.L. Lafuente, Symmetry reduction and heuristic search for error detection inmodel checking, in: Workshop on Model Checking and Artificial Intelligence,2003.
17] E.A. Emerson, A.P. Sistla, Symmetry and model checking, Formal Methods Syst.Des. 9 (1996) 105–131 (Special issue on symmetry in automatic verification).
18] E.M. Clarke, R. Enders, T. Filkorn, S. Jha, Exploiting symmetry in temporal logicmodel checking, Formal Methods Syst. Des. 9 (1996) 77–104 (Special issue onsymmetry in automatic verification).
19] V. Gyuris, A.P. Sistla, On-the-fly model checking under fairness that exploitssymmetry, Formal Methods Syst. Des. 15 (1999) 217–238.
20] H. Kastenberg, A. Rensink, Model checking dynamic states in GROOVE, in: 13thInternational Conference on Model Checking Software, Springer-Verlag, Berlin,Heidelberg, 2006, pp. 299–305.
21] A. Rensink, I. Boneva, H. Kastenberg, T. Staijen, User manual for the GROOVEtool set, 2010, Available from: http://groove.cs.utwente.nl/wp-content/uploads/usermanual1.pdf
22] A. Valmari, Error detection by reduced reachability graph generation, in: Appli-cation and Theory of Petri Nets – APN, Venice, Italy, 1988.
23] A. Valmari, Heuristics for lazy state generation speeds up analysis of concurrentsystems, in: Finnish Artificial Intelligence Symposium STeP-88, Helsinki, 1988,pp. 640–650.
24] P. Godefroid, P. Wolper, Using partial orders for the efficient verification ofdeadlock freedom and safety properties, Formal Methods Syst. Des. 2 (1991)149–164 (Special issue on computer-aided verification: special methods II).
25] P. Godefroid, Using partial orders to improve automatic verification methods,in: 2nd International Workshop on Computer Aided Verification, Springer-Verlag, London, UK, 1991, pp. 176–185.
26] P. Willem, de Roever, The need for compositional proof systems: a survey, in:COMPOS’97 Revised Lectures from the International Symposium on Compo-sitionality: The Significant Difference, Springer-Verlag, London, UK, 1998, pp.1–22.
27] H. Peng, S. Tahar, A survey on compositional verification, 1998, Available from:http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.29.4911&rep=rep1&type=pdf
28] C. Courcoubetis, M. Vardi, P. Wolper, M. Yannakakis, Memory efficient algo-rithms for the verification of temporal properties, Formal Methods Syst. Des. 1(1992) 275–288 (Special issue on computer-aided verification).
29] U. Stern, D.L. Dill, Improved probabilistic verification by hash compaction,in: IFIP WG 10.5 Advanced Research Working Conference on Correct Hard-ware Design and Verification Methods, Springer-Verlag, London, UK, 1995, pp.206–224.
30] U. Stern, D.L. Dill, A new scheme for memory-efficient probabilistic verification,in: On Formal Description Techniques IX/Protocol Specification, Testing and
Verification XVI on Formal Description Techniques IX: Theory, Application andTools: Theory, Application and Tools, Chapman & Hall, Ltd., London, UK, 1996,pp. 333–348.31] P. Wolper, D. Leroy, Reliable hashing without collision detection, in: ComputerAided Verification, 5th International Conference, 1993, pp. 59–70.
[
puting 24 (2014) 169–180 179
32] H. Sivaraj, G. Gopalakrishnan, Random walk based heuristic algorithms for dis-tributed memory model checking, Electron. Notes Theor. Comput. Sci. (ENTCS)89 (2003) 51–67.
33] F.J. Lin, P.M. Chu, M.T. Liu, Protocol verification using reachability anal-ysis: the state space explosion problem and relief strategies, in: ACMWorkshop on Frontiers in Computer Communications Technology, 1987,pp. 126–135.
34] C.H. Yang, Prioritized Model Checking, Stanford University, 1998.35] S. Edelkamp, A.L. Lafuente, S. Leue, Directed explicit model checking with HSF-
SPIN, in: SPIN Workshop, 2001, pp. 57–79.36] C.H. Yang, D.L. Dill, Validation with guided search of the state space, in: DAC’98
Proceedings of the 35th Annual Design Automation Conference, 1998, pp.599–604.
37] R. Bloem, K. Ravi, F. Somenzi, Symbolic guided search for CTL model checking,Des. Autom. (2000) 29–34.
38] S. Edelkamp, F. Reffel, OBDDs in Heuristic Search, in: KI, volume 1504 of LectureNotes in Computer Science, Springer-Verlag, 1998, pp. 81–92.
39] G. Friedman, A. Hartman, K. Nagin, T. Shiran, Projected state machine coveragefor software testing, in: ACM SIGSOFT International Symposium on SoftwareTesting and Analysis, 2002, pp. 134–143.
40] M.K. Ganai, A. Aziz, Efficient coverage directed state space search, in: Interna-tional Workshop on Logic Synthesis, 1998.
41] R. Behjati, M. Sirjani, M.N. Ahmadabadi, Bounded rational search for on-the-fly model checking of LTL properties, in: Third IPM International Conferenceon Fundamentals of Software Engineering, Springer-Verlag Berlin, Heidelberg,2010, pp. 292–307.
42] L.M. Duarte, L. Foss, F.R. Wagner, T. Heimfarth, Model checking the ant colonyoptimisation, Comput. Sci. 329 (2010) 221–232.
43] F. Chicano, E. Alba, Ant colony optimization in model checking, in: 11th Interna-tional Conference on Computer Aided Systems Theory, Springer-Verlag, Berlin,Heidelberg, 2007, pp. 523–530.
44] G. Francesca, A. Santone, G. Vaglini, M.L. Villani, Ant colony optimization fordeadlock detection in concurrent systems, in: 2011 IEEE 35th Annual ComputerSoftware and Applications Conference, IEEE Computer Society, Washington,DC, USA, 2011, pp. 108–117.
45] E. Alba, F. Chicano, M. Ferreira, J.G. Pulido, Finding deadlocks in largeconcurrent java programs using genetic algorithms, in: 10th Annual Confer-ence on Genetic and Evolutionary Computation, New York, NY, USA, 2008,pp. 1735–1742.
46] P. Godefroid, S. Khurshid, Exploring very large state spaces using genetic algo-rithms, Softw. Tools Technol. Transf. (STTT) 6 (2004) 117–127 (Special sectionon tools and algorithms for the construction and analysis of systems).
47] P. Godefroid, Model checking for programming languages using VeriSoft, in:POPL’97 Proceedings of the 24th ACM SIGPLAN-SIGACT Symposium on Princi-ples of Programming Languages, 1997, pp. 174–186.
48] A. Groce, W. Visser, Heuristics for model checking java programs, Int. J. Softw.Tools Technol. Transf. 6 (2004) 260–276.
49] S. Edelkamp, S. Jabbar, A.L. Lafuente, Heuristic search for the analysis of graphtransition systems, in: Graph Transformation (ICGT), 2006.
50] G.J. Holzmann, The model checker SPIN, IEEE Trans. Softw. Eng. 23 (1997)279–295.
51] G. Engels, J.H. Hausmann, R. Heckel, S. Sauer, Dynamic meta modeling: a graph-ical approach to the operational semantics of behavioral diagrams in UML, in:3rd International Conference on The Unified Modeling Language: Advancingthe Standard (UML’00), Springer, 2000, pp. 323–337.
52] L. Baresi, R. Heckel, S. Thöne, D. Varro, Modeling and validation of service-oriented architectures: application vs. style, in: 9th European SoftwareEngineering Conference held jointly with 11th ACM SIGSOFT InternationalSymposium on Foundations of Software Engineering (ESEC/FSE-11), 2003, pp.68–77.
53] R. Heckel, S. Thöne, Behavioral refinement of graph transformation-based mod-els, Electron. Notes Theor. Comput. Sci. (ENTCS) 127 (2005) 101–111.
54] T. Mens, On the use of graph transformations for model refactoring, in: Gen-erative and Transformational Techniques in Software Engineering (GTTSE’05),Springer, 2005, pp. 219–257.
55] G. Taentzer, K. Ehrig, E. Guerra, J. de Lara, L. Lengyel, T. Levendovszky, et al.,Model transformation by graph transformation: a comparative study, in:Workshop Model Transformation in Practice, Software and System modelings(Sosym), 2005.
56] M.R. Naddaf, V. Rafe, Performance modeling and analysis of software archi-tectures specified through graph transformations, Comput. Inform. 32 (2013)797–826.
57] L. Lamport, Verification and Specification of Concurrent Programs, A Decade ofConcurrency – Reflexions and Perspectives Lecture notes in computer science,vol. 803, Springer Verlag, 1993, pp. 347–374.
58] G. Gopalakrishnan, Computation Engineering: Applied Automata Theory andLogic, Springer Verlag, Berlin, Heidelberg, 2006.
59] H. Ehrig, G. Engels, H.J. Kreowski, G. Rozenberg, Handbook of graph grammarsand computing by graph transformation: applications, Lang. Tools (1999).
60] H. Ehrig, M. Pfender, H.J. Schneider, Graph-Grammars: An Algebraic Approach,in: Proceeding SWAT ‘73 Proceedings of the 14th Annual Symposium on
Switching and Automata Theory, IEEE Computer Society, swat 1973, pp.167–180.61] R. Heckel, Compositional verification of reactive systems specified by graphtransformation, Fundament. Approaches Softw. Eng. (FASE) 1382 (1998)138–153.
1 oft Co
[
[
[
[
[
[
[
CTIT Workshop Proceedings, Vol. WP10-03, University of Twente, Enschede,
80 R. Yousefian et al. / Applied S
62] R.L. Haupt, S.E. Haupt, Practical Genetic Algorithms, John Wiley & Sons, Inc.,New York, NY, USA, 2004.
63] M. Mitchell, An Introduction to Genetic Algorithms, MIT Press Cambridge, MA,USA, 1999.
64] A. Kumar, Encoding schemes in genetic algorithm, Int. J. Adv. Res. IT Eng. 2
(March) (2013).65] K.A. De Jong, W.M. Spears, A formal analysis of the role of multi-point crossoverin genetic algorithms, Ann. Math. Artif. Intell. 5 (1992) 1–26.
66] Á. Schmidt, Model Checking of Visual Modeling Languages, Budapest Universityof Technology, Hungary, 2004.
[
mputing 24 (2014) 169–180
67] R. Heckel, Graph transformation in a nutshell, Electron. Notes Theor. Comput.Sci. (ENTCS) 148 (2006) 187–198.
68] P. Backes, J. Reineke, A Graph Transformation Case Study for the Topology Anal-ysis of Dynamic Communication System, in: Transformation Tool Contest 2010,
2010, pp. 107–118.69] R.H. Carver, K.C. Tai, Modern Multithreading: Implementing, Testing, and
Debugging Multithreaded Java and C++/Pthreads/Win32 Programs, John Wiley& Sons, Inc., New York, NY, USA, 2005.