Budapest University of Technology and Economics, Department of Measurement and Information Systems. Dagstuhl 2004.
Towards Automated Formal Verification of
Visual Modeling Languages by Model Checking
(The CheckVML approach)
Dániel Varró
Budapest University of Technology and Economics
Department of Measurement and Information Systems
Model checking in a modeling language
• Formal verification of UML models
  – to decide automatically whether the system meets its (functional) requirements
  – source: statecharts
  – target: model checkers (e.g., SPIN)
• BUT: there is life beyond statecharts…
• Model checking visual modeling languages
  – UML: activity models, interaction diagrams
  – formal analysis: Petri nets, dataflow nets, ...
  – future modeling languages
Problem statement and Objective
• Traditional approach: precise knowledge of
  – the semantics of the modeling language
  – the technicalities of the model checker (at least its low-level input language)
• Problem: it is very difficult and expensive
  – to map new languages to model checkers
  – to maintain existing tools (e.g., UML 1.x to 2.0)
• Objective: a mapping into model checkers parameterized by the semantics of the language
  – hide the technicalities from domain engineers
Transition systems
• a low-level, C-like programming language of guarded commands
[Figure: a transition with its guard and action]
Model checking transition systems
• The model checking problem
  – Given a finite state transition system and a property (some temporal logic expression)
  – Decide whether the property holds in the system by traversing the entire state space
• Typical properties
  – safety: a bad thing will never happen
  – liveness: each request is served eventually
• Practical limitations
  – state variables must have finite domains (fixed at compile time); in practice a limit on the order of 300 state variables
CheckVML: Problem definition
• Input: meta-level specification
  – a metamodel of the modeling language
  – a set of graph transformation rules as operational semantics of the language
  – an instance model of the language
• Output: model-level specification
  – a transition system that behaves equivalently to the original (graph transformation) system
From Graph Transformation Systems to Transition Systems
Overview: From GTS to TS
[Figure: states of the graph transformation system map to states of the transition system; rule applications map to its transitions]
Type declarations, State variables
• State variables: for each dynamic concept of the metamodel
  – class: one-dimensional state variable array of bools
  – association: two-dimensional state variable array of bools
  – attribute: one-dimensional state variable array of an enumeration type
• Optimization for static concepts:
  – they never change, so no state variables are required
• Restrictions for type declarations:
  – finite domains for enumerations
  – a priori (compile time) bounded number of nodes
  – associations are handled as relations
Initialization
• Each object in the model has a unique id
• Evaluation:
  – class[x] = TRUE if there exists (initially) an object x of type class, otherwise FALSE
  – assoc[x][y] = TRUE if there exists a link of type assoc between nodes x and y
  – attr[x] = val if the slot of type attr at node x has value val
• State of the TS: defined by the current evaluation of these predicates
Example: Type declarations, Initialization
Naive approach:
AutID : TYPE = {a1};
StateID : TYPE = {s1, s2, s3};
ColorType : TYPE = {R, G, B};
automaton : ARRAY AutID OF Boolean
state : ARRAY StateID OF Boolean
states : ARRAY AutID OF ARRAY StateID OF Boolean
current : ARRAY AutID OF ARRAY StateID OF Boolean
color : ARRAY StateID OF ColorType
INITIALIZATION
  automaton[a1] = TRUE;
  states[a1][s1] = TRUE; ...
  current[a1][s1] = TRUE; current[a1][s2] = FALSE; ...
  color[s1] = R; ...
Example: Type declarations, Initialization
Optimized approach (after filtering the static part):
AutID : TYPE = {a1};
StateID : TYPE = {s1, s2, s3};
current : ARRAY AutID OF ARRAY StateID OF Boolean
INITIALIZATION
  current[a1][s1] = TRUE; current[a1][s2] = FALSE; ...
Translating a GT rule into transitions
1 Find all matchings of the static parts of the rule
  – these are partial matches of the entire rule
  – overapproximation: there can be no more potential matches than these (as static parts do not change)
2 Extend partial matchings by dynamic parts in all possible (type compliant) combinations
3 Generate guarded commands
  – static parts are not included
  – only dynamic parts appear in guards and actions
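The following Python script is an added example, not code from CheckVML or from the slides. It carries the encoding of the "Type declarations, State variables" and "Initialization" slides and the three-step rule translation above through a constructed automaton model, then traverses the resulting transition system explicitly, as "Model checking transition systems" describes, to check a safety property. The `next` association, the `step` rule and the deliberately wrong `fork` rule are assumptions made for illustration; the slides show the `current` state variable but not the rules.

```python
"""Added example, not code from CheckVML or the slides: encode a small instance
model as state variables (dynamic parts only), compile one graph transformation
rule into guarded commands by matching its static part first, and explore the
resulting transition system explicitly to check a safety property.
The 'next' association and both rules are constructed assumptions."""
from collections import deque
from itertools import product

# A priori bounded node ids, as the restrictions on type declarations require.
DOMAINS = {"Aut": ("a1",), "State": ("s1", "s2", "s3")}

# Static associations of the instance model: they never change, so no state
# variable is generated for them (the 'next' association is an assumption).
STATIC = {
    "states": {("a1", "s1"), ("a1", "s2"), ("a1", "s3")},
    "next": {("s1", "s2"), ("s2", "s3"), ("s3", "s1")},
}

# The only dynamic concept is 'current' (ARRAY AutID OF ARRAY StateID OF Boolean).
# A state of the transition system is the set of entries evaluating to TRUE.
INITIAL = frozenset({("current", "a1", "s1")})

# Rule 'step' (assumed): move the current marker of A along a 'next' link S->T.
# Pattern elements are (relation, variables[, required value]); only the
# dynamic ones may appear in guards and actions.
STEP = {
    "vars": {"A": "Aut", "S": "State", "T": "State"},
    "static": [("states", ("A", "S")), ("states", ("A", "T")), ("next", ("S", "T"))],
    "dynamic": [("current", ("A", "S"), True), ("current", ("A", "T"), False)],
    "rhs": [("current", ("A", "S"), False), ("current", ("A", "T"), True)],
}
# Rule 'fork' (assumed, deliberately wrong): marks T without unmarking S.
FORK = dict(STEP, dynamic=[("current", ("A", "S"), True)],
            rhs=[("current", ("A", "T"), True)])


def static_matches(rule):
    """Step 1: bind every variable that occurs in a static pattern element.
    Static links never change, so these partial matches over-approximate the
    set of matches the rule can ever have in any reachable state."""
    svars = sorted({v for _, vs in rule["static"] for v in vs})
    bindings = []
    for vals in product(*(DOMAINS[rule["vars"][v]] for v in svars)):
        b = dict(zip(svars, vals))
        if all(tuple(b[v] for v in vs) in STATIC[rel] for rel, vs in rule["static"]):
            bindings.append(b)
    return bindings


def compile_rule(rule):
    """Steps 2 and 3: extend each partial match over the variables that occur
    only in dynamic elements, in every type-compliant way, and emit one
    guarded command (guard, action) per complete match."""
    bound = {v for _, vs in rule["static"] for v in vs}
    dvars = sorted({v for _, vs, _ in rule["dynamic"] for v in vs} - bound)
    commands = []
    for b in static_matches(rule):
        for vals in product(*(DOMAINS[rule["vars"][v]] for v in dvars)):
            m = {**b, **dict(zip(dvars, vals))}

            def inst(elems, m=m):
                return [((rel,) + tuple(m[v] for v in vs), val) for rel, vs, val in elems]
            commands.append((inst(rule["dynamic"]), inst(rule["rhs"])))
    return commands


def successors(state, commands):
    """Fire every enabled guarded command once; the TS is nondeterministic."""
    for guard, action in commands:
        if all((key in state) == val for key, val in guard):
            nxt = set(state)
            for key, val in action:
                (nxt.add if val else nxt.discard)(key)
            yield frozenset(nxt)


def check_safety(commands, invariant, init=INITIAL):
    """Breadth-first traversal of the entire (finite) state space. Returns the
    set of discovered states and, if the invariant is violated, the path from
    the initial state to the first bad state (the counterexample), else None."""
    parent = {init: None}
    todo = deque([init])
    while todo:
        st = todo.popleft()
        if not invariant(st):
            path = []
            while st is not None:
                path.append(st)
                st = parent[st]
            return set(parent), path[::-1]
        for nx in successors(st, commands):
            if nx not in parent:
                parent[nx] = st
                todo.append(nx)
    return set(parent), None


def one_current_per_automaton(state):
    """Safety property: every automaton is in exactly one current state."""
    return all(sum(1 for k in state if k[0] == "current" and k[1] == a) == 1
               for a in DOMAINS["Aut"])


if __name__ == "__main__":
    for name, rule in (("step", STEP), ("fork", FORK)):
        reach, cex = check_safety(compile_rule(rule), one_current_per_automaton)
        print(name, len(reach), "states;", "safe" if cex is None else f"counterexample of length {len(cex)}")
```

For `step` the three static matches (one per `next` link) become three guarded commands, the reachable state space has three states, and the invariant holds. For `fork` the same matching yields three commands, but the second discovered state already has two current states, so the traversal stops and returns the two-state counterexample path, which is the "No + counter example" answer a model checker reports.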
Summary of the example
AutID : TYPE = {a1};
StateID : TYPE = {s1, s2, s3};
current : ARRAY AutID OF ARRAY StateID OF Boolean
INITIALIZATION
  current[a1][s1] = TRUE; current[a1][s2] = FALSE; current[a1][s3] = FALSE;
TRANSITION
  current[a1][s1] = TRUE ->
CheckVML: A Tool for Model Checking Visual Modeling Languages
CheckVML: Tool architecture
[Figure: data flow through the tool]
• Inputs: metamodel (GXL), instance model (GXL), GraTra rules (GXL + XML), property (GXL)
• Inside CheckVML: the metamodel graph, model graph and rule graphs (Lhs, Rhs) are mapped, via the metamodel of transition systems, to a transition system
• Output: MC input (Promela) for the model checker (SPIN), which answers Yes / No + counter example
Benchmarks (with and before CheckVML)
• Modeling + verification benchmarks for metamodeling + graph transformation
  – dining philosophers (a common benchmark to assess the performance of MC tools)
    • safety, deadlock freedom
  – UML statecharts, Petri nets, ... (at Budapest University of Technology and Economics)
    • safety, liveness
  – modeling and analysis of architectural styles (in cooperation with L. Baresi, R. Heckel, S. Thöne)
    • reachability
• Using model checkers SPIN, Murphi, SAL
Detailed information: D. Varró: Automated Formal Verification of Visual Modeling Languages by Model Checking. To appear soon in the Journal of Software and Systems Modeling, Springer.
Conclusion and Future work
• Good news:
  – model checking parameterized with a modeling language is possible and now supported by a prototype tool
  – CheckVML: the transformation into the input of a MC is much faster than the actual MC process
• Bad news:
  – model checking terminates within acceptable run-time only for relatively small models (12 dining philosophers: >256MB of memory)
• Future:
  – further optimizations driven by static well-formedness constraints of a language
Thank You for Your Kind Attention
and many thanks to Ákos Schmidt (BUTE, for tooling CheckVML)