Verification with LoLA   Niels Lohmann and Karsten Wolf   The Blue Angel   Germany, 1930                 Run Lola Run      ...
What is LoLA?• Explicit state space generation• Place/Transition nets• Focus on standard properties• Many reduction techni...
Where does it come           from?• INA - Integrated Net Analyzer by Peter Starke •   grown for long time •   state space ...
Purpose• Generate competitive “experimental results”  tables• Explore impact of basic design decisions• ... Ship as tool
Milestones• 1998: 1st release• 1998-2005: State space reduction techniques• 2000: Presentation at Petri Nets• 2005-: Case ...
Basic Design Decisions• No GUI • Realistic nets are generated, not    painted  • GUI blocks portability  • Many GUIs avail...
Basic Design Decisions• One property, one state space • as opposed to query languages on state    spaces • One property, o...
Basic Design Decisions• Configuration at compile time • property class, search strategy, reductions • #define instead of if(...
Featured Properties•   Boundedness (place)        •   Reversibility•   Boundedness                •   Home states•   Reach...
Featured Reductions•   Stubborn Sets                     •   Reduction based on S/T                                       ...
Goal of Tutorial• Can LoLA help you?• Where (and why) does it perform well?• How to (optimally) use it, to integrate it
Outline• Introduction         • Input Language    • Motivation,      • State Space      background,        Techniques     ...
Basic notions: net•   Net:        [P,T,F,W,m0]     •     P,T finite, nonempty, disjoint     •     F ⊆(P x T) ∪ (T x P)     ...
Basic notions: properties•   Place p is ...      •   bounded iff there is a k such that, for all reachable m, m(p) < k•   ...
Basic notions: Temporal Logic•   LTL: infinite path (starting in m0) satisfies ...     •   F φ : is satisfied at least once  ...
Basic notions: State Space• Strongly connected component                            (scc)    •   max set of mutually reach...
Basic notions: Search• Depth first   •   can be extended easily for detecting cycles and scc   •   tends to yield long path...
2. The LoLA Input Language
Plan• Place/Transition nets• Verification task• High-Level nets• Demo
Place/Transition NetsN = [P,T,F,W,m0]               treated as variablesPLACE p1, p2, p3, p4;                            c...
IdentifiersMany special characters permitted, eg.p4 23 message[x=13,from=”bla”]Reason: easier for tools to generate suchnames
Storage directivesIf bounds for some places are known:   PLACE                      default, #CAPACITY in   p0;           ...
Fairness Constraintsneeded for the LTL properties only(fair CTL is not supported so far)TRANSITION t1 STRONG FAIR...TRANSI...
Verification Task Input• Can be specified inline or as separate file• For boundedness of places: ANALYSE PLACE p1• For dead t...
High Level Net Input• Main purpose: To obtain scalable sequences of models• Deprecated for translation from other formalis...
Algebraic Petri Nets• Signature: sorts + sorted operation symbols    •   Interpretation: sets of values, n-ary functions• ...
Signature: Sorts and           their interpretationSORT a = [ 1 , 5 ];         { 1,2,3,4,5 } b = BOOLEAN;               { ...
Signature: operations         and their interpretationSORT phils = [1 , 5 ]; forks = [1 , 5];FUNCTION leftfork (x : phils)...
Statements in function body EXIT                          leave function RETURN E                      add value of E to r...
Expressions in function body                                                                 pointwise for X      X[a + b]...
Example: NetworkSORT dimensions = [ 1 , 3 ];          row = [ 1 , 3 ];           agent = ARRAY dimensions OF row ;      me...
per value           HL Places                                                tokens of sort forks   PLACE     SAFE p1 : ph...
HL Initial Marking                                        multiterm                                     without variable  ...
HL Transitions                                               valid for allTRANSITION receive WEAK FAIR                    ...
HL Verification tasks                  parentheses                  compulsoryEXISTS x : phils : ( eating . ( x ) > 0 ) AND...
3. State Space Reduction
Plan• Stubborn sets    [Petri Nets 1999]• Symmetry         [Acta Informatica 2000]• Invariants       [TACAS 2003]• Sweep-L...
The Stubborn Set Method
Diamonds from concurrency             s1         a        b     s                s’         b             s2   a          ...
State Explosion by Concurrency   Process A         Process B         Process C                      internal         inter...
Stubborn Sets                     111         211          121               112   311       221    131     212     122   ...
Stubborn SetsIn every marking m:stubborn(m) ⊆ Tfire only activated transitions in stubborn(m)                     111      ...
Stubborn SetsIn every marking m:stubborn(m) ⊆ Tfire only activated transitions in stubborn(m)reduced transition system:   ...
Stubborn SetsIn every marking m:stubborn(m) ⊆ Tfire only activated transitions in stubborn(m)reduced transition system:   ...
Stubborn SetsIn every marking m:stubborn(m) ⊆ Tfire only activated transitions in stubborn(m)reduced transition system:   ...
Stubborn SetsIn every marking m:stubborn(m) ⊆ Tfire only activated transitions in stubborn(m)reduced transition system:   ...
Stubborn SetsIn every marking m:stubborn(m) ⊆ Tfire only activated transitions in stubborn(m)reduced transition system:   ...
Reduced Transition System          111           121                   122            222                              223...
How to Preserve PropertiesCore principle:                              outside stubborn(m)                       m2 implie...
How to Preserve PropertiesCore principle:                               outside stubborn(m)m      w1         m1 t   m2 imp...
How to Preserve PropertiesCore principle:                               outside stubborn(m)m      w1         m1 t   m2 imp...
Preservation of Deadlocks Core principle +                                implies Proof:Let       m         w       d     ...
Preservation of Deadlocks Core principle +                                                  implies Proof:Let       m     ...
Preservation of Deadlocks Core principle +                                                  implies Proof:Let       m     ...
Preservation of Deadlocks Core principle +                                                  implies Proof:Let       m     ...
Preservation of Deadlocks Core principle +                                                  implies Proof:Let       m     ...
Preservation of Deadlocks Core principle +                                                  implies Proof:Let       m     ...
Preservation of Deadlocks Core principle +                                                  implies Proof:Let       m     ...
Preservation of Deadlocks Core principle +                                                  implies Proof:Let       m     ...
Preservation of Deadlocks Core principle +                                                   implies Proof:Let       m    ...
Preservation of Deadlocks Core principle +                                                   implies Proof:Let       m    ...
Preservation of Deadlocks Core principle + m              w                           m’                                  ...
Preservation of Deadlocks Core principle + m              w                           m’                                  ...
Preservation of Deadlocks Core principle + m              w                             m’                                ...
Preservation of LTL/CTLLTLX:Core principle+Visibility: all transitions in stubborn(m) invisible to φ or             stubbo...
LoLA’s ApproachesLet φ be state predicate     Assume m does not satisfy φ         wrup(m, φ ) = some set of transitions su...
TheoremReachability of φ:core principle+ wrup(m, φ) ⊆ stubborn(m)    orig.                            φ            red.   ...
TheoremReachability of φ:core principle+ wrup(m, φ) ⊆ stubborn(m)    orig.                            φ            red.   ...
TheoremReachability of φ:core principle+ wrup(m, φ) ⊆ stubborn(m)    orig.                                   φ            ...
TheoremReachability of φ:core principle+ wrup(m, φ) ⊆ stubborn(m)    orig.                                             φ  ...
TheoremReachability of φ:core principle+ wrup(m, φ) ⊆ stubborn(m)    orig.                                              φ ...
TheoremReachability of φ:core principle+ wrup(m, φ) ⊆ stubborn(m)    orig.                                                ...
Effect• Can be applied to global predicates• Astonishing goal-orientation• Has been relaxed by Kristensen/Valmari (wrup mu...
TSCC based propertiesValmari:core principle+ weak proviso: Every transition in stubborn(m) atleast once in every tscc of r...
TSCC based propertiesIdea:- Construct Valmari’s tscc-preserving state space- Pick one element of each tscc of reduced stat...
CTL/LTL properties•   CTL: Separate search space for each subformula     •   Use wrup for EF and AG     •   Use traditiona...
Symmetries
Symmetric Behavior    Goal: symmetry in transition systemσ is symmetry if:                               ΣTS: set of allσ ...
Equivalence of StatesHave to detect symmetries prior to state space generation,           typically cannot deduce all of t...
Equivalence of StatesHave to detect symmetries prior to state space generation,           typically cannot deduce all of t...
Equivalence of StatesHave to detect symmetries prior to state space generation,           typically cannot deduce all of t...
Equivalence of StatesHave to detect symmetries prior to state space generation,           typically cannot deduce all of t...
Reduced Transition System              TSΣ = [R(m0)/~ , EΣ , [m0]Σ]EΣ = { [ [s],[s’] ] | ex. s ∈ [s], ex. s’ ∈ [s’] : [s,s...
Σ = { Id, σ}                     Example                σ([x,y,z]) =           [y,x,z]                        (i,i,1)     ...
Example Σ = { Id, σ} σ([x,y,z]) =            [y,x,z]                        (i,i,1)          (r,i,1)(c,i,0)               ...
Construction of reduced R := E := ø; dfs(m0); dfs(m)                                Approximation  R := R ∪ {m};  FOR ALL ...
“Traditional” Symmetry         Tools• Depend on “scalar set” data type   • =, ≠, arrays, for each, no constant• Cannot mod...
PN automorphismsBijection σ: P∪T → P∪T is PN automorphism,iff, for all x,y ∈ P∪T:- m0(x) = m0(σ(x))- If [x,y] ∈ F then [σ(...
Example                   2         3                   1         411   11   12   12        13   13   14   1422  ...
Schreier-Sims generating set         U1   U2 U3     subgroup induces partition of whole group        pick one element of e...
Example                        2         3                         1        411        11   12    12       13   13  ...
2      3                    Example 1     4E={2 id, 3      2   ,3   2        3,       2   3                               ...
Another Example        8        7    5       6        4        3        g = g1 o g2 o g3   1         21.        Layer: 1 →...
Orbit Problem: Approximation                             id                    idg11 g12 g13                 g14-1   g21 g...
Orbit Problem: Approximation                                  id                idg11 g12 g13                  g14-1   g21...
Orbit Problem: Approximation                                   id               idg11 g12 g13                  g14-1   g21...
Orbit Problem: Approximation                                   id               idg11 g12 g13                  g14-1   g21...
Orbit Problem: Approximation                                   id                          idg11 g12 g13                  ...
Orbit Problem: Approximation                                   id                       idg11 g12 g13                  g14...
2       3                                     Example                                      2                        2     ...
2       3                                     Example                                      2                        2     ...
2           3                        2                                      Example                                       ...
2           3                        2                                      Example                                       ...
Summary Symmetriescalculation of symmetries, exact solution of orbit problem:           equivalent to graph isomorphism (N...
Summary Symmetriescalculation of symmetries, exact solution of orbit problem:           equivalent to graph isomorphism (N...
Using Petri net invariants in state space
Two approachescompress states (use place invariants)    save space and timeexempt states from storage (use transition inva...
First approach: use place invariantsLet i be place invariant:.For all reachable m:i • m = i • m0                          ...
First approach: use place invariants  Let i be place invariant:.  For all reachable m:  i • m = i • m0                    ...
Example                              3       2 invariant 1: [ 1 1 0 0 0 ]       invariant 2: [ 0 0 0 1 1 ]that is, for all...
Overhead                  appears to be:preprocessing   - time       compute invariants   - space        |inv| • |places| ...
Overhead                  appears to be:            actually is:preprocessing   - time       compute invariants   compute ...
State space construction                    state                     yes/no             state                    pointer ...
State space construction                  state                  yes/no                 state                 pointer     ...
Upper triangular form    1 -1 0 0              1   0     0   0    .   .   -1 1 0 0              -1   0     0   0    0   1 ...
Results1. Space reduction 30% - 55%2. Preprocessing time insignificant3. Run time reduction proportional to space reduction...
Second approach:    what happens if some states are    removed from the depository?  construction still terminates as long...
Second approach:    what happens if some states are    removed from the depository?  construction still terminates as long...
Transition invariants    cycle in state space corresponds to transition                       invariantAssume: Set U of tr...
Example                   3         2    transition invariant: [2,2,3,3]                U = {t}store only states where t...
Problems:1. Too many states enable transitions in U   Solution: combine with partial order reduction2. Unacceptable run ti...
Ad 1: Full vs. Partial: full state space
Ad 1: Full vs. Partial: stubborn set reduced state space
Ad 2: store additional states
Results1. Controllable   space/time trade-off2. Combination    with partial order reduction compulsory3. Combination    wi...
The Sweep-Line Method
Road mapThe sweep-line method (basic/extended)Calculation of a progress measureDiscussion      - Combination with other re...
The sweep-line method (Basic)Idea: state s →     progress value p(s)with         s [t> s‘      p(s) > p(s’)         Unproc...
The sweep-line method (Basic)Idea: state s →     progress value p(s)with         s [t> s‘      p(s) > p(s’)         Unproc...
The sweep-line method (Basic)Idea: state s →     progress value p(s)with         s [t> s‘      p(s) > p(s’)         Unproc...
The sweep-line method (Basic)Idea: state s →     progress value p(s)with         s [t> s‘      p(s) > p(s’)         Unproc...
The sweep-line method (Basic)Idea: state s →     progress value p(s)with         s [t> s‘      p(s) > p(s’)         Unproc...
The sweep-line method (extended)If p is not monotonous:                   t            s’                          s   p(s...
The sweep-line method (extended)If p is not monotonous:                   t            s’                          s      ...
The sweep-line method (extended)    If p is not monotonous:                       t                s’                     ...
Setting for LoLA’s measure-incremental: “transition offsets”       Δ p(t) : m [t> m‘      p(m’) = p(m) + Δ p(t)-not necess...
The measurepartition T into U and TUin U: all transitions linear independentin TU: all transitions linear dependent of U  ...
Examples (figure: vectors for U and TU)
Geometric interpretation                       progressp2            s                p(s)       p3U                      ...
Geometric interpretation                       progressp2            s                p(s)       p3        1U             ...
4. Using LoLA
You will learn how• to choose and manage LoLA configurations• to ask the right verification questions• to optimally model a ...
LoLA Configurations   • Get LoLA:    • http://service-technology.org/files/lola   • Standard Workflow:    • edit userconfig.H ...
userconfig.H • What to check? • Which reduction techniques to use? • Other parameters
The optimal configuration1. Know your net!  • Is it bounded? Do you know the bound? Is it safe?  • Do you have a feeling on...
Analysis Tasks• DEADLOCK• REACHABILITY, FINDPATH, STATEPREDICATE• BOUNDEDPLACE, BOUNDEDNET• DEADTRANSITION• REVERSIBILITY,...
Reduction Techniques• STUBBORN - stubborn sets• PREDUCTION - invariant-based compression• SYMMETRY - symmetry reduction• C...
Stubborn Sets• STUBBORN• when to use: always• compatibility: all other techniques• switch RELAXED to chose more efficient  ...
Invariant-based Compression    • PREDUCTION    • when to use: always    • compatibility: not with sweep-line method preduc...
Symmetries• SYMMETRY• when to use: net is made of several  symmetric components• runtime overhead• compatibility: not with...
Coverability Graph• COVER• when to use: mostly clear from the context• compatibility: stubborn sets and symmetry• use with...
Cycle Coverage• CYCLE• when to use: can help sometimes• runtime overhead• use with stubborn sets to reduce number  of succ...
Sweep-line• SWEEP• when to use: behavior has several acyclic  stages - always worth a try• compatibility: stubborn set met...
Small State Representation  • SMALLSTATE  • when to use: only for simple reachability    questions  • compatibility: all o...
Reduction techniques               Not all               combinations               make sense!               LoLA takes  ...
Other parameters• BREADTH_FIRST: search strategy• CAPACITY: fix a maximal number of tokens per place• CHECKCAPACITY: check ...
Manage configurations   • one binary for each configuration   • fight complexity:    • ask LoLA for its configuration    • pre...
Ask LoLA
Predefined configurations: several reasonable standard configurations
Generate offspring: generates a userconfig.H for the given binary
Build script: downloads the sources and generates a configured binary with a random name
You will learn how• to choose and manage LoLA configurations ✔• to ask the right verification questions• to optimally model ...
Ask the right questions• be as specific as possible• ask one aspect at a time• exploit all knowledge• transform complex que...
Be specific!  • most questions can be formulated with CTL  • LoLA has dedicated routines:   • EF φ - use STATEPREDICATE   •...
Ask one aspect at a time!• Garavel’s challenge: check quasiliveness of a  net with 776 transitions• naive way: build one s...
Use all knowledge!                   end of a procedure, see Figure 1. The tasks are modeled by transit                   ...
Transform your problem!• original question: relaxed soundness (every  transition fires in at least one terminating run)• st...
Problem hierarchy•   MODELCHECKING (CTL algorithms, hardly any reduction possible)•   BOUNDEDNET (coverability graph)•   S...
You will learn how• to choose and manage LoLA configurations ✔• to ask the right verification questions ✔• to optimally mode...
“optimal” Petri nets• have verification in mind• don’t use expensive constructs (reset arcs)• don’t spoil the reduction tec...
High-level guards   • use guards to exclude implausible transition bindings   • results in quicker unfoldingTRANSITION Man...
Concurrency• use concurrency where possible• avoid unnecessary ordering of events• makes symmetry/stubborn sets applicable...
erformed only if scope Q is allowed to continue its normal p             Avoid global statesop, the core action of X is by...
Flexible model generation    • model with verification question in mind    • for each question have a dedicated model      ...
Scale by structure• when possible, scale model by structure,  not by the number of tokens• in LoLA: just increase sort• ra...
You will learn how• to choose and manage LoLA configurations ✔• to ask the right verification questions ✔• to optimally mode...
Script LoLA• LoLA follows the UNIX philosophy • every tool does one thing    (and that thing right)  • tools communicate w...
LoLA’s exit codes• 0: specified state or deadlock found/net or place  unbounded/home marking exists/net is reversible/  pre...
LoLA’s exit codes• exit code allow for simple workflows in the shell• (lola1 net.lola && lola2 net.lola && echo  “OK”) || e...
Example: Scripting• Garavel’s challenge• quasiliveness of 776 transitions checked in 776 runs• shell script:    1. extract...
Example: Makefile• check for relaxed soundness• for each transition:    1. create manipulated net    2. generate analysis t...
You will learn how• to choose and manage LoLA configurations ✔• to ask the right verification questions ✔• to optimally mode...
Integrating LoLA into Wendy• Wendy: a tool to synthesize partners for services• algorithm needs a lot of small state space...
Integrating LoLA• integration is easy when using C: const char *c = "lola-full tempfile.lola -M"; FILE *pipe = popen(c, "r"...
You will learn how• to choose and manage LoLA configurations ✔• to ask the right verification questions ✔• to optimally mode...
5. Case Studies (Niels Lohmann)
Exploring biochemical reaction chains: The ErbB Network (cartoon form)
Reaction chains• Domain: symbolic system biology• “Symbolic systems biology is the  qualitative and quantitative study of ...
Mcf2-act            Rhob-GDP                   Ngef-reloc            Trio-act                                             ...
Reaction chains• “For reachability queries on our nets,  answering a reachability query that would  have taken hours using...
Finding Hazards in GALS Circuits
GALS circuits• Domain: asynchronous/  synchronous hardware design• prototype for IEEE-802.11 chip• asynchronous hardware i...
Glitch                P(a) = 1a                    AND          P(c) = 0                                              cb  ...
Glitch                P(a) = 1            0a                    AND          P(c) = 0                                     ...
Glitch                P(a) = 1 0            0a                    AND          P(c) = 0 0                                 ...
Glitch                P(a) = 1 0            0a                    AND          P(c) = 0 0            1                    ...
Glitch                P(a) = 1 0            0a                    AND          P(c) = 0 0 0            1                  ...
Glitch                P(a) = 1a                    AND          P(c) = 0                                              cb  ...
Glitch                P(a) = 1a                    AND          P(c) = 0            1                                 cb  ...
Glitch                P(a) = 1a                    AND          P(c) = 0 1            1                                  c...
Glitch                P(a) = 1            0a                    AND          P(c) = 0 1            1                      ...
Glitch                P(a) = 1 0            0a                    AND          P(c) = 0 1 0            1                  ...
Glitch                P(a) = 1 0            0a                    AND          P(c) = 0 1 0            1                  ...
Petri Net Model of AND (inputs a, b; output c) • Events • Level • Logics
Petri Net Model of AND                 (P(a),P(b))           a        01• Events            11                           c...
Petri Net Model of AND                 (P(a),P(b))           a        01• Events            11                           c...
Petri Net Model of AND                 (P(a),P(b))           a        01• Events            11                           c...
GALS circuits   • Property: reachability   • Problem:    • partial order reduction not effective         enough in isolati...
Verifying Service Choreographies
Service Choreography• Domain: service-oriented  architectures• Original model: BPEL4Chor• translation: compiler  BPEL2oWFN...
Service Choreography • one traveller, one travel agency, several airlines
Service Choreography (bpel4chor)
Service Choreography • Composition can deadlock! (bpel4chor)
Service ChoreographyCase Study                               airline instances                                            ...
Service ChoreographyCase Study                               airline instances                                            ...
Service ChoreographyCase Study                               airline instances                                            ...
Soundness of Business Processes
Soundness• 735 real-world business processes  from IBM customers• original formalism: UML dialect  from the IBM Websphere ...
Soundness• “IBM Soundness” = absence of • lack of synchronization (= unsafe marking) • deadlock (= deadlock) • + certain a...
Soundness            for each SESE fragment        choice depends on SESE fragment           always perform both checks   ...
Soundness   • execution scheduled and optimized using     Makefiles   • max. 50 ms per check   • “analysis on demand”   • o...
Verification of Concurrent Programs
Concurrent Programs• concurrent processes• shared and global variables• goal: find Aa. small-model roening, and T . Wahl   ...
Concurrent Programs   • problem can be solved by checking for      reachable states in a coverability graph   • challenge:...
Solving AI Planning Problems
AI Planning• setting: smart conference room• several projectors, canvases, documents,  and lamps• AI planning problem: Con...
AI Planning • straightforward translation to state predicateGoals:                     FORMULA( LightOn 1 Lamp1 );        ...
6. Integrating LoLA
• soundness checks: • classical soundness • weak soundness • relaxed soundness• integration as Web service
• http://oryx-project.org/oryx/editor;petrinet• http://esla.informatik.uni-rostock.de/  service-tech/.lola
• generic plugin for standard Petri net  properties• nets are translated from PNML to LoLA  format• LoLA is called as syst...
7. Implementation
Plan•   Firing a transition•   Evaluating a state predicate•   Managing the state space•   Organizing search•   Detecting ...
Firing transitionsMarking changed via list of pre-, list of post-places effort does not depend on size of netAfter firing,...
Checking state predicates• predicate = boolean combination of     • p {><=≤≥≠} k• stored in negation-free normal form     ...
Managing the state space: 1st state = bit vector
Managing the state space: find/insert a marking: one integrated process
Organizing search  General remarksSearch consists of - fire transitions ✔ - find/insert marking ✔  - backtracking: fire trans...
Organizing searchb) Depth-first search: ability to detect SCCc) Breadth-first search:Simulated by bounded depth-first search ...
Detecting strongly connected             components    • Traditional approach: Tarjan‘s algorithm         4               ...
Detecting strongly connected             components    • LoLA approach: simplified lowlink         4                       ...
Reduction techniques
Stubborn Sets  • Crucial: Core principle  • Simple method:    –If t enabled, add conflicting transitions    –If t disabled,...
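The simple stubborn-set construction described on this slide, carried through as an added example (my code, not the tutorial's and not LoLA's): a depth-first deadlock search over the full and over the stubborn-set reduced state space of two nets the tutorial uses for motivation, the non-interacting processes of the state-explosion slide and three dining philosophers. The net encoding and all class and function names are my own.

```python
# Added example, not code from the LoLA tutorial or from LoLA itself: the "simple
# method" for stubborn sets (enabled t: add the transitions in conflict with t;
# disabled t: add the pre-transitions of one insufficiently marked pre-place) in a
# deadlock-preserving reduced DFS.  The net encoding and all names are my own.

class PTNet:
    def __init__(self):
        self.places, self.index, self.m0 = [], {}, []
        self.pre, self.post = {}, {}             # t -> {p: arc weight}
        self.consumers, self.producers = {}, {}  # p -> set of transitions

    def add_place(self, name, tokens=0):
        self.index[name] = len(self.places)
        self.places.append(name)
        self.m0.append(tokens)
        self.consumers[name], self.producers[name] = set(), set()

    def add_transition(self, name, consume, produce):
        self.pre[name], self.post[name] = dict(consume), dict(produce)
        for p in consume:
            self.consumers[p].add(name)
        for p in produce:
            self.producers[p].add(name)

    def enabled(self, m, t):
        return all(m[self.index[p]] >= w for p, w in self.pre[t].items())

    def fire(self, m, t):
        m2 = list(m)
        for p, w in self.pre[t].items():
            m2[self.index[p]] -= w
        for p, w in self.post[t].items():
            m2[self.index[p]] += w
        return tuple(m2)

    def stubborn(self, m):
        """Enabled transitions of a stubborn set at m.  Seeding the closure with
        an enabled transition supplies the key transition the core principle
        needs, so a deadlock is reachable in the reduced graph iff in the full one."""
        enabled = [t for t in self.pre if self.enabled(m, t)]
        if not enabled:
            return []                                # m is a deadlock
        stub, todo = {enabled[0]}, [enabled[0]]
        while todo:
            t = todo.pop()
            if self.enabled(m, t):
                # whatever can disable t consumes from a pre-place of t
                new = set().union(*(self.consumers[p] for p in self.pre[t]))
            else:
                # scapegoat place p with m(p) < W(p,t): only its producers can
                # enable t, so transitions outside the set keep t disabled
                p = next(p for p, w in self.pre[t].items() if m[self.index[p]] < w)
                new = self.producers[p]
            for u in new - stub:
                stub.add(u)
                todo.append(u)
        return [t for t in enabled if t in stub]

    def search(self, reduce=True):
        """DFS over the full or the stubborn-set reduced state space; returns
        (number of states, first deadlock as {place: tokens} or None)."""
        m0 = tuple(self.m0)
        seen, stack, deadlock = {m0}, [m0], None
        while stack:
            m = stack.pop()
            succ = self.stubborn(m) if reduce else [t for t in self.pre if self.enabled(m, t)]
            if not succ and deadlock is None:
                deadlock = {p: m[i] for p, i in self.index.items() if m[i]}
            for m2 in (self.fire(m, t) for t in succ):
                if m2 not in seen:
                    seen.add(m2)
                    stack.append(m2)
        return len(seen), deadlock


def independent_processes(n_procs=3, steps=3):
    """'State explosion by concurrency': n non-interacting sequential processes."""
    net = PTNet()
    for i in range(n_procs):
        for k in range(steps + 1):
            net.add_place(f"P{i}_{k}", int(k == 0))
        for k in range(steps):
            net.add_transition(f"step{i}_{k}", {f"P{i}_{k}": 1}, {f"P{i}_{k + 1}": 1})
    return net


def dining_philosophers(n=3):
    """Each philosopher takes the left fork, then the right one, eats, releases."""
    net = PTNet()
    for i in range(n):
        for p, k in ((f"think{i}", 1), (f"hasleft{i}", 0), (f"eat{i}", 0), (f"fork{i}", 1)):
            net.add_place(p, k)
    for i in range(n):
        r = (i + 1) % n                              # right fork is shared with i+1
        net.add_transition(f"takeleft{i}", {f"think{i}": 1, f"fork{i}": 1}, {f"hasleft{i}": 1})
        net.add_transition(f"takeright{i}", {f"hasleft{i}": 1, f"fork{r}": 1}, {f"eat{i}": 1})
        net.add_transition(f"release{i}", {f"eat{i}": 1},
                           {f"think{i}": 1, f"fork{i}": 1, f"fork{r}": 1})
    return net
```

`net.search(reduce=False)` and `net.search(reduce=True)` return (state count, deadlock marking); for `independent_processes()` they give 64 and 10 states with the same deadlock, for `dining_philosophers()` both find the all-left-forks deadlock.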
The sweep-line method• constant change  successors lie in a small window of  progress values                             ...
The goal of the tutorial is that participants understand the capabilities of LoLA and can assess the applicability of the tool in their context. They learn how to optimally exploit the available state space reduction techniques. They learn about several opportunities for linking LoLA to their problem domain.
Speaker notes:
  • Problem here: delta T becomes arbitrarily small
  • Level places (Pegelplätze) -> trivial idea; edge places (Flankenplätze) -> D. Gomm
  • Level places (Pegelplätze): an LL net suffices

    1. Verification with LoLA. Niels Lohmann and Karsten Wolf. The Blue Angel (Germany, 1930); Run Lola Run (Germany, 1998)
    2. What is LoLA? • Explicit state space generation • Place/Transition nets • Focus on standard properties • Many reduction techniques, unique features • Stream based interface • Open source
    3. Where does it come from? • INA - Integrated Net Analyzer by Peter Starke • grown for a long time • state space and structural techniques • several net classes • suboptimal design decisions • MODULA 2 • Papers needed tables with absolute run times
    4. Purpose • Generate competitive “experimental results” tables • Explore impact of basic design decisions • ... Ship as tool
    5. Milestones • 1998: 1st release • 1998-2005: State space reduction techniques • 2000: Presentation at Petri Nets • 2005-: Case studies, integration • 2007: Invited talk at Petri Nets • since 2008: Implementation of software development processes
    6. Basic Design Decisions • No GUI • Realistic nets are generated, not painted • GUI blocks portability • Many GUIs available, simple connection possible • Do not want user interaction during verification
    7. Basic Design Decisions • One property, one state space • as opposed to query languages on state spaces • One property, one dedicated reduction • Benefit from on-the-fly verification • Generation faster than loading
    8. Basic Design Decisions • Configuration at compile time • property class, search strategy, reductions • #define instead of if() • repeated runs in same configuration
    9. Featured Properties • Boundedness (place) • Boundedness • Reachability (marking) • Reachability (predicate) • Deadlocks • Death (transition) • Liveness (predicate) • Reversibility • Home states • LTL properties F φ, GF φ, FG φ (predicate) • CTL (formula)
    10. Featured Reductions • Stubborn Sets (unique: dedicated techniques for standard properties) • Symmetries (unique: automated determination of symmetries in low level net) • Sweep-Line (unique: automated calculation of a progress measure) • Reduction based on S/T invariants (unique) • Coverability graphs (unique: combination with other reductions)
    11. Goal of Tutorial • Can LoLA help you? • Where (and why) does it perform well? • How to (optimally) use it, to integrate it
    12. Outline • Introduction: motivation, background, history; preview and outline; basic notions; first demo • Input Language • State Space Techniques • Using LoLA • Case Studies • Integrating LoLA • Implementation
    13. Basic notions: net • Net: [P,T,F,W,m0] • P,T finite, nonempty, disjoint • F ⊆ (P x T) ∪ (T x P) • W: F → N+ • m0: P → N • Firing • t activated in m: (p,t) ∈ F ⇒ m(p) ≥ W(p,t) • firing m [t> m’: m’(p) = m(p) - W(p,t) + W(t,p) • State space: states: reachable markings; edges: m [t> m’
    14. Basic notions: properties • Place p is bounded iff there is a k such that, for all reachable m, m(p) < k • Transition t is dead iff it is not activated in any reachable marking • State predicate φ (p < k, p > k, p ≤ k, p ≥ k, p = k, p ≠ k, φ∧φ, φ∨φ, ¬φ) is reachable iff some reachable marking satisfies φ; live iff, from every reachable marking, a marking is reachable that satisfies φ • Net is bounded iff all places are; is reversible iff the initial marking is reachable from all reachable markings; has home states iff some marking is reachable from all reachable markings; is deadlock-free iff every reachable marking activates at least one transition
    15. Basic notions: Temporal Logic • LTL: infinite path (starting in m0) satisfies ... • F φ: φ is satisfied at least once • GF φ: φ is satisfied in infinitely many markings • FG φ: φ is satisfied forever from some marking on • CTL: marking m satisfies ... • AX (EX) φ: φ holds in all (some) immediate successor markings • AF (EF) φ: every (some) path from m contains a marking satisfying φ • AG (EG) φ: on every (some) path from m, φ holds in all markings • A(E) φ U ψ: on every (some) path starting in m, there is a marking that satisfies ψ such that all preceding markings satisfy φ
    16. Basic notions: State Space • Strongly connected component (scc): max set of mutually reachable states; partitions state space; sccs form an acyclic graph, maximal elements: terminal scc (tscc) • Properties vs scc: reversible: net has one scc; home states: net has one tscc; live: satisfiable in all tscc
    17. Basic notions: Search • Depth first: can be extended easily for detecting cycles and scc; tends to yield long paths • Breadth first: difficult to detect cycles and scc; yields shortest path
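The notions on slides 13 to 17 (firing rule, reachable markings, deadlocks, scc and tscc, depth-first search with a find/insert depository) fit into one small program. The following is an added example written for this page, not LoLA's code: one depth-first search with Tarjan-style lowlink bookkeeping computes the reachable markings and their sccs, and the standard properties are then read off the scc structure exactly as slide 16 states them (reversible iff one scc, home states iff one tscc). The two nets (a semaphore mutex and two processes acquiring two forks in opposite order) and all class and function names are constructed for illustration.

```python
"""Explicit state space generation for a place/transition net along the
lines of the slides: depth-first search, a depository of visited markings
for find/insert, and Tarjan-style lowlink bookkeeping so that sccs and
terminal sccs fall out of the same search. Added example, not LoLA's code."""
import sys

sys.setrecursionlimit(10000)


class Net:
    """[P, T, F, W, m0] with arc weights stored as vectors in place order."""

    def __init__(self, places, transitions, m0):
        self.places = list(places)
        self.idx = {p: i for i, p in enumerate(self.places)}
        self.transitions = {}
        for t, (consume, produce) in transitions.items():
            self.transitions[t] = (tuple(consume.get(p, 0) for p in self.places),
                                   tuple(produce.get(p, 0) for p in self.places))
        self.m0 = tuple(m0.get(p, 0) for p in self.places)

    def enabled(self, m):
        """t is activated in m iff m(p) >= W(p,t) for every input place p."""
        return [t for t, (c, _) in self.transitions.items()
                if all(m[i] >= c[i] for i in range(len(m)))]

    def fire(self, m, t):
        """m [t> m' with m'(p) = m(p) - W(p,t) + W(t,p)."""
        c, d = self.transitions[t]
        return tuple(m[i] - c[i] + d[i] for i in range(len(m)))


def explore(net):
    """DFS over the reachable markings; returns states, edges, deadlocks,
    the list of sccs and the terminal sccs (no edge leaves them)."""
    depository = {}          # marking -> DFS number (the find/insert structure)
    low = {}                 # lowlink per marking
    stack, on_stack, sccs, edges, deadlocks = [], set(), [], {}, []

    def dfs(m):
        depository[m] = low[m] = len(depository)
        stack.append(m)
        on_stack.add(m)
        succs = [(t, net.fire(m, t)) for t in net.enabled(m)]
        edges[m] = succs
        if not succs:
            deadlocks.append(m)
        for _, m2 in succs:
            if m2 not in depository:
                dfs(m2)
                low[m] = min(low[m], low[m2])
            elif m2 in on_stack:
                low[m] = min(low[m], depository[m2])
        if low[m] == depository[m]:           # m is the root of an scc
            comp = set()
            while True:
                x = stack.pop()
                on_stack.discard(x)
                comp.add(x)
                if x == m:
                    break
            sccs.append(comp)

    dfs(net.m0)
    tsccs = [c for c in sccs if all(m2 in c for m in c for _, m2 in edges[m])]
    return {"states": depository, "edges": edges, "deadlocks": deadlocks,
            "sccs": sccs, "tsccs": tsccs}


def verdicts(net):
    """The standard properties, decided from the scc structure as on the slides."""
    r = explore(net)
    states = list(r["states"])
    return {
        "states": len(states),
        "deadlock_free": not r["deadlocks"],
        "reversible": len(r["sccs"]) == 1,       # one scc
        "home_states": len(r["tsccs"]) == 1,     # one tscc
        "bounds": {p: max(m[i] for m in states) for p, i in net.idx.items()},
    }


def mutex_net():
    """Constructed: two processes sharing one semaphore token."""
    return Net(["idle_a", "crit_a", "idle_b", "crit_b", "sem"],
               {"enter_a": ({"idle_a": 1, "sem": 1}, {"crit_a": 1}),
                "leave_a": ({"crit_a": 1}, {"idle_a": 1, "sem": 1}),
                "enter_b": ({"idle_b": 1, "sem": 1}, {"crit_b": 1}),
                "leave_b": ({"crit_b": 1}, {"idle_b": 1, "sem": 1})},
               {"idle_a": 1, "idle_b": 1, "sem": 1})


def fork_net():
    """Constructed: two processes taking two forks in opposite order."""
    return Net(["a0", "a1", "a2", "b0", "b1", "b2", "f1", "f2"],
               {"a_take1": ({"a0": 1, "f1": 1}, {"a1": 1}),
                "a_take2": ({"a1": 1, "f2": 1}, {"a2": 1}),
                "a_release": ({"a2": 1}, {"a0": 1, "f1": 1, "f2": 1}),
                "b_take2": ({"b0": 1, "f2": 1}, {"b1": 1}),
                "b_take1": ({"b1": 1, "f1": 1}, {"b2": 1}),
                "b_release": ({"b2": 1}, {"b0": 1, "f1": 1, "f2": 1})},
               {"a0": 1, "b0": 1, "f1": 1, "f2": 1})


if __name__ == "__main__":
    for name, net in (("mutex", mutex_net()), ("forks", fork_net())):
        print(name, verdicts(net))
```

The mutex net has 3 reachable markings in a single scc, so it is reversible, has home states and is deadlock-free. The fork net has 6 markings and 2 sccs: the marking in which each process holds one fork is a deadlock and forms the only tscc, so the net is not reversible yet does have a home state (the deadlock itself), which is exactly why "home states" and "deadlock-free" are separate properties on slide 9.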
    18. 2. The LoLA Input Language
    19. Plan • Place/Transition nets • Verification task • High-Level nets • Demo
    20. Place/Transition Nets (N = [P,T,F,W,m0])
        PLACE p1, p2, p3, p4;
        MARKING p1:2, p3:1, p1:1;
        { this is a comment }
        TRANSITION t1 CONSUME p1:3, p2: 1; PRODUCE p3: 2, p1 : 2;
        TRANSITION t2 CONSUME p3 : 1; PRODUCE ;
        Slide annotations: treated as variables; can be replaced as a whole; compatible with computed markings; treated as procedures; only one reference per arc
    21. Identifiers: many special characters permitted, e.g. p4 23 message[x=13,from=”bla”]. Reason: easier for tools to generate such names
    22. Storage directives: if bounds for some places are known:
        PLACE p0; SAFE 3: p1, p2; SAFE 7: p3, p4; SAFE: p5;
        (p0: default, #CAPACITY in userconfig.H; SAFE: = SAFE 1)
        Only for internal memory allocation, no capacity!
    23. Fairness Constraints: needed for the LTL properties only (fair CTL is not supported so far)
        TRANSITION t1 STRONG FAIR ...
        TRANSITION t2 WEAK FAIR ...
        TRANSITION t3 ...
    24. Verification Task Input • Can be specified inline or as separate file • For boundedness of places: ANALYSE PLACE p1 • For dead transitions: ANALYSE TRANSITION t2 • For all properties involving a state predicate: FORMULA (p1 > 3 OR p2 <= 7) AND NOT p6 = 1 • For CTL model checking: FORMULA EXPATH ALWAYS ALLPATH EVENTUALLY p1 > 3; FORMULA EXPATH (p1 > 7 UNTIL p2 < 3)
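Slides 20 to 23 give the low-level net syntax (PLACE with SAFE groups, MARKING, comments in braces, TRANSITION with CONSUME/PRODUCE and an optional STRONG FAIR / WEAK FAIR clause). Since slide 21 stresses that such files are generated by other tools, a reader of the format should validate what it gets rather than trust it. The following is an added example, not LoLA's own parser: it reads the syntax shown on those slides into plain Python dictionaries and rejects references to undeclared places and negative weights. Two simplifications are assumptions of this example: identifiers contain no whitespace and none of `, ; :` (LoLA allows more exotic names), and a place listed twice in one section has its weights summed. ANALYSE and FORMULA lines (slide 24) are not covered.

```python
"""A small reader for LoLA's low-level net input (PLACE / MARKING /
TRANSITION sections as shown on the slides). Added example, not LoLA's own
parser: it covers the syntax on the slides and validates references, so a
net generated by another tool fails loudly instead of being silently misread."""
import re

# Tokens: { comments }, the punctuation , ; : and everything else as one word.
# Assumption: identifiers contain no whitespace and none of , ; :
TOKEN = re.compile(r'\{[^}]*\}|[,;:]|[^\s,;:]+')


def tokenize(text):
    return [t for t in TOKEN.findall(text) if not t.startswith('{')]


def parse_lola_net(text):
    toks = tokenize(text)
    pos = 0
    net = {"places": [], "safe": {}, "marking": {}, "transitions": {}, "fairness": {}}

    def peek():
        return toks[pos] if pos < len(toks) else None

    def take(expected=None):
        nonlocal pos
        if pos >= len(toks):
            raise ValueError("unexpected end of input")
        tok = toks[pos]
        pos += 1
        if expected is not None and tok != expected:
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        return tok

    def multiset():
        """'p1:3, p2: 1;' -> {'p1': 3, 'p2': 1}; a bare 'p' counts as p:1.
        Assumption: a place listed twice has its weights summed."""
        result = {}
        while peek() != ';':
            p = take()
            w = 1
            if peek() == ':':
                take(':')
                w = int(take())
            result[p] = result.get(p, 0) + w
            if peek() == ',':
                take(',')
        take(';')
        return result

    while peek() is not None:
        kw = take()
        if kw == "PLACE":
            while True:                       # 'p0;' or 'SAFE 3: p1, p2;' groups
                bound = None
                if peek() == "SAFE":
                    take("SAFE")
                    bound = 1 if peek() == ':' else int(take())   # SAFE = SAFE 1
                    take(':')
                while peek() != ';':
                    p = take()
                    net["places"].append(p)
                    if bound is not None:
                        net["safe"][p] = bound
                    if peek() == ',':
                        take(',')
                take(';')
                if peek() != "SAFE":
                    break
        elif kw == "MARKING":
            net["marking"] = multiset()
        elif kw == "TRANSITION":
            name = take()
            if peek() in ("STRONG", "WEAK"):
                net["fairness"][name] = take()
                take("FAIR")
            take("CONSUME")
            consume = multiset()
            take("PRODUCE")
            produce = multiset()
            net["transitions"][name] = (consume, produce)
        else:
            raise ValueError(f"unknown section {kw!r}")

    # Validation: every referenced place must be declared, no negative weights.
    declared = set(net["places"])
    refs = list(net["marking"].items())
    for consume, produce in net["transitions"].values():
        refs += list(consume.items()) + list(produce.items())
    for p, w in refs:
        if p not in declared:
            raise ValueError(f"undeclared place {p!r}")
        if w < 0:
            raise ValueError(f"negative weight on {p!r}")
    return net


# Constructed input assembled from the fragments on slides 20, 22 and 23.
SAMPLE_NET = """
PLACE p0; SAFE 3: p1, p2; SAFE 7: p3, p4; SAFE: p5;
MARKING p1:2, p3:1, p1:1;
{ this is a comment }
TRANSITION t1 CONSUME p1:3, p2: 1; PRODUCE p3: 2, p1 : 2;
TRANSITION t2 WEAK FAIR CONSUME p3 : 1; PRODUCE ;
"""
```

`parse_lola_net(SAMPLE_NET)` yields six places, SAFE bounds for p1 to p5 only (p0 keeps the default), the marking `{p1: 3, p3: 1}`, and t2 with an empty PRODUCE set and WEAK fairness; a file such as `PLACE a; MARKING b:1;` is rejected with a `ValueError` naming the undeclared place.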
    25. High Level Net Input • Main purpose: to obtain scalable sequences of models • Deprecated for translation from other formalisms (problem: semantic conformance) • Will be unfolded into place/transition net anyway • Experience: parsing from UNIX pipe no time issue • Style: algebraic Petri nets with explicit interpretation
    26. Algebraic Petri Nets • Signature: sorts + sorted operation symbols; interpretation: sets of values, n-ary functions • Places: annotated with sort (type) symbol; interpretation: set of values (colors) • Transitions: annotated with set of variables, guard expression; interpretation: every valid assignment is a firing mode • Arcs: annotated with terms over the transition variables; interpretation: map from firing mode of transition into color set of place • Marking: written as multiset of terms
    27. Signature: Sorts and their interpretation
        SORT a = [ 1 , 5 ];                              { 1,2,3,4,5 }
             b = BOOLEAN;                                { TRUE, FALSE }
             c = ENUMERATE red blue green END;           { red, blue, green }
             d = ARRAY [1,3] OF BOOLEAN;                 { [FALSE|FALSE|FALSE], ... , [TRUE|TRUE|TRUE] }
             e = RECORD receiver : a; sender : b; END ;  { <1|FALSE>, ...., <3|TRUE> }
        “successor” canonically defined on each value set; scalar sorts arbitrary; each value has a unique text representation
    28. Signature: operations and their interpretation
        SORT phils = [1 , 5 ]; forks = [1 , 5];
        FUNCTION leftfork (x : phils) : forks        { signature }
        BEGIN RETURN x END                            { interpretation }
        FUNCTION rightfork(x : phils): forks
        BEGIN RETURN x + 1 END
        FUNCTION allthinking () : phils
        VAR x : phils;
        BEGIN FOR ALL x DO RETURN x END END
        Expressions evaluate on all integers, assignments align to value set (modulo arithmetic); result is a multiset
    29. Statements in function body • EXIT: leave function • RETURN E: add value of E to return multiset, continue • L = E: assignment • S1 ; S2: sequential composition • WHILE E DO S END: while loop • REPEAT S UNTIL E END: until loop • FOR x := E1 TO E2 DO S END: for loop in canonical order of values • FOR ALL x DO S END: for loop through all elements of sort of x • IF E THEN S1 [ELSE S2] END: branch statement • SWITCH E CASE E1: S1 ... CASE En: Sn ELSE S END: multibranch statement
    30. Expressions in function body • constants: 645, TRUE, FALSE • A <-> B, A -> B, A AND B, A OR B, NOT A • A<B, A <= B, A>B, A >= B, A=B, A <> B, A#B • A+B, A*B, A-B, A/B, A MOD B (no modulo before assignment) • (E) • [ E1 | E2 | .... | En ], X[a + b], X.c[a + b]: arrays and records, pointwise for X • bla ( E1, ...., En ): function must return exactly one value
    31. Example: Network
        SORT dimensions = [ 1 , 3 ]; row = [ 1 , 3 ];
             agent = ARRAY dimensions OF row ;
             message = RECORD receiver : agent; sender : agent; END;
        FUNCTION X (a:agent;b:agent):message
        VAR m : message;
        BEGIN m . receiver = a; m . sender = b; RETURN m END
        FUNCTION N(z:agent):agent
        VAR l : dimensions; low : row; high : row;
        BEGIN low = 1; high = low - 1; { remind canonical order }
          FOR ALL l DO
            IF z [ l ] > low THEN z [ l ] = z [ l ] - 1; RETURN z; z[l]=z[l]+1 END;
            IF z [ l ] < high THEN z [ l ] = z [ l ] + 1; RETURN z; z[l]=z[l]-1 END
          END
        END
    32. HL Places
        PLACE SAFE p1 : phils, p2 : forks , p3 ; ...
        (p1: tokens of sort phils; p2: tokens of sort forks; p3: low level place)
        unfolded to: PLACE SAFE p1.1, p1.2, p1.3, p1.4, p1.5, p2.1, p2.2, p2.3, p2.4, p2.5, p3;   (one low level place per value)
    33. HL Initial Marking
        MARKING th : allphilosophers(), fo : L(allphilosophers()), th.2 : 3, p3 : 5;
        (multiterm without variables, sorts must fit; th.2: unfolded name; p3: low level place)
    34. HL Transitions
        TRANSITION receive WEAK FAIR                                   { valid for all instances }
        VAR sender , receiver : agent;
        GUARD is_neighbour( sender , receiver)                         { firing mode }
        CONSUME channel : X ( sender, receiver )
        PRODUCE channel : X (N(sender),sender), internal : receiver   { multiterms }
        unfolded to:
        TRANSITION receive.[sender=1,receiver=2] WEAK FAIR CONSUME ....
        Only instances with satisfied guards are generated. Isolated places are finally removed.
    35. HL Verification tasks (parentheses compulsory; [ ... ] encloses any expression)
        EXISTS x : phils : ( eating . ( x ) > 0 ) AND thinking.1 = 0
        ALL y : phils : ( [y = 1] OR fo . ( L(y) ) = 0 )
    36. 3. State Space Reduction
    37. Plan • Stubborn sets [Petri Nets 1999] • Symmetry [Acta Informatica 2000] • Invariants [TACAS 2003] • Sweep-Line [TACAS 2004]
    38. The Stubborn Set Method
    39-40. Diamonds from concurrency [figure: a diamond s -a-> s1 -b-> s’ and s -b-> s2 -a-> s’]
    41. State Explosion by Concurrency [figure: Processes A, B, C, each with internal steps and a sync step; the product state space with states 111, 211, 121, ..., 333]
    42-48. Stubborn Sets: in every marking m: stubborn(m) ⊆ T; fire only activated transitions in stubborn(m); reduced transition system: [figure: the same state space, with the explored part built up step by step]
    49. Reduced Transition System [figure: states 111, 121, 122, 222, 223, 323, 333]
    50-52. How to Preserve Properties. Core principle: m -w1-> m1 -t-> m2 with w1 outside stubborn(m) and t in stubborn(m) implies m -t-> m1’ -w1-> m2; plus property specific requirements. Presence of the right path justifies absence of the left path.
    53-66. Preservation of Deadlocks. Core principle + [figure: m -w-> m’ implies t: a transition t of stubborn(m) activated in m is still activated in m’] implies deadlock preservation. Proof: Let m -w-> d with length(w) minimal. 1st case: some t of stubborn(m) occurs in w: m -w1-> s1 -t-> m2 -w2-> d, hence m -t-> m1’ -w1-> m2 -w2-> d; m1’ is in the reduced TS and closer to d! 2nd case: no t of stubborn(m) occurs in w: m -w-> d, and t is still activated in d: d is not a deadlock!
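The "Simple method" bullet of the earlier Stubborn Sets slide (if t is enabled, add its conflicting transitions; if t is disabled, add transitions that can enable it) and the deadlock-preservation argument of slides 53 to 66 can be checked by running both state spaces side by side. The following is an added example, not LoLA's code. It builds stubborn(m) as the closure of one activated transition under those two rules, fires only activated transitions of stubborn(m) as on slide 43, and compares the result with the full state space. The three-process net mirrors the shape of the state explosion example (slides 41 and 49); the fork net adds a deadlock and an independent process so that both the reduction and the preservation of the deadlock are visible. Both nets and all names are constructed for illustration.

```python
"""Stubborn-set reduction for deadlock detection: the simple construction
from the slides (enabled t: add the transitions competing for its input
places; disabled t: add the producers of one insufficiently marked input
place) and a comparison of the reduced and the full state space.
Added example, not LoLA's code; both nets are constructed for illustration."""


class Net:
    def __init__(self, places, transitions, m0):
        self.places = list(places)
        # name -> (consume, produce) as weight tuples in place order
        self.tr = {t: (tuple(c.get(p, 0) for p in places),
                       tuple(d.get(p, 0) for p in places))
                   for t, (c, d) in transitions.items()}
        self.m0 = tuple(m0.get(p, 0) for p in places)

    def enabled(self, m, t):
        return all(m[i] >= w for i, w in enumerate(self.tr[t][0]))

    def fire(self, m, t):
        c, d = self.tr[t]
        return tuple(m[i] - c[i] + d[i] for i in range(len(m)))

    def consumers(self, i):  # transitions with an arc from place i (p•)
        return [t for t, (c, _) in self.tr.items() if c[i] > 0]

    def producers(self, i):  # transitions with an arc into place i (•p)
        return [t for t, (_, d) in self.tr.items() if d[i] > 0]


def stubborn(net, m):
    """Deadlock-preserving stubborn set at m: the closure of one activated
    transition under the two rules. Empty exactly when m is a deadlock."""
    seed = next((t for t in net.tr if net.enabled(m, t)), None)
    if seed is None:
        return set()
    result, work = {seed}, [seed]
    while work:
        t = work.pop()
        c = net.tr[t][0]
        if net.enabled(m, t):
            # rule 1: anything that can take a token t needs is in conflict
            new = [u for i, w in enumerate(c) if w > 0 for u in net.consumers(i)]
        else:
            # rule 2: t is activated only after a producer of an insufficiently
            # marked input place fires; the first such place is chosen
            i = next(i for i, w in enumerate(c) if m[i] < w)
            new = net.producers(i)
        for u in new:
            if u not in result:
                result.add(u)
                work.append(u)
    return result


def explore(net, reduced):
    """Depth-first state space; with reduced=True only activated transitions
    of stubborn(m) are fired. Returns (reachable markings, deadlocks)."""
    seen, deadlocks, stack = {net.m0}, [], [net.m0]
    while stack:
        m = stack.pop()
        candidates = stubborn(net, m) if reduced else net.tr
        succ = [net.fire(m, t) for t in candidates if net.enabled(m, t)]
        if not succ:
            deadlocks.append(m)
        for m2 in succ:
            if m2 not in seen:
                seen.add(m2)
                stack.append(m2)
    return seen, deadlocks


def three_process_net():
    """Constructed: three processes, two internal steps each, then a joint
    synchronisation (the shape of the state explosion example)."""
    places, tr, m0 = [], {}, {}
    for x in "abc":
        places += [x + "0", x + "1", x + "2"]
        tr[x + "_step1"] = ({x + "0": 1}, {x + "1": 1})
        tr[x + "_step2"] = ({x + "1": 1}, {x + "2": 1})
        m0[x + "0"] = 1
    tr["sync"] = ({"a2": 1, "b2": 1, "c2": 1}, {"a0": 1, "b0": 1, "c0": 1})
    return Net(places, tr, m0)


def fork_net():
    """Constructed: two processes that take two forks in opposite order (they
    can deadlock) plus an independent process that makes one step."""
    return Net(
        ["a0", "a1", "a2", "b0", "b1", "b2", "c0", "c1", "f1", "f2"],
        {"a_take1": ({"a0": 1, "f1": 1}, {"a1": 1}),
         "a_take2": ({"a1": 1, "f2": 1}, {"a2": 1}),
         "a_release": ({"a2": 1}, {"a0": 1, "f1": 1, "f2": 1}),
         "b_take2": ({"b0": 1, "f2": 1}, {"b1": 1}),
         "b_take1": ({"b1": 1, "f1": 1}, {"b2": 1}),
         "b_release": ({"b2": 1}, {"b0": 1, "f1": 1, "f2": 1}),
         "c_step": ({"c0": 1}, {"c1": 1})},
        {"a0": 1, "b0": 1, "c0": 1, "f1": 1, "f2": 1})
```

For the three-process net the full state space has 27 markings and the reduced one 7, the same shrinkage pictured on slide 49. For the fork net the reduced search visits 7 of the 12 markings and still finds the single deadlock (both processes holding one fork, the third process finished): rule 1 keeps the two fork-taking transitions together whenever they compete for a fork, so the path into the deadlock is never pruned, which is what the proof on slides 53 to 66 guarantees.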
    67. Preservation of LTL/CTL • LTL-X: core principle + visibility: all transitions in stubborn(m) invisible to φ or stubborn(m) = T + proviso: once in every cycle: stubborn(m) = T • CTL-X: LTL + |stubborn(m)| = 1 or stubborn(m) = T • Consequences: only local properties yield reduction; proviso avoids infinite stuttering; proviso known to cause explosion; proviso requires cycle detection (e.g. depth first); CTL only performant when number of conflicts is small
    68. LoLA’s Approaches. Let φ be a state predicate. Assume m does not satisfy φ. wrup(m, φ) = some set of transitions such that every path to an m’ that satisfies φ contains at least one transition of wrup(m, φ). Examples:
        wrup(m, “m* reached”) = •p, for some p with m(p) < m*(p), or = p•, for some p with m(p) > m*(p)
        wrup(m, p>k) = wrup(m, p≥k) = •p
        wrup(m, p<k) = wrup(m, p≤k) = p•
        wrup(m, φ1 ∧ φ2) = wrup(m, φ1) if m does not satisfy φ1; = wrup(m, φ2) if m does not satisfy φ2
        wrup(m, φ1 ∨ φ2) = wrup(m, φ1) ∪ wrup(m, φ2)
        wrup(m, t not dead) = {t}
    69-74. Theorem. Reachability of φ: core principle + wrup(m, φ) ⊆ stubborn(m). [figure: original path m0 ... m ... φ; the first transition t on it that lies in wrup(m, φ) is in ample(m); m -t-> m1 in the reduced system, and m1 is closer to m’ than m]
    75. Effect • Can be applied to global predicates • Astonishing goal-orientation • Has been relaxed by Kristensen/Valmari (wrup must be contained only once in an scc): they perform better if predicate unreachable; unrelaxed method better if predicate reachable • Can be extended to boundedness: bounded net: wrup(m) = {t : |t•| > |•t|}; bounded place: wrup(m,p) = •p
    76. TSCC based properties. Valmari: core principle + weak proviso: every transition in stubborn(m) at least once in every tscc of reduced system: every tscc of original state space visited in reduced state space
    77. TSCC based properties. Idea: construct Valmari’s tscc-preserving state space; pick one element of each tscc of reduced state space: check mutual reachability for home state; check reachability of m0 for reversibility; check reachability of φ for liveness of φ. userconfig.H: TWOPHASE (twophase)
    78. CTL/LTL properties • CTL: separate search space for each subformula; use wrup for EF and AG; use traditional CTL method for other operators • LTL: search counterexample path: F φ ➪ G¬φ, GF φ ➪ FG¬φ, FG φ ➪ GF¬φ; G¬φ: LTL preserving, but drop proviso; FG¬φ, GF¬φ: drop proviso if m satisfies ¬φ, wrup(m, ¬φ) if m satisfies φ
    79. Symmetries
    80. Symmetric Behavior. Goal: symmetry in transition system. σ is a symmetry if: σ is a bijection R(m0) → R(m0); m [t> m’ iff ex. t’: σ(m) [t’> σ(m’); σ(m0) = m0. ΣTS: set of all symmetries in R(m0). By induction: m0 m1 m2 ... path ⇒ σ(m0) σ(m1) σ(m2) ... path as well. Id is always a symmetry; if σ is a symmetry, so is σ^-1; if σ1 and σ2 are symmetries, so is σ1 ∘ σ2: [ΣTS, ∘] is a group.
    81-85. Equivalence of States. Have to detect symmetries prior to state space generation, typically cannot deduce all of them; but: can always close under inversion and composition. Fix some subgroup Σ ⊆ ΣTS. m ~ m’ iff ex. σ ∈ Σ such that σ(m) = m’. ~ is an equivalence relation.
    86. Reduced Transition System. TSΣ = [R(m0)/~ , EΣ , [m0]Σ]; EΣ = { [[s],[s’]] | ex. s ∈ [s], ex. s’ ∈ [s’] : [s,s’] ∈ E }. Size of reduced system: |R(m0)/~| ≥ |R(m0)| / |Σ|; |Σ| can be exponential in size of Petri net.
    87. Example. Σ = { Id, σ }, σ([x,y,z]) = [y,x,z] [figure: state space with states (i,i,1), (r,i,1), (i,r,1), (c,i,0), (r,r,1), (i,c,0), (c,r,0), (r,c,0)]
    88. Example. Σ = { Id, σ }, σ([x,y,z]) = [y,x,z] [figure: reduced state space with states (i,i,1), (r,i,1), (c,i,0), (r,r,1), (c,r,0)]
    89. Construction of reduced state space
        R := E := ø; dfs(m0);
        dfs(m)
          R := R ∪ {m};
          FOR ALL t: activated in m DO
            m’ = m + Δt;
            IF can find σ with σ(m’) ∈ R THEN        { approximation: the “Orbit Problem” }
              E := E ∪ {[m, t, σ(m’)]};
            ELSE
              E := E ∪ {[m, t, m’]}; dfs(m’);
            END
          END
    90. “Traditional” Symmetry Tools • Depend on “scalar set” data type: =, ≠, arrays, for each, no constant • Cannot model networks other than cliques • LoLA: can handle all kinds of symmetry in the net structure
    91. PN automorphisms. Bijection σ: P∪T → P∪T is a PN automorphism iff, for all x,y ∈ P∪T: m0(x) = m0(σ(x)); if [x,y] ∈ F then [σ(x),σ(y)] ∈ F and W([x,y]) = W([σ(x),σ(y)]). Every PN automorphism induces a symmetry in the state space: σ(m)(σ(p)) = m(p).
    92. Example [figure: ring of nodes 1, 2, 3, 4 and its automorphisms given as node-mapping tables, id first]
    93. Schreier-Sims generating set. U1 ⊇ U2 ⊇ U3 ...: a subgroup induces a partition of the whole group; pick one element of each class (“orbit”). Group: all automorphisms; U1: all automorphisms that map p1 to p1; U2: all automorphisms that map p1 to p1, p2 to p2; ...; Un: Id. Has O(n^2) elements.
    94. Example [figure: the automorphism tables of the ring, grouped into id, U1, U2]
    95. Example [figure: generating set E = { id, g1, g2, g3 ; id, g4 } for the ring; every automorphism is a product: id ∘ id, g1 ∘ id, g2 ∘ id, g3 ∘ id, id ∘ g4, g1 ∘ g4, g2 ∘ g4, g3 ∘ g4]
    96. Another Example [figure: 8-node graph]. g = g1 ∘ g2 ∘ g3. 1. layer: 1 → 1 ... 8; 2. layer: 1 → 1, 2 → 2, 4, 5; 3. layer: 1 → 1, 2 → 2, 3 → 3, 6. 7 + 2 + 1 = 10 generators for 8 x 3 x 2 = 48 automorphisms.
    97-102. Orbit Problem: Approximation. Generating set in layers: { id, g11, g12, g13, g14 }, { id, g21, g22, g23 }, { id, g31, g32 }. Given: m; searched: canonical representative(m).
        1. m1 := MIN{ g1i^-1(m), i = ... }
        2. m2 := MIN{ g2i^-1(m1), i = ... }
        3. m3 := MIN{ g3i^-1(m2), i = ... }
        ........
        n. mn := MIN{ gni^-1(mn-1), i = ... }
        canrep(m) := mn
    103-106. Example [figure: ring with generating set E = { g12, g13, g14 ; g22 }; the marking m is minimised layer by layer: m1 = MIN over id^-1(m), g12^-1(m), g13^-1(m), g14^-1(m), then the second layer is applied to m1; the result of the approximation differs from the exact canonical representative: Result ≠ canrep(m)]
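Slides 91 to 106 can be run on the 4-node ring they use: the ring's automorphisms are 4 rotations and 4 reflections, arranged in Schreier-Sims layers (one generator per image of place 0, then one per image of place 1 among the automorphisms fixing place 0). The following is an added example, not LoLA's code; the ring, its generator layers and all function names are constructed for illustration. It applies σ(m)(σ(p)) = m(p) from slide 91, computes the exact canonical representative as the orbit minimum, computes the layer-wise approximation of slides 97 to 102, and exhibits a marking on which the two disagree, as on slides 103 to 106. Counting the distinct representatives over all markings with at most two tokens per place shows the price of the approximation: 22 classes stored instead of the 21 true orbits, which is safe (two symmetric markings are merely stored twice), whereas merging two markings that are not symmetric never happens because the approximation only ever applies group elements.

```python
"""Canonical representatives under a symmetry group, comparing the exact
orbit minimum with the layer-wise approximation on the slides. Added example,
not LoLA's implementation; the ring of four places and its dihedral
automorphism group are constructed for illustration."""
from itertools import product


def apply_perm(sigma, m):
    """σ(m)(σ(p)) = m(p): the token count of place p moves to place σ(p)."""
    out = [0] * len(m)
    for p, tokens in enumerate(m):
        out[sigma[p]] = tokens
    return tuple(out)


def inverse(sigma):
    inv = [0] * len(sigma)
    for p, q in enumerate(sigma):
        inv[q] = p
    return tuple(inv)


def compose(a, b):
    """(a ∘ b)(p) = a(b(p))"""
    return tuple(a[b[p]] for p in range(len(a)))


# Ring of places 0-1-2-3-0: automorphisms are the 4 rotations and 4 reflections.
ID = (0, 1, 2, 3)
ROT = (1, 2, 3, 0)            # each place moves to its right neighbour
REFL = (0, 3, 2, 1)           # mirror axis through place 0 (and place 2)
# Schreier-Sims style layers: layer 1 has one automorphism per image of
# place 0, layer 2 one per image of place 1 among those fixing place 0,
# layer 3 only the identity (the slides' U1 ⊇ U2 ⊇ ... chain).
LAYERS = [
    [ID, ROT, compose(ROT, ROT), compose(compose(ROT, ROT), ROT)],
    [ID, REFL],
    [ID],
]


def all_automorphisms(layers):
    """Every group element is a product of one generator per layer."""
    group = {ID}
    for layer in layers:
        group = {compose(g, h) for g in group for h in layer}
    return group


def canrep_exact(m, group):
    """Smallest marking in the orbit of m (exact, cost |group| per call)."""
    return min(apply_perm(g, m) for g in group)


def canrep_approx(m, layers):
    """The slides' approximation: m_k := MIN{ g_ki^-1(m_{k-1}) } layer by layer,
    keeping one candidate; cheaper (sum of layer sizes) but may miss the
    true minimum, so two symmetric markings can end up stored twice."""
    for layer in layers:
        m = min(apply_perm(inverse(g), m) for g in layer)
    return m


def all_markings(n_places, max_tokens):
    """Constructed input: every marking with 0..max_tokens tokens per place."""
    return list(product(range(max_tokens + 1), repeat=n_places))


def count_classes(markings, rep):
    """Number of distinct representatives, i.e. states a symmetry-reduced
    depository keyed on rep(m) would hold."""
    return len({rep(m) for m in markings})
```

The marking (0, 0, 2, 1) is the witness: the first layer picks its smallest rotation, which is the marking itself, and the reflection fixing place 0 turns it into (0, 1, 2, 0), so the approximation returns (0, 0, 2, 1); the exact orbit minimum is (0, 0, 1, 2), reached only by reflecting first and rotating afterwards.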
    107-109. Summary Symmetries. Calculation of symmetries and exact solution of the orbit problem: equivalent to graph isomorphism (NP). Many other orbit algorithms available in LoLA, even more by Tommi Junttila; best choice depends on structure of symmetry group.
    110. 110. Using Petri net invariants in state space
    111. 111. Two approachescompress states (use place invariants) save space and timeexempt states from storage (use transition invariants) space/time tradeoff 71
    112. 112. First approach: use place invariants 72
    113. 113. First approach: use place invariantsLet i be place invariant:.For all reachable m:i • m = i • m0 72
    114. 114. First approach: use place invariants Let i be place invariant:. For all reachable m: i • m = i • m0 i • m0 – Σp’≠p i(p’) • m(p’).... and, for a place p with i(p) ≠ 0: m(p) = i(p) 72
115. Example (figure: net with five places p1..p5)
invariant 1: [ 1 1 0 0 0 ]
invariant 2: [ 0 0 0 1 1 ]
that is, for all reachable markings m: m(p1) = 1 – m(p2), m(p5) = 2 – m(p4)
only p2, p3, p4 need to be stored (40 % compression)
116.-118. Overhead
                                   appears to be:               actually is:
preprocessing - time               compute invariants           compute upper triangular form
preprocessing - space              |inv| • |places|             1 bit • |places|
state space construction - time    recover saved components     search, insert performed on smaller vectors
119.-120. State space construction (figure: a state is looked up in the depository of short vectors; the answer is yes/no plus a pointer; the full state is obtained by recovering the removed components)
Observe: the values of i are irrelevant, supp(i) is sufficient!
121. Upper triangular form (figure: incidence matrix, its triangular form, and the resulting invariants)
m(p2), m(p5) can be calculated from m(p1), m(p3), m(p4)
122. Results
1. Space reduction 30% - 55%
2. Preprocessing time insignificant
3. Run time reduction proportional to space reduction. Reason: search and insert operations take 80 – 95 % of the overall run time ... and are now performed on shorter vectors
4. combination with most other reduction techniques possible
123.-127. Second approach: what happens if some states are removed from the depository?
• construction still terminates as long as the removed states do not form cycles!
• use structural knowledge about cycles
128.-129. Transition invariants
• a cycle in the state space corresponds to a transition invariant
• Assume: a set U of transitions s.t. for every transition invariant i: U ∩ supp(i) ≠ ∅
• Then: store states that enable transitions in U; do not store other states
• U can be determined from the triangular form
130. Example (figure): transition invariant: [2,2,3,3]; U = {t}; store only states where t is enabled
131. Problems:
1. Too many states enable transitions in U. Solution: combine with partial order reduction
2. Unacceptable run time overhead. Solution 1: heuristically store additional states. Solution 2: remove only non-branching states
132. Ad 1: Full vs. Partial (figure: full state space)
133. Ad 1: Full vs. Partial (figure: stubborn set reduced state space)
134. Ad 2: store additional states (figure, with parameter k)
135. Results
1. Controllable space/time trade-off
2. Combination with partial order reduction compulsory
3. Combination with a few other reduction techniques possible
4. Only simple properties can be verified (no access to the graph structure of the state space)
136. The Sweep-Line Method
137. Road map
• The sweep-line method (basic/extended)
• Calculation of a progress measure
• Discussion - combination with other reduction techniques
138.-142. The sweep-line method (Basic)
Idea: state s → progress value p(s), with s [t> s' implying p(s) ≤ p(s')
(figures: the sweep-line moves along the progress axis p; states behind it are processed, states on it are unprocessed, states ahead of it are not yet seen)
143.-145. The sweep-line method (extended)
If p is not monotonous, i.e. s [t> s' with p(s') < p(s):
- mark s' "persistent"
- start a new sweep from s'
Consequently: p(s') < p(s) should not occur too often
146. Setting for LoLA's measure
- incremental: "transition offsets" Δp(t): m [t> m' implies p(m') = p(m) + Δp(t)
- not necessarily monotonous (in every cycle: one negative Δp or all Δp = 0)
147. The measure
- partition T into U and T\U
- in U: all transitions linearly independent
- in T\U: all transitions linearly dependent on U, i.e. |U| = rank(C)
- for t in U: Δp(t) := 1
- for t in T\U: Δp(t) determined by the (unique) linear combination of U (for t in T\U: Δp(t) > 0, = 0, or < 0)
- typical size: |U| is 60% - 100% of |T|
148. Examples (figure: incidence columns of transitions in U and in T\U with the resulting offsets)
149.-154. Geometric interpretation (figures: places p1, p2, p3 as axes, a state s, the subspace spanned by U, the progress axis with value p(s) and unit 1, and the sweep-line)
155. 4. Using LoLA
156. You will learn how
• to choose and manage LoLA configurations
• to ask the right verification questions
• to optimally model a Petri net
• to employ scripts, makefiles, etc.
• to call LoLA from another tool
157. LoLA Configurations
• Get LoLA: http://service-technology.org/files/lola
• Standard workflow: edit userconfig.H, then compile LoLA
158. userconfig.H
• What to check?
• Which reduction techniques to use?
• Other parameters
159. The optimal configuration
1. Know your net!
• Is it bounded? Do you know the bound? Is it safe?
• Do you have a feeling for the outcome?
• Is the net made of several components?
• Does the net have a lot of concurrency?
2. Experiment!
160. Analysis Tasks
• DEADLOCK
• REACHABILITY, FINDPATH, STATEPREDICATE
• BOUNDEDPLACE, BOUNDEDNET
• DEADTRANSITION
• REVERSIBILITY, HOME
• LIVEPROP, FAIRPROP, STABLEPROP, EVENTUALLYPROP
• MODELCHECKING
• FULL, NONE
161. Reduction Techniques
• STUBBORN - stubborn sets
• PREDUCTION - invariant-based compression
• SYMMETRY - symmetry reduction
• COVER - coverability graph
• CYCLE - cycle coverage
• SWEEP - sweep-line method
• SMALLSTATE - internal representation
162. Stubborn Sets
• STUBBORN
• when to use: always
• compatibility: all other techniques
• switch RELAXED to choose a more efficient technique if the state/predicate is unreachable
163. Invariant-based Compression
• PREDUCTION
• when to use: always
• compatibility: not with the sweep-line method
164. Symmetries
• SYMMETRY
• when to use: net is made of several symmetric components
• runtime overhead
• compatibility: not with the sweep-line method
• switches SYMMINTEGRATION and MAXATTEMPT control the time/memory trade-off
165. Coverability Graph
• COVER
• when to use: mostly clear from the context
• compatibility: stubborn sets and symmetry
• use with BREADTH_FIRST to get shorter paths to check
166. Cycle Coverage
• CYCLE
• when to use: can help sometimes
• runtime overhead
• use with stubborn sets to reduce the number of successors
• switches NONBRANCHINGONLY and MAXUNSAVED control the memory/time trade-off
167. Sweep-line
• SWEEP
• when to use: behavior has several acyclic stages - always worth a try
• compatibility: stubborn set method
• in fact: only use together with the stubborn set method, to avoid a lot of regress transitions
168. Small State Representation
• SMALLSTATE
• when to use: only for simple reachability questions
• compatibility: all other techniques
169. Reduction techniques: not all combinations make sense! LoLA takes care of this.
170. Other parameters
• BREADTH_FIRST: search strategy
• CAPACITY: fix a maximal number of tokens per place
• CHECKCAPACITY: check capacity and abort
• MAXPATH: maximal length of paths for FINDPATH
• REPORTFREQUENCY: report firing of transitions
• HASHSIZE: number of hash buckets
• MAXIMALSTATES: maximal size of the state space
171. Manage configurations
• one binary for each configuration
• fight complexity: ask LoLA for its configuration; predefined standard configurations; offspring generation
172. Ask LoLA (screenshot)
173. Predefined configurations: several reasonable standard configurations
174. Generate offspring: generate a userconfig.H for the given binary
175. Build script: downloads the sources and generates a configured binary with a random name
176. You will learn how: to choose and manage LoLA configurations ✔; to ask the right verification questions; to optimally model a Petri net; to employ scripts, makefiles, etc.; to call LoLA from another tool
177. Ask the right questions
• be as specific as possible
• ask one aspect at a time
• exploit all knowledge
• transform complex questions
178. Be specific!
• most questions can be formulated in CTL
• LoLA has dedicated routines: EF φ - use STATEPREDICATE; AG EF φ - use LIVEPROP
• yields more efficient reduction
179. Ask one aspect at a time!
• Garavel's challenge: check quasiliveness of a net with 776 transitions
• naive way: build one state space and check each transition. Problem: 9794739147610899087361 states
• clever way: build 776 state spaces and check each transition independently. All but two state spaces have < 20000 states
180. Use all knowledge! (figure: Fig. 1, a procedure modeled by a WF-net with input place i and output place o)
• original question: soundness of workflow nets
• naive: AG EF φ
• Petri-netty: liveness and boundedness of the short-circuited net
• knowledge: net is free-choice and built from standard patterns
• boundedness boils down to 1-safeness
• clever way: two checks: liveness and 1-safeness
181. Transform your problem!
• original question: relaxed soundness (every transition fires in at least one terminating run)
• standard algorithm: build the state space, remove nonterminating behavior and check the transitions t
• clever way: create a special net for each transition t and check for reachability of the marking [o, pt]
182. Problem hierarchy
• MODELCHECKING (CTL algorithms, hardly any reduction possible)
• BOUNDEDNET (coverability graph)
• STABLEPROP, EVENTUALLYPROP, FAIRPROP (strongly connected sets)
• HOMESTATE (mutual reachability of TSCCs)
• LIVEPROP, REVERSIBILITY (reachability within TSCC)
• REACHABILITY (global property)
• BOUNDEDPLACE (overhead for coverability check)
• STATEPREDICATE (possibly local property)
• DEADTRANSITION (local property)
• DEADLOCK (best stubborn sets available)
• FINDPATH (memoryless exploration)
183. You will learn how: to choose and manage LoLA configurations ✔; to ask the right verification questions ✔; to optimally model a Petri net; to employ scripts, makefiles, etc.; to call LoLA from another tool
184. "optimal" Petri nets
• have verification in mind
• don't use expensive constructs (reset arcs)
• don't spoil the reduction techniques
• help LoLA help you
185. High-level guards
• use guards to exclude implausible transition bindings
• results in quicker unfolding
    TRANSITION ManInTheMiddle
    VAR bob : bobAgents; alice : aliceAgents; bobKey : bobKeys; aliceKey : aliceKeys;
    GUARD alice <> getMaliceAlice() AND bob <> getMaliceBob()
          AND isSessionKeyForAlice(alice,bob,aliceKey) AND isSessionKeyForBob(bob,alice,bobKey)
    CONSUME connStateAlice : makeConnectionState(alice,bob,aliceKey,bobKey), mGoalBobKeys : bobKey;
    PRODUCE goal : 1;
186. Concurrency
• use concurrency where possible
• avoid unnecessary ordering of events
• makes symmetry/stubborn sets applicable
(figure: initialize component 1, component 2, component 3 concurrently instead of in sequence)
187. Avoid global states
• avoid excessive synchronization
• avoid "global state places"
• such nets have no real concurrency
(figure: Figure 13, termination of a basic activity X inside scope Q, with the places to_stopQ, to_continueQ and the "bypass" τ-transition)
188. Flexible model generation
• model with the verification question in mind
• for each question have a dedicated model with proper abstractions
• implemented in the compiler BPEL2oWFN
189. Scale by structure
• when possible, scale the model by structure, not by the number of tokens
• in LoLA: just increase the sort
• rationale: symmetry and stubborn sets
    SORT dimensions = [ 1 , 3 ];
         row = [ 1 , 3 ];
190. You will learn how: to choose and manage LoLA configurations ✔; to ask the right verification questions ✔; to optimally model a Petri net ✔; to employ scripts, makefiles, etc.; to call LoLA from another tool
191. Script LoLA
• LoLA follows the UNIX philosophy: every tool does one thing (and that thing right); tools communicate with files/streams; exit codes tell about the outcome of LoLA
• all this allows to quickly build powerful tool chains
192. LoLA's exit codes
• 0: specified state or deadlock found / net or place unbounded / home marking exists / net is reversible / predicate is live / CTL formula true / transition not dead / liveness property does not hold
• 1: the opposite verification result
• rule of thumb: if the outcome of a verification can be supported by a counterexample or witness path, that case corresponds to return value 0
193. LoLA's exit codes
• exit codes allow for simple workflows in the shell:
    (lola1 net.lola && lola2 net.lola && echo "OK") || echo "not OK"
• translation: execute lola1; if the exit code is 0, execute lola2; if the exit code is again 0, print "OK"; otherwise, print "not OK"
194. Example: Scripting
• Garavel's challenge: quasiliveness of 776 transitions checked in 776 runs
• shell script: 1. extract transitions from the net 2. generate the analysis task for DEADTRANSITION ("ANALYZE TRANSITION t1") 3. call LoLA 4. evaluate the exit code
• DEADTRANSITION succeeds in all but 2 cases; then use FINDPATH
195. Example: Makefile
• check for relaxed soundness
• for each transition: 1. create the manipulated net 2. generate the analysis task for STATEPREDICATE ("FORMULA (pt = 1 AND o = 1)") 3. call LoLA 4. evaluate the exit code
• use a Makefile to collect the results
• benefit: parallel execution
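As an added example (not the tutorial's own script), the per-transition loop of slide 194 and the per-marking question of slide 195 written as a POSIX shell script around LoLA's exit-code convention. The exit-code semantics (0 = witness found, 1 = the opposite) are the tutorial's; the binary name in $LOLA, the "-a <file>" way of passing the task file, and the sample net are assumptions.

```shell
#!/bin/sh
# Added example, not part of the tutorial. Drives a LoLA binary over a net:
# one LoLA run per question, verdict taken from the exit code
# (0 = witness path exists, 1 = the opposite, anything else = LoLA failed).
# Assumptions: $LOLA names a binary configured for the task in question
# (DEADTRANSITION resp. STATEPREDICATE) and the task file is passed with
# "-a <file>"; adapt the invocation if your LoLA version differs.
LOLA="${LOLA:-lola}"

# Print the transition names declared in a .lola net file, one per line.
extract_transitions() {
    sed -n 's/^[[:space:]]*TRANSITION[[:space:]]\{1,\}\([A-Za-z0-9_.]*\).*/\1/p' "$1"
}

# Run LoLA on net $1 with the analysis task text $2; print the exit code.
# The exit code *is* the result, so it must not abort a script run with set -e.
run_task() {
    task="$(mktemp)"
    printf '%s\n' "$2" > "$task"
    if "$LOLA" "$1" -a "$task" >/dev/null 2>&1; then rc=0; else rc=$?; fi
    rm -f "$task"
    echo "$rc"
}

# Exit code 0 on DEADTRANSITION means a firing of t was found: t is not dead.
dead_transition_verdict() {
    case "$1" in
        0) echo "not dead" ;;
        1) echo "dead" ;;
        *) echo "unsettled" ;;
    esac
}

# Exit code 0 on STATEPREDICATE means a state satisfying the formula was found.
predicate_verdict() {
    case "$1" in
        0) echo "reachable" ;;
        1) echo "unreachable" ;;
        *) echo "unsettled" ;;
    esac
}

# Slide 194: check every transition of the net with its own LoLA run.
# Prints "<transition> <verdict>" per line; "unsettled" transitions are the
# ones to retry with FINDPATH.
check_all_transitions() {
    for t in $(extract_transitions "$1"); do
        rc="$(run_task "$1" "ANALYZE TRANSITION $t")"
        printf '%s %s\n' "$t" "$(dead_transition_verdict "$rc")"
    done
}

# Slide 195: is the marking [o, pt] reachable in the (manipulated) net $1?
# $2 is the place name pt, $3 the final place (default: o).
check_marking() {
    net="$1"; pt="$2"; o="${3:-o}"
    rc="$(run_task "$net" "FORMULA ($pt = 1 AND $o = 1)")"
    predicate_verdict "$rc"
}

# Typical use: ./script.sh net.lola
if [ -n "${1:-}" ]; then
    check_all_transitions "$1"
fi
```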
196. You will learn how: to choose and manage LoLA configurations ✔; to ask the right verification questions ✔; to optimally model a Petri net ✔; to employ scripts, makefiles, etc. ✔; to call LoLA from another tool
197. Integrating LoLA into Wendy
• Wendy: a tool to synthesize partners for services
• the algorithm needs a lot of small state spaces
• before: calculate them on the fly
• now: calculate one big one in advance and preprocess it - helps to avoid "bad" states
• tool of choice for this: LoLA (lola-full)
• benefits: modularity; get Tarjan numbers for free; interprocess concurrency
198. Integrating LoLA
• integration is easy when using C:
    const char *c = "lola-full tempfile.lola -M";
    FILE *pipe = popen(c, "r");   /* LoLA writes the state space to its stdout */
    parse_pipe();                  /* consume the stream while LoLA is still running */
    pclose(pipe);
• UNIX streams allow parallel generation and parsing of the state space
199. You will learn how: to choose and manage LoLA configurations ✔; to ask the right verification questions ✔; to optimally model a Petri net ✔; to employ scripts, makefiles, etc. ✔; to call LoLA from another tool ✔
200. 5. Case Studies (Niels Lohmann)
201. Exploring biochemical reaction chains (figure: the ErbB network, cartoon form)
202. Reaction chains
• Domain: symbolic systems biology
• "Symbolic systems biology is the qualitative and quantitative study of biological processes as integrated systems rather than as isolated parts."
• Property: reachability
203. (figure: an excerpt of the reaction network with reaction identifiers)
204. Reaction chains
• "For reachability queries on our nets, answering a reachability query that would have taken hours using a general purpose model-checking tool takes on the order of a second in LoLA — fast enough to permit interactive use."
205. Finding Hazards in GALS Circuits
206. GALS circuits
• Domain: asynchronous/synchronous hardware design
• prototype for an IEEE 802.11 chip
• asynchronous hardware is not clocked - order/timing of events makes a difference
• problem: glitch
207.-217. Glitch (figures: an AND gate with inputs a, b and output c; traces of P(a), P(b), P(c) over ΔT while a falls from 1 to 0 and b rises from 0 to 1; in one ordering of the two events the output c briefly becomes 1, marked as a hazard)
218.-229. Petri Net Model of AND (figures: the gate modelled in terms of events, levels and logics; the four input states (P(a),P(b)) = 00, 01, 10, 11 with inputs a, b and output c)
230. GALS circuits
• Property: reachability
• Problem: partial order reduction not effective enough in isolation; the sweep-line helped
• initial model: 204 places/368 transitions; manual abstractions necessary
• found 8 hazards, 2 were actual problems
231. Verifying Service Choreographies
232. Service Choreography
• Domain: service-oriented architectures
• Original model: BPEL4Chor
• translation: compiler BPEL2oWFN
• Design flaw in the choreography model.
• Property: deadlock freedom
233.-242. Service Choreography (figures): one traveler, one travel agency, several airlines
243.-255. Service Choreography (figures): the composition can deadlock!
256.-258. Service Choreography: Case Study (Analyzing BPEL4Chor - Verification and Partner Synthesis)

airline instances                            1      5         10       100       1000
places                                      20     63        113      1013      10013
transitions                                 10     41         76       706       7006
states, complete/unreduced                  14   3483    9806583   overflow   overflow
states, symmetry reduction                  14    561     378096   overflow   overflow
states, stubborn sets (partial order)       11     86        261     18061    1752867
states, symmetries and stubborn sets        11     30         50       410       4010

overflow: > 2 GB. The unreduced and the symmetry-reduced state spaces show exponential growth; with symmetries and stubborn sets combined the growth is linear.
259. Soundness of Business Processes (figure: process fragments M1, M2, J1, F1)
260. Soundness
• 735 real-world business processes from IBM customers
• original formalism: UML dialect from the IBM WebSphere Business Modeler
• translation: compiler UML2oWFN
• original question: can soundness be verified using model checking techniques?
261. Soundness (figure)
262. Soundness
• "IBM Soundness" = absence of lack of synchronization (= unsafe marking) and of deadlock (= deadlock), plus certain assumptions on the structure
• for LoLA: two checks: Is the final marking live? Is the net safe?
263. Soundness (figure: decision per SESE fragment: choice depends on the SESE fragment / always perform both checks / choice depends on the net structure)
264. Soundness
• execution scheduled and optimized using Makefiles
• max. 50 ms per check
• "analysis on demand"
• observed effect: structural reduction techniques do not pay off when using stubborn sets
265. Verification of Concurrent Programs
266. Concurrent Programs
• concurrent processes
• shared and global variables
• goal: find a small-model property to make a statement on the correctness of an arbitrary number of instances
(figure (a), (b) from A. Kaiser, D. Kroening, and T. Wahl)
267. Concurrent Programs
• the problem can be solved by checking for reachable states in a coverability graph
• challenge: number of places = number of states of a process
• concurrency only through tokens
• it took a while to beat LoLA
268. Solving AI Planning Problems
269. AI Planning
• setting: smart conference room
• several projectors, canvases, documents, and lamps
• AI planning problem: configure the room to display document A on that canvas.
• original formalism: proprietary planning language; manually translated
270. AI Planning
• straightforward translation to a state predicate:
    Goals:                       FORMULA
    ( LightOn 1 Lamp1 )          LightOn.<Lamp1|TRUE> = 1 AND
    ( LightOn 1 Lamp2 )          LightOn.<Lamp2|TRUE> = 1 AND
    ( DocShown 1 Doc1 LW3 )      DocShown.<Doc1|LW3|TRUE> = 1 AND
    ( DocShown 1 Doc2 LW1 )      DocShown.<Doc2|LW1|TRUE> = 1 AND
    ( CanvasDown 1 VD1 )         CanvasDown.<VD1|TRUE> = 1
• the system is extremely concurrent
• depth-first search actually finds the shortest path
271. 6. Integrating LoLA
272.
• soundness checks: classical soundness, weak soundness, relaxed soundness
• integration as a Web service
273.
• http://oryx-project.org/oryx/editor;petrinet
• http://esla.informatik.uni-rostock.de/service-tech/.lola
274.
• generic plugin for standard Petri net properties
• nets are translated from PNML to LoLA format
• LoLA is called via a system call
275. 7. Implementation
276. Plan
• Firing a transition
• Evaluating a state predicate
• Managing the state space
• Organizing search
• Detecting strongly connected components
277. Firing transitions
• marking changed via the list of pre-places and the list of post-places: effort does not depend on the size of the net
• after firing, only some transitions are checked for enabledness: previously enabled transitions that lost tokens; previously disabled transitions that gained tokens
• ... managed through explicitly stored lists
278. Checking state predicates
• predicate = boolean combination of atoms p {>, <, =, ≤, ≥, ≠} k
• stored in negation-free normal form (figure: tree of subformulas φ)
279. Managing the state space
• 1st state = bit vector
• other states = bit vector + decision record
(figure: stored bit vectors sharing a common prefix, linked through decision records)
280. Managing the state space
• find/insert a marking: one integrated process
• dive down into the decision tree; at a decision point: switch to the next vector
• at the end: found, no insert
• on a mismatch between decision points: insert at the point of mismatch
• decision records form a tree
281. Organizing search: general remarks
• search consists of: fire transitions ✔; find/insert marking ✔; backtracking: fire transition backwards
• only "constant" time
• search stack consists of a reference to the transition + the list of enabled transitions
• state space is "write-only" memory
282. Organizing search
b) Depth-first search: ability to detect SCCs
c) Breadth-first search: simulated by bounded depth-first search with an incrementally increased bound
• update of the current marking, the list of enabled transitions, etc. through the sequence of transition occurrences
283. Detecting strongly connected components
• Traditional approach: Tarjan's algorithm (figure: a search tree with nodes numbered 0 to 6, each annotated with its DFS number and lowlink)
284. Detecting strongly connected components
• LoLA approach: simplified lowlink (figure: the same search tree, annotated with the lowlink values computed by the simplified rule)
285. Reduction techniques
286. Stubborn Sets
• Crucial: core principle
• Simple method: if t is enabled, add the conflicting transitions; if t is disabled, add the pre-transitions of some unmarked pre-place
(figure: place, transition, pre-transitions must be included, conflicting transition; updated at the enabledness check)
287. The sweep-line method
• constant change → successors lie in a small window of progress values