Where did I go wrong? Explaining errors in process models

Workshop presentation given by Niels Lohmann on February 20, 2014 in Potsdam, Germany at the Sixth Central-European Workshop on Services and their Composition (ZEUS 2014).


  1. Where did I go wrong? Explaining errors in process models (Niels Lohmann)
  2. Verification of processes and services
     (word cloud on the slide: WS-Addressing, WSDM, WS-CDL, WSCI, WS-TX, WSRM, WS-AT, WS-C, BPEL4People, WSRF, WSFL, WS-Policy, WS-BPEL, WS-Routing)
     - more aspects and domains = new languages and checks
     - domain-specific approaches are not flexible
     - moving target
  3. Model checking
     - general purpose verification approach:
       1. formalize model and specification*
       2. push a button
     - * can be hidden from the user
  4. Effectiveness and efficiency
     - model checking works in reality
     - successful applications in many domains
     - “verify while you model”
  5. Diagnosis
     - in case of error: outputs the target state and produces a witness path
     - the witness path describes how the target state can be reached
     - operational semantics: the path can be simulated
  6. Diagnosis: the bad
     - paths can become very long
     - length correlates with the size of the model
     - reports all events equally, disregarding importance
  7. Reasons for useless paths
     - detours, interleavings, indisputable parts
     - depth-first search, concurrency, bootstrapping
  8. Running example
     - Fig. 4: Workflow graph with deadlock and lack of synchronization errors (figure: the workflow graph and a Petri net with places p1 to p14 and transitions t1 to t14; a region labelled “lack of synchronization” is highlighted)
     - excerpts from the paper shown on the slide: “[...] process in Fig. 2 and to which we added a start and an end event. This process model contains a lack of synchronization error as well as a local deadlock, which are not so easy to spot in the first place.” and “A local deadlock is a reachable state s of the process that has a token on an incoming edge e of an AND-join such that each state that is in turn reachable from s also [...]”
  9. Reduction: obvious parts
     - assumption: progress
     - classification of transitions* (* not just XOR-gateways!)
     - only report decisions
     (figure: the running example net)
  11. Reduction: obvious parts (figure: the running example with two witness paths highlighted, t1 t2 t9 t10 t11 t12 t14 and t2 t3 t4 t5)
  12. Reduction: obvious parts (figure: the same witness paths annotated as t1 t2 t9 t10 “down” t11 t12 t14 “down” and t2 t3 “up” t4 t5)
  13. Reduction: obvious parts (evaluation tables from the paper)

     Table 1. Paths from the checks for local deadlocks

     | library | A | B1 | B2 | B3 | C |
     |---|---|---|---|---|---|
     | avg. path length before / after | 17.51 / 1.83 | 17.52 / 2.11 | 16.06 / 1.54 | 20.34 / 1.67 | 13.40 / 2.30 |
     | max. path length before / after | 53 / 8 | 66 / 7 | 56 / 6 | 54 / 5 | 21 / 3 |
     | sum of path lengths before / after | 1699 / 178 | 1419 / 171 | 1349 / 129 | 1688 / 139 | 134 / 23 |
     | reduction | 89.52 % | 87.95 % | 90.44 % | 91.77 % | 82.84 % |

     Table 2. Paths from the checks for lack of synchronization

     | library | A | B1 | B2 | B3 | C |
     |---|---|---|---|---|---|
     | avg. path length before / after | 30.83 / 3.17 | 10.47 / 0.66 | 12.16 / 0.68 | 11.50 / 0.59 | 51.00 / 7.57 |
     | max. path length before / after | 89 / 13 | 52 / 7 | 100 / 8 | 103 / 14 | 120 / 17 |
     | sum of path lengths before / after | 1079 / 111 | 1047 / 66 | 1459 / 82 | 1507 / 77 | 357 / 53 |
     | reduction | 89.71 % | 93.70 % | 94.38 % | 94.89 % | 85.15 % |

     Table 3. Paths from the checks for noninterference

     | library | A | B1 | B2 | B3 | C |
     |---|---|---|---|---|---|
     | avg. path length before / after | 12.06 / 2.79 | 13.82 / 2.55 | 18.13 / 2.33 | 14.27 / 2.55 | 11.27 / 2.33 |
     | max. path length before / after | 44 / 7 | 70 / 7 | 95 / 7 | 95 / 7 | 27 / 3 |
     | sum of path lengths before / after | 19699 / 4557 | 5707 / 1054 | 13835 / 1777 | 17494 / 3130 | 169 / 35 |
     | reduction | 76.87 % | 81.53 % | 87.16 % | 82.11 % | 79.29 % |

     Excerpt from the paper shown on the slide: “Information flow security. Furthermore, the same business process models were used in a recent report [12] on information flow security. In this case study, noninterference [13] was verified. This correctness criterion ensures that decisions from a secure domain cannot be reproduced by investigating public runtime information of the busi-” [cut off on the slide]
  15. Reduction: spurious decisions
     - some decisions determine others
     - often occurs in non-free choice models
     - can be model checked
     (figure: a small net fragment with places p1 to p6)
  17. Reduction: spurious decisions (evaluation tables from the paper)

     Table 4. Reduced paths from the checks for local deadlocks

     | library | A | B1 | B2 | B3 | C |
     |---|---|---|---|---|---|
     | avg. path length before / after | 1.84 / 0.91 | 2.11 / 0.67 | 1.54 / 0.57 | 1.67 / 0.41 | 2.30 / 0.90 |
     | max. path length before / after | 8 / 2 | 7 / 1 | 6 / 1 | 5 / 1 | 3 / 1 |
     | sum of path lengths before / after | 178 / 88 | 171 / 54 | 129 / 49 | 139 / 34 | 23 / 10 |
     | reduction | 50.56 % | 68.42 % | 62.79 % | 75.54 % | 60.87 % |
     | aborted checks | 1 | 0 | 0 | 0 | 0 |

     Table 5. Reduced paths from the checks for lack of synchronization

     | library | A | B1 | B2 | B3 | C |
     |---|---|---|---|---|---|
     | avg. path length before / after | 3.17 / 0.86 | 0.66 / 0.17 | 0.68 / 0.14 | 0.59 / 0.09 | 7.57 / 1.00 |
     | max. path length before / after | 13 / 2 | 7 / 2 | 8 / 2 | 14 / 2 | 17 / 2 |
     | sum of path lengths before / after | 111 / 30 | 66 / 17 | 82 / 17 | 72 / 12 | 53 / 7 |
     | reduction | 72.97 % | 54.55 % | 79.27 % | 84.42 % | 86.79 % |
     | aborted checks | 1 | 4 | 0 | 0 | 4 |

     Table 6. Reduced paths from the checks for noninterference

     | library | A | B1 | B2 | B3 | C |
     |---|---|---|---|---|---|
     | avg. path length before / after | 2.79 / 0.99 | 2.55 / 0.75 | 2.33 / 0.55 | 2.55 / 0.63 | 2.33 / 0.40 |
     | max. path length before / after | 7 / 2 | 7 / 2 | 7 / 2 | 7 / 2 | 3 / 1 |
     | sum of path lengths before / after | 4557 / 1614 | 1054 / 310 | 1777 / 423 | 3130 / 772 | 35 / 6 |
     | reduction | 64.58 % | 70.59 % | 76.20 % | 75.34 % | 82.86 % |

     Excerpt from the paper shown on the slide: “[...] could exploit the Petri net structure to calculate conflict clusters to identify possible conflict transitions. This allowed for a quick check whether a transition is actually a conflict. However, we still considered paths as sequences of transitions leading to the goal state. As discussed earlier, this sequence may be an arbitrary linearization of originally [...]”
  18. Reduction: unorder transitions
     - Petri nets have explicit locality
     - exploit it to derive concurrency
     - helps to “distribute” actions to components
     - makes synchronization points (milestones) explicit
  19. Reduction: unorder transitions (figure: the running example with the two witness paths t1 t2 t9 t10 t11 t12 t14 and t2 t3 t4 t5 drawn as place/transition sequences)
  20. Reduction: unorder transitions (figure only)
  21. Summary
     - paths can be shortened and uncluttered
     - the result is a partial order of important decisions
     - applicable to any verification goal
     Open issues
     - error localization vs. explanation
     - cyclic behavior
     - What should a good diagnosis for $problem look like?
  22. Where did I go wrong? Explaining errors in process models (Niels Lohmann)
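The two reductions from slides 9 (only report decisions) and 18 (unorder transitions), as an added example that is not code from the talk or the paper: a witness path is replayed on a small constructed Petri net, only the steps where another enabled transition competes for an input token are kept as decisions (so an AND-join can be a decision too, not just an XOR gateway), and the partial order of those decisions is derived from the net's locality rather than from the interleaving the search happened to produce. The net, the witness path and the function names are assumptions of this example.

```python
from collections import Counter
# Constructed toy workflow net (not the talk's running example): transition -> (inputs, outputs).
# t3/t4 and t5/t8 are XOR-style choices; the AND-join t6 competes with t7 for the token on p6.
NET = {
    "t1": ({"p1"}, {"p2", "p5"}),  # AND-split into two concurrent branches
    "t2": ({"p2"}, {"p3"}),
    "t3": ({"p3"}, {"p4"}),
    "t4": ({"p3"}, {"p9"}),
    "t5": ({"p5"}, {"p6"}),
    "t8": ({"p5"}, {"p10"}),
    "t6": ({"p4", "p6"}, {"p7"}),  # AND-join: not an XOR gateway, yet a decision
    "t7": ({"p6"}, {"p8"}),
}
INITIAL = Counter({"p1": 1})
WITNESS = ["t1", "t2", "t5", "t3", "t6"]  # constructed witness path reaching the state {p7}

def enabled(net, marking):
    return {t for t, (pre, _) in net.items() if all(marking[p] > 0 for p in pre)}

def fire(net, marking, t):
    pre, post = net[t]
    m = Counter(marking)
    m.subtract(Counter(pre))
    m.update(Counter(post))
    return +m  # drop places whose count fell to zero

def classify_path(net, marking, path):
    """A step is a 'decision' if another enabled transition competes for one of its
    input tokens; under the progress assumption every other step is 'obvious'."""
    steps, m = [], Counter(marking)
    for i, t in enumerate(path):
        en = enabled(net, m)
        if t not in en:
            raise ValueError(f"{t} is not enabled at step {i}")
        rivals = {u for u in en if u != t and net[u][0] & net[t][0]}
        steps.append((i, t, "decision" if rivals else "obvious"))
        m = fire(net, m, t)
    return steps

def decision_order(net, path, steps):
    """Partial order on the decision events: event i must precede j if both touch a
    common place, closed transitively through the obvious events in between."""
    places = lambda t: net[t][0] | net[t][1]
    before = [set() for _ in path]
    for j in range(len(path)):
        for i in range(j):
            if places(path[i]) & places(path[j]):
                before[j] |= before[i] | {i}
    decisions = [i for i, _, kind in steps if kind == "decision"]
    return {j: sorted(i for i in before[j] if i in decisions) for j in decisions}
```

On the witness path above, the five steps shrink to three decisions (t5, t3, t6), and the order shows t5 and t3 as unordered branch choices that both precede the synchronization point t6.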
