Dagstuhl 2004. Budapest University of Technology and Economics, Department of Measurement and Information Systems.
Towards Automated Formal Verification of
Visual Modeling Languages by Model Checking
(The CheckVML approach)
Dániel Varró
Budapest University of Technology and Economics
Department of Measurement and Information Systems
Model checking in a modeling language
• Formal verification of UML models: to decide automatically whether the system meets its (functional) requirements
  – source: statecharts
  – target: model checkers (e.g., SPIN)
• BUT: there is life beyond statecharts…
• Model checking visual modeling languages
  – UML: activity models, interaction diagrams
  – formal analysis: Petri nets, dataflow nets, …
  – future modeling languages
Problem statement and Objective
• Traditional approach: requires precise knowledge of
  – the semantics of the modeling language
  – the technicalities of the model checker (at least its low-level input language)
• Problem: it is very difficult and expensive
  – to map new languages to model checkers
  – to maintain existing tools (e.g., when moving from UML 1.x to UML 2.0)
• Objective: a mapping into model checkers parameterized by the semantics of the language
  – hide the technicalities from domain engineers
Outline of the talk
• Defining visual modeling languages
  – syntax: metamodeling
  – semantics: graph transformation systems (GTS)
• Transition systems (TS) and model checking
• A language-level encoding from GTS to TS
• The CheckVML tool
• Experimental results
• Conclusions and future work
Defining Visual Modeling Languages
Metamodels and instance models

[Figure] Meta-level (abstract syntax): a metamodel with the classes Automata, State, AccState and Transition; the associations states, transitions and current (of Automata) and from and to (of Transition, pointing to State); and the attribute color : {R, G, B}. Model-level: an instance model with automaton a1, states s1, s2, s3 and transitions t1, t2, t3, drawn both as an abstract-syntax object graph (st, tr, fr, to and curr links) and in concrete syntax.
Metamodels and instance models (continued)

[Figure] The same metamodel and instance model, with every concept classified as one of:

• Dynamic concept: potentially modified during model execution (here: the current association)
• Static concept: never modified during model execution (here: the classes, the states, transitions, from and to associations, and the color attribute)
Graph transformation
Graph transformation = meta-level (language level) operational semantics for modeling languages
[Figure] A rule with a left-hand side (LHS) and a right-hand side (RHS). Both sides contain A1:Autom, S1:State, S2:State and T1:Trans, linked by states (A1 to S1 and S2), transitions (A1 to T1), from (T1 to S1) and to (T1 to S2). The current link of A1 points to S1 in the LHS and to S2 in the RHS: firing T1 moves the current state along the transition.

Diagrams to define the dynamic behavior of a language are missing from the UML 2.0 Infrastructure!
Application of a rule

[Figure sequence] The firing rule (LHS/RHS above) is applied to the instance model (a1; s1, s2, s3; t1, t2, t3), one step per slide:

1. Initial state
2. Pattern matching
3. Non-determinism! (with current at s1, both t1 and t3 match the LHS)
4. Deletion (of the LHS-only element: the old current link)
5. Gluing (of the RHS-only element: the new current link)
6. Final state
Model Checking Transition Systems
Transition systems
• State variables
    pc : {odd, even}
    x  : int
• Initialization
    pc = even
    x = 0
• Transitions / guarded commands (guard -> action)
    pc = odd  -> pc' := even; x' := x + 1
    pc = even -> pc' := odd;  x' := x + 1

Transition systems are, in effect, a low-level C-like programming language.
Model checking transition systems
• The model checking problem
  – Given a finite state transition system and a property (some temporal logic expression)
  – Decide whether the property holds in the system by traversing the entire state space
• Typical properties
  – safety: a bad thing will never happen
  – liveness: each request is served eventually
• Practical limitations
  – state variables must have finite domains (fixed at compile time)
  – roughly 300 state variables at most in practice
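The following is an added example, not code from the talk or from CheckVML: a minimal explicit-state model checker for guarded-command transition systems, which does exactly what the slide describes (traverse the entire reachable state space and check a safety property in every state), applied to the pc/x system of the previous slide. The function names and the finite bound n on x are assumptions made here; the slide's `x : int` alone would give an infinite state space, which is why the domain must be bounded.

```python
"""Added example (not from the CheckVML talk): explicit-state checking of a
guarded-command transition system.  Function names and the bound n on x are
assumptions made for this example."""
from collections import deque
from typing import Callable, Dict, List, Optional, Tuple

State = Tuple[Tuple[str, object], ...]                # hashable (name, value) pairs
Command = Tuple[str, Callable[[dict], bool], Callable[[dict], dict]]  # name, guard, action


def freeze(s: dict) -> State:
    return tuple(sorted(s.items()))


def explore(init: dict, commands: List[Command], invariant: Callable[[dict], bool],
            max_states: int = 100_000) -> Tuple[str, List[str], int]:
    """Breadth-first traversal of the reachable state space.

    Returns (verdict, trace, visited): verdict is "ok", "invariant" (a reachable
    state violates the safety property) or "deadlock" (a reachable state enables
    no command); trace lists the command names leading from init to the
    offending state.  max_states stands in for the finite-domain requirement."""
    start = freeze(init)
    parent: Dict[State, Optional[Tuple[State, str]]] = {start: None}
    queue = deque([start])

    def path_to(node: State) -> List[str]:
        trace = []
        while parent[node] is not None:
            node, name = parent[node]
            trace.append(name)
        return trace[::-1]

    while queue:
        cur = queue.popleft()
        s = dict(cur)
        if not invariant(s):
            return "invariant", path_to(cur), len(parent)
        enabled = [(name, action) for name, guard, action in commands if guard(s)]
        if not enabled:
            return "deadlock", path_to(cur), len(parent)
        for name, action in enabled:
            nxt = freeze(action(dict(s)))           # the primed state (pc', x')
            if nxt not in parent:
                parent[nxt] = (cur, name)
                queue.append(nxt)
        if len(parent) > max_states:
            raise RuntimeError("state space exceeds max_states: domains must be finite")
    return "ok", [], len(parent)


def pc_x_system(n: int) -> Tuple[dict, List[Command]]:
    """The slide's pc/x system with x restricted to the finite domain 0..n-1
    (wrapping); n is an assumption of this example."""
    def step(new_pc: str) -> Callable[[dict], dict]:
        def action(s: dict) -> dict:
            s["pc"] = new_pc
            s["x"] = (s["x"] + 1) % n
            return s
        return action
    commands = [
        ("pc = odd  -> pc' := even; x' := x + 1", lambda s: s["pc"] == "odd",  step("even")),
        ("pc = even -> pc' := odd;  x' := x + 1", lambda s: s["pc"] == "even", step("odd")),
    ]
    return {"pc": "even", "x": 0}, commands


def parity_holds(s: dict) -> bool:
    """Safety property: pc always tracks the parity of x."""
    return (s["pc"] == "even") == (s["x"] % 2 == 0)


def check_parity(n: int) -> Tuple[str, List[str], int]:
    init, commands = pc_x_system(n)
    return explore(init, commands, parity_holds)


if __name__ == "__main__":
    for n in (8, 7):
        verdict, trace, visited = check_parity(n)
        print(f"n={n}: {verdict}, {visited} states explored, trace length {len(trace)}")
```

With an even bound (n = 8) the property holds in all 8 reachable states; with an odd bound (n = 7) the wrap-around from x = 6 to x = 0 flips pc to odd while x is even, and the checker returns the 7-step counterexample trace, which is the "No + counterexample" answer a model checker gives.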
CheckVML: Problem definition
• Input: meta-level specification
  – a metamodel of the modeling language
  – a set of graph transformation rules as the operational semantics of the language
  – an instance model of the language
• Output: model-level specification
  – a transition system that behaves equivalently to the original (graph transformation) system
From Graph Transformation Systems to Transition Systems
Overview: From GTS to TS

[Figure] Instance graphs of the GTS map to states of the TS; rule applications map to transitions of the TS.
Type declarations, state variables

• State variables: for each dynamic
  – class: one-dimensional state variable array of bools
  – association: two-dimensional state variable array of bools
  – attribute: one-dimensional state variable array of an enumeration type
• Optimization for static concepts: they never change, so no state variables are required
• Restrictions for type declarations:
  – finite domains for enumerations
  – a priori (compile time) bounded number of nodes
  – associations are handled as relations
Initialization
• Each object in the model has a unique id
• Evaluation:
  – class[x] = TRUE if there exists (initially) an object x of type class, otherwise FALSE
  – assoc[x][y] = TRUE if there exists a link of type assoc between nodes x and y
  – attr[x] = val if the slot of type attr at node x has value val
• State of the TS: defined by the current evaluation of these predicates
Example: type declarations, initialization (naive approach)

```
AutID     : TYPE = {a1};
StateID   : TYPE = {s1, s2, s3};
ColorType : TYPE = {R, G, B};
automaton : ARRAY AutID OF Boolean
state     : ARRAY StateID OF Boolean
states    : ARRAY AutID OF ARRAY StateID OF Boolean
current   : ARRAY AutID OF ARRAY StateID OF Boolean
color     : ARRAY StateID OF ColorType
INITIALIZATION
  automaton[a1] = TRUE;
  states[a1][s1] = TRUE; ...
  current[a1][s1] = TRUE; current[a1][s2] = FALSE; ...
  color[s1] = "R"; ...
```

(The class State is indexed by StateID, one bool per state object; the remaining classes and associations of the metamodel are declared in the same way.)
Example: type declarations, initialization (optimized approach, after filtering out the static part)

```
AutID   : TYPE = {a1};
StateID : TYPE = {s1, s2, s3};
current : ARRAY AutID OF ARRAY StateID OF Boolean
INITIALIZATION
  current[a1][s1] = TRUE; current[a1][s2] = FALSE; ...
```
Translating a GT rule into transitions
1. Find all matchings of the static parts of the rule
  – these are partial matches of the entire rule
  – over-approximation: there can be no more potential matches than these (as static parts do not change)
2. Extend the partial matchings by the dynamic parts in all possible (type-compliant) combinations
3. Generate guarded commands
  – static parts are not included
  – only dynamic parts appear in guards and actions
Example: generating transitions

[Figure sequence] The firing rule (LHS/RHS) shown next to the instance model (a1; s1, s2, s3; t1, t2, t3).

Find static matchings: the static part of the LHS (the states, transitions, from and to links) matches the instance model three times, once for each of t1, t2 and t3.

Extend partial matchings: each static match is extended by the dynamic current link, and each extended match yields one guarded command over the dynamic variables only:

```
current[a1][s1] = TRUE -> current'[a1][s1] = FALSE; current'[a1][s2] = TRUE
current[a1][s2] = TRUE -> current'[a1][s2] = FALSE; current'[a1][s3] = TRUE
current[a1][s1] = TRUE -> current'[a1][s1] = FALSE; current'[a1][s3] = TRUE
```
Summary of the example

```
AutID   : TYPE = {a1};
StateID : TYPE = {s1, s2, s3};
current : ARRAY AutID OF ARRAY StateID OF Boolean
INITIALIZATION
  current[a1][s1] = TRUE; current[a1][s2] = FALSE; current[a1][s3] = FALSE;
TRANSITION
     current[a1][s1] = TRUE -> current'[a1][s1] = FALSE; current'[a1][s2] = TRUE
  [] current[a1][s2] = TRUE -> current'[a1][s2] = FALSE; current'[a1][s3] = TRUE
  [] current[a1][s1] = TRUE -> current'[a1][s1] = FALSE; current'[a1][s3] = TRUE
```
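The following is an added example and not CheckVML's own code: it carries the three-step translation of the "Translating a GT rule into transitions" slide through on the automaton example, producing the optimized state variables, the initialization and the three guarded commands of the summary above. The metamodel, instance model and rule are the ones drawn on the slides (the from/to links of t1, t2, t3 are read off the generated commands); the Python representation, the helper names, the type names `AutomatonID`/`StateID`/`TransitionID` and the assumption that matches are injective are mine. It also handles the general case of rule nodes that occur only in dynamic edges (step 2), which the slide example does not exercise.

```python
"""Added example (not part of CheckVML): the language-level GTS-to-TS encoding
of the automaton example.  Representation, helper names and the injective-
matching assumption are choices made for this example."""
from itertools import product
from typing import Dict, List, Tuple

# Metamodel (slide 7): every concept is tagged static or dynamic.
CLASSES = {"Automaton": "static", "State": "static", "Transition": "static"}
ASSOCS = {   # name: (source class, target class, kind)
    "states":      ("Automaton", "State", "static"),
    "transitions": ("Automaton", "Transition", "static"),
    "from":        ("Transition", "State", "static"),
    "to":          ("Transition", "State", "static"),
    "current":     ("Automaton", "State", "dynamic"),
}
ATTRS = {"color": ("State", ("R", "G", "B"), "static")}

# Instance model (slide 6): t1: s1->s2, t2: s2->s3, t3: s1->s3, current = s1.
OBJECTS = {"a1": "Automaton", "s1": "State", "s2": "State", "s3": "State",
           "t1": "Transition", "t2": "Transition", "t3": "Transition"}
LINKS = {
    "states":      {("a1", "s1"), ("a1", "s2"), ("a1", "s3")},
    "transitions": {("a1", "t1"), ("a1", "t2"), ("a1", "t3")},
    "from":        {("t1", "s1"), ("t2", "s2"), ("t3", "s1")},
    "to":          {("t1", "s2"), ("t2", "s3"), ("t3", "s3")},
    "current":     {("a1", "s1")},
}

# Firing rule (slide 8) as (assoc, source node, target node) edges.
RULE_NODES = {"A1": "Automaton", "S1": "State", "S2": "State", "T1": "Transition"}
STATIC_EDGES = [("states", "A1", "S1"), ("states", "A1", "S2"), ("transitions", "A1", "T1"),
                ("from", "T1", "S1"), ("to", "T1", "S2")]
LHS = STATIC_EDGES + [("current", "A1", "S1")]
RHS = STATIC_EDGES + [("current", "A1", "S2")]

Match = Dict[str, str]


def _kind(assoc: str) -> str:
    return ASSOCS[assoc][2]


def state_variables(optimized: bool) -> List[str]:
    """Slides 21/23/24: the naive encoding gives every concept a state variable;
    the optimized one keeps only dynamic concepts, since static ones never change."""
    out = []
    for c, kind in CLASSES.items():
        if not optimized or kind == "dynamic":
            out.append(f"{c.lower()} : ARRAY {c}ID OF Boolean")
    for a, (src, dst, kind) in ASSOCS.items():
        if not optimized or kind == "dynamic":
            out.append(f"{a} : ARRAY {src}ID OF ARRAY {dst}ID OF Boolean")
    for at, (cls, values, kind) in ATTRS.items():
        if not optimized or kind == "dynamic":
            out.append(f"{at} : ARRAY {cls}ID OF {{{', '.join(values)}}}")
    return out


def initialization() -> List[str]:
    """Slide 22: assoc[x][y] = TRUE iff the link exists initially (dynamic assocs only)."""
    out = []
    for a, (src, dst, kind) in ASSOCS.items():
        if kind != "dynamic":
            continue
        for x, y in product(sorted(o for o in OBJECTS if OBJECTS[o] == src),
                            sorted(o for o in OBJECTS if OBJECTS[o] == dst)):
            out.append(f"{a}[{x}][{y}] = {'TRUE' if (x, y) in LINKS[a] else 'FALSE'}")
    return out


def _bind(nodes: List[str], partial: Match) -> List[Match]:
    """All type-compliant, injective extensions of `partial` to `nodes`."""
    cands = [[o for o in OBJECTS if OBJECTS[o] == RULE_NODES[n]] for n in nodes]
    result = []
    for objs in product(*cands):
        m = dict(partial, **dict(zip(nodes, objs)))
        if len(set(m.values())) == len(m):          # injective matching (assumed)
            result.append(m)
    return result


def static_matchings() -> List[Match]:
    """Step 1: partial matches of the static part of the LHS, computed once;
    they over-approximate the full matches because static links never change."""
    static_nodes = sorted({n for _, s, t in STATIC_EDGES for n in (s, t)})
    return [m for m in _bind(static_nodes, {})
            if all((m[s], m[t]) in LINKS[a] for a, s, t in STATIC_EDGES)]


def guarded_commands() -> List[Tuple[str, str]]:
    """Steps 2-3: extend each static match to the nodes that occur only in dynamic
    edges, then emit guard and action over the dynamic state variables only."""
    dyn_only = [n for n in RULE_NODES if not any(n in (s, t) for _, s, t in STATIC_EDGES)]
    cmds = []
    for m in (full for pm in static_matchings() for full in _bind(dyn_only, pm)):
        guard = " AND ".join(f"{a}[{m[s]}][{m[t]}] = TRUE"
                             for a, s, t in LHS if _kind(a) == "dynamic")
        deleted = [e for e in LHS if e not in RHS and _kind(e[0]) == "dynamic"]
        created = [e for e in RHS if e not in LHS and _kind(e[0]) == "dynamic"]
        action = "; ".join([f"{a}'[{m[s]}][{m[t]}] = FALSE" for a, s, t in deleted] +
                           [f"{a}'[{m[s]}][{m[t]}] = TRUE" for a, s, t in created])
        cmds.append((guard, action))
    return cmds


if __name__ == "__main__":
    print("naive:", len(state_variables(False)), "state variables; optimized:",
          len(state_variables(True)))
    print("INITIALIZATION", "; ".join(initialization()))
    for g, a in guarded_commands():
        print(f"{g} -> {a}")
```

The static filtering is where the state-space saving comes from: the naive encoding of this tiny model needs nine state variables (arrays), the optimized one a single `current` array, and the guards and actions of the three generated commands mention nothing but `current`, exactly as on the summary slide.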
CheckVML: A Tool for Model Checking Visual Modeling Languages
CheckVML: Tool architecture

[Figure] Inputs, all in GXL: the metamodel (as a metamodel graph), the instance model (as a model graph), the graph transformation rules (as LHS/RHS rule graphs, GXL + XML) and the property. CheckVML maps these, guided by a metamodel of transition systems, to a transition system, which is emitted as model checker input (Promela) for SPIN. The model checker answers Yes / No, with a counterexample in the No case.
Benchmarks (with and before CheckVML)

• Modeling + verification benchmarks for metamodeling + graph transformation:
  – dining philosophers (a common benchmark to assess the performance of MC tools)
    • safety, deadlock freedom
  – UML statecharts, Petri nets, ... (at Budapest University of Technology and Economics)
    • safety, liveness
  – modeling and analysis of architectural styles (in cooperation with L. Baresi, R. Heckel, S. Thöne)
    • reachability
• Using the model checkers SPIN, Murphi and SAL

Detailed information: D. Varró: Automated Formal Verification of Visual Modeling Languages by Model Checking. To appear in the Journal of Software and Systems Modeling, Springer.
Conclusion and future work

• Good news:
  – model checking parameterized with a modeling language is possible and is now supported by a prototype tool
  – CheckVML: the transformation into the input of a MC is much faster than the actual MC process
• Bad news:
  – model checking terminates within acceptable run-time only for relatively small models (12 dining philosophers already need more than 256 MB of memory)
• Future:
  – further optimizations driven by the static well-formedness constraints of a language
Thank You for Your Kind Attention

Many thanks to Ákos Schmidt (BUTE, for tooling CheckVML) and Sebastian Thöne (UPB, for testing CheckVML).