Inside LoLA - Experiences from building a state space tool for place transition nets

520 views

Published on

CPN Workshop 2006

Published in: Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
520
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • Pegelplätze: LL-Netz reicht aus
  • P(c) ergibt sich aus P(a) und P(c) Wert des Events errechnet sich aus den Pegeln Im Modell wird von Zeit abstrahiert -> Events treten nebenläufig auf Können nichts über Gleichzeitigkeit sagen bzw. welcher Event vor welchem eintritt -> genau das Setting für hazards
  • Markierungen oftmals schon nach kurzer Suche gefunden bzw. Markierung mittels sweepline und dann Markierung vergrössert und mittels stubborn sets Zeugenpfad
  • What are interesting properties? -> deadlock, dead activities, will the customer always get an answer Other approaches are either not feature complete or have to much modelling power (ASMs) and they cannot be verified
  • Model properties that are informally specified in the BPEL specification
  • Remove the tokens
  • Inside LoLA - Experiences from building a state space tool for place transition nets

    1. 1. Inside LoLA Experiences from building a State Space Tool for Place Transition Nets Karsten Wolf Universität Rostock
    2. 2. 1. Introduction
    3. 3. History <ul><li>Started in 1998 - after some years experience with INA </li></ul><ul><li>Goal: convincing performance for own reduction </li></ul><ul><li>techniques </li></ul><ul><li>2000: First presented in PN Conference </li></ul><ul><li>Since then: Integration (PNK, CPN-AMI, MC Kit) </li></ul><ul><li>Applications </li></ul>
    4. 4. Properties & Reduction Techniques <ul><li>Boundedness </li></ul><ul><li>Reachability EF  </li></ul><ul><li>Deadlocks </li></ul><ul><li>Dead transitions </li></ul><ul><li>Liveness AG EF  </li></ul><ul><li>Reversibility </li></ul><ul><li>Home states </li></ul><ul><li>Progress GF  </li></ul><ul><li>Stability FG  </li></ul><ul><li>Eventually F  </li></ul><ul><li>CTL Model Checking </li></ul>Stubborn sets Symmetries Coverability Sweep-Line Cycle coverage State compression Goal-oriented execution Distributed version Abstraction refinement
    5. 5. Plan <ul><li>Applications </li></ul><ul><li>Implementation of core functionality </li></ul><ul><li>Reduction techniques </li></ul>
    6. 6. Application: GALS wrapper <ul><li>Background: </li></ul><ul><li>Cooperation with semiconductor institute in Frankfurt/O </li></ul><ul><li>Chip for coding/decoding 802.11 signals </li></ul><ul><li>GALS technology (globally asynchronous/locally synchronous) </li></ul><ul><li>Synchr. components embedded in asynchronous wrapper </li></ul><ul><li>Goal: Search for hazards in wrapper </li></ul>
    7. 7. Hazard AND a b c 0 1 P(b) = 0 P(a) = 1 P(c) = 0 1 1 0 0 1 0 1 0  T 1 0 P(a): P(b): P(c): Hazard
    8. 8. The Wrapper
    9. 9. Size of wrapper <ul><li>5 Components </li></ul><ul><li>5 Gate types </li></ul><ul><ul><li>AND, OR, NOR </li></ul></ul><ul><ul><li>Muller-C Element </li></ul></ul><ul><ul><li>FlipFlop </li></ul></ul><ul><ul><li>Counter </li></ul></ul><ul><ul><li>Mutex </li></ul></ul><ul><li>28 Gates </li></ul><ul><li>28 Signals </li></ul>
    10. 10. Model: AND
    11. 11. Hazard is Marking! P(a) = 1 P(b) = 0 P(c) = 0 E(a) E(b)
    12. 12. Verification <ul><li>Reachability problem (EF Hazard_Marking) </li></ul><ul><li> LoLA </li></ul><ul><li>286 Places + 466 Transitions </li></ul><ul><li>State explosion (2 P ) </li></ul>
    13. 13. Reduction <ul><li>Check hazards gate by gate, assume absence of hazards in remaining gates </li></ul><ul><li>Abstract other components </li></ul>AND AND OR a b c d e a b c d e
    14. 14. LoLA <ul><ul><li>Clock Control: 26 states </li></ul></ul><ul><ul><li>Pausable Clock Generator: 17 states </li></ul></ul><ul><ul><li>Timeout Generator: 100 states </li></ul></ul><ul><ul><li>Input Port: 10232 states </li></ul></ul><ul><ul><li>Output Port: 201 states </li></ul></ul><ul><ul><li>Reduction techniques: Stubborn sets, Sweep-Line </li></ul></ul>
    15. 15. Results <ul><li>2 real Hazards found </li></ul><ul><li>6 further hazards in the model, excluded by engineers, due to timing constraints </li></ul>
    16. 16. Application: Validation of PN Semantics for BPEL <ul><li>BPEL: </li></ul><ul><li>modelling language for business processes </li></ul><ul><li>BPEL process can be huge </li></ul><ul><li> formal verification of BPEL processes needed </li></ul><ul><li>problems: </li></ul><ul><li>BPEL is specified informally </li></ul><ul><li>formal verification of BPEL processes not possible </li></ul>
    17. 17. Process Sequence Flow A C D Switch B E Fault Handler Compensation Handler
    18. 18. Idea of the Petri net semantics <ul><li>Complete Petri net semantics for BPEL v1.1 </li></ul>Sequence A E Flow <ul><li>Petri net patterns </li></ul><ul><li>interface </li></ul>
    19. 19. Example: receive (cont.)
    20. 20. Analysis results Stubborn sets, Sweep-line 6,300,000 10,000 states 440,000 1,300 red. states 1,069 249 transitions 410 158 places 53 17 activities Online Shop Purchase Order
    21. 21. Application: H. Garavel‘s challenge <ul><li>Petri net distributed in PN mailing list (4 responses) </li></ul><ul><li>485 Places, 776 Transitions, almost 10 22 states </li></ul><ul><li>Example stems from LOTOS specification </li></ul><ul><li>Problem: Quasi-Liveness </li></ul><ul><li>LoLA solution: 776 state spaces, each checking </li></ul><ul><li>whether one single transition is dead </li></ul><ul><li>most state spaces trivial, due to goal orientation, </li></ul><ul><li>2 state spaces out of memory, but solved through </li></ul><ul><li>goal-oriented execution </li></ul><ul><li>Longest trace: almost 6000 transitions </li></ul>
    22. 22. Conclusion, Part I <ul><li>easy to integrate, easy to use LoLA </li></ul><ul><li>broad range of application areas </li></ul><ul><li>competitive run-time + reduction power </li></ul><ul><li>Most reliable reduction techniques: stubborn sets + sweep-line method </li></ul><ul><li>Divide specification into as many as possible calls to LoLA </li></ul><ul><li>abstract </li></ul>
    23. 23. 2. Implementation of core units
    24. 24. Core units <ul><li>Unfolding HL nets </li></ul><ul><li>Firing a transition </li></ul><ul><li>Evaluating a state predicate </li></ul><ul><li>Managing the state space </li></ul><ul><li>Organizing search </li></ul><ul><li>Detecting strongly connected components </li></ul>
    25. 25. 1. Unfolding HL nets <ul><li>Problem: An LL net stemming from an HL net contains many spurious elements. </li></ul><ul><li>Example: </li></ul>mailbox Proc x Proc tokens actually only for [x,y] with x N y Solutions: Maria: unfold HL net on-the-fly LoLA: propose redundant guards x N y x y mailbox
    26. 26. 2. Firing transitions <ul><li>Marking changed via list of pre-, list of post-places  effort does not depend on size of net </li></ul><ul><li>After firing, only some transitions are checked for enabledness </li></ul><ul><ul><li>previously enabled transitions that lost tokens </li></ul></ul><ul><ul><li>previously disabled transitions that gained tokens </li></ul></ul><ul><ul><li>... managed through explicitly stored lists </li></ul></ul>For nets exhibiting locality, only „constant“ effort for firing
    27. 27. 3. Checking state predicates <ul><li>predicate = boolean combination of p {><= ≤≥≠} k </li></ul><ul><li>stored in negation-free normal form </li></ul>  1  2  3  n ...  „ constant“ effort AND/OR true false
    28. 28. 4. Managing the state space <ul><li>1st state = bit vector </li></ul><ul><li>other states = bit vector +decision record </li></ul><ul><li>decision records form tree </li></ul>... p 1 p 2 p 3 p 4 p 5 p 6 ... ... nr: 6
    29. 29. 4 .Managing the state space <ul><li>find/insert a marking: one integrated process </li></ul><ul><li>dive done into decision tree </li></ul><ul><li>on mismatch: </li></ul><ul><ul><ul><ul><ul><li>at decision point: switch to next vector </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>at end: found, no insert </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>between decision points: insert at point of mismatch </li></ul></ul></ul></ul></ul><ul><li>decision records form tree </li></ul>... p 1 p 2 p 3 p 4 p 5 p 6 ... ... nr: 6
    30. 30. 5. Organizing search <ul><li>General remarks </li></ul><ul><li>Search consists of </li></ul><ul><li>- fire transitions ✔ </li></ul><ul><li>- find/insert marking ✔ </li></ul><ul><li>- backtracking: fire transition backwards </li></ul><ul><li> only „constant“ time </li></ul><ul><li> search stack consists of reference to transition + </li></ul><ul><li> list of enabled transitions </li></ul><ul><li> state space is „write-only“ memory </li></ul>
    31. 31. 5. Organizing search <ul><li>b) Depth-first search: ability to detect SCC </li></ul><ul><li>c) Breadth-first search: </li></ul><ul><li>Simulated by bounded depth-first search with incrementally increased bound </li></ul><ul><li> Update of current marking, list of enabled transitions, etc. through sequence of transition occurrences </li></ul>
    32. 32. 6. Detecting strongly connected components <ul><li>Traditional approach: Tarjan‘s algorithm </li></ul>Tree edge Forward edge Backward edge Cross edge <ul><li>consecutive dfs number </li></ul><ul><li>v.lowlink = min {v‘.dfs | v  *v‘ via </li></ul><ul><li>- arbitrarily many tree edges </li></ul><ul><li>- + one other edge within same scc } </li></ul><ul><li>roots of scc hold: dfs = lowlink </li></ul><ul><li>implementation: second stack </li></ul>0 3 2 6 1 5 4 0 1 1 3 4 4 4
    33. 33. 6. Detecting strongly connected components <ul><li>LoLA approach: simplified lowlink </li></ul>Tree edge Forward edge Backward edge Cross edge <ul><li>consecutive dfs number </li></ul><ul><li>v.lowlink = min {v‘.dfs | v  *v‘ via </li></ul><ul><li>- arbitrarily many tree edges </li></ul><ul><li>- + one other edge within same scc } </li></ul><ul><li>roots of terminal scc hold: dfs = lowlink </li></ul><ul><li>no second stack necessary </li></ul><ul><li>terminal scc sufficient for liveness, </li></ul><ul><li>reversibility, ... </li></ul>0 3 2 6 1 5 4 0 1 1 1 1 4 4
    34. 34. Conclusion, Part II <ul><li>LoLA is a Petri net tool </li></ul><ul><li>Locality: „constant“ effort for many core tasks </li></ul><ul><li>Linearity: Backtracking through backward firing </li></ul><ul><li>Monotonicity: narrowed set of transitions to be checked for enabledness </li></ul>
    35. 35. Conclusion, Part II <ul><li>LoLA is a Place Transition net tool </li></ul><ul><li>simple data structures, just numbers </li></ul><ul><li>Backtracking through backward firing </li></ul><ul><li>only few sources for automated abstraction </li></ul><ul><li>some nets cannot be handled due to size of net </li></ul>
    36. 36. Reduction techniques
    37. 37. 1. Linear algebra <ul><li>The invariant calculus </li></ul><ul><ul><li>originally invented for replacing state spaces </li></ul></ul><ul><ul><li>in LoLA: used for optimizing state spaces </li></ul></ul>Place invariant: token weights attached to places, weighted sum constant for all reachable markings Transition invariant: firing vector of a potential cycle
    38. 38. 1. Linear algebra <ul><li>Place invariants </li></ul><ul><li> linear dependancy between places </li></ul><ul><li>Knowing invariants, marking of some places can be expressed in terms of other places </li></ul><ul><li> those places need not be stored </li></ul><ul><li> search/insert can be restricted to significant places </li></ul><ul><li>reduction 30-70% of space and time </li></ul>
    39. 39. 1. Linear algebra <ul><li>Transition invariants </li></ul><ul><li>for termination sufficient: store one state per cycle of occurrence graph </li></ul><ul><li>implementation in LoLA: </li></ul><ul><li>transition invariants  set of transitions that occur in every cycle  store states where those transitions enabled </li></ul><ul><li>saves space, if applied in connection with stubborn sets, costs time </li></ul>
    40. 40. 2. The sweep-line method <ul><li>Relies on progress measure </li></ul><ul><li>LoLA computes measure automatically, based on </li></ul><ul><li>transition invariants </li></ul><ul><li>Idea: - Every transition changes progress value by constant </li></ul><ul><li>- Sum of changes must be 0 on every transition invariant </li></ul><ul><li> simple system of linear equations </li></ul>
    41. 41. 2. The sweep-line method <ul><li>constant change  successors lie in a small window of progress values </li></ul>current state - + load persistent states from previous sweep store states marked persistent
    42. 42. 3. The symmetry method <ul><li>LoLA: A symmetry = a graph automorphism of the PT-Net </li></ul><ul><li>All graph automorphisms = a group (up to exponentially many members) </li></ul><ul><li> stored in LoLA: polynomial generating set </li></ul><ul><li>A marking class: all markings that can be transformed into each other by symmetry </li></ul><ul><li> executed in LoLA: polynomial time approximation </li></ul>
    43. 43. 3. The symmetry method <ul><li>Generating set: </li></ul>1 2 3 4 5 6 7 8 1st part: for every possibility to move node 1, insert one automorphism: (1 2 3 4) (5 6 7 8) (1 3) (2 4) (5 7) (6 8) (1 4 3 2) (5 8 7 6) (1 5 8 4) (2 6 7 3) (1 6) (2 5) (3 8) (4 7) (1 7) (2 8) (3 5) (4 6) (1 8) (2 7) (3 6) (4 5) 2nd part: fix 1, try to move node 2: (1) (2 4 5) (3 8 6) (7) (1) (2 5 4) (3 6 8) (7) 3rd part: fix 1,2, try to move node 3: (1) (2) (3 6) (4 5) (7) (8)
    44. 44. 3. The symmetry method <ul><li>compute canonical representative </li></ul><ul><li>Canonical representative = lexicographically smallest </li></ul><ul><li>member of marking class </li></ul><ul><li>Approximation: </li></ul><ul><li>Use 1st part to sort smallest value to 1st component </li></ul><ul><li>Use 2nd part to sort smallest value to 2nd component </li></ul><ul><li>... </li></ul>
    45. 45. 4. Stubborn set method <ul><li>Dedicated method for each property </li></ul><ul><li>traditional LTL-preserving method: </li></ul><ul><li>- one enabled transition </li></ul><ul><li>- the basic stubborness principal (  next slide) </li></ul><ul><li>- only invisible transitions </li></ul><ul><li>- at least once, on every cycle, all enabled transitions </li></ul><ul><li>LoLA: </li></ul><ul><li>- can avoid some of the criteria, depending on property </li></ul>
    46. 46. 4. The stubborn set method <ul><li>The basic stubborness principal </li></ul><ul><li>If t activated, insert all conflicting transitions </li></ul><ul><li>If t deactivated, insert all pre-transitions of an insufficiently marked place (the scapegoat) </li></ul><ul><li>LoLA: Every transition object holds list of all conflicting t </li></ul><ul><li>Every place holds list of all pre-transitions </li></ul><ul><li>Every transition holds reference to one of the lists, </li></ul><ul><li>updated during enabledness check </li></ul>Prod has more sophisticated, but slower techniques
    47. 47. Combination of techniques currentmarking := initial marking compute firing list do if firing list empty then take care of scc check property backtrack else fire element of firing list search & insert if new check property compute firing list else backtrack Symmetries Stubborn sets Linear algebra
    48. 48. Conclusion Part III <ul><li>PT approach  automatic computation of structural information necessary + possible </li></ul><ul><li>Most techniques compatible with each other </li></ul><ul><li>Dedicated methods for particular properties beat generic approaches </li></ul>
    49. 49. PTN versus CPN verification with significant knowledge of the model verification with little knowledge of the model Target group easier difficult Abstraction difficult to use easy to use Linear algebra manual or user-assisted automatic Additional information CPN PTN
    50. 50. General conclusion <ul><li>For success </li></ul><ul><ul><li>abstract </li></ul></ul><ul><ul><li>split into many verification tasks </li></ul></ul><ul><ul><li>use dedicated techniques </li></ul></ul><ul><ul><li>insert structural information </li></ul></ul><ul><ul><li>trade space (explicit information about net) for run time (state space) </li></ul></ul>
    51. 51. Future of LoLA <ul><li>Counterexample guided abstraction refinement </li></ul><ul><ul><li>decolouring of HL nets </li></ul></ul><ul><ul><li>on the coverability graph </li></ul></ul><ul><li>Distributed version </li></ul><ul><li>Modular state spaces </li></ul><ul><li>Support of more properties </li></ul><ul><li>Fiona: Operating guidelines for services </li></ul>
    52. 52. More information <ul><li>LoLA: ICATPN 2000 </li></ul><ul><li>Fiona: BPM 2006 </li></ul><ul><li>Stubborn sets: ICATPN 1999, Fundamenta Informaticae 2000 </li></ul><ul><li>Symmetries: Acta Informatica 2000, TACAS 2000 </li></ul><ul><li>Linear Algebra: TACAS 2003 </li></ul><ul><li>Sweep-Line: TACAS 2004+STTT </li></ul><ul><li>Coverability graphs: FMSD 1999 </li></ul><ul><li>Distributed verification: Fundamenta Informaticae 2003 </li></ul><ul><li>Services: BPM 2005 </li></ul><ul><li>GALS: ASYNC 2005 </li></ul>

    ×