Mar 29, 2008 - Overview of the results. 4 Conclusion. Summary of the talk. N. Beneš et al. A Case Study in Parallel Verification of CBSs. March 29, 2008. 2 / 26 ...
Outline
Introduction
Foundations
Verification
Conclusion
A Case Study in Parallel Verification of Component-Based Systems ˇ a, J. Sochor, P. Vaˇrekov´a and B. Zimmerova N. Beneˇs, I. Cern´ Faculty of Informatics, Masaryk University Brno, Czech Republic PDMC’08
March 29, 2008
N. Beneˇs et al.
A Case Study in Parallel Verification of CBSs
March 29, 2008
1 / 26
Outline
Introduction
Foundations
1
Introduction Motivation Contribution
2
Foundations CoCoME modelling contest Modelling language Logic for properties specification
3
Verification Model of the system Verification of the model Overview of the results
4
Conclusion Summary of the talk
N. Beneˇs et al.
A Case Study in Parallel Verification of CBSs
Verification
Conclusion
March 29, 2008
2 / 26
Outline
Introduction
Foundations
1
Introduction Motivation Contribution
2
Foundations CoCoME modelling contest Modelling language Logic for properties specification
3
Verification Model of the system Verification of the model Overview of the results
4
Conclusion Summary of the talk
N. Beneˇs et al.
A Case Study in Parallel Verification of CBSs
Verification
Conclusion
March 29, 2008
3 / 26
Outline
Introduction
Foundations
Verification
Conclusion
Motivation
Component-based development as a current trend in SE • Systems assembled from third-party components
→ issue of correct interaction among components
Parallel verification becomes a need • Concurrency of a large number of components
→ applicability of sequential verification techniques becomes challenging
N. Beneˇs et al.
A Case Study in Parallel Verification of CBSs
March 29, 2008
4 / 26
Outline
Introduction
Foundations
Verification
Conclusion
Contribution
1
Identification of the component-specific properties defining correctness issues in component-based systems, and their formalization • expressed in the logic CI-LTL – an extended version of the
action-based Linear Temporal Logic • check the validity of the model and the correctness of the
system
2
Experimental application of parallel model checking to the model of a real system • CoCoME modelling example • parallel model-checking tool DiVinE
N. Beneˇs et al.
A Case Study in Parallel Verification of CBSs
March 29, 2008
5 / 26
Outline
Introduction
Foundations
1
Introduction Motivation Contribution
2
Foundations CoCoME modelling contest Modelling language Logic for properties specification
3
Verification Model of the system Verification of the model Overview of the results
4
Conclusion Summary of the talk
N. Beneˇs et al.
A Case Study in Parallel Verification of CBSs
Verification
Conclusion
March 29, 2008
6 / 26
Outline
Introduction
Foundations
Verification
Conclusion
CoCoME modelling contest The contest • The aim to evaluate and compare the existing component
modelling approaches on a common modelling example • 18/13 modelling teams, URL http://www.cocome.org Organized by A. Rausch, R. Reussner, R. Mirandola, F. Plasil
The Common Component Modelling Example • A trading system handling sales in a chain of supermarkets – interaction with the cashier, inventory, ordering goods, generating reports
• Specification in terms of Java source code (125 classes) – to prevent ambiguities in the interpretation of the specification by the teams
N. Beneˇs et al.
A Case Study in Parallel Verification of CBSs
March 29, 2008
7 / 26
Outline
Introduction
Foundations
Verification
Conclusion
Common Component Modelling Example
N. Beneˇs et al.
A Case Study in Parallel Verification of CBSs
March 29, 2008
8 / 26
Outline
Introduction
Foundations
Verification
Conclusion
Modelling language
1/3
Component-Interaction automata language (or CI automata for short) • Automata-based language – finite state model, infinite executions/traces
• Three types of actions – input, output and internal
• Captures important interaction information – participants of communication, hierarchy of components
• Flexible composition – can be parametrized by architectural assembly, communication strategy
• General to meet various component models – by fixing the composition operator and semantics of actions
N. Beneˇs et al.
A Case Study in Parallel Verification of CBSs
March 29, 2008
9 / 26
Outline
Introduction
Foundations
Verification
Conclusion
Modelling language
2/3
A component-Interaction automaton • Finite set of states • Labeled transitions with structured labels (component names, actions)
• Hierarchy of component names
Example:
C1 :
Hierarchy: (1)
7654 0123 q MM ( 1 ,sB, − ) MMM ~> ( − ,sA, 1 ) ~~ MMM ~ ~ MMM ~ ( 1 ,sC , − ) MM& ~~ 0123 7654 0123 / 7654 p _@ r qq @@ q 0 q ( − ,sC , 1q)q @@ q @@ q q 0 ( 1 ,sA , − ) @ qqq ( − ,sB 0 , 1 ) 7654 0123xqr
t
& 7654 0123
s
Hierarchy: (2)
0123 7654 q pp8
( −, sB, 2p)ppp
C2 :
p ppp ppp 0123 / 7654 p o
C3 :
0123 / 7654 p o
� 7654 0123 r
( 2, int, 2 )
( 2, sB 0 , − )
/ 7654 0123
( −, sC , 3 )
q
( 3, sC 0 , − )
Hierarchy: (3)
N. Beneˇs et al.
A Case Study in Parallel Verification of CBSs
March 29, 2008
10 / 26
Outline
Introduction
Foundations
Verification
Conclusion
Modelling language
3/3
Composition of CI automata
C = ⊗F {C1 , C2 , C3 }
Hierarchy: (1)
C1 :
7654 0123 q MM ( 1 ,sB, − ) MMM ~> ( − ,sA, 1 ) ~~ MMM ~ ~ MMM ~ ( 1 ,sC , − ) ~ MM& ~ 0123 0123 7654 / 7654 p _@ q r q @@ q ( − ,sC 0 , 1q)qq @@ q @ q qq ( 1 ,sA0 , − ) @@ ( − ,sB 0 , 1 ) xqqq 7654 0123 t r
/.(q,p,p)*+ -, () QQQ s9 QQQ ( − ,sA, 1 )sss Q
C:
Hierarchy: (2)
& 7654 0123
s
0123 7654 q pp8
( −, sB, 2p)ppp
C2 :
p ppp ppp 0123 / 7654 p o
C3 :
0123 / 7654 p o
( 2, sB 0 , − ) ( −, sC , 3 )
� 7654 0123 r
( 2, int, 2 )
/ 7654 0123
q
( 3, sC 0 , − )
Hierarchy: (3)
( 1 ,sB, 2 )
QQQ sss ( 1 ,sC , 3 ) QQQ( sss /. /() /.(p,p,p)*+ -, -, ()(r ,p,q)*+ eKKK m KKK ( 3 ,sC 0 , 1 )mmmm m m KK mmm ( 1 ,sA0 , − ) KK vmmm -,o /.(t,p,p)*+ () ( 2 ,sB 0 , 1 )
/.(s,q,p)*+ /() -,
( 2 ,int, 2 )
� /.(s,r ,p)*+ -, () Hierarchy: ((1),(2),(3))
N. Beneˇs et al.
A Case Study in Parallel Verification of CBSs
March 29, 2008
11 / 26
Outline
Introduction
Foundations
Verification
Conclusion
Logic for properties specification CI-LTL • extended version of the action based LTL • motivated by CBSE requirements • expresses properties about both • occurring component interaction (i.e. labels in automata) • possible component interaction (i.e. label enabledness)
Operators • possible interaction (in a state) E(l) • actual interaction (on a path) P(l) • LTL operators – next X Φ, until Φ U Ψ, and Φ ∧ Ψ, not ¬ Φ
Example N. Beneˇs et al.
G (E(1, a, 2) ⇒ F P(1, a, 2)) A Case Study in Parallel Verification of CBSs
March 29, 2008
12 / 26
Outline
Introduction
Foundations
1
Introduction Motivation Contribution
2
Foundations CoCoME modelling contest Modelling language Logic for properties specification
3
Verification Model of the system Verification of the model Overview of the results
4
Conclusion Summary of the talk
N. Beneˇs et al.
A Case Study in Parallel Verification of CBSs
Verification
Conclusion
March 29, 2008
13 / 26
Outline
Introduction
Foundations
Verification
Conclusion
Model of the system Structure of the model • 140 primitive CI automata, • composed hierarchically – 34 composite automata, 6 levels • complemented with a usage profile of the Cashier
State space of the model • Without usage profile – over 322 millions of states (60 GB of memory)
• With usage profile – 749 340 reachable states, 3 181 473 reachable transitions
N. Beneˇs et al.
A Case Study in Parallel Verification of CBSs
March 29, 2008
14 / 26
Outline
Introduction
Foundations
Verification
Conclusion
Verification of the model
1/2
Correctness of the system • Local deadlocks of components – one of the components cannot move further
• Blocking of components – temporary blocking of a component
• Infinite loops in the model – finite for/while cycles traversed infinitely-many times
• Use-case scenarios – presence of a particular scenario (sequence of actions) in the system
N. Beneˇs et al.
A Case Study in Parallel Verification of CBSs
March 29, 2008
15 / 26
Outline
Introduction
Foundations
Verification
Conclusion
Verification of the model
2/2
Validity of the model • checking safety of considered abstractions • simplification of the communicational scheme • internal behaviour of primitive components • checked via a number of test cases translated into CI-LTL
N. Beneˇs et al.
A Case Study in Parallel Verification of CBSs
March 29, 2008
16 / 26
Outline
Introduction
Foundations
Verification
Conclusion
Selected properties
1/3
Property 4 (Local deadlock on one action). It cannot happen that the CashDeskApplication (100) is ready to send a notification to the CashDeskChannel (200) saying that it received the SaleStartedEvent, but the CashDeskChannel is never ready to accept the notification. [FP(100, oESS 00 , −)] ∨ G[E(100, oESS 00 , −) ⇒ FE(100, oESS 00 , 200)] property prop4
N. Beneˇs et al.
states 749 343
transitions 3 181 479
memory 532 MB
A Case Study in Parallel Verification of CBSs
time 67 s
result holds
March 29, 2008
17 / 26
Outline
Introduction
Foundations
Verification
Conclusion
Selected properties
2/3
Property 7 (Blocking of a component). It cannot happen that the CashDeskApplication (100) is ready to send a notification to the CashDeskChannel (200) saying that it received the SaleStartedEvent, but the CashDeskChannel is not right in the current state ready to accept the notification. [FP(100, oESS 00 , −)] ∨ G¬[E(100, oESS 00 , −)∧¬E(100, oESS 00 , 200)] property prop7
N. Beneˇs et al.
states 1 498 671
transitions 6 362 935
memory 688 MB
A Case Study in Parallel Verification of CBSs
time 534 s
result holds not
March 29, 2008
18 / 26
Outline
Introduction
Foundations
Verification
Conclusion
Selected properties
3/3
Use Case scenarios 1. Cash Payment 2. Unsuccessful Card Payment 3. Successful Card Payment
property uc1 uc2 uc3
N. Beneˇs et al.
states 19 362 460 11 670 924 11 680 736
transitions 81 959 821 49 165 124 49 202 320
memory 4 204 MB 2 694 MB 2 698 MB
A Case Study in Parallel Verification of CBSs
time 5 141 s 3 203 s 3 098 s
result found found found
March 29, 2008
19 / 26
Outline
Introduction
Foundations
Verification
Conclusion
Effect of the parallelization Memory consumption depending on the number of computers
N. Beneˇs et al.
A Case Study in Parallel Verification of CBSs
March 29, 2008
20 / 26
Outline
Introduction
Foundations
Verification
Conclusion
Effect of the parallelization Time consumption depending on the number of computers
N. Beneˇs et al.
A Case Study in Parallel Verification of CBSs
March 29, 2008
21 / 26
Outline
Introduction
Foundations
Verification
Conclusion
Effect of the parallelization Time consumption depending on the number of computers
N. Beneˇs et al.
A Case Study in Parallel Verification of CBSs
March 29, 2008
22 / 26
Outline
Introduction
Foundations
Verification
Conclusion
Lessons learned
Experience and discussion • Characteristics of the model – state space explosion, irregular changes
• Deadlocks in the model – unrealistic behaviour
• Local deadlocks and component-blocking properties – enabledness operator
• Parallelization – effect of parallelization
N. Beneˇs et al.
A Case Study in Parallel Verification of CBSs
March 29, 2008
23 / 26
Outline
Introduction
Foundations
1
Introduction Motivation Contribution
2
Foundations CoCoME modelling contest Modelling language Logic for properties specification
3
Verification Model of the system Verification of the model Overview of the results
4
Conclusion Summary of the talk
N. Beneˇs et al.
A Case Study in Parallel Verification of CBSs
Verification
Conclusion
March 29, 2008
24 / 26
Outline
Introduction
Foundations
Verification
Conclusion
Conclusion Summary of the talk • Practical application of the parallel verification to a real
component-based system • Identification of a number of typical component specific
properties • Formalization of the properties using the logic CI-LTL • Demonstration of the parallel CI-LTL verification
Future work • Reduction techniques – the partial-order and the symmetry reduction
N. Beneˇs et al.
A Case Study in Parallel Verification of CBSs
March 29, 2008
25 / 26
Outline
Introduction
Foundations
Verification
Conclusion
Thank you
Thank you for your attention
N. Beneˇs et al.
A Case Study in Parallel Verification of CBSs
March 29, 2008
26 / 26
