theoretical foundations of the uml lecture 5+6 ... · outline 1 a non-decomposable msc 2...

Theoretical Foundations of the UML

Lecture 5+6: Compositional Message Sequence Graphs

Joost-Pieter Katoen

Lehrstuhl für Informatik 2Software Modeling and Verification Group

moves.rwth-aachen.de/teaching/ss-20/fuml/

May 4, 2020

Joost-Pieter Katoen Theoretical Foundations of the UML 1/29

0

Be

BEE

Outline

1 A non-decomposable MSC

2 Compositional Message Sequence Charts

3 Compositional Message Sequence Graphs

4 Safe Compositional Message Sequence Graphs

5 Existence of Safe Paths

6 Universality of Safe Paths


} two decision problem ,

Undecidable

decidable

B•

Compositional MSCs [Gunter, Muscholl, Peled 2001]

Solution: drop restriction that e and m(e) belong to the same MSC

(= allow for incomplete message transfer)

Definition (Compositional MSC)M = (P, E, C, l,m,�) is a compositional MSC (CMSC, for short)

where P, E, C and l are defined as before, and

m : E! ! E? is a partial, injective function such that (as before):

m(e) = e0 ^ l(e) = !(p, q, a) implies l(e0) = ?(q, p, a)

� =�S

p2P <p [ {(e,m(e)) | e 2 dom(m)| {z }domain of m| {z }

“m(e) is defined”

}�⇤

Note:An MSC is a CMSC where m is total and bijective.


.

--

egad

CMSC example

m(e2) = e3e1 /2 dom(m)e4 /2 rng(m)


÷i÷÷÷÷:÷÷÷zydeco

Paths

Let G = (V,!, v0, F,�) be a CMSG.

Definition (Path in a CMSG)A path ⇡ of G is a finite sequence

⇡ = u0 u1 . . . un with ui 2 V (0 i n) and ui ! ui+1 (0 i < n)

Definition (Accepting path of a CMSG)Path ⇡ = u0 . . . un is accepting if: u0 = v0 and un 2 F .

Definition (CMSC of a path)The CMSC of a path ⇡ = u0 . . . un is:

M(⇡) = (. . . (�(u0) • �(u1)) • �(u2) . . .) • �(un)

where CMSC concatenation is left associative.


X : V → EM

- -

- un - -

ft

The MSC language of a CMSG

Definition (Language of a CMSG)The (MSC) language of CMSG G is defined by:

L(G) = { M(⇡) 2 M| {z }only “real” MSCs

| ⇡ is an accepting path of G}.

Note: Accepting paths that give rise to an CMSC (which is not an MSC) are

not part of L(G).

Joost-Pieter Katoen Theoretical Foundations of the UML 15/29Egg

I 2 r 2

aCMSG

a→

f- . → > b→ - D 8

Uo ✓ U,

accepting a 2

path : IT -- You ,MCT ) →

C- IM →thus Mct ) E Lcg)

acceptingr 2

pathIT '= 4044 ,

MCIT ') a-

→¢ IM

⑦MCT '7¢LCg ).

Yannakakis’ example as compositional MSG

This MSC cannot be modeled for n > 1 by:

M = M1 •M2 • . . . •Mn with Mi 2 M

Thus it cannot be modeled by a MSG.

But it can be modeled as compositional MSG:

Joost-Pieter Katoen Theoretical Foundations of the UML 16/29Egos

CMS G

g :

Pi P2Msc M

,E LCG ) -

t• .

a

-

} Vo

In .

2

j ..

2 safe

-

a

± In?Evey accepting path IT for G iMCT)isan_rise→ Mcm ) c- Llg )

C MSG g is called safe

Safe paths and CMSGs

Definition (Safe path)Path ⇡ of CMSG G is safe whenever M(⇡) 2 M.

Definition (Safe CMSG)CMSG G is safe if for every accepting path ⇡ of G, M(⇡) is an MSC.

So:CMSG G is safe if on any of its accepting paths there are no unmatched

sends and receipts, i.e., if any of its accepting paths is indeed an MSC.


n•EBMiE"↳

Existence of a safe accepting path

Theorem: undecidability of existence of a safe pathThe decision problem “does CMSG G have at least one safe, accepting

path?” is undecidable.

Proof.By a reduction from Post’s Correspondence Problem (PCP).

. . . black board . . .

The complement decision problem “does CMSG G have no safe, accepting

path?” is undecidable too.


Universality of safe accepting paths

Theorem: undecidability of existence of a safe pathThe decision problem “does CMSG G have at least one safe, accepting

path?” is undecidable.

Theorem: decidability of universality of safe pathsThe decision problem “are all accepting paths of CMSG G safe?” is

decidable in PTIME.

Proof.Polynomial reduction to reachability problem in (non-deterministic)

pushdown automata.

. . . see details on the next slides . . .


Pushdown automata

Definition (Pushdown automaton)A pushdown automaton (PDA, for short) K = (Q, q0,�,⌃,�) with

Q, a finite set of control states

q0 2 Q, the initial state

�, a finite stack alphabet

⌃, a finite input alphabet

� ✓ Q⇥ ⌃⇥ �⇥Q⇥ �⇤, the transition relation.

Transition relation(q, a, �, q0, pop) 2 � means: in state q, on reading input symbol a and

top of stack is symbol �, change to q0 and pop � from the stack.


#which symbols can be put

on the stack

- a,

b,

C

Inext stackI I

next stolecontentt

.c- ret

Inext ip.ee ( at the top )

stele

symbol that symbolis to be read of the

steak

Pushdown automata

Definition (Pushdown automaton)A pushdown automaton (PDA, for short) K = (Q, q0,�,⌃,�) with

Q, a finite set of control states

q0 2 Q, the initial state

�, a finite stack alphabet

⌃, a finite input alphabet

� ✓ Q⇥ ⌃⇥ �⇥Q⇥ �⇤, the transition relation.

Transition relation(q, a, �, q0, pop) 2 � means: in state q, on reading input symbol a and

top of stack is symbol �, change to q0 and pop � from the stack.


O

L = { oh"

In > o } on EL

Oona C- L

on Cfl010 of L

Construct a PDA K such that K accepts the language L

Intuition-

• PDA K starts in initial control state Io

• if input word we E or if w start with a"

s"

i reject

• otherwise,

"

scan

"

all Os and push them on the stack

•

on reading the first "a "

,move to control stele I ,

t

pop O from the stack

6 6• in 9

, ,on reading a 9 "

awe pop a O from the stack

• in I,

i reject if a

"

O"

is read,

or if input word is d-

but the stack is not-

hr .

of Os > Is• in S

, ;

acceptif input word and

the stack are both empty .

0, #

,O

"

push o" evokes

#

f) " bottom of stack"

→ 0 OF.ae①a (

"

pop O" "

pop O"

O,

O,

00-

( "

push O"

Q= { so,

I, ) transitions : Ceo

,7

,O

,a

, ,E ) C- D

-

Z= { on )( So ,

0,0 , so,

00 ) EA

r = I o,

# )( oh ,

1,

O, oh

, ,E ) ← A

go = 9- o

( So 10 , #, So

,o ) C- A

Example configurations :

⇐' II '¥ . c a. ¥

4k¥

Change of configuration

( a- o , gon,

# ) t ( a- o ,

on,

0 ) I - Cao, 11,00 ) 1-

Can,

r,

o ) 1- ( oh , e. e)Is ( oh

,E

,E ) reachable

from ( so,

ooh,

# ) ?

Reachability in pushdown automata

DefinitionA configuration c is a triple (state q, stack content Z, rest input w).

DefinitionGiven a transition in �, a (direct) successor configuration c0 of c is

obtained: c ` c0.

Reachability problemFor configuration c, and initial configuration c0: c0 `⇤ c?

Theorem: [Esparza et al. 2000]

The reachability problem for PDA is decidable in PTIME.


'

fControl




obtained: c ` c0.





0




obtained: c ` c0.





. Reek : Dyck language

E = { E,

] ) square brackets

"receive

"

Dyck language

y"

send"

y{ we 2*1 all prefixes of u contain no more

"I

"

- than"

E"

,and the number of

linearization "E

"

egads the member of " T"

in u }=

Exercise construct a PDA that accepts the-

Dyck language .

Ceo,

00in,

# ) 1- Ceo,

ooh,

o )-

¥ L 1- ( So,

on,

00 )

1- ( so ,an

,ooo )

1- ( a, ,

r,

00 )

1- Ce, ,

E,

o )"

reject"

Sometimes"

reject"

is modeled explicitly by a

separate control stele Ierr ; similarly

"accept "

by a

control state If

In our example this means that there are transitions :

( a-o ,

1, #

, 9-err ,

# )

( a, ,

0, #

,9-

err ,# )

( at ,O

,O

, 9- em ,# )

etcetera .

Checking whether a CMSG is safe is decidable

Consider any ordered pair (pi, pj) of processes in CMSG G

Proof idea: construct a PDA Ki,j = (Q, q0,�,⌃,�) such that

CMSG G is not safe wrt. (pi, pj) iff PDA Ki,j accepts

For accepting path u0 . . . uk in G, feed Ki,j with the word

⇢0 . . . ⇢k where ⇢i 2 Lin(�(ui))

such that unmatched sends (of some type) precede all unmatched

receipts (of the same type)

Possible violations that Ki,j may encounter:

1 nr. of unmatched !(pi, pj , ·) > nr. of unmatched ?(pj , pi, ·)2 type of k-th unmatched send 6= type of k-th unmatched receive

3 non-FIFO communication


-(is every accepting path of G safe ?

I 2 3 4- - - - ( m2 ) ( as ) ( ah )

( za ) ( 3,1 ) C 4. D

( 2,3 ) ( 3,2 ) ( 3G )- - -

- ⇐h ) ( a. 2 ) I 4. d)






⇢0 . . . ⇢k where ⇢i 2 Lin(�(ui))







-

(in fact

"

not closed"

kij is going check

for possible violations

ofbeingsafe

Definition C left - closed CMSC )-

A CMSC is left - closed if it does not contain-

unmatched receive events,

or any send events that

are rot yet matched and precede other matched

send events ( of the same type ) .

Exaptes7 2 7 2 7 2 I 2

a a a a

→ → →

→ It . # H→

is not not left - left - left -

left - closed closed closed closed

( unsafe ) ( unsafe ,( and safe ) ( not - safe )

accept accept reject reject






⇢0 . . . ⇢k where ⇢i 2 Lin(�(ui))







rake=

BE s

--

- -

+ assume that↳ not a restriction

, because such

matched events arelinearis atoms do away s exist

indicated explicitly! ? l p , I ,

a )






⇢0 . . . ⇢k where ⇢i 2 Lin(�(ui))







Bea

Beat s

✓← I → J

b at j

✓ from i

The nondeterministic PDA Ki,j

Let {a1, . . . , ak} be the message contents in CMSG G for (pi, pj).

Nondeterministic PDA Ki,j = (Q, q0,�,⌃,�) where:

Control states Q = {q0, qa1 , . . . , qak , qerr , qF }

Stack alphabet � = {1,#}

1 counts nr. of unmatched !(pi, pj , am), and # is bottom of stack

Input alphabet

⌃ =

8<

:

unmatched action !(pi, pj , am)unmatched action ?(pj , pi, am)matched actions !?(pi, pj , am), ?!(pj , pi, am)

Transition function � is described on next slide


O

-

all message in CMSG gsend from i to j ,

or

received at j from i.







Input alphabet

⌃ =

8<

:




/-

I \initial reject

accept







Input alphabet

⌃ =

8<

:




-







Input alphabet

⌃ =

8<

:




- possible symbols inthe linearis atoms

BEEBE







Input alphabet

⌃ =

8<

:




Safeness of CMSGs (2)

Initial configuration is (q0,#, w)w is linearization of actions at pi and pj on an accepting path of G

On reading !(pi, pj , am) in q0, push 1 on stack

nondeterministically move to state qam or stay in q0

On reading ?(pj , pi, am) in q0, proceed as follows:

if 1 is on stack, pop it

otherwise, i.e., if stack is empty, accept (i.e., move to qF )

On reading matched send !?(pi, pj , ak) in q0stack empty (i.e., equal to #)? ignore input; otherwise, accept

Ignore the following inputs in state q0:matched send events !?(pj , pi, ak), and

unmatched sends or receipts not related to pi and pj

Remaining input w empty? Accept, if stack non-empty; else reject














- - -

- -("

sees an unmatched send

from pi to pj with

content am"













Ipending unmatched send p ; → pj

-

I✓

not left - closed













-

-

- - -

tnot left - closed













-













0 OO -

left -

closed.

×


The behaviour in state qam for 0 < m 6 k:

Ignore all actions except ?(pj , pi, a`) for all 0 < ` 6 k

On reading ?(pj , pi, a`) (for some 0 < ` 6 k) in state qam do:

if 1 is on top of stack, pop it

If stack is empty:

if last receive differs from am, accept

otherwise reject, while ignoring the rest (if any) of the input


E- -






If stack is empty:




-






If stack is empty:




#not left - closed

→

( left - closed

Example I.

C MSG G , y z n 2

>

a

D- . . →

Uo Up

Ceo,

#,

!a?a?a ) 1- ( Ea ,a

,?a?a )

-

initial configuration T

T ( Ea,

#,

?a )

Ceo,

r ,?a?a ) reject

T

( so ,#

, Ia ) accept

Thus the PDA Ky ,zaccepts the

input word ⇒ g ,is not

left - closed

Eionplez CMSG gz :

2 2 n 2 safe.

aa

→ →

D- be ,

→± ts

7 2

HotPDA kn ,z

b

( so ,#

,! a !b?a?b ) 1- ( aah ,

t.to?a?b )

T T

( so,

n,

lb ?a?b ) ( a-a ,

r,

? a ?b )

T T t

( a- a,

If,

?b )Ceo ,

rn,

?a?b ) ( ab ,n ,

?a?b )p

T T

( 8,1 ,?b ) Cab

,,

,?b )

( a-as #

,E )rejectT T

( so ,#

,e ) Cats

,# se )

reject reject-

-

PDA kn ,zhas no accepting run on t.cn?b?a?b

and thus CMSG Gz is left - closed-

Example-

Crisco g ,

7 2 7 2

→ a

D- →→ - A

Uo U>

PDA Kaz

Ceo, # ,

t.at?b?a) 1- leo

,n

,! ?b?a )

T accept

I ea,

n,

! ?b?a ) → violation of

T Fro property .

( Ea,

a,

? a)ppa K

, ,z acceptsT

( Ea,

#,

e ) ⇒ CMSG g ,is not

rejectleft - closed

⇒ is not safe.


It follows: PDA Ki,j accepts iff CMSG G is not safe wrt. (pi, pj)

=) CMSG G is not safe wrt. (pi, pj) iff configuration (qF , ·, ·) is

reachable.

=) reachability of a configuration in a PDA is in PTIME, hence

checking safeness wrt. (pi, pj) is in PTIME.

Time complexityThe worst-case time complexity of checking whether CMSG G is safe is

in O(k2·N2·L·|E|

2) where k = |P|, N = |V |, and L = |C|.

Proof.Checking reachability in PDA Ki,j is in O(L·|E|

2). The number of

PDAs is k2, as we consider ordered pairs in P. The number of paths in

the CMSG G for each pair that need to be checked is in O(N2), as a

single traversal for each loop in G suffices.


delleALI-

accept




reachable.




in O(k2·N2·L·|E|

2) where k = |P|, N = |V |, and L = |C|.


2). The number of





GoBa

\Esparza et at

.




reachable.




in O(k2·N2·L·|E|

2) where k = |P|, N = |V |, and L = |C|.


2). The number of





BEEBE

- - - - Ila




reachable.




in O(k2·N2·L·|E|

2) where k = |P|, N = |V |, and L = |C|.


2).

The number of





I




reachable.




in O(k2·N2·L·|E|

2) where k = |P|, N = |V |, and L = |C|.


2). The number of

PDAs is k2, as we consider ordered pairs in P.

The number of paths in




I




reachable.




in O(k2·N2·L·|E|

2) where k = |P|, N = |V |, and L = |C|.


2). The number of





-

Lo

-

theoretical foundations of the uml lecture 5+6 ... · outline 1 a non-decomposable msc 2...

Documents