Verification with LoLA: 5 Case Studies

Published in: Education
  • Speaker note: Problem here: ΔT becomes arbitrarily small
  • Speaker note: Level places -> trivial idea; edge places -> D. Gomm
  • Speaker note: Level places: an LL net suffices
  • Verification with LoLA: 5 Case Studies

    1. 5. Case Studies (Niels Lohmann)
    2. Exploring biochemical reaction chains [figure: The ErbB Network (cartoon form)]
    3. Reaction chains
       • Domain: symbolic systems biology
       • “Symbolic systems biology is the qualitative and quantitative study of biological processes as integrated systems rather than as isolated parts.”
       • Property: reachability
    4. [Figure: reaction network diagram with node and reaction labels]
    5. Reaction chains
       • “For reachability queries on our nets, answering a reachability query that would have taken hours using a general purpose model-checking tool takes on the order of a second in LoLA — fast enough to permit interactive use.”
    6. Finding Hazards in GALS Circuits
    7. GALS circuits
       • Domain: asynchronous/synchronous hardware design
       • prototype for IEEE-802.11 chip
       • asynchronous hardware is not clocked: order/timing of events makes a difference
       • problem: glitch
    8-12. Glitch [animated figure: AND gate with inputs a, b and output c, initially P(a) = 1, P(b) = 0, P(c) = 0; timing diagram of P(a), P(b), P(c) with delay ΔT. In this sequence P(a) changes to 0, P(b) changes to 1, and P(c) stays 0.]
    13-18. Glitch [same animated figure. In this sequence P(b) changes to 1, P(a) changes to 0, and P(c) goes 0, 1, 0; the last build labels this "Hazard".]
    19-30. Petri Net Model of AND [animated figure: Petri net with signals a, b and c]
       • Events
       • Level
       • Logics
       • input states (P(a),P(b)): 00, 01, 10, 11
    31. GALS circuits
       • Property: reachability
       • Problem:
          • partial order reduction not effective enough in isolation
          • sweep line helped
          • initial model: 204 places/368 transitions; manual abstractions necessary
          • found 8 hazards, 2 were actual problems
    32. Verifying Service Choreographies
    33. Service Choreography
       • Domain: service-oriented architectures
       • Original model: BPEL4Chor
       • translation: compiler BPEL2oWFN
       • Design flaw in choreography model.
       • Property: deadlock freedom
    34-43. Service Choreography [animated figure]
       • one traveler, one travel agency, several airlines
    44. Service Choreography [figure]
    45-56. Service Choreography [animated figure]
       • The composition can deadlock!
    57-59. Service Choreography: case study (table from "Analyzing BPEL4Chor - Verification and Partner Synthesis")

           airline instances                                   1      5       10      100      1000
           places                                             20     63      113     1013     10013
           transitions                                        10     41       76      706      7006
           states, complete/unreduced                         14   3483  9806583        %         %
           states, symmetry reduction                         14    561   378096        %         %
           states, partial order reduction (stubborn sets)    11     86      261    18061   1752867
           states, symmetry and partial order reduction       11     30       50      410      4010

           % = overflow (>2 GB)
           Slides 58 and 59 add the annotations "exponential growth" and "linear growth".
    60. Soundness of Business Processes [figure with labels M2, M1, J1, F1]
    61. Soundness
       • 735 real-world business processes from IBM customers
       • original formalism: UML dialect from the IBM WebSphere Business Modeler
       • translation: compiler UML2oWFN
       • original question: can soundness be verified using model checking techniques?
    62. Soundness [figure]
    63. Soundness
       • “IBM Soundness” = absence of
          • lack of synchronization (= unsafe marking)
          • deadlock (= deadlock)
          • + certain assumptions on the structure
       • for LoLA: two checks
          • Is the final marking live?
          • Is the net safe?
    64. Soundness [figure: three tool chains, each ending in an analysis result (sound, or a counterexample / structural information)]
       • IBM WebSphere Business Modeler / SESE approach: business process model, translation to workflow graph, SESE decomposition into SESE fragments; for each SESE fragment: matches structural heuristics? otherwise soundness check (plain state space); choice depends on SESE fragment
       • Compiler and LoLA: translation to Petri net, liveness check (reduced state space) and safeness check (reduced state space); always perform both checks
       • Woflan: workflow net, trivial workflow net?, workflow net reduction to reduced workflow net, soundness check (structure and state space), extension to structural analysis result; choice depends on net structure
    65. Soundness
       • execution scheduled and optimized using Makefiles
       • max. 50 ms per check
       • “analysis on demand”
       • observed effect: structural reduction techniques do not pay off when using stubborn sets
    66. Verification of Concurrent Programs
    67. Concurrent Programs
       • concurrent processes
       • shared and global variables
       • goal: find a small-model property to make a statement on the correctness of an arbitrary number of instances
       [figure with panels (a) and (b) and labels |R_n|, |R|, n, m, c; running header: 650, A. Kaiser, D. Kroening, and T. Wahl]
    68. Concurrent Programs
       • problem can be solved by checking for reachable states in a coverability graph
       • challenge: number of places = number of states of a process
       • concurrency only through tokens
       • it took a while to beat LoLA
    69. Solving AI Planning Problems
    70. AI Planning
       • setting: smart conference room
       • several projectors, canvases, documents, and lamps
       • AI planning problem: Configure the room to display document A on that canvas.
       • original formalism: proprietary planning language; manually translated
    71. AI Planning
       • straightforward translation to state predicate

           Goals:                       FORMULA
           ( LightOn 1 Lamp1 );         LightOn.<Lamp1|TRUE> = 1 AND
           ( LightOn 1 Lamp2 );         LightOn.<Lamp2|TRUE> = 1 AND
           ( DocShown 1 Doc1 LW3 );     DocShown.<Doc1|LW3|TRUE> = 1 AND
           ( DocShown 1 Doc2 LW1 );     DocShown.<Doc2|LW1|TRUE> = 1 AND
           ( CanvasDown 1 VD1 );        CanvasDown.<VD1|TRUE> = 1

       • system is extremely concurrent
       • depth-first search actually finds shortest path
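
The hazard search from slides 8-31 as an added example (not taken from the slides and not LoLA code): a hand-built Petri net of the AND gate with level places, searched breadth-first for a reachable marking in which c is high while the inputs switch from (1,0) to (0,1). The place and transition names and the `ordered` variant are assumptions made for illustration.

```python
from collections import deque

# Constructed model: every signal x has two level places x0/x1, exactly one
# of which is marked. The net is safe (at most one token per place), so a
# marking is stored as the set of marked places. A transition is a pair
# (consumed places, produced places); a place in both sets is only read.
def and_gate_net(ordered=False):
    net = {
        "a_fall":   ({"a1"}, {"a0"}),                    # input a: 1 to 0
        "b_rise":   ({"b0"}, {"b1"}),                    # input b: 0 to 1
        "c_rise":   ({"c0", "a1", "b1"}, {"c1", "a1", "b1"}),
        "c_fall_a": ({"c1", "a0"}, {"c0", "a0"}),
        "c_fall_b": ({"c1", "b0"}, {"c0", "b0"}),
    }
    if ordered:
        # Hypothetical design fix: b may only rise once a is already low.
        net["b_rise"] = ({"b0", "a0"}, {"b1", "a0"})
    return net

INITIAL = frozenset({"a1", "b0", "c0"})   # P(a)=1, P(b)=0, P(c)=0

def find_hazard(net, initial=INITIAL, bad_place="c1"):
    """Reachability query: shortest firing sequence that marks bad_place,
    or None if no reachable marking contains it."""
    seen = {initial}
    queue = deque([(initial, [])])
    while queue:
        marking, path = queue.popleft()
        if bad_place in marking:
            return path                                  # witness path
        for name, (pre, post) in sorted(net.items()):
            if pre <= marking:                           # transition enabled
                succ = frozenset((marking - pre) | post)
                if succ not in seen:
                    seen.add(succ)
                    queue.append((succ, path + [name]))
    return None

if __name__ == "__main__":
    print("unordered inputs:", find_hazard(and_gate_net()))
    print("a falls first   :", find_hazard(and_gate_net(ordered=True)))
```

The output should stay 0 for both input combinations, so any marking with `c1` is a hazard; the witness path is the counterexample a designer would inspect.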
