Description: Workshop presentation given by Niels Lohmann on February 22, 2011 in Karlsruhe, Germany at the Third Central-European Workshop on Services and their Composition (ZEUS 2011).
Niels Lohmann
INTERNAL BEHAVIOR REDUCTION FOR PARTNER SYNTHESIS
PARTNER SYNTHESIS 1
SERVICE / SERVICE COMPOSITION
INTERFACE
PARTNER INTERFACE
SYNTHESIS ✔
PARTNER SYNTHESIS 2
MODELING SUPPORT
TEST CASE GENERATION
VALIDATION AND DIAGNOSIS
ADAPTER SYNTHESIS
COMPLEXITY 3
SIZE OF PARTNER ≤ 2^(SERVICE’S STATES + SIZE OF INTERFACE)
SERVICE’S STATES ≤ 2^(SIZE OF SERVICE MODEL)
REDUCTION TECHNIQUES 4
SIZE OF PARTNER ≤ 2^(2^(SIZE OF SERVICE MODEL) + SIZE OF INTERFACE)
STRUCTURAL REDUCTION
ON-THE-FLY REDUCTION
A POSTERIORI REDUCTION
HEURISTICS
SYMBOLIC REPRESENTATION
EXTERNAL VS. INTERNAL ACTIONS 5
EXTERNAL ACTIONS: INSERT COIN, CHOOSE REFRESHING BEVERAGE, TAKE ICE COLD CAN
INTERNAL ACTIONS: WEIGH AND CHECK COIN, GUIDE COIN TO COIN BASKET, EVALUATE CHOICE, CHECK TEMPERATURE, TRIGGER CAN EJECTION, DISPLAY “THANK YOU”, FILL CAN SLOT ✘
REDUCTION OF INTERNAL BEHAVIOR 6
4148 states, 13832 transitions (9288 internal) → 150 states, 397 transitions (12 internal)
REDUCTION RULES 7
Compositional Verification of Concurrent Systems Using Petri-Net-Based Condensation Rules
ERIC Y.T. JUAN, JEFFREY J.P. TSAI, and TADAO MURATA, University of Illinois at Chicago

The state-explosion problem of formal verification has obstructed its application to large-scale software systems. In this article, we introduce a set of new condensation theories: IOT-failure equivalence, IOT-state equivalence, and firing-dependence theory to cope with this problem. Our condensation theories are much weaker than current theories used for the compositional verification of Petri nets. More significantly, our new condensation theories can eliminate the interleaved behaviors caused by asynchronously sending actions. Therefore, our technique provides a much more powerful means for the compositional verification of asynchronous processes. Our technique can efficiently analyze several state-based properties: boundedness, reachable markings, reachable submarkings, and deadlock states. Based on the notion of our new theories, we develop a set of condensation rules for efficient verification of large-scale software systems. The experimental results show a significant improvement in the analysis of large-scale concurrent systems.

Categories and Subject Descriptors: D.2.4 [Software Engineering]: Program Verification; F.3.1 [Logics and Meanings of Programs]: Specifying and Verifying and Reasoning about Programs—mechanical verification
General Terms: Algorithms, Experimentation, Reliability, Theory, Verification
Additional Key Words and Phrases: Boundedness, compositional verification, deadlock states, Petri nets, reachability analysis, reachability graphs, reachable markings

1. INTRODUCTION
Petri nets have been widely recognized as a suitable tool for modeling and analyzing concurrent systems [Murata 1989; Silva 1989; Tsai and Weigert 1993; Tsai et al. 1996; Yoeli 1987]. However, because of the complexity of the state-space explosion [Lipton 1976], efficient analysis by using reachability graphs is restricted to small system models. To deal with the state

J. Tsai was supported by NSF and DARPA under grant CCR-9633536.
Authors’ address: Department of Electrical Engineering and Computer Science, University of Illinois at Chicago, 851 South Morgan Street, Chicago, IL 60607; {juan; tsai; murata}@eecs.uic.edu.
Permission to make digital / hard copy of part or all of this work for personal or classroom use is granted without fee provided that the copies are not made or distributed for profit or commercial advantage, the copyright notice, the title of the publication, and its date appear, and notice is given that copying is by permission of the ACM, Inc. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and / or a fee.
© 1998 ACM 0164-0925/98/0900–0917 $5.00
ACM Transactions on Programming Languages and Systems, Vol. 20, No. 5, September 1998, Pages 917–979.
REDUCTION RULES 7
[Figure: transition systems with external actions x, y and internal τ transitions, before and after reduction]
IMPLEMENTATION 8
SERVICE, PARTNER
FULL STATE SPACE, REDUCED STATE SPACE
service-technology.org/wendy
EXPERIMENTAL RESULTS: REDUCTION 9
[Charts: STATES (log scale, 1 to 100.000) and INTERNAL TRANSITIONS (log scale, 1 to 1.000.000) per case study: deliver goods, car analysis, identity card, product order, SMTP, philosophers]
EXPERIMENTAL RESULTS: PARTNER SYNTHESIS 10
[Charts: TIME CONSUMPTION (log scale, 1 s to 10.000 s) and MEMORY CONSUMPTION (log scale, 1 MB to 10.000 MB) per case study: deliver goods, car analysis, identity card, product order, SMTP, philosophers]
NEXT STEPS 11
Excerpt shown on the REDUCTION RULES slide: E. Y. T. Juan, J. J. P. Tsai and T. Murata, Compositional Verification of Concurrent Systems, ACM Transactions on Programming Languages and Systems, Vol. 20, No. 5, September 1998, pp. 946–949.

… transitional Petri-net reduction rules because the condensation is performed hierarchically on IO-graphs which capture the dynamic behaviors of systems.

Rules 1 and 2 below preserve IOT-state equivalence and IOT-failure equivalence. Therefore, Rules 1 and 2 can be applied for the analysis of reachable markings, boundedness, and deadlock states. Rule 1 removes edges which are parallel and have identical IO-edge-labels. Rule 2 suggests that vertices which are linked by a loop of internal edges can be fused into a macrovertex. In Rule 2, every vertex vi involved in the loop of internal edges is not IOT-stable because vertex vi has one out-edge ei whose input edge-label is empty. Nevertheless, the macrovertex v in the condensed IO-graph may be IOT-stable. This problem can be solved if we add one self-loop internal edge to vertex v. Nevertheless, this approach will cause overhead in verifying the preconditions of other rules in practice, e.g., Rules 5, 6, and 7 below. Therefore, we use a boolean function BF-nonstable to indicate that the macrovertex v is not IOT-stable, i.e., BF-nonstable(v) = “ON.” As a result, we redefine the stability of vertices as shown in Definition 8.1 below. Boolean function BF-nonstable has been considered in the proofs and the parallel composition algorithm in the Appendix.

Rule 1 (Redundant Parallel Edges) (IOT-State Equivalence, IOT-Failure Equivalence, and Boundedness). If two edges have an identical (1) starting vertex, (2) ending vertex, and (3) IO-edge-labels, then one of the two edges can be removed.

Definition 8.1 (IOT-Stable Vertices (States) of IO-Graphs with Boolean Function BF-Nonstable). A vertex v of an IO-graph is IOT-stable if BF-nonstable(v) ≠ “ON” and vertex v has no outgoing edge e such that e.IEL = ∅, where BF-nonstable is a boolean function. Otherwise, vertex v is not IOT-stable.

Definition 8.2 (Deadlock States of IO-Graphs). For an IO-graph G, a marking M is a deadlock state of G if and only if M is a reachable marking of G; M has no outgoing edge; and boolean function BF-nonstable(v) = “OFF,” where v is the vertex of M.

Rule 2 (Fusion of Internal Loops) (IOT-State Equivalence, IOT-Failure Equivalence, and Boundedness). If vertices are linked by an (internal) loop p = {v1 e1 v2 … vn en v1} (n ≥ 1) such that ∀ei ∈ p (1 ≤ i ≤ n): ei is an internal edge (ei.IEL = ∅ and ei.OEL = ∅), then all edges in loop p are removed; all vertices in loop p are fused into one macrovertex v by Rule A (Vertex Fusion) below; and boolean function BF-nonstable(v) is set to “ON.”

Fig. 23. Application of Rule 1 (Redundant Parallel Edges) and Rule 2 (Fusion of Internal Loops).

Rule A (Vertex Fusion) (Fusing a Set of Vertices {v1, v2, …, vn} (n ≥ 2) into a Macrovertex v). (1) Each in-edge (va, vi) of vertex vi becomes (va, v), and each out-edge (vi, vb) of vertex vi becomes (v, vb), where 1 ≤ i ≤ n; (2) if one of the vertices {v1, v2, …, vn} is the initial vertex, then v becomes the initial vertex; (3) vertex v represents the markings of all vertices {v1, v2, …, vn}; and (4) all vertices {v1, v2, …, vn} are removed.

Rules 3 and 4 are applied to fuse in-equivalent vertices. Rule 3 preserves IOT-state equivalence and hence the properties of boundedness and reachable markings. Rule 4 is similar to Rule 3, but Rule 4 preserves IOT-failure equivalence and therefore the reachability analysis of deadlock states. Rule 4 also preserves the property of boundedness.

Definition 8.3 (In-Equivalent Vertices). Two vertices v1 and v2 are said to be in-equivalent, if vertex v1 has at least one in-edge and for each in-edge e1 of vertex v1, either (1) edge e1 is an internal edge (e1.IEL = ∅ and e1.OEL = ∅) and vertex v2 is the starting vertex of edge e1 or (2) there exists an in-edge e2 of vertex v2 such that edges e1 and e2 have an identical starting vertex and identical IO-edge-labels (e1.IEL = e2.IEL and e1.OEL = e2.OEL), and vice versa for vertex v2.

Rule 3 (Fusion of In-Equivalent Vertices) (IOT-State Equivalence and Boundedness). If there exist two vertices v1 and v2 such that v1 and v2 are in-equivalent and neither v1 nor v2 is the initial vertex, then (1) vertices v1 and v2 are fused into one macrovertex v by Rule A (Vertex Fusion); (2) redundant parallel in-edges and out-edges of vertex v are removed by Rule 1; and (3) redundant self-loop internal edges are removed by Rule 2.

Rule 4 (Fusion of In-Equivalent Vertices) (IOT-Failure Equivalence and Boundedness). If there exist two vertices v1 and v2 such that (1) v1 and v2 are in-equivalent, (2) neither v1 nor v2 is the initial vertex, and (3) either (a) or (b) is satisfied: (a) both vertices v1 and v2 are not IOT-stable; (b) boolean function BF-nonstable(v1) is equal to BF-nonstable(v2) and for each out-edge e1 of vertex v1 there exists an out-edge e2 of vertex v2 such that edges e1 and e2 have identical IO-edge-labels (e1.IEL = e2.IEL and e1.OEL = e2.OEL), and vice versa for each out-edge of vertex v2; then (1) vertices v1 and v2 are fused into one macrovertex v by Rule A (Vertex Fusion); (2) redundant parallel in-edges and out-edges of vertex v are removed by Rule 1; and (3) redundant self-loop internal edges are removed by Rule 2.

Fig. 24. Application of Rules 3, 4 (Fusion of In-Equivalent Vertices), and Rule 5 (Redundant Initial Vertices).

Rule 5 is applied to remove redundant initial vertices and internal edges. Rule 5 preserves IOT-failure equivalence (deadlock states) and the property of boundedness.

Rule 5 (Redundant Initial Vertices and Internal Edges) (IOT-Failure Equivalence and Boundedness). If (1) vertex v1 is the initial vertex, (2) vertex v1 has no in-edge and has a unique out-edge erm, (3) edge erm is an internal edge (erm.IEL = ∅ and erm.OEL = ∅), and (4) the starting vertex and ending vertex of edge erm are different (erm is not a self-loop edge), then vertex v1 and edge erm can be removed, and the initial vertex is changed to the ending vertex of edge erm.

Rule 6 provides conditions, under which one of two vertices linked by an internal edge can be removed. Redundant internal edges and parallel edges are removed as well. For simplicity, subconditions of Condition (3) can be discussed separately as shown in Figure 25. Rule 6 preserves IOT-failure equivalence (deadlock states) and the property of boundedness.

Rule 6 (Redundant Vertices Linked by an Internal Edge) (IOT-Failure Equivalence and Boundedness). If there exist two distinct vertices v1 and v2 such that (1) vertex v1 has one out-edge erm which is an internal edge (erm.IEL = ∅ and erm.OEL = ∅), (2) v2 is the ending vertex of erm, and (3) ∀ out-edges e1_i of vertex v1 (e1_i ≠ erm): ∃ an out-edge e2_j of vertex v2 and one of the following conditions is satisfied: (a) v2 is not the initial vertex, erm is the unique in-edge of v2, and e1_i.IEL = e2_j.IEL; (b) e1_i.IEL = e2_j.IEL, e1_i.OEL = e2_j.OEL, and edges e1_i and e2_j share an ending vertex; (c) e1_i.IEL = e2_j.IEL, e1_i.OEL = e2_j.OEL, and edges e1_i and e2_j are self-loop edges; and (d) e1_i.IEL = e2_j.IEL, e1_i.OEL = e2_j.OEL; v2 is the ending vertex of e1_i; and v1 is the ending vertex of e2_j; then (1) each in-edge (va, v1) of vertex v1 becomes (va, v2), (2) each out-edge e = (v1, vb) of vertex v1 (e ≠ erm) becomes (v2, vb), (3) vertex v2 becomes the initial vertex if vertex v1 is the initial vertex, (4) vertex v1 and edge erm are removed, and (5) redundant parallel edges are removed by Rule 1.

Fig. 25. Illustration of Rule 6 (Redundant Vertices Linked by an Internal Edge). Top left: Condition (a). Top right: Condition (b). Bottom left: Condition (c). Bottom right: Condition (d).

Rule 7 is used to efficiently condense two-edge paths into single-edge paths and remove one vertex vrm (if vrm is not the initial vertex). Rule 7 preserves IOT-failure equivalence (deadlock states) and the property of boundedness.

Rule 7 (Condensation of Edges in Series) (IOT-Failure Equivalence and Boundedness). If there exists a vertex vrm such that (1) vrm has at least one in-edge and at least one out-edge, (2) vrm has no self-loop edge, and (3) for each out-edge eout_j of vrm, the input edge-label of eout_j is null (eout_j.IEL = ∅), then (1) for each in-edge ein_i = (vs_i, vrm) and each out-edge eout_j = (vrm, ve_j), a new edge ne_ij = (vs_i, ve_j) is created, where ne_ij.IEL = ein_i.IEL and ne_ij.OEL = ein_i.OEL + eout_j.OEL (see Definition A.4 in Appendix A for the sum of IO-edge-labels); (2) if vrm is not the initial vertex, then vrm and all in-edges and out-edges of vrm are removed (Rule 7.1); and (3) if vrm is the initial vertex, then all in-edges of vrm are removed (Rule 7.2).

9. FIRING-DEPENDENCE THEORIES AND RULES FOR IO-GRAPHS

In this section, we show how to further condense IO-graphs based on the notion of path firing-dependence. We first give notations and arithmetic of IO-path-labels which will be used throughout this section. Recall that an input edge-label (IEL) specifies tokens demanded from IO-places in order to enable an edge, while an output edge-label (OEL) specifies tokens added into IO-places after firing an edge. Similar to IO-edge-labels, we use IO-path-labels to specify the effect of path firing upon IO-places. The input/output path-label (IPL/OPL) of a path π is a sum of input/output edge-labels (IELs/OELs) of all edges in path π. (See Definition A.4 in Appendix A for the sum of IO-edge-labels and IO-path-labels.) The firings of IO-equivalent paths have the same overall effect upon IO-places.

Definition 9.1 (Labels, IO-Equivalence, and Parallelism of Paths). Let path π = {v1 e1 … e_{n−1} vn} (n ≥ 2). π.IPL = Σ ei.IEL and π.OPL = Σ ei.OEL, where 1 ≤ i ≤ n − 1. Paths π1 and π2 are IO-equivalent iff π1.IPL + π1.OPL = π2.IPL + π2.OPL. Paths π1 and π2 are parallel iff they have an identical starting vertex, an identical ending vertex, and no edge in common.

Fig. 26. Application of Rules 7.1 and 7.2 (Condensation of Edges in Series).
IMPROVE RUNTIME
IMPLEMENT MORE REDUCTION RULES
REMOVE BUGS
TAKE HOME POINTS 12
SIMPLE TECHNIQUES CAN SOLVE COMPLEX PROBLEMS!
HAVE EXPERIMENTAL RESULTS EARLY!
DON’T BE AFRAID OF COMPLEXITY!
MODULAR ARCHITECTURES EASE PROTOTYPING!
service-technology.org/wendy
INTERNAL BEHAVIOR REDUCTION FOR PARTNER SYNTHESIS
http://about.me/nlohmann
Niels Lohmann