Workshop presentation given by Niels Lohmann on February 20, 2014 in Potsdam, Germany at the Sixth Central-European Workshop on Services and their Composition (ZEUS 2014).
Where did I go wrong? Explaining errors in process models
1. Where did I go wrong?
Explaining errors in process models
Niels Lohmann
2. Verification of processes and services
WS-Addressing, WSDM, WS-CDL, WSCI, WS-TX, WSRM, WS-AT, WS-C, BPEL4People, WSRF, WSFL, WS-Policy, WS-BPEL, WS-Routing
- more aspects and domains = new languages and checks
- domain-specific approaches are not flexible
- moving target
3. Model checking
general-purpose verification approach:
1. formalize model and specification*
2. push a button
* can be hidden from the user
4. Effectiveness and efficiency
- model checking works in reality
- successful applications in many domains
- "verify while you model"
5. Diagnosis
- in case of error: outputs the target state and produces a witness path
- the witness path describes how the target state can be reached
- operational semantics: the path can be simulated
(figure: target state and witness path)
6. Diagnosis: the bad
- paths can become very long
- length correlates with the size of the model
- reports all events equally: disregarding importance
7. Reasons for useless paths
- detours (depth-first search)
- interleavings (concurrency)
- indisputable parts (bootstrapping)
8. Running example
Excerpt from the paper shown on the slide: "... process in Fig. 2 and to which we added a start and an end event. This process model contains a lack of synchronization error as well as a local deadlock, which are not so easy to spot in the first place."
Fig. 4: Workflow graph with deadlock and lack of synchronization errors.
(figure: workflow graph with gateways M1, M2, J1, F1, annotated "lack of synchronization", and its Petri net with places p1-p14 and transitions t1-t14)
Definition shown on the slide: "A local deadlock is a reachable state s of the process that has a token on an incoming edge e of an AND-join such that each state that is in turn reachable from s also" (the sentence is cut off on the slide).
9. Reduction: obvious parts
- assumption: progress
- classification of transitions*
- only report decisions
* not just XOR-gateways!
(figure: the Petri net of the running example, places p1-p14 and transitions t1-t14)
17. Reduction: spurious decisions
Excerpt from the paper shown on the slide: "... could exploit the Petri net structure to calculate conflict clusters to identify possible conflict transitions. This allowed for a quick check whether a transition is actually a conflict. However, we still considered paths as sequences of transitions leading to the goal state. As discussed earlier, this sequence may be an arbitrary linearization of originally" (cut off on the slide).

Table 4. Reduced paths from the checks for local deadlocks
library                            | A           | B1          | B2          | B3          | C
avg. path length before / after    | 1.84 / 0.91 | 2.11 / 0.67 | 1.54 / 0.57 | 1.67 / 0.41 | 2.30 / 0.90
max. path length before / after    | 8 / 2       | 7 / 1       | 6 / 1       | 5 / 1       | 3 / 1
sum of path lengths before / after | 178 / 88    | 171 / 54    | 129 / 49    | 139 / 34    | 23 / 10
reduction                          | 50.56 %     | 68.42 %     | 62.79 %     | 75.54 %     | 60.87 %
aborted checks                     | 1           | 0           | 0           | 0           | 0

Table 5. Reduced paths from the checks for lack of synchronization
library                            | A           | B1          | B2          | B3          | C
avg. path length before / after    | 3.17 / 0.86 | 0.66 / 0.17 | 0.68 / 0.14 | 0.59 / 0.09 | 7.57 / 1.00
max. path length before / after    | 13 / 2      | 7 / 2       | 8 / 2       | 14 / 2      | 17 / 2
sum of path lengths before / after | 111 / 30    | 66 / 17     | 82 / 17     | 72 / 12     | 53 / 7
reduction                          | 72.97 %     | 54.55 %     | 79.27 %     | 84.42 %     | 86.79 %
aborted checks                     | 1           | 4           | 0           | 0           | 4

Table 6. Reduced paths from the checks for noninterference
library                            | A           | B1          | B2          | B3          | C
avg. path length before / after    | 2.79 / 0.99 | 2.55 / 0.75 | 2.33 / 0.55 | 2.55 / 0.63 | 2.33 / 0.40
max. path length before / after    | 7 / 2       | 7 / 2       | 7 / 2       | 7 / 2       | 3 / 1
sum of path lengths before / after | 4557 / 1614 | 1054 / 310  | 1777 / 423  | 3130 / 772  | 35 / 6
reduction                          | 64.58 %     | 70.59 %     | 76.20 %     | 75.34 %     | 82.86 %
aborted checks                     | 12          | 4           | 4           | 7           | 0
18. Reduction: unorder transitions
- Petri nets have explicit locality
- exploit to derive concurrency
- helps to “distribute” actions to components
- makes synchronization points (milestones) explicit
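The pipeline sketched on slides 5, 9, 17 and 18 (a depth-first model checker that returns a witness path, the reduction to decisions, the removal of spurious decisions, and the unordering of independent transitions) as an added worked example. This is not code from the slides or from the author's tools: the workflow net, the place and transition names, and the simplified local-deadlock test are all constructed assumptions for the example, and the net is not Fig. 4 of the paper.

```python
"""Added example (not from the slides or the author's tools): a tiny
Petri-net model checker that finds a local deadlock by depth-first search,
returns the raw witness path, keeps only the real decisions, and turns the
remaining sequence into a partial order. Net and names are constructed."""

# Transition -> (input places, output places). Constructed workflow net with
# an AND-split (t1), an XOR-split (t2a/t2b) and an AND-join (t4) that only
# branch a feeds; branch b leaves a token stuck in front of the join.
NET = {
    "t1":  (["start"], ["p1", "p2"]),   # AND-split
    "t2a": (["p1"], ["p3"]),            # XOR-split, branch a
    "t2b": (["p1"], ["p4"]),            # XOR-split, branch b
    "t3":  (["p2"], ["p5"]),            # plain sequence on the other thread
    "t3b": (["p5"], ["p6"]),            # plain sequence
    "t3x": (["p2", "p3"], ["end"]),     # shortcut; structurally conflicts with t3
    "t4":  (["p3", "p6"], ["end"]),     # AND-join
    "t5":  (["p4"], ["end"]),           # branch b bypasses the join
}
INITIAL = {"start": 1}
AND_JOIN = "t4"

def enabled(marking, t):
    return all(marking.get(p, 0) >= 1 for p in NET[t][0])

def fire(marking, t):
    m = dict(marking)
    for p in NET[t][0]:
        m[p] -= 1
        if m[p] == 0:
            del m[p]
    for p in NET[t][1]:
        m[p] = m.get(p, 0) + 1
    return m

def key(marking):
    return tuple(sorted(marking.items()))

def reachable(marking):
    """All markings reachable from `marking` (the marking itself included)."""
    seen = {key(marking): marking}
    todo = [marking]
    while todo:
        cur = todo.pop()
        for t in NET:
            if enabled(cur, t):
                nxt = fire(cur, t)
                if key(nxt) not in seen:
                    seen[key(nxt)] = nxt
                    todo.append(nxt)
    return list(seen.values())

def is_local_deadlock(marking, join):
    """Simplified reading of the definition on slide 8 (an assumption of this
    example): some input place of the AND-join is marked and stays marked in
    every marking reachable from here, so the join can never consume it."""
    return any(marking.get(p, 0) >= 1
               and all(r.get(p, 0) >= 1 for r in reachable(marking))
               for p in NET[join][0])

def find_witness(join=AND_JOIN):
    """Depth-first search like a model checker. Returns (path, markings) for
    the first local deadlock found; markings[i] is the state before path[i]."""
    stack = [(INITIAL, [], [])]
    visited = set()
    while stack:
        m, path, hist = stack.pop()
        if key(m) in visited:
            continue
        visited.add(key(m))
        if is_local_deadlock(m, join):
            return path, hist
        for t in reversed(list(NET)):   # reversed so dict order is explored first
            if enabled(m, t):
                stack.append((fire(m, t), path + [t], hist + [m]))
    return None, None

def conflicting(t):
    """Transitions sharing an input place with t (its structural conflict cluster)."""
    return {u for u in NET if u != t and set(NET[u][0]) & set(NET[t][0])}

def structural_decisions(path):
    """Slide 9: keep only transitions that are structurally in conflict."""
    return [t for t in path if conflicting(t)]

def actual_decisions(path, hist):
    """Slide 17: drop spurious decisions, i.e. keep t only if a competitor was
    really enabled in the marking in which t fired."""
    return [t for t, m in zip(path, hist) if any(enabled(m, u) for u in conflicting(t))]

def dependent(t, u):
    places = lambda x: set(NET[x][0]) | set(NET[x][1])
    return bool(places(t) & places(u))

def partial_order(path):
    """Slide 18: order two occurrences only if they touch a common place
    (transitively), so independent branches stay concurrent. Assumes each
    transition occurs at most once in the path (acyclic example)."""
    order = {(path[i], path[j]) for i in range(len(path))
             for j in range(i + 1, len(path)) if dependent(path[i], path[j])}
    changed = True
    while changed:
        changed = False
        for (a, b) in list(order):
            for (c, d) in list(order):
                if b == c and (a, d) not in order:
                    order.add((a, d))
                    changed = True
    return order

if __name__ == "__main__":
    path, hist = find_witness()
    print("raw witness path:    ", path)
    print("structural decisions:", structural_decisions(path))
    print("actual decisions:    ", actual_decisions(path, hist))
    print("partial order:       ", sorted(partial_order(path)))
```

Running the script reports the raw witness path t1, t2b, t3, t3b, narrows it to the single decision t2b (t3 is only a spurious decision because its structural competitor t3x was not enabled when t3 fired), and shows that t2b and t3 are unordered in the partial order, so the interleaving t1, t3, t2b, t3b is the same explanation. The point of checking conflicts against the marking at firing time rather than against the net structure alone is exactly the gap between slide 9 and slide 17.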
21. Summary
- paths can be shortened and uncluttered
- result is a partial order of important decisions
- applicable to any verification goal
Open issues
- error localization vs. explanation
- cyclic behavior
- What should a good diagnosis for $problem look like?