State Space Reduction Techniques to Verify Business Processes

Invited presentation given by Niels Lohmann on January 11, 2010 in Potsdam, Germany, as an invited lecture at the Business Process Management course at the Hasso-Plattner-Institute.

Published in: Education, Technology

  1. State Space Reduction Techniques to Verify Business Processes
     Niels Lohmann

  2. Correctness of Business Processes
     Business process models need to be correct!
     Ramifications of incorrect models:
     - execution deadlocks ➙ down times
     - simulation results are wrong ➙ wrong optimizations
     - design-by-contract scenario ➙ legal problems
     - …
     Faults have business impact!
     (footer on every slide: State Space Reduction Techniques, 11.01.10)

  3. Dimensions of Correctness
     [figure: three dimensions of correctness]
     - correctness criteria: legal properties (compliance); semantical properties (ontologies); quantitative properties (cost, throughput); control flow (soundness, deadlock freedom)
     - level of automation: manual; partial (interactive); full-automatic
     - correctness approach: domain specific; domain independent

  4. Model Checking
     fully automatically check whether a system meets a specification
     - “fully automatically” = no interaction with an expert
     - “check” = mathematically prove by exhaustion
     - “system” = formal model
     - “specification” = formal correctness criterion
     advantages: complete, fast, automated, cheap, provides counterexamples
     disadvantages: requires a formal model; specification might be complex; state space explosion

  7. State Space Explosion
     State space can grow exponentially in the size of the model.
     [figure: reachability graph of an example with parallel branches 1–4; states labelled 111 … 333 and 444]

  8. State Space Explosion
     reasons for state space explosion:
     - explicit (arbitrary) ordering of unordered events
     - interleaving of independent components
     - global states
     - global transitions
     in business processes:
     - parallel branches (AND-splits)
     - parallel composition
     - refinement
     - asynchronous communication
     - …

  9. Example
     example business process: 66 parallel branches ➙ ≥ 2⁶⁶ ≈ 7.37 · 10¹⁹ states
     - assume each state needs 66 bits to store: 4 zettabytes required (…, giga, tera, peta, exa, zetta, …)
     - assume a notebook can check 1 state per cycle at 3 GHz: 51475 years required
     - energy consumption (50 watts) would be close to 1 megaton TNT
     unrealistic?
     - real business process model made with IBM Business Modeler
     - models are not state based
     - the modeler is not the limiting factor

  10. Fight the State Explosion!
     - restrict modeling language (block structure)
     - abstract model (data abstractions)
     - decomposition techniques (SESE)
     - reduce model (structural reduction techniques)
     - compactly represent state space (symbolic techniques)
     - reduce state space (partial order reduction, symmetries, …)
     - …

  11. Agenda
     - Introduction ✔
     - Partial Order Reduction ☜
     - Symmetry Reduction
     - Lessons Learned

  12. Partial Order Reduction
     Core idea: only fire a small subset of activated transitions
     [figure: full reachability graph of the example from slide 7, states 111 … 333, 444]

  13. Partial Order Reduction
     Core idea: only fire a subset of activated transitions
     [figure: reduced graph; only the path 111 → 121 → 122 → 222 → 223 → 323 → 333 → 444 is explored]

  14. Model Checking with Partial Order Reduction
     - selection idea: postpone firing of independent transitions
     - unselected transitions cannot activate/deactivate selected transitions
     - the more concurrency, the better!
     - prerequisite: specification must be stutter-equivalent (no X operator)
     reduced depth-first search (only the FOR ALL line changes against the plain search):
       R := E := ∅; dfs(m0);
       dfs(m):
         R := R ∪ {m};
         FOR ALL t: t selected in m DO      (was: FOR ALL t: t enabled in m DO)
           m' = m – •t + t•
           IF m' ∈ R
           THEN E := E ∪ {[m, m']}
           ELSE E := E ∪ {[m, m']}; dfs(m')
           END
         END

  15. Partial Order Reduction and Petri Nets
     - selection is guided by the Petri net structure
     - deadlock-preserving partial order reduction:
       initially: add an activated transition
       until a fixed point is reached: add conflicting transitions
     - example: mutual exclusion
     - not calculated: (c,i,0), (i,c,0)
     [figure: mutual exclusion Petri net (places i, r, c for each process, semaphore s; transitions t1–t6) and its reduced reachability graph with states (i,i,1), (r,i,1), (i,r,1), (r,r,1), (r,c,0), (c,r,0)]

  16. Partial Order Reduction: Case Study
     - 735 industrial business processes from IBM customers
     - maximal 118 nodes, 66 parallel branches
     - about 50% were sound
     comparison between three approaches:
     - LoLA with partial order reduction
     - SESE decomposition as BOM plugin (IBM Research Zurich)
     - Woflan (TU Eindhoven)

  17. Case Study: Results
     LoLA was the fastest tool to decide soundness:
     - maximal 50 ms per process (9 ms on average)
     - faster than domain-specific approaches
     partial order reduction made verification very easy:
     - at most 6467 states needed to be analyzed (100 on average)
     - never more than 2 MB of memory needed
     - structural reduction had no impact on runtime
     nets and study available at http://service-technology.org/soundness

  18. Checking Soundness
     - classical: soundness = short-circuited net is live and bounded
     - naïve: check CTL property “AGEF final”
     - LoLA: use partial order reduction:
       check AGEF final
       check boundedness
       (both checks can be parallelized)
     - exploit domain knowledge:
       free-choice Petri nets + workflow structure: boundedness implies 1-safeness
       check “EF (p1>1 ∨ … ∨ pn>1)” instead of boundedness
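The decomposition on slide 18, carried out on an explicit reachability graph: option to complete as AG EF final (backward reachability from the final marking) and, instead of a boundedness check, the search for a witness of EF (p1>1 ∨ … ∨ pn>1). This is an added example written for this page, not LoLA's code; the three workflow nets (`SOUND`, `DEADLOCKING`, `UNSAFE`), the marking encoding and the function names are constructed for the illustration. The explorer stops expanding a marking as soon as some place holds more than one token, since that marking already witnesses the EF property; this keeps the search finite even for an unbounded net.

```python
"""Soundness check on the reachability graph of a workflow net (added example):
AG EF final (option to complete) plus EF (p1>1 ∨ … ∨ pn>1) instead of boundedness."""
from collections import Counter

# Constructed workflow nets: transition -> (consumed multiset, produced multiset);
# source place "i", sink place "o".
SOUND = {                      # AND-split, work on both branches, AND-join
    "split": ({"i": 1}, {"a": 1, "b": 1}),
    "ta": ({"a": 1}, {"a2": 1}),
    "tb": ({"b": 1}, {"b2": 1}),
    "join": ({"a2": 1, "b2": 1}, {"o": 1}),
}
DEADLOCKING = {                # XOR-split followed by an AND-join: the join waits forever
    "xa": ({"i": 1}, {"a": 1}),
    "xb": ({"i": 1}, {"b": 1}),
    "join": ({"a": 1, "b": 1}, {"o": 1}),
}
UNSAFE = {                     # AND-split followed by an XOR-join: "o" receives two tokens
    "split": ({"i": 1}, {"a": 1, "b": 1}),
    "ja": ({"a": 1}, {"o": 1}),
    "jb": ({"b": 1}, {"o": 1}),
}


def to_key(counter):
    """Hashable marking: the set of (place, tokens) pairs with tokens > 0."""
    return frozenset((p, n) for p, n in counter.items() if n > 0)


def enabled(net, m):
    return [t for t, (pre, _) in net.items() if all(m[p] >= n for p, n in pre.items())]


def fire(net, m, t):
    pre, post = net[t]
    m2 = Counter(m)
    m2.subtract(pre)  # m' = m - •t + t•
    m2.update(post)
    return to_key(m2)


def reachability_graph(net, m0):
    """DFS over markings. A marking with a place holding >1 token is recorded as a
    witness for EF (p1>1 ∨ … ∨ pn>1) and not expanded, which keeps the exploration
    finite even when the net is unbounded."""
    succ, unsafe, stack = {}, [], [to_key(m0)]
    while stack:
        m = stack.pop()
        if m in succ:
            continue
        if any(n > 1 for _, n in m):
            unsafe.append(m)
            succ[m] = set()
            continue
        c = Counter(dict(m))
        succ[m] = {fire(net, c, t) for t in enabled(net, c)}
        stack.extend(m2 for m2 in succ[m] if m2 not in succ)
    return succ, unsafe


def ag_ef(succ, goal):
    """AG EF goal on a finite graph: every state reaches a goal state.
    Returns (holds, markings from which no goal state is reachable)."""
    pred = {m: set() for m in succ}
    for m, targets in succ.items():
        for m2 in targets:
            pred[m2].add(m)
    good = {m for m in succ if goal(m)}
    stack = list(good)
    while stack:
        for p in pred[stack.pop()]:
            if p not in good:
                good.add(p)
                stack.append(p)
    return len(good) == len(succ), sorted((m for m in succ if m not in good), key=sorted)


def check_soundness(net, source="i", sink="o"):
    final = frozenset({(sink, 1)})
    succ, unsafe = reachability_graph(net, Counter({source: 1}))
    completes, stuck = ag_ef(succ, lambda m: m == final)
    return {"states": len(succ), "option_to_complete": completes,
            "stuck_markings": stuck, "unsafe_markings": unsafe,
            "sound": completes and not unsafe}


if __name__ == "__main__":
    for name, net in [("SOUND", SOUND), ("DEADLOCKING", DEADLOCKING), ("UNSAFE", UNSAFE)]:
        result = check_soundness(net)
        print(name, "sound" if result["sound"] else "NOT sound", result)
```

The `stuck_markings` and `unsafe_markings` lists are the counterexamples slide 4 lists as an advantage of model checking: for `DEADLOCKING` they name the two markings after the XOR-split from which the final marking is unreachable, for `UNSAFE` the marking with two tokens in `o`.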
  19. Partial Order Reduction in LoLA
     - the feature in LoLA (#define STUBBORN)
     - adapted versions for several specifications:
       deadlock freedom, reachability
       reversibility, boundedness, liveness, home markings
       special state predicates (EF, AGEF, GF, FG, …)
       CTL
     - always recommended
     - also applicable for random searches

  20. Agenda
     - Introduction ✔
     - Partial Order Reduction ✔
     - Symmetry Reduction ☜
     - Lessons Learned

  21. Symmetry Reduction
     - Core idea: symmetrically structured systems have symmetric behavior
     - Prerequisite: the specification also needs to be symmetric
     Model Checking with Symmetry Reduction
     - result: the more symmetries found, the fewer states to store
     - good and bad news: there exist exponentially many symmetries
     - challenge: find and organize as many symmetries as possible
     - Petri nets allow symmetries to be derived from the structure!
     depth-first search with symmetry reduction (s is a symmetry; only the IF line changes):
       R := ∅; E := ∅; dfs(m0)
       dfs(m):
         R := R ∪ {m}
         FOR ALL t: t enabled in m DO
           m' = m – •t + t•
           IF we find s with s(m') ∈ R
           THEN E := E ∪ {[m, s(m')]}
           ELSE E := E ∪ {[m, m']}; dfs(m')
           END
         END

  22. Symmetries for Petri Nets
     - formally: bijective mapping on Petri net nodes that respects node types and the flow relation (“net automorphism”)
     - markings [r1, i2, s] and [i1, r2, s] are symmetric
     - symmetries can be calculated without prior knowledge
     [figure: mutual exclusion Petri net with places i1, r1, c1, i2, r2, c2, s and transitions t1–t6]

  23. Representation of Symmetries
     - identity is always a symmetry
     - symmetries are closed under inversion and concatenation (group theory)
     - an exponential number of symmetries can be represented by a polynomial generator set
     - performs best if the system has many components
     example: 5 symmetries; full: 242 states; reduced: 50 states
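Both reductions, as sketched on slides 14 and 15 (stubborn-set search) and slides 21 to 23 (search modulo symmetry), run on the two-process mutual exclusion net of those slides, separately and combined. This is an added example written for this page, not LoLA's code; the net encoding, the place permutation `SWAP` with its transition counterpart `SWAP_T`, and the seed-selection heuristic (try every enabled transition as seed, keep the set that fires the fewest transitions) are assumptions. The closure also applies the usual rule for a disabled transition in the set (add the producers of one of its unmarked input places), which the two-line summary on slide 15 omits but which the set needs to stay deadlock-preserving.

```python
"""Stubborn-set (partial order) and symmetry reduction on the two-process
mutual exclusion net of the slides (added example, not LoLA code)."""

# Constructed net: places i1,r1,c1 (process 1 idle/requesting/critical),
# i2,r2,c2 (process 2) and the semaphore s; transition -> (•t, t•).
NET = {
    "t1": ({"i1"}, {"r1"}),       "t4": ({"i2"}, {"r2"}),       # request
    "t2": ({"r1", "s"}, {"c1"}),  "t5": ({"r2", "s"}, {"c2"}),  # enter
    "t3": ({"c1"}, {"i1", "s"}),  "t6": ({"c2"}, {"i2", "s"}),  # leave
}
M0 = frozenset({"i1", "i2", "s"})  # the net is 1-safe, so a marking is a set of places


def enabled(m):
    return [t for t, (pre, _) in NET.items() if pre <= m]


def fire(m, t):
    pre, post = NET[t]
    return (m - pre) | post  # m' = m - •t + t•


def stubborn_set(m):
    """Deadlock-preserving stubborn set of m (assumed rules, see lead-in):
    enabled t in the set -> all transitions in conflict with t (shared input place);
    disabled t in the set -> all producers of one unmarked input place of t."""
    def closure(seed):
        S, todo = {seed}, [seed]
        while todo:
            pre = NET[todo.pop()][0]
            if pre <= m:
                new = {u for u, (upre, _) in NET.items() if upre & pre}
            else:
                p = min(pre - m)
                new = {u for u, (_, upost) in NET.items() if p in upost}
            for u in new - S:
                S.add(u)
                todo.append(u)
        return S
    en = enabled(m)
    if not en:
        return set()  # deadlock: nothing to fire, so nothing is hidden
    # heuristic: try every enabled transition as seed, keep the set firing fewest
    return min((closure(t) for t in en),
               key=lambda S: (sum(NET[t][0] <= m for t in S), sorted(S)))


# Symmetry generator: swap the two processes (places and transitions).
SWAP = {"i1": "i2", "i2": "i1", "r1": "r2", "r2": "r1", "c1": "c2", "c2": "c1", "s": "s"}
SWAP_T = {"t1": "t4", "t4": "t1", "t2": "t5", "t5": "t2", "t3": "t6", "t6": "t3"}


def is_net_automorphism(sp, st):
    """Slide 22: a bijection on nodes respecting node types and the flow relation."""
    return all(NET[st[t]] == ({sp[p] for p in pre}, {sp[p] for p in post})
               for t, (pre, post) in NET.items())


def group_closure(generators):
    """All symmetries obtained by composing generators (finite, so inverses included)."""
    places = sorted(generators[0])
    key = lambda g: tuple(g[p] for p in places)
    ident = {p: p for p in places}
    group, todo = {key(ident): ident}, [ident]
    while todo:
        g = todo.pop()
        for h in generators:
            gh = {p: h[g[p]] for p in places}
            if key(gh) not in group:
                group[key(gh)] = gh
                todo.append(gh)
    return list(group.values())


GROUP = group_closure([SWAP])  # here just {identity, SWAP}


def canonical(m):
    """Orbit representative: the lexicographically smallest symmetric image of m."""
    return min((frozenset(g[p] for p in m) for g in GROUP), key=sorted)


def explore(select, canon=lambda m: m):
    """DFS of the reachability graph: `select` gives the transitions fired in a
    marking, `canon` maps each successor to its representative (slide 21's s(m'))."""
    start = canon(M0)
    R, E, stack = {start}, set(), [start]
    while stack:
        m = stack.pop()
        for t in select(m):
            m2 = canon(fire(m, t))
            E.add((m, t, m2))
            if m2 not in R:
                R.add(m2)
                stack.append(m2)
    return R, E


def reduction_summary():
    """(stored states, deadlocks found) for each exploration strategy."""
    strategies = [("full", enabled, lambda m: m), ("stubborn", stubborn_set, lambda m: m),
                  ("symmetry", enabled, canonical), ("both", stubborn_set, canonical)]
    out = {}
    for name, select, canon in strategies:
        R, _ = explore(select, canon)
        out[name] = (len(R), sum(1 for m in R if not enabled(m)))
    return out


if __name__ == "__main__":
    for name, (states, deadlocks) in reduction_summary().items():
        print(f"{name:9s} states={states} deadlocks={deadlocks}")
```

The full graph has the eight markings of slide 15; the stubborn-set search stores six, leaving (c,i,0) and (i,c,0) unexplored exactly as the slide says; the symmetry search folds [r1,i2,s] and [i1,r2,s] (slide 22) and stores five; combining both stores four. All four runs agree that the net has no deadlock, which is the property the reductions preserve.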
  24. Symmetry Reduction: Case Study
     - BPEL4Chor choreography
     - inter-organizational business process with 2+n participants

  26. Case Study: Results
     [chart: state space size for growing n; series: unreduced, symmetry reduction, partial order reduction, symmetry reduction + partial order reduction, overflow (>2 GB); annotations: exponential growth, linear growth]

  27. Symmetry Reduction in LoLA
     - adapted versions for several specifications:
       deadlock freedom
       reachability, properties of transitions/places
       reversibility, boundedness
     - can be combined with partial order reduction
     - implements several strategies/heuristics to calculate symmetries (#define SYMMETRY)
     - tradeoff between memory and runtime needed for symmetries
     - requires preprocessing time and yields runtime overhead

  28. Agenda
     [image caption: VERIFYING!]
     - Introduction ✔
     - Partial Order Reduction ✔
     - Symmetry Reduction ✔
     - Lessons Learned ☜

  29. Lessons Learned (1/4): LoLA
     - >10 years of development, 25 KLOC
     - very efficient; limit: memory allocation
     - exploits Petri net theory where possible
     - implemented heuristics close to domain knowledge
     - applications in biology, BPM, services, hardware, …
     - CTL model checker, dedicated algorithms for many properties
     - partial order reduction, symmetry, sweep line, invariant compression, …
     - alternative file format: high-level Petri net
     - free software: http://service-technology.org/lola

  30. Lessons Learned (2/4): Model Checking Tools
     - naïve algorithms are quickly implemented, but useless
     - abstract data types are key to success
     - understand your algorithm and the lifecycle of each variable
     - understand the assumptions
     - theory is your friend
     - usability ≠ tool is extendible, user-friendly, …
     - usability = tool performs on realistic models
     - memory management, data structures, object lifecycle: go back 20 years and do it all yourself!
     - a special discipline of software engineering: ignore design patterns and best practices!

  31. Lessons Learned (3/4): State Space Reduction
     - active research community: group theory, concurrency theory, net theory, coding theory, …
     - technology transfer very hard
     - key to success: don’t be afraid of worst-case complexity!
     - understand the verification problem
     - decompose the specification into several easier properties
     - only model relevant properties

  32. Lessons Learned (4/4): Correctness in BPM
     - quality of models is still very low
     - models are rather simple right now
     - many features of BPM languages are not yet used
     - correctness notions are rather simple
     - domain-unspecific tools are still competitive
     - control flow verification solved
     - more to come: inter-organizational business processes, Web services, SOA, Cloud Computing

  33. Thank you! Questions?
     Niels Lohmann
     University of Rostock
     niels.lohmann@uni-rostock.de
     http://service-technology.org/tools

  34. Copyrights
     - Public domain: http://commons.wikimedia.org/wiki/File:Castle_Romeo.jpg, http://en.wikipedia.org/wiki/File:Colossus.jpg
     - CC Attribution-NonCommercial 2.5: http://xkcd.com/303/ (image by Randall Munroe)
     - http://11.media.tumblr.com/tumblr_kqs9kyN2fE1qzma4ho1_400.jpg
     - GNU FDL 1.2: http://en.wikipedia.org/wiki/File:Rubik%27s_cube.svg
