Transcript Diapositiva 1 - uni

Verification of Graph
Transformation
Systems
Arman Sheikholeslami
[email protected]
Graph and GTS
• Directed Graph 𝐺 = 𝑉, 𝐸
– 𝑉 is set of vertices.
– 𝐸 is set of edges.
– often used to model static characteristics of a system.
• Graph Transformation System 𝐺𝑇𝑆 = 𝐺0 , 𝑅
– used to model behavior of a dynamic system.
– 𝐺0 as initial graph.
– 𝑅 as a set of transformation rules.
Seminar Advanced Verification Techniques - Winter term 2012/13 - University of Paderborn
2
Chess
Transformed!
Rook
A8
B8
Pawn
A7
B7
Transformed!
A6
Seminar Advanced Verification Techniques - Winter term 2012/13 - University of Paderborn
Rook
Pawn
A8
B8
A7
B7
A6
3
How Transformation works?
1. Find a matching of 𝐿𝐻𝑆 in 𝐺.
2. Delete all vertices 𝑉 and edges 𝐸 in 𝐺 s.t. 𝑉, 𝐸 ∈ 𝐿𝐻𝑆 \ 𝑅𝐻𝑆.
3. Add all vertices 𝑉 and edges 𝐸 to 𝐻 s.t. 𝑉, 𝐸 ∈ 𝑅𝐻𝑆 \ 𝐿𝐻𝑆.
A7
A6
Pawn
A7
Pawn
A6
LHS
RHS
Pawn
A7
A7
Pawn
A6
A6
A5
A5
G
Seminar Advanced Verification Techniques - Winter term 2012/13 - University of Paderborn
H
4
Formalization of GTS
• Algebraic approach
A7
– Single push-out (SPO)
• If node deletion causes
dangling edge, node is
deleted along with dangled
edge.
Pawn
LHS
A7
A7
RHS
Pawn
A7
A6
A6
G
H
– Double push-out (DPO)
• If node deletion causes
dangling edge, the rule is
not applied.
• Not applicable in chess!
A7
Pawn
LHS
A7
Pawn
RHS
Pawn
Pawn
A6
A6
G
Seminar Advanced Verification Techniques - Winter term 2012/13 - University of Paderborn
H
5
Transition System using SPO
A7
Pawn
A6
A5
Knight
B5
Pawn
Rule X
A7
Knight
LHS
Rule Z
RHS
P
A7
A6
A6
A5
A5
LHS
A7
Pawn
A7
Knight
B5
RHS
A6
A7
A5
P
Rule Y
Pawn
A6
P
Rule X
B5
A7
Rule Y
A7
A6
A6
A6
A5
P
A7
A5
B5
K
A6
A5
A7
P
B5
P
A6
A5
LHS
B5
RHS
Rule Z
Seminar Advanced Verification Techniques - Winter term 2012/13 - University of Paderborn
6
Verification of GTS
• Verification is to determine if behavior of system
(semantic) to conform with specifications (properties).
• Properties of GTS
– conditions and restrains a GTS should satisfy.
• Semantic of GTS
– producible transition system.
Seminar Advanced Verification Techniques - Winter term 2012/13 - University of Paderborn
7
Properties of GTS
• Which properties of GTS can be
verified?
– Safety
• something bad will never happen.
• e.g. a forbidden pattern (sub-graph) is
never reached.
– Liveness
• something good will eventually happen.
• e.g. Deadlock-freedom, security
Seminar Advanced Verification Techniques - Winter term 2012/13 - University of Paderborn
Pawn
A7
Knight
A6
A5
B5
Knight hit by
Pawn!
Unsafe!
8
Intuitively…
A7
Pawn
Knight
A6
A5
B5
Hit pattern,
Unsafe!
Pawn
Rule X
A7
Knight
LHS
RHS
P
A7
K
A6
A5
A7
P
A6
A5
B5
B5
LHS
A7
Pawn
A6
A5
RHS
Rule Y
Pawn
A7
P
Rule X
B5
Rule Z
A7
A6
A6
A6
A5
P
A7
A6
B5
A5
A7
K
A6
B5
A5
A7
P
B5
P
A6
A5
LHS
B5
RHS
Rule Z
Seminar Advanced Verification Techniques - Winter term 2012/13 - University of Paderborn
9
Technically…
A
Chess play
Transition
System
B
C
D
Semantics
Properties
Kripke
Structure
Temporal
Logic
Avoid
getting hit!
E
LTL:
□￢B

Model
Checker




Seminar Advanced Verification Techniques - Winter term 2012/13 - University of Paderborn
10
State space explosion
• Problem statement
x,y
– several variables in a system
with range of possible values.
– a state assigned to each
possible concrete combination
of variables.
– set of possible states is too
large.
𝑥, 𝑦 ∈ 𝑖𝑛𝑡𝑒𝑔𝑒𝑟
𝑥, 𝑦 ∈ {1,2, … , 232 }
232 × 232
= 18,446,744,073,709,551,616
• This happens in almost every
system
– That’s why we cannot have a
complete verification of large
systems e.g. OS.
Seminar Advanced Verification Techniques - Winter term 2012/13 - University of Paderborn
11
Infinite State Space
• A worse case of State Space
Explosion problem.
LHS
RHS
• Occurs when state set of
system is endless.
• Infinite state space is created
by application of rules in which
LHS can be found in RHS.
G
Seminar Advanced Verification Techniques - Winter term 2012/13 - University of Paderborn
H
12
Solutions
• Under-approximation
– An abstraction (subset) of original graph (state set) satisfying
less properties.
• Bounded Model Checking
• Over-approximation
– An abstraction (superset) of original graph (state set) satisfying
more properties.
• Shape Graphs
• Inductive Invariance
• Applicable to both State Space Explosion and Infinite
State Space problems
Seminar Advanced Verification Techniques - Winter term 2012/13 - University of Paderborn
13
Bounded Model Checking
• 𝐵 is the pre-defined
absolute bound.
• Look for a bad pattern in 𝐾bounded execution length.
• If no bad pattern found,
increment 𝐾 (0 ≤ 𝐾 ≤ 𝐵)
until a bad pattern is found.
• If 𝐾 = 𝐵 and no bad pattern
found, verification stops.
– system is not necessarily safe
(under-approx.)
Seminar Advanced Verification Techniques - Winter term 2012/13 - University of Paderborn
𝐾=1
𝐾=2
𝐵
Only movements
of one level are
modeled!
(K=1)
14
Shape Graphs
• To shrink state space by abstraction
– information is discarded.
– how to retrieve it to create concrete instances?
• Local Shape Logic (LSL)
– a way to express additional information about nodes and edges
in a graph.
• Shape graph is an abstract model
– concrete instances are built based on shape constraints.
• Still more than one precise instance can be produced
(over-approx.).
Seminar Advanced Verification Techniques - Winter term 2012/13 - University of Paderborn
15
Shape Graphs (example)
Rook
A8
B8
Pawn
A7
B7
King
Abstraction
Cell
Rook
Bishop
SG
A6
Queen
Knight
Pawn
Constraints:
• There is exactly one Pawn
G
In 𝑳𝑺𝑳𝑻 :
1
•
𝑃𝑎𝑤𝑛 ˄∀𝑃𝑎𝑤𝑛 1 𝑃𝑎𝑤𝑛
Rook
Pawn
A8
A7
Rook
A8
B8
Pawn
A7
B7
𝐴7
B8
B7
A6
Pawn
A6
G
Seminar Advanced Verification Techniques - Winter term 2012/13 - University of Paderborn
G
16
Inductive Invariance
• Investigate if transition from a safe state to an error state
(forbidden pattern) is possible
– Apply the rules backwards from forbidden pattern.
– if safe state reached, the property is can be violated (it’s NOT
Inductive Invariant).
• Instead of the whole graph, only borders are investigated
(abstraction).
A7
Pawn
A6
A5
Knight
B5
A7
Pawn
A6
A5
Knight
B5
Seminar Advanced Verification Techniques - Winter term 2012/13 - University of Paderborn
17
Inductive Invariant (cont.)
• If the property is inductive invariant
– no rule can be used to reach forbidden pattern from a state is not
forbidden pattern.
– the system is safe.
• If the property is not inductive invariant
– the system still might be safe.
– forbidden pattern can be reached given any starting graph (overapprox.).
D5
Bishop
Pawn
C3
C2
D8
D7
D4
E5
Bishop
Bishop
D3
C1
Seminar Advanced Verification Techniques - Winter term 2012/13 - University of Paderborn
E4
E3
18
Extensions
• What if we need to differentiate
elements of graphs from each other?
– we need to use attributes to specify
differences.
– Typed Attributed Graphs (TAG)
introduces as extension.
• What if time has specific effect on
the system?
– simple graphs do not care about time!
– Timed Graphs introduces as extension
(also and extension to TAG).
Seminar Advanced Verification Techniques - Winter term 2012/13 - University of Paderborn
19
Typed Attributed GTS
• A graph with vertices and edges having an attribute
– 𝐴𝐺(𝐺, 𝐷) where 𝐺 is a graph and 𝐷 data vertices in 𝐺.
– node attribute as data node with an edge from graph node to
data node.
– edge attribute as data node with an edge from graph edge to
data node.
Rook
A8
B8
Pawn
A7
B7
Black
A data node
indicating
color
A6
Seminar Advanced Verification Techniques - Winter term 2012/13 - University of Paderborn
20
Timed GTS
• Contains 3 rules to perform TGT
1. Clock Instance Rule
• adds clock instances to graph.
• by using discrete- or dense-time model (timed automata), passing of
time can be expressed.
2. Invariant Rule
• restrict the execution of the rule to a specific time interval.
3. Timed Graph Transformation Rule
• normal graph transformation rule.
Seminar Advanced Verification Techniques - Winter term 2012/13 - University of Paderborn
21
Timed GTS (example)
Rook
A8
P
A7
A7
LHS
1
A8
P
A6
A6
Pawn
Rook
A7
Apply
Clock
Instance
rule
A7
RHS
Rule X
Pawn
A6
A6
CI
A8
Apply
Transformation
rule
3
Yes
Rook
A7
Pawn
A6
R
A8
CI
LHS
No
A8
A7
A7
𝐶𝐼 ≤ 10
R
RHS
Rule Y
Seminar Advanced Verification Techniques - Winter term 2012/13 - University of Paderborn
2
Apply
Invariant
rule
22
Verification of TGTS
• There are many studies about model
checking of TCTL over timed automata.
• To reduce model checking TGTS to
model checking of timed automata.
– to benefit from existing theories and tools.
Timed GTS
FO-TCTL
Property
2
1
𝐺𝑡 Automaton
TCTL
Property
3
•
To do that
1.
2.
3.
produce TS for TGTS (𝐺𝑡 -automaton).
reduce First Order-TCTL to TCTL.
label 𝐺𝑡 -automaton with atomic
propositions holding in states.
Labeled 𝐺𝑡 Automaton
Seminar Advanced Verification Techniques - Winter term 2012/13 - University of Paderborn
TCTL Model
Checker
23
Verification of TGTS (example)
Inv: 𝐶𝐼 ≤ 10
A8
Rook
FO-TCTL
A7
A7
Pawn
Pawn
𝐴𝐺≤10 (∀𝑥)(𝐶𝐼(𝑥))
A6
A6
CI
CI
A8
Rook
Timed
GTS
A8
Rook
Rook
A7
A8
A7
Pawn
A6
𝐴𝐺≤10 (𝐶𝐼_𝑥)
𝐺𝑡 -Automaton
Pawn
A6
𝐶𝐼 ≤ 10CI
CI
𝐶𝐼 ≤ 10
TCTL
A8
Rook
Rook
A7
A7
Pawn
Pawn
A6
CI
A8
CI_x
𝐶𝐼 ≤ 10
𝐶𝐼 ≤ 10CI
𝐶𝐼 ≤ 10
A6
CI_x
TCTL Model Checker
Labeled 𝐺𝑡 Automaton
Seminar Advanced Verification Techniques - Winter term 2012/13 - University of Paderborn
24
Question?!
Seminar Advanced Verification Techniques - Winter term 2012/13 - University of Paderborn
25