Invited presentation given by Niels Lohmann on January 11, 2010 in Potsdam, Germany, as an invited lecture in the Business Process Management course at the Hasso-Plattner-Institute.
2. Correctness of Business Processes
Business process models need to be correct! Ramifications of incorrect models:
- execution deadlocks ➙ down times
- simulation results are wrong ➙ wrong optimizations
- design-by-contract scenario ➙ legal problems
- …
Faults have business impact!
State Space Reduction Techniques 11.01.10
3. Dimensions of Correctness
(figure: three axes)
- correctness criteria: legal properties (compliance), semantical properties (ontologies), quantitative properties (cost, throughput), control flow (soundness, deadlock freedom)
- level of automation: manual, partial (interactive), full-automatic
- correctness approach: domain specific, domain independent
8. State Space Explosion
Reasons for state space explosion:
- explicit (arbitrary) ordering of unordered events
- interleaving of independent components
- global states
- global transitions
In business processes:
- parallel branches (AND-splits)
- parallel composition
- refinement
- asynchronous communication
- …
(figure: example Petri net)
9. Example
Example business process: 66 parallel branches ➙ ≥ 2^66 ≈ 7.37 · 10^19 states
- assume each state needs 66 bits to store: 4 zettabytes required (…, giga, tera, peta, exa, zetta, …)
- assume a notebook can check 1 state per cycle at 3 GHz: 51475 years required
- energy consumption (50 watts) would be close to 1 megaton TNT
Unrealistic?
- real business process model made with IBM Business Modeler
- models are not state based
- modeler is not the limiting factor
10. Fight the State Explosion!
- restrict modeling language (block structure)
- abstract model (data abstractions)
- decomposition techniques (SESE)
- reduce model (structural reduction techniques)
- compactly represent state space (symbolic techniques)
- reduce state space (partial order reduction, symmetries, …)
- …
11. Agenda
- Introduction ✔
- Partial Order Reduction ☜
- Symmetry Reduction
- Lessons Learned
12. Partial Order Reduction
Core idea: only fire a small subset of activated transitions.
(figure: example net with three parallel branches and its full state space, all states from 111 to 333 plus the final state 444)
13. Partial Order Reduction
Core idea: only fire a subset of activated transitions.
(figure: the same net with its reduced state space, a single interleaving 111 → 121 → 122 → 222 → 223 → 323 → 333 → 444)
14. Model Checking with Partial Order Reduction
Selection idea: postpone firing of independent transitions
- unselected transitions cannot activate/deactivate selected transitions
- the more concurrency, the better!
Prerequisite: specification must be stutter-equivalent (no X operator)
Depth-first search of the reduced state space (R: visited markings, E: edges); in the full search the loop reads "FOR ALL t: t enabled in m DO" instead:
    R := E := ∅;
    dfs(m0);

    dfs(m):
      R := R ∪ {m};
      FOR ALL t: t selected in m DO
        m' := m – •t + t•;
        IF m' ∈ R THEN
          E := E ∪ {[m, m']}
        ELSE
          E := E ∪ {[m, m']}; dfs(m')
        END
      END
15. Partial Order Reduction and Petri Nets
- selection is guided by the Petri net structure
- deadlock-preserving partial order reduction:
  - initially: add an activated transition
  - until a fixed point is reached: add conflicting transitions
- example: mutual exclusion of two processes (local states i, r, c; transitions t1–t6; semaphore s)
  - reachable markings (process 1, process 2, semaphore): (i,i,1), (r,i,1), (i,r,1), (r,r,1), (r,c,0), (c,r,0), (c,i,0), (i,c,0)
  - not calculated: (c,i,0), (i,c,0)
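The following is an added example, not code from the slides or from LoLA: a depth-first search over a place/transition net that fires only a deadlock-preserving stubborn set per marking, next to the full search. It implements the closure rule sketched above (start from one enabled transition, add conflicting transitions until a fixed point) and generalises it with the textbook case for disabled set members; `branches`, `stubborn` and `explore` are names chosen here, and the nets are constructed for the example.

```python
# Added example (not from the slides or LoLA): deadlock-preserving stubborn-set DFS
# on a P/T net vs full exploration. Net: transition -> (preset, postset) dicts.

def enabled(net, m):
    return [t for t, (pre, _) in net.items()
            if all(m.get(p, 0) >= w for p, w in pre.items())]

def fire(net, m, t):
    pre, post = net[t]
    return {p: m.get(p, 0) - pre.get(p, 0) + post.get(p, 0) for p in set(m) | set(post)}

def stubborn(net, m):
    # Closure from one enabled transition: an enabled member adds all transitions that
    # share an input place; a disabled member adds the producers of one empty input place.
    en = enabled(net, m)
    todo, sset = en[:1], set()
    while todo:
        t = todo.pop()
        if t in sset:
            continue
        sset.add(t)
        pre = net[t][0]
        if t in en:
            todo += [u for u in net if set(net[u][0]) & set(pre)]
        else:
            p = next(q for q, w in pre.items() if m.get(q, 0) < w)
            todo += [u for u in net if p in net[u][1]]
    return [t for t in en if t in sset]  # only enabled members are fired

def explore(net, m0, reduced=False):
    # DFS over reachable markings: returns (state count, set of deadlock markings)
    key = lambda m: frozenset((p, n) for p, n in m.items() if n)
    seen, deadlocks, stack = {key(m0)}, set(), [m0]
    while stack:
        m = stack.pop()
        ts = stubborn(net, m) if reduced else enabled(net, m)
        if not ts:
            deadlocks.add(key(m))
        for t in ts:
            m2 = fire(net, m, t)
            if key(m2) not in seen:
                seen.add(key(m2))
                stack.append(m2)
    return len(seen), deadlocks

def branches(n, steps=3):
    # Constructed net: n independent sequential branches of `steps` transitions each
    net = {f"t{i}_{j}": ({f"p{i}_{j}": 1}, {f"p{i}_{j+1}": 1})
           for i in range(n) for j in range(steps)}
    return net, {f"p{i}_0": 1 for i in range(n)}
```

For three branches the full search visits 4^3 = 64 markings while the reduced search walks a single interleaving of 10 markings, and both report the same deadlock (the final marking).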
16. Partial Order Reduction: Case Study
- 735 industrial business processes from IBM customers
- maximal 118 nodes, 66 parallel branches
- about 50% were sound
- comparison between three approaches:
  - LoLA with partial order reduction
  - SESE decomposition as BOM plugin (IBM Research Zurich)
  - Woflan (TU Eindhoven)
17. Case Study: Results
- LoLA was the fastest tool to decide soundness:
  - maximal 50 ms per process (9 ms on average)
  - faster than domain-specific approaches
- partial order reduction made verification very easy:
  - at most 6467 states needed to be analyzed (100 on average)
  - never more than 2 MB of memory needed
  - structural reduction had no impact on runtime
- nets and study available at http://service-technology.org/soundness
18. Checking Soundness
- classical: soundness = short-circuited net is live and bounded
- naïve: check CTL property "AGEF final"
- LoLA:
  - use partial order reduction: check AGEF final, check boundedness (can be parallelized)
  - exploit domain knowledge: free choice Petri nets + workflow structure: boundedness implies 1-safeness
  - check "EF (p1>1 ∨ … ∨ pn>1)" instead of boundedness
19. Partial Order Reduction in LoLA
- the feature in LoLA (#define STUBBORN)
- adapted versions for several specifications:
  - deadlock freedom, reachability
  - reversibility, boundedness, liveness, home markings
  - special state predicates (EF, AGEF, GF, FG, …)
  - CTL
- always recommended
- also applicable for random searches
20. Agenda
- Introduction ✔
- Partial Order Reduction ✔
- Symmetry Reduction ☜
- Lessons Learned
22. Symmetries for Petri Nets
- formally: bijective mapping on Petri net nodes that respects node types and the flow relation ("net automorphism")
- markings [r1, i2, s] and [i1, r2, s] are symmetric
- symmetries can be calculated without prior knowledge
(figure: mutual exclusion net with places i1, r1, c1, i2, r2, c2, s and transitions t1–t6)
23. Representation of Symmetries
- group theory: identity is always a symmetry; symmetries are closed under inversion and concatenation
- exponential number of symmetries can be represented by a polynomial generator set
- performs best if the system has many components
- example: 5 symmetries; full: 242 states; reduced: 50 states
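An added example, not code from the slides or from LoLA, for the two slides above: the mutual exclusion system with n identical processes, written directly as a tuple game rather than as a Petri net. Process permutations are the net automorphisms here; n-1 adjacent transpositions (the generator set) stand for all n! symmetries, and every marking is replaced by the smallest element of its orbit before it is stored. The function names and the state encoding are chosen for this example.

```python
# Added example (not from the slides or LoLA): symmetry reduction for n identical
# processes sharing one semaphore (the slides' mutual exclusion, as a tuple game).

def successors(state):
    # state = (tuple of local states i/r/c, semaphore tokens); r -> c needs a token
    procs, s = state
    for k, loc in enumerate(procs):
        if loc == "i":
            yield procs[:k] + ("r",) + procs[k + 1:], s
        elif loc == "r" and s > 0:
            yield procs[:k] + ("c",) + procs[k + 1:], s - 1
        elif loc == "c":
            yield procs[:k] + ("i",) + procs[k + 1:], s + 1

def apply(perm, state):
    # A symmetry is a permutation of process indices: the net automorphism mapping
    # places i_k, r_k, c_k to i_perm[k], ... and leaving the semaphore place fixed
    procs, s = state
    out = [None] * len(procs)
    for k, loc in enumerate(procs):
        out[perm[k]] = loc
    return tuple(out), s

def generators(n):
    # n-1 adjacent transpositions generate all n! permutations: a polynomial generator set
    return [tuple(range(k)) + (k + 1, k) + tuple(range(k + 2, n)) for k in range(n - 1)]

def canonical(state, gens):
    # Orbit representative: close the state under the generators (exhaustive, so
    # only for small n; a real checker uses heuristics) and take the minimum
    seen, todo = {state}, [state]
    while todo:
        st = todo.pop()
        for g in gens:
            img = apply(g, st)
            if img not in seen:
                seen.add(img)
                todo.append(img)
    return min(seen)

def count_states(n, reduced=False):
    # DFS from all-idle with one semaphore token; with reduced=True every marking
    # is replaced by its orbit representative before it is stored or expanded
    gens = generators(n)
    norm = (lambda st: canonical(st, gens)) if reduced else (lambda st: st)
    start = norm((("i",) * n, 1))
    seen, stack = {start}, [start]
    while stack:
        for nxt in map(norm, successors(stack.pop())):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return len(seen)
```

The unreduced count grows exponentially in n (every local-state vector with at most one process in c), while the reduced count only grows with the number of multisets of local states.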
24. Symmetry Reduction: Case Study
- BPEL4Chor choreography
- inter-organizational business process with 2+n participants
26. Case Study: Results
(chart: state space size against the number of participants for four configurations: unreduced, symmetry reduction, partial order reduction, symmetry reduction + partial order reduction; annotations: exponential growth, overflow (>2 GB), linear growth)
27. Symmetry Reduction in LoLA
- adapted versions for several specifications:
  - deadlock freedom
  - reachability, properties of transitions/places
  - reversibility, boundedness
- can be combined with partial order reduction
- implements several strategies/heuristics to calculate symmetries (#define SYMMETRY)
  - tradeoff between memory/runtime needed for symmetries
  - requires preprocessing time and yields runtime overhead
28. Agenda
- Introduction ✔
- Partial Order Reduction ✔
- Symmetry Reduction ✔
- Lessons Learned ☜
29. Lessons Learned (1/4): LoLA
- >10 years of development, 25 KLOC
- very efficient; limit: memory allocation
- exploits Petri net theory where possible
- implemented heuristics close to domain knowledge
- applications in biology, BPM, services, hardware, …
- CTL model checker, dedicated algorithms for many properties
- partial order reduction, symmetry, sweep line, invariant compression, …
- alternative file format: high-level Petri net
- free software: http://service-technology.org/lola
30. Lessons Learned (2/4): Model Checking Tools
- naïve algorithms are quickly implemented, but useless
- abstract data types are key to success
- understand your algorithm and the lifecycle of each variable
- understand the assumptions; theory is your friend
- usability ≠ tool is extendible, user-friendly, …
- usability = tool performs on realistic models
- memory management, data structures, object lifecycle: go back 20 years and do it all yourself!
- a special discipline of software engineering: ignore design patterns and best practices!
31. Lessons Learned (3/4): State Space Reduction
- active research community: group theory, concurrency theory, net theory, coding theory, …
- technology transfer very hard
- key to success: don't be afraid of worst-case complexity!
- understand the verification problem
- decompose the specification into several easier properties
- only model relevant properties
32. Lessons Learned (4/4): Correctness in BPM
- quality of models is still very low
- models are rather simple right now; many features of BPM languages are not yet used
- correctness notions are rather simple
- domain-unspecific tools are still competitive
- control flow verification solved
- more to come: inter-organizational business processes, Web services, SOA, Cloud Computing
33. Thank you! Questions?
Niels Lohmann, University of Rostock, niels.lohmann@uni-rostock.de, http://service-technology.org/tools