Towards the Automatic Verification of Inductive Invariants for Infinite

Towards the Automatic Verification of Inductive Invariants for Infinite State UML Models∗ Holger Giese and Daniela Schilling† Software Engineering Group, University of Paderborn, Warburger Str. 100, D-33098 Paderborn, Germany [hg |das]@upb.de December 2004

Abstract The semantics of systems with infinite state space and complex structures such as UML models have been successfully specified with expressive graph transformation techniques. Available automatic approaches to verify the resulting system behavior are restricted to finite state models of moderate size. Algorithms for checking system invariants are restricted to simpler classes of graph transformation systems and properties. In this paper a sufficiently scalable algorithm to check inductive invariants for graph transformation systems is outlined. The employed graph transformation variant is expressive and includes negation. The properties, for which it is checked whether they are invariants of the system, are described by graph matching that can also deal with negations. Due to the inherent local specification style of the graph transformation rules and properties described by graph matching, the complexity of the sketched algorithm depends on the number of graph transformation rules, size of the rules, and the number and size of the graph patterns describing the system properties. It thus can address arbitrarily large or even infinite state systems, if the system and the required properties can be described with a reasonable numbers of rules and properties of limited size.

∗

This work was developed in the course of the Special Research Initiative 614 - Self-optimizing Concepts and Structures in Mechanical Engineering - University of Paderborn, and was published on its behalf and funded by the Deutsche Forschungsgemeinschaft. † Supported by the International Graduate School of Dynamic Intelligent Systems.

2

CONTENTS

Contents 1

Introduction

3

2

Related Work

4

3

Application Example

6

4

Prerequisites 4.1 Graphs . . . . . . . . . . . . . 4.2 Graph Transformations . . . . 4.3 Advanced Graph Properties . . 4.4 Graph Transformation Systems

. . . .

7 8 11 14 19

5

The System Model 5.1 States as Graphs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.2 Describing Behavior with Graph Transformations . . . . . . . . . . . . . 5.3 Systems as Graph Transformation Systems . . . . . . . . . . . . . . . . .

19 20 22 25

6

Advanced Application of Rules 6.1 Backwards Application of Rules . . . . . . . . . . . . . . . . . . . . . . 6.2 Rule Application for Patterns . . . . . . . . . . . . . . . . . . . . . . . .

27 27 29

7

Checking Inductive Invariants 7.1 Theoretical Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.2 Checking Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.3 Scalability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

32 32 37 39

8

Conclusion and Future Work

40

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

References

42

Index

44

A Appendix A.1 Mathematical Notations . . . . . . . . . . . . . . . . . . . . . . . . . . .

45 45

3

1 Introduction

The semantics of systems with infinite state space and complex structures such as UML models have been successfully specified with expressive graph transformation techniques (e.g. [1, 2]). The main motivation has been the expressive power of graph transformations and their intuitive handling of structural changes. One class of available automatic approaches to verify the resulting system behavior considers the reachable set of states by employing model checking (e.g. [2, 3]). Consequently, they are restricted to graph transformation systems with a finite, moderate number of states. Another class are algorithms which enable to check system invariants by relying only on the transformation rules rather then the set of reachable states. These approaches, however, currently only support rather simple classes of graph transformation systems and properties [4]. In this paper a sufficiently scalable algorithm to check inductive invariants for a restricted form for graph transformation systems is outlined. The supported graph transformation variant is expressive and includes negation. The properties for which it is checked whether they are invariants of the system are described by graph matching that can also deal with negation. The local nature of graph transformation rules is exploited to answer the question whether a transition from a graph which still fulfills the condition to a graph which does not fulfill it can be found or not by only looking into a finite subset of representatives. As underlying formal concept, at first a restricted SPO approach is developed which excludes dangling edges as well as enables the safe backward application of rules. In addition, the application of graph transformation rules is lifted from the domain of the graphs to graph patterns to enable to reason about infinite sets of graphs by taking only finite many representatives in form of patterns into account. The approach thus exploits the inherent local specification style present for graph transformation rules and the employed style of properties to ensure scalability. The complexity of the sketched algorithm depends on the number of graph transformation rules, size of the rules, and the number and size of the graph patterns describing the system properties. It thus can address arbitrarily large or even infinite state systems, if a system and the required properties can be described with a reasonable numbers of rules and properties of limited size.

4

2 Related Work

The supported invariants can be employed to specify that all reachable system configurations of a system at hand have to ensure specific structural properties. We explain our approach and its usefullnes by means of an example from the domain of mechatronic systems. The paper is structured as follows: We first review related work in Section 2. Then, the application example is introduced in Section 3. In Section 4, the prerequisites for the approach in form of some basic graph transformation system theory are introduced. The employed typed graph transformation system model with the required specific restrictions is then defined in Section 5. A number of required results for this model with respect to the backward application of rules and application of rules to graph patterns follows in Section 6. The preceding results are combined in Section 7. This section also presents the main result of the paper: a theorem that enables us to check inductive invariants even for the case of an infinite state space by considering only finite many representatives. In addition, the resulting checking algorithm is outlined and its scalability is discussed. We close the report with a final conclusion and outlook on planed future work.

2

Related Work

A number of different approaches have been developed to verify and analyze complex systems with changing structure. One of these approaches is presented in [5] where a language and a tool named Real-Time Maude is presented. The language is based on rewriting logics. Systems specified by the Real-Time Maude language are executable. The tool supports the simulation of a single behavior of the system as well as model checking the complete state space if this is finite. For systems with infinite state space the tool offers different strategies to cut the state space down to a finite one depending on the time span to be considered. Thus, only finite state systems are actually checked whereas we have to check infinite state systems. Other approaches are based on existing specification languages, often visual languages, like the Unified Modeling Language (UML, [6]). To directly analyze a model given in such a language requires that the language has a defined formal semantics. As this is not the case for UML, approaches like [2] transform parts of the model to formal semantic domains. Heckel, Küster and Taentzer suggest to perform the transformation by using attributed graph grammars or pair/triple graph grammars. In [2] they showed how statecharts can be transformed into a CSP model which can than be checked by a model checker. Similar to this Varró

5 presents in [3] an approach to transform specifications given in a visual language, not restricted to the UML, into a semantic domain, and afterwards performs verification on the transformed model by using existing tools like model checkers. Due to the fact that model checkers are restricted to finite state systems, approaches that transform a model given in a visual language to a model given in the input language of a model checker are restricted to finite systems too. In [7, 8] Baldan, Corradini and König presented an approach where a possibly infinite graph transformation system is transformed into a finite structure, called Petri graph, which can be analyzed by existing verification techniques. A Petri graph consists of a graph and a Petri net. The relation between the Petri graph and the original transformation systems is given in the following way. A transition in the Petri graph corresponds to an application of a rule. A graph that can be created by the transformation system corresponds to a certain reachable marking in the Petri net and for each graph which can be created by the transformation system there is a morphism that maps this graph to the Petri graph. To overcome the obstacles of overapproximation the authors introduced k-truncation in [9]. In the same paper they extended the expressiveness of properties to be checked by introducing a temporal logic for graphs. In [10] the authors showed that their approach is not only applicable for transformation systems with graphs consisting of labeled edges and unlabeled nodes but also for typed graphs. This approach requires that a start graph is given at design time which is not always the case in the domain of interest. Heckel and Wagner present in [11] an approach where consistency conditions are modeled by graphs. In contrast to the above approaches they suggest to modify the transformation rules in such a way that applying the rules to an arbitrary system preserves consistency. In a first step the consistency condition is transformed into a rule’s postcondition. By applying the reverse of the rule to the newly constructed postcondition an extended precondition is received. If the so constructed rule is applied to a consistent graph the resulting graph will be consistent again. The approach of Heckel and Wagner can lead to unneccessary complex rules. This is the case if rules are changed by the approach although their application does not lead to a critical situation even if they have not been changed. In addition it is not possible to describe forbidden graphs with negative application conditions. Thus it is not possible to describe that a certain subgraph may only be contained in a graph if it also includes some specific nodes or edges.

6

3 Application Example

3

Application Example

As running example we use the software for the railcab research project,1 which aims at using a passive track system with intelligent shuttles that operate individually and make independent and decentralized operational decisions. The arbitrarily large track system, the shuttles are using, is divided into several disjoint parts each of which is controlled by a section control. To enter a section, a shuttle has to be registered at the corresponding section control. The shuttle sends its data, like position and speed to the section control. The section control in turn returns the data of all other shuttles within the section or in the case that a shuttle has a breakdown the section control alerts the other shuttles. Thus, each shuttle knows which other shuttles are nearby. Shuttles can communicate with each other and decide whether it is useful to build a convoy (this reduces the air resistance) or not. If two shuttles approach at a switch, they can bargain who has right of way. Thus a system can consist of SectionControls, Tracks, Shuttles and the two types of patterns, Registry and DistanceCoordination. The class model of such a system is given in Figure 1.

) *+ ,- #. ) ( ! #" 34 /265 48797 0:;=< /# 012 7>43@? 2A0:B / ( %$'& " ) ( ) (

5E( 0 ? 58D 4E7 0 ) C( 5 4 /2AD 487 ) 0

Figure 1: Class diagram of the example system In [12] a specific notion of real-time patterns is introduced to describe the system behavior. One example pattern is the DistanceCoordination pattern. This pattern is necessary for the coordination of two shuttles, it ensures a minimal distance between the shuttles at any time and gives them the ability to build a convoy. In Figure 1, patterns are depicted as ovals with dashed lines. The Figure shows two patterns, namely the DistanceCoordination pattern and the Registry pattern. Each pattern models a small part of the system beahvior, in the case of the DistanceCoordination pattern it models the real-time interaction between two shuttles which is needed for the distance coordination. A component is built by refining the pattern roles. Due to the fact that the components coordinate each other only via their ports (the refined pattern roles) and each component consists only of finitely many ports compositional model checking is possible (cf. [12]). This means each 1

http://www-nbp.upb.de

7 component can be checked without considering the remaining system. The same holds for the patterns. If for two shuttles holds that the DistanceCoordination pattern is instantiated between them and the model checking of both Shuttle instances and the pattern instance delivers no error than the distance coordination between these two shuttles is correct, i.e. a minimum distance between these two shuttles is guaranteed at any time. The approach in [12] does not consider when patterns are instantiated. In [13] we suggested to use graphs to describe system states and graph transformation rules to describe state changes including the instantiation of patterns. When describing the instantiation by rules we have to ensure that a pattern that is needed actually is instantiated. For example there must not be a situation where two shuttles are on the same track but do not communicate with each other, i.e. the DistanceCoordination pattern is not instantiated between the two shuttle components. Such a forbidden situation, further on called a safety property, is depicted in Figure 2 (the notation used in the Figure corresponds to the one of the Fujaba UML case tool2 where negated application conditions are denoted via x-ed nodes. The notation will be explained in more detail in the following sections).

)*+,"-$./ !#"%$&'(" $

Figure 2: Example for a critical situation In the remainder of the paper we show how safety properties can be ensured for all systems built in accordance to the class diagram given in Figure 1.

4

Prerequisites

The goal of this approach is to describe and verify safety properties for infinite state systems with complex dynamically changing structures. Therefore, a formalism is needed that is capable of modeling such a system on the one hand and on the other hand has a defined semantics to foster formal verification. We employ here graph transition systems [14] as such a formalism. In the following, we 2

www.fujaba.de

8

4 Prerequisites

define the fundamental concepts for graphs, graph operations, graph morphisms, graph transformations, and their extension with negative application conditions.

4.1

Graphs

As the later on used state and type systems are mapped to graphs, we require first a formal definition for a graph. Definition 1 (Graph). A graph is a tuple G = (N, E, src, tgt), where • N is a finite set of nodes, • E is finite set of edges, • src : E → N is the source function, that assigns a source node to each edge, and • tgt : E → N is the target function, that assigns a target node to each edge. Definition 1 can be extended to a labeled graph using the conventions given in [14] as follows:

Definition 2 (Labeled Graph). A labeled graph (over two fixed alphabets ΩN and ΩE for node and edge labels, respectively) is a tuple G = (N, E, src, tgt, lN , lE ), where • (N, E, src, tgt) is a graph, • lN : N → ΩN is the node labeling function that assigns a label to each node, and • lE : E → ΩE is the edge labeling function that assigns a label to each edge.

For a graph G, NG denotes the set of G’s nodes, EG its edges, srcG its source function and tgtG its target function. For a labeled graph lNG further denotes its node labeling and lEG its edge labeling. We use G∅ to denote the empty graph with NG∅ = EG∅ = ∅.

4.1 Graphs

9

Graph Containment and Graph Operations First fundamental questions are when graphs are identical, are contained in each other, and how new graphs can be built using graph operations such as union, intersection, or subtraction. (cf. Appendix A.1 for the employed mathematical notations). Definition 3 (Subgraph). For two graphs SG, G ∈ G we say that SG is a subgraph of G (SG ≤ G) iff NSG ⊆ NG , ESG ⊆ EG , srcSG = srcG |ESG , tgtSG = tgtG |ESG , lNSG = lNG |NSG , and lESG = lEG |ESG .3 The distance between two nodes is then given as the number of edges that have to be taken to get from the first node to the second one. If no such path exists the distance is considered to be infinite. Definition 4 (Path, Distance) Given a graph G a path is a finite sequence π ∈ NG∗ with length n such that π = n1 , . . . , nn with n1 , . . . nn ∈ NG and for all i ∈ 1, . . . , n − 1 exists an e ∈ EG with (src(e) = ni ∧ tgt(e) = ni+1 ) ∨ (tgt(e) = ni ∧ src(e) = ni+1 ). We write n1 →π nn to denote that the path π starts with node n1 and ends with node nn . The length n of a path π is denoted by length(π). The distance between two node n0 , n00 ∈ NG is a function dist := N × N → N at. min{length(π)|n0 →π n00 } : ∃π : n0 →π n00 0 00 dist(n , n ) := ∞ : 6 ∃π : n0 →π n00 Given the notion of a path, a connected graph is one where between each pair of nodes a path exists. Definition 5 (Connected Graph) A graph G ∈ G is connected if ∀n1 , n2 ∈ NG , ∃π : n1 →π n2 ∨ n2 →π n1 . The maximal distance of a connected graph can be defined using the distance between its nodes. 3

Not that instead of the condition ESG ⊆ EG the stronger one ESG ⊆ {e ∈ EG |srcG (e) ∈ NSG ∧ tgtG (e) ∈ NSG } has to be used when constructing a subgraph to ensure that SG is a graph (cf. later Defintition 28).

10

4 Prerequisites

Definition 6 (Maximal Distance) The maximal distance of a connected graph G ∈ G is defined as max{min{length(π)|n1 →p in2 }∃n1 , n2 ∈ NG }. Building the union, the intersection or the subtraction of two graphs is only possible if the labels of the both graphs are compatible.

Definition 7 (Label Compatibility). Two graphs G1 and G2 are label compatible, iff holds that lN1 |(NG1 ∩NG2 ) = lN2 |(NG1 ∩NG2 ) and lE1 |(EG1 ∩EG2 ) = lE2 |(EG1 ∩EG2 ) where lN1 and lE1 are the node respectively the edge labeling function of graph G1 and lN2 and lE2 are the node respectively the edge labeling function of N2 . Given two label compatible graphs their union can be built. To do so the nodes, edges and functions, labeling as well as source and target functions have to be combined.

Definition 8 (Union). The union of two label compatible graphs G1 and G2 is 0 , lE0 ), where N 0 := NG1 ∪ NG2 , E 0 := definied as G1 ∪ G2 := (N 0 , E 0 , src0 , tgt0 , lN 0 EG1 ∪ EG2 , src := srcG1 ⊕ srcG2 |(EG2 \EG1 ) , tgt := tgtG1 ⊕ tgtG2 |(EG2 \EG1 ) , 0 := lNG1 ⊕lNG2 |(NG2 \NG1 ) and lE0 := lEG1 ⊕lEG2 |(EG2 \EG1 ) . It holds G1 ∪G2 = lN G2 ∪ G1 . Intersecting two graphs is only possible if this two graphs are label compatible. Given two graphs that fulfill this requirement the intersection is built by intersecting their node and edge sets and restricting the labeling, source and target functions.

Definition 9 (Intersection). The intersection of two label compatible graphs G1 0 and G2 is definied as G1 ∩ G2 := (N 0 , E 0 , src0 , tgt0 , lN , lE0 ), where N 0 := NG1 ∩ 0 0 NG2 , E := EG1 ∩ EG2 , src := srcG1 |(EG1 ∩EG2 ) , tgt := tgtG1 |(EG1 ∩EG2 ) , 0 lN := lNG1 |(NG1 ∩NG2 ) and lE0 := lEG1 |(EG1 ∩EG2 ) . It holds G1 ∩ G2 = G2 ∩ G1 . Subtraction of graphs is similar to intersection. The precondition is again that the two graphs are label compatible. For subtraction the node set and edge set of a graph is subtracted from the sets of the other graph and the functionction are accordingly restricted.

4.2 Graph Transformations

11

Definition 10 (Subtraction). The subtraction of two label compatible graphs G1 0 and G2 is definied as G1 \ G2 := (N 0 , E 0 , src0 , tgt0 , lN , lE0 ), where N 0 := NG1 \ NG2 , E 0 := {e ∈ EG1 \ EG2 |srcG1 (e) ∈ N 0 ∧ tgtG1 (e) ∈ N 0 }, src0 := srcG1 |E , 0 tgt := tgtG1 |E 0 , lN := lNG1 |N 0 , and lE0 := lEG1 |E 0 . It holds G1 \ G2 6= G2 \ G1 .4

Matching of Labeled Graphs In the following we are not interessted in a similar coding of nodes and edges in two graphs than rather in the structural similarity of the two graphs. Therefore we use morphisms and isomorphisms as more powerful constructs for matching graphs. The definitions follow the concepts given in [14]. Definition 11 (Graph Morphism). A graph morphism m : G1 → G2 is a pair of functions m := hmN : NG1 → NG2 , mE : EG1 → EG2 i, which preserves sources, targets and labels, i.e. which satisfies mN ◦ tgtG1 = tgtG2 ◦ mE , mN ◦ srcG1 = srcG2 ◦ mE , lNG2 = lNG2 ◦ mN and lEG2 = lEG1 ◦ mE . We also name m a total graph morphism.

Definition 12 (Graph Isomorphism). A graph isomorphism iso is a graph morphism where both functions mN and mE are bijective. We further write G1 =iso G2 if there is a graph isomorphism iso : G1 → G2 or G1 ≈ G2 to abstract from iso. If there is a graph isomorphism iso : G1 → SG2 where SG2 ≤ G2 we write G1 ≤iso G2 or G1 - G2 . ISO(G) denotes the isomorphism class of G, i.e. ISO(G) := {H | H ≈ G}.

4.2 Graph Transformations Besides the states of a system, which can be represented by graphs as outlined in the last section, we describe the state changes by means of graph transformation rules. Note that E 0 := {e ∈ EG1 \ EG2 |srcG1 (e) ∈ N 0 ∧ tgtG1 (e) ∈ N 0 } results in the implicit deletion of dangling edges (cf. Definition 28). If not present, the resulting tuple would not necessarily represent a graph as the functions srcE 0 and tgtE 0 must not be restricted to N 0 . 4

12

4 Prerequisites

Definition 13 (Graph Transformation Rule) A graph transformation rule L→r R consists of • r the rule name, • L a graph called the left hand side, and • R a graph called the right hand side with L and R label compatible and L ∩ R 6= G∅ .5 The graph G to which a graph transformation rule should be applied is called the application graph or source graph, whereas the resulting graph is called target graph. Definition 14 (Match). A match m for a graph L in some graph G is a total graph morphism m : L → G. A transformation rule L→r R can be applied to a graph G if there is a match m for the left hand side L with m : L → G. Note that the existence of a match itself does not directly indicate that the rule can be applied, because multiple additional constraints might be required for a correct match (see Section 5.2). If any such additional conditions are fulfilled by a correct match, we can apply the rule to the application graph as follows (the following definition is adapted from [15]): Definition 15 (Direct Transformations in Single Pushout Approach). Given a rule L→r R and a match m for r in a graph G1 , i.e. m : L → G1 . A direct transformation following the Single Pushout Approach from G1 to G2 with G1 ∪ G2 defined) using the rule r is given by a graph morphism o : L ∪ R → G1 ∪ G2 with o|L = m, called occurrence, such that • o(L) ⊆ G1 and o(R) ⊆ G2 , i.e. the left hand side is embedded into G1 and the right hand side is embedded in G2 Within the literatur (cf. [14]) a graph transformation rule or production is given as p : (L →r R) where p is the production name and r is a partial morphism, i.e. a total morphism from a subgraph of L to R. Our requirement that L ∩ R 6= G∅ is in fact stronger. 5

4.2 Graph Transformations

13

• o(L\R) = G1 \G2 and o(R\L) = G2 \G1 , exactly that part of G1 is deleted which is matched by elements of L not belonging to R and, symmetrically, the part of G2 matched by R is created. We write G1 |=⇒r,o G2 or G1 |=⇒r G2 . Informally, when r is applied to G all elements (nodes and edges) that are contained in the left hand side as well as in the right hand side are preserved. Elements that are only contained in the left hand side are deleted and elements that belong only to the right hand side are added to G by using appropriate morphisms. The corresponding algorithm is given in Figure 3 01: Graph apply(Graph G, Rule hhL→r Rii, Isomorphism iso) 02: if L ≤iso G then 03: choose Isomorphism iso0 : R → G with iso0 |L = iso ∧ iso0 (R \ L) ∩ G = ∅ 04: //apply rule 05: T G := G \ iso0 (L \ R) ∪ iso0 (R) 06: //all other nodes and edges remain unchanged 07: return TG 08: else 09: return G 10: fi 11: end

Figure 3: Algorithm describing a rule’s application A sequence of direct transformations of the form ρ = (G0 |=⇒r0 ,o0 G1 |= ⇒r1 ,o1 . . . |=⇒rn−1 ,on−1 Gn ) constitutes a transformation from G0 to Gn by the rules r0 , . . . , rn−1 and their occurrences o0 , . . . , on−1 with for each 0 ≤ i < n and Li →ri Ri holds that oi |Li is a correct match, briefly denoted by G0 |= ⇒∗(r0 ,o0 );...;(rn−1 ,on−1 ) Gn , G0 |=⇒∗r0 ;...;rn−1 Gn , or G0 |=⇒∗ Gn . "#

$213)*4(,5'*678/

$&%('*)+-,.)0/

:=

!

Figure 4: SimpleShuttleMove: Example for a graph transformation rule Figure 4 gives an example for a transformation rule, it describes a shuttle’s movement from one track to a following one. 6 The rule’s left hand side, depicted by the graph in the middle, describes that shuttle s is currently located on track t1 6

We used typed and labeled nodes although we do not consider types so far.

14

4 Prerequisites

which is followed by track t2 . The rule specifies that the edge between the shuttle and track t1 has to be deleted and a new edge between the shuttle and track t2 has to be created, which is described by the rule’s right hand side and depicted by the graph on the right. Doing so the shuttle moves from track t1 to track t2 . The graph on the left is a story pattern. Story patterns are a special kind of graph rules where the rule’s left and right hand side are depicted in one graph. Unlabeled elements and elements labeled with destroy belong to the rule’s left hand side. Elements labeled with create as well as unlabeled elements belong to the right hand side. An example for the application of the SimpleShuttleMove rule is given in Figure 5. The left hand side depicts the graph before applying the rule and the right hand side the graph resulting after application.

!"

!

$

%'&)(+*-, ./%10-23435, .687:9.

!"

!

#

Figure 5: Application of the rule SimpleShuttleMove depicted in Figure 4

4.3

Advanced Graph Properties

Within this section we introduce negative application conditions to improve the expressiveness of graphs and show how graphs can be used to describe properties.

Negative Application Conditions Consider the following example: In Figure 4, a simple rule for the movement of a shuttle is depicted. By the rule a shuttle is moved from the track it is located on to the following one. The rule does well as long as there is no other shuttle located on the following track as depicted in Figure 6. In this case, the rear shuttle would be moved to the next track, as the DistanceCoordination pattern is not instantiated between these two shuttles, a critical situation occurs. This example shows that a formalism is needed which allows to describe that the rule cannot be applied to the rear shuttle. This can be done by using a negative application condition.

4.3 Advanced Graph Properties

15

!"

#

Figure 6: Two shuttles on following tracks Definition 16 (Negative Application Condition). A negative application condition (NAC) over a graph G for graph isomorphisms is a finite set Gˆ of connected graphs ˆ i ∈ Gˆ : G ≤ G ˆ i , called constraints. A constraint G ˆ i is fulfilled by a graph with ∀G 0 0 ˆ i ≤iso0 AG, written AG if ∃iso : G ≤iso AG but 6 ∃iso with iso |G = iso and G 0 ˆ i . A graph AG and the isomorphism iso satisfies a NAC G, ˆ written AG, G, iso ` G ˆ ˆ ˆ ˆ ˆ AG, G, iso ` G, if it satisfies all constraints Gi ∈ G, i.e ∀Gi ∈ G, ∃iso : G ≤iso î 7 AG ∧ AG, G, iso ` G

ˆ all nodes that belong to G ˆ but do not have a match Given a graph G and a NAC G ˆ but do not in G are called negative nodes. Similarly, all edges that belong to G have a match in G are called negative edges. To further avoid redundant information in the NAC set, we are interested in minimal NAC sets.

Definition 17 (Minimal NAC Set). A NAC set Gˆ for a graph G is a minimal NAC ˆ G ˆ0 ∈ Gˆ : G ˆ 6= G ˆ0 ⇒ (6 ∃iso : iso|G = idG ∧ G ˆ ≤iso G ˆ0 ). set iff ∀G,

ˆ ∈ Lˆ In Figure 7, the related minimization algorithm is outlined. For each NAC L 0 ˆ ˆ ˆ it is checked in line 5 to 10 whether for any L ∈ L − {L} exists an isomorphism ˆ 6≤iso Lˆ0 . If none such L ˆ 0 exists, the NAC L ˆ is added iso with iso|L = idL and L ˆ ˆ to the result set HL. When all L ∈ L have been processed, the resulting minimal set of NACs stored in the set HL is returned. 7

Due to our restriction to isomorphisms instead of more general total graph morphisms, we ˆ i for can simplify the standard definition for NACs [14]. Instead of total morphisms gi : G → G ˆ i . Therefore, we can further simplify each NAC, we use the subgraph relation between G and G ˆ i to a subgraph of AG which is equal the constraint as the non existence of an isomorphism from G to iso if restricted to G.

16

4 Prerequisites

01: Set minimizeNAC 02: Set HL := ∅; ˆ ∈ Lˆ do 03: forall L 04: Boolean f lag := true; ˆ 0 ∈ Lˆ − {L} ˆ do 05: forall L 06: if (∃ iso : iso|L = idL 07: f lag := f alse; 08: continue; 09: fi 10: done 11: if (f lag = true) then HL 12: done 13: return HL; 14: end

ˆ begin L)

ˆ 0 ≤iso L) ˆ then ∧ L

ˆ := HL ∪ {L}; fi

Figure 7: Algorithm for minimizing NACs Graph Properties Besides the system state itself, we of course also need appropriate means to specify required safety properties (cf. Figure 2). We further use graph patterns that must be (required graph patterns) or must not be (forbidden graph patterns) contained in a graph to describe required respectively forbidden structural system properties. Using subgraph isomorphisms simple graph patterns can be defined. A simple graph pattern [G] consists of a graph G. If there is a graph AG and an isomorphism iso with G ≤iso AG we can say that the graph AG fulfills the pattern. Thus, graph patterns can be used to describe a set of graphs with a common subgraph, i.e. that have a common property. Describing properties using such simple patterns has also been done in [16] by Arend Rensik. He called the graph patterns property graphs and showed that properties expressible by property graphs are equivalent to the ∃¬∃ part of (∀-free) first order logic formulas with binary predicates.

Definition 18 (Simple Graph Pattern). A simple graph pattern p := [G] consists of a non empty graph G.

More powerful graph patterns can be defined by using additional NACs. A graph ˆ then consists of a graph G and a possibly empty set of NACs Gˆ of pattern [G, G] G. It can be used to describe a set of graphs which on the one hand must contain ˆ i of G. the graph G but which on the other hand do not contain any extension G

4.3 Advanced Graph Properties

17

ˆ consists of a non Definition 19 (Graph Pattern). A graph pattern gp := [G, G] empty graph G and a possibly empty set Gˆ of NACs over G.

Note that a simple graph pattern is just a graph pattern with an empty set of NACs. ˆ and p0 = [P 0 , Pˆ 0 ] holds Definition 20 (Subpattern). For two patterns p = [P, P] 0 0 that p is a subpattern of p (p ⊆ p ) iff ˆ and • exists iso with P ≤iso P 0 and P 0 , P, iso ` P, 0 0 • for any Pˆ ∈ Pˆ exists Pˆ ∈ Pˆ such that an iso0 exists with iso0−1 |P = iso and (Pˆ 0 \ (P 0 \ iso(P ))) ≤iso0 Pˆ . A possible application for graph patterns can be to define what correct matches ˆ r R are. In addition, we use for a graph transformation rule of the from [L, L]→ graph patterns as atomic properties within more complex composed graph property formulas:

Definition 21 (Graph Property Formula). A graph property formula φ is either: • an atomic property defined by a graph pattern p named required graph pattern, • an atomic property defined by the negation ¬p of a graph pattern p named forbidden graph pattern, or • a composed property build by φ ∧ ψ, φ ∨ ψ or ¬φ of two graph property formulas φ and ψ.

The semantics of a graph property formula is defined as follows:

Definition 22 (Graph Property Formula Semantics). Whether a graph G fulfills a graph property formula θ, written (G |= θ), is defined for an atomic property ˆ and subformulas φ and ψ over the term structure as follows: p = [P, P] • • • •

ˆ G |= p iff ∃iso : P ≤iso G and G, P, iso ` P, G |= ¬φ iff G 6|= φ. G |= φ ∧ ψ iff G |= φ and G |= ψ, G |= φ ∨ ψ iff G |= φ or G |= ψ,

18

4 Prerequisites

We further emphasize one specific restricted case of properties. A safety property φs is described by a set of forbidden graphs. Each of this graphs describes an unsafe state or hazard. A safety condition has the following restricted normal form: ^ φs = (¬pk ). k∈K

An example for a safety property is given in Figure 2. The property requires that there is no pair of shuttles on the same track which does not have instantiated the DistanceCoordination pattern. W Each negated safety property can also be expresses as ¬φs = j∈J pj . Such that each local occurrence of a forbidden graph pattern (¬pj ) is sufficient to satisfy ¬φs as each of them are combined by the logical or. We further call the found forbidden occurrence for any pj a witness for ¬φs . The defined notion of system properties is further also used to define proper subsets of graphs of G. E.g., G[φ] describes all graphs of G fulfilling the property φ and is simply defined as G[φ] := {G ∈ G | G |= φ}. T [φ, ψ] is the set of all transitions that lead from a graph of G[φ] to a graph of G[ψ] defined as T [φ, ψ] := {r ∈ R|∃G1 ∈ G[φ], G2 ∈ G[ψ] : G1 ⇒r G2 }. If for two graph patterns p and p0 holds p ⊆ p0 , this also implies that all graphs matched by p are also matched by p0 . Lemma 1 (Implication of Subpattern). For two patterns p and p0 holds (p ⊆ p0 ) ⇒ (∀G ∈ G[p0 ] : G |= p), and

(1)

(∃G ∈ G[p0 ] : G 6|= p) ⇒ (p 6⊆ p0 ).

(2)

Proof: Condition 1. Per definition holds (p ⊆ p0 ) ⇒ ∃iso : P ≤iso P 0 and ∀G ∈ G[p0 ] : G ∈ G[p0 ] ⇒ ∃iso0 : P 0 ≤iso0 G. Thus it follows ∃iso00 : iso00 = iso0 ◦ iso and therefore P ≤iso00 G. On the other hand G ∈ G[p0 ] implies ∀Pˆ 0 ∈ Pˆ 0 , 6 ∃iso000 : iso000 |P 0 iso0 ∧ Pˆ 0 ≤iso000 G. ˆ ∃Pˆ 0 ∈ Pˆ 0 , ∃isoiv : isoiv−1 |P = iso ∧ (Pˆ 0 \ (P 0 \ As P 0 ≤iso0 G and ∀Pˆ ∈ P, iso(P ))) ≤isoiv Pˆ it must hold that 6 ∃isov : (Pˆ 0 \ (P 0 \ iso(P ))) ≤isov G and ˆ 6 ∃isoiv : Pˆ ≤isoiv G. therefore ∀Pˆ ∈ P, Condition 2 directly follows from condition 1. 2

4.4 Graph Transformation Systems

19

4.4 Graph Transformation Systems By means of the above definitions a system can be defined by graphs describing the system states and by graph transformation rules that describe the changes between two system states.

Definition 23 (Graph Transformation System). (GS , GSi , RS ) with

A system S is a tuple

• GS the set of all possible graphs, • G i ⊆ GS the set of all initial graphs of the system, and • RS is a finite set of graph transformation rules.

For each system S = (GS , GSi , RS ) we further have the set REACH(S) := {G | ∃G0 ∈ GSi w ∈ R∗S , G ∈ GS : G0 ⇒∗w G} of all reachable states. For a proper graph transformation system S, we additionally require that GS is closed under application of rules of RS . I.e., for any graph G ∈ GS any direct transformation via a rule r ∈ RS results in a graph which is again an element of GS . As we will see later when considering typed systems (cf. Definition 31), this requirement can be ensured for simple type systems. If however, more advanced properties such as cardinalities are also specified within the type system, it might be necessary to proof first that these properties are preserved by any rule application. Definition 23 also permits to describe infinite state systems. If for a system S = (GS , GSi , RS ) REACH(S) contains infinitely many different graphs with respect to graph isomorphisms8 , the system is called an infinite state system.

5

The System Model

The above definitions are prerequisites to define systems, system states and state transitions for UML models. 8

I.e., 6 ∃n ∈ IN , G 0 ⊆ REACH(S) : |G 0 | ≤ n ∧ (∀G ∈ REACH(S) ∃G0 ∈ G 0 : G ≈ G0 ).

20

5.1

5 The System Model

States as Graphs

In our approach we use UML class diagrams to describe all possible system structures. To formalize the class diagram, it can be mapped to a type graph by mapping classes and patterns to nodes and associations to edges. The labeling is employed to assign the related type names to the nodes respectively edges. For simplicity reasons, we abstract here from cardinalities and subtyping. A class diagram can thus be mapped to a graph GΩ = (NΩ , EΩ , srcΩ , tgtΩ ) which serves as the type graph. The node type set is then defined as ΩN = NΩ and the edge type set becomes ΩE = EΩ . The type graph for the UML class diagram given in Figure 1 is depicted in Figure 8. Registry

Section Control

controlledBy

Track

locatedOn

Shuttle

frontRole rearRole

Distance Coordination

next

Figure 8: Type graph for the UML class diagram given in Figure 1 As we want to model system states as UML object diagrams, we have to formalize which labeled graphs conform to the type graph and the originally employed class diagram. Each node of the labeled graph represents one object of the object diagram and each edge of the labeled graph corresponds to one link in the object diagram. The set of correct typed edges is defined as correctT ypedEdges(GΩ ) = {(srcΩ (e), e, tgtΩ (e)) ∈ NΩ × EΩ × NΩ |e ∈ EΩ }.

Definition 24 (Type Conformance for Graphs). The labeling of a graph G = (N, E, src, tgt, lN , lE ) is type conform for the type graph GΩ = (NΩ , EΩ , srcΩ , tgtΩ ) iff lN : N → ΩN : ΩN ⊆ NΩ and lE : E → ΩE : ΩE ⊆ EΩ

(3)

∀e ∈ E : (lN (src(e)), lE (e), lN (tgt(e))) ∈ correctT ypedEdges(GΩ )

(4)

5.1 States as Graphs

21

We further denote the set of all type conform labeled graphs for a type graph GΩ by G[GΩ ]. Using the type system defined by GΩ , we can then describe the states by type conform UML object diagrams. To describe a system’s states as type conform graphs, it has to be ensured that the transformation of one state into another state respects the type conformance, too. Definition 25 (Type Conformance for Graph Transitions). A graph transformation rule r is type conform with respect to the type graph GΩ iff all employed graphs (in particular L, Lˆ and R) are type conform for GΩ . In the following, we prove that the application of a type conform graph transformation to a type conform state will again result in a type conform graph. Lemma 2 For any two type conform and label compatible graphs G1 and G2 holds that G1 ∪ G2 is also type conform. Proof: (Sketch) Due to the definition does the union of the two graphs not result in new nodes or edges. As all node and edge labelings are compatible, we can conclude that for all edges of the resulting graph conditions 3 and 4 still hold. 2 Lemma 3 For a type conform graph G and a label compatible graph G2 hold that G1 ∩ G2 and G1 \ G2 are also type conform. Proof: (Sketch) Due to their definition does neither intersection nor subtraction of graph G2 result in new nodes or edges. As all node and edge labelings are compatible, we can conclude that for all nodes and edges of the resulting graph conditions 3 and 4 still hold. 2 Lemma 4 For any two graphs G1 and G2 and a total graph morphism m : G1 → G2 holds that G1 is type conform iff G2 is type conform. Proof: (Sketch) By definition does m also preserve the labeling for each edge and thus conditions 3 and 4 hold either for both graphs or none of them. 2 Theorem 1 For any type conform graph G1 and type conform graph transformation rule L→r R with L and R type conform holds that if a G2 with G1 |=⇒r G2 exists it is also type conform. Proof: Due to definition 15 we know that G2 \ G1 ≈ R \ L and G1 ∪ G2 is defined. Due to G1 ∪ G2 defined we can conclude using Lemma 3 that G1 ∩ G2 is

22

5 The System Model

type conform. As R is type conform, we can conclude that L and R are also type conform. Therefore using the Lemmata 3 and 4 we can derive that G2 \ G1 must be type conform. As G2 = (G1 ∩ G2 ) ∪ (G2 \ G1 ), we can due to the two preceding results and Lemma 2 conclude that G2 is also type conform.9 2

5.2

Describing Behavior with Graph Transformations

Besides the states of a UML model, which can be represented by graphs as outlined above, we describe the state changes by means of graph transformation rules. A transformation rule L→r R can be applied to a graph G if there is an isomorphism iso with iso : L ≤iso G. Applying a graph transformation rule is possibly subject to some conditions. One possible condition is the so called identification condition. This condition requires that if there is a node which is deleted by the rule then there must not be another node which is mapped to the same node in the application graph as the node to be deleted. A stronger form of this condition is that never two nodes of the rule may be mapped to the same node of the application graph.

Definition 26 (Identification Condition). The identification condition requires that for a rule L→r R and a match m : L → G where G is the application graph holds ∀n ∈ NL \ NR :6 ∃n0 ∈ NL : m(n) = m(n0 ).

Definition 27 (Strong Identification Condition). The strong identification condition requires that for a rule L→r R and a match m : L → G where G is the application graph holds ∀n, n0 ∈ NL : n 6= n0 ⇒ m(n) 6= m(n0 ).

Using only isomorphisms as matches and occurrences ensures the strong identification condition. Another often considered condition is the dangling edge condition which concerns the unconnected edges after the rule application. I.e., a node may only be deleted if all its edges are deleted by the rule too. 9

Note that G2 = (G1 ∩ G2 ) ∪ (G2 \ G1 ) only holds due to implicit deletion of dangling edges as implied by Definition 29.

5.2 Describing Behavior with Graph Transformations

23

Definition 28 (Dangling Edge Condition). The dangling edge condition requires that for an application graph AG, a rule L→r R and a occurrence o where o(L) ⊆ AG holds 6 ∃e ∈ EAG :6 ∃e0 ∈ EL ∧ oE (e0 ) = e ∧ (src(e0 ) ∈ NL \ NR ∨ tgt(e0 ) ∈ NL \ NR ). One approach which fulfills the dangling edge condition as well as the identification condition is the so called Double Pushout Approach (DPO) (cf. [14], chapter 3). On the other hand there is the Single Pushout Approach (SPO) which neither requires that the dangling edge condition nor the identification condition is met. In contrast to the DPO the SPO allows to use NACs in the rule’s left hand side. Doing so the SPO permitts to describe when a given rule must not be applied (cf. [14], chapter 4). As the DPO meets the dangling edge condition as well as the identification condition, it is always possible to apply the rules in backwards direction which is not always possible in SPO. In the following we use a restricted version of the SPO which we call RSPO and is defined in the following way. Definition 29 (Restricted Single Pushout Approach (RSPO)) A direct transformation for the Restricted Single Pushout Approach is a direct application as defined in the SPO approach (cf. Definition 15) with the following restrictions: 1. any correct match for r excludes dangling edges and 2. for all matches m of a rule L→r R in an application graph AG holds m is an isomorphism and L ≤m AG and for all occurrences o of r holds o is an isomorphism and L ∪ R ≤o AG ∪ T G where T G is the target graph. Requirement 2 of Definition 29 ensures the strong identification condition per construction. Requirement 1 implies that the graph transformation rules themselve ensure that no dangling edge can result for a correct match. The RSPO requires that the dangling edge condition is fulfilled. To fulfill this requirement we extend the left hand sides of the rule by additional NACs such that a rule can only be applied if all edges of a node which is deleted by the rule are matched. Informally, for each node which is deleted by the rule, NACs have to be added. If n is such a node then for each type which is adjacent to n’s type in

24

5 The System Model

the type graph a NAC has to be created that contains the rule’s left hand side and an additional node which is adjacent to n. ˆ r R. Figure 9 shows the algorithm that extends the left hand side L of a rule [L, L]→ Nodes that are deleted by the rule are those contained in the set NL \ NR . 01: Set danglingNAC(Pair (L, R), Graph GΩ ) 02: begin 03: Set addN AC = ∅; 04: forall n ∈ NL − NR do 05: forall (lN (n), te , tn0 ) ∈ correctT ypedEdges(GΩ ) do 06: // edge with source in G 07: choose n0 6∈ NL , e 6∈ EL ; 08: N 0 = N ∪ { n0 }; 09: E 0 = E ∪ { e }; 10: src0 = λ x.if (x == e) then n else src(x) fi; 11: tgt0 = λ x.if (x == e) then n0 else tgt(x) fi; 0 12: lN = λ x.if (x == n0 ) then tn0 else lN (x) fi; 0 = λ x.if (x == e) then t else l (x) fi; 13: lE e E 0 , l0 )); 14: addN AC.add((N 0 . E 0 , src0 , tgt0 , lN E 15: done 16: // edge with target in G 17: forall (tn0 , te , lN (n)) ∈ correctT ypedEdges(GΩ ) do 18: choose n0 6∈ NL , e 6∈ EL ; 19: N 0 = N ∪ { n0 }; 20: E 0 = E ∪ { e }; 21: src0 = λ x.if (x == e) then n0 else src(x) fi; 22: tgt0 = λ x.if (x == e) then n else tgt(x) fi; 0 23: lN = λ x.if (x == n0 ) then tn0 else lN (x) fi; 0 = λ x.if (x == e) then t else l (x) fi; 24: lE e E 0 , l0 )); 25: addN AC.add((N 0 . E 0 , src0 , tgt0 , lN E 26: done 27: done 28: return addN AC; 29: end

Figure 9: Algorithm for the extension of a rule’s left hand side The extension is defined as follows. ˆ r R and a type graph Definition 30 (Rule Extension). Given a rule [L, L]→ GΩ the extended rule [L, Lê ]→re R is built using Lê := minimizeNAC(Lˆ ∪ danglingNAC(L→r R, GΩ )). After the set of NACs has been extended it can be minimized for efficiency reasons. For this purpose all NACs have to be considered. If there are several NACs which are isomorphic to each other then all but one are deleted. ˆ r R is extended as described in Definition Lemma 5 If a type conform rule [L]→ 30, the application of this rule to a type conform application graph meets the

5.3 Systems as Graph Transformation Systems

25

dangling edge condition. Proof:(sketch) Be L→re R the extended rule, AG the application graph, AG0 the target graph, AG and AG0 are type conform and n a node that is deleted by r, i.e. n ∈ NL ∧ n 6∈ LR . Assume that applying the extended rule r to AG produces a dangling edge, i.e ∃e ∈ EAG :6 ∃e0 ∈ EL ∧ o(e0 ) = e ∧ (src(e0 ) ∈ NL \ NR ∨ tgt(e0 ) ∈ NL \ NR ). There are two cases: (1) n0 ∈ NL \NR ∧o(n0 ) = src(e). r is applicable means that 0 0 0 0 0 0 0 0 0 there is no NAC (N , E , src , tgt , lN , lE ) withN := N ∪ {n }, E := E ∪ {e}, scr(x) : x ∈ EL tgt(x) : x ∈ EL 0 src0 := , tgt0 (x) := , lN (x) := 0 n : x == e n : x == e lN (x) : x ∈ NL lE (x) : x ∈ EL 0 . As the algorithm 0 and lE (x) := 0 tn : x == n te : x == e computes a NAC for each node to be deleted and each correct typed edge which is incident to a node to be deleted (lines 5 to 15 in the algorithm) it also computes a NAC for each edge e00 with o(n0 ) = src(e00 ). Thus, if it does not compute a NAC with an edge set that contains an edge e00 with o(e00 ) = e it follows that e is not a correct typed edge which is a contradiction to the assumption that AG is type conform. The second case, i.e. e is an edge with n0 as source and n as target can be proven analgously. 2

5.3 Systems as Graph Transformation Systems By means of the above definitions a system can be defined by graphs describing the system states and by graph transformation rules that describe the changes between two system states. Definition 31 (Typed System). A typed system S is a tuple (GΩ , GSi , RS ) with • (G[GΩ ], GSi , RS ) a system as defined in Definition 23 and • ∀r ∈ RS holds r is type conform to GΩ . As proven in Theorem 1, the set G[GΩ ] is closed under application of type conform rules of RS and thus (G[GΩ ], GSi , RS ) is a proper system.

26

5 The System Model

System Properties The graph properties described by combinations of forbidden and required graphs can be used to denote which states (graphs) of a system are correct. To prove such a property φ for a system S, we thus have to prove that φ is an invariant of the system. Definition 32 (Operational Invariant). A system S = (G, G i , R) fulfills a property φ (S |= φ) iff for all G ∈ REACH(S) it is the case that G |= φ. We call such a φ an operational invariant of S. In the general case this condition cannot be checked, as graph transformation systems with types are turing complete. Therefore it is usually not possible to use automatic verification techniques (cf. [17]). However, besides this definition of an operational invariant, we can also consider the stronger form of inductive invariants (cf. [18]). Definition 33 (Inductive Invariant). Property φ is an inductive invariant of a typed system S = (G[GΩ ], G i , R) iff for all G, G0 ∈ G ∀r ∈ R : (G ⇒r G0 ∧ G |= φ) ⇒ (G0 |= φ). If φ is an inductive invariant and in addition for all G ∈ G i holds G |= φ, the inductive invariant implies that the property φ is also an operational one, while not every operational invariant is also an inductive one. To show that φ is an inductive invariant, it has to be proven that starting at G[φ] there are only rule applications that again lead to a graph of G[φ]. A property φ is thus an inductive invariant iff the set of transitions leading from the set G[φ] to the set G[¬φ], named T [φ, ¬φ], is empty.

Lemma 6 Any condition φ is an inductive invariant iff T [φ, ¬φ] = ∅. Proof: “⇒”: As φ is an inductive invariant, we have ∀G, G0 ∈ G, r ∈ R : (G |= ⇒r G0 ∧ G |= φ) ⇒ (G0 |= φ) and thus T [φ, ¬φ] = ∅. “⇐”: From T [φ, ¬φ] = ∅ follows that 6 ∃r ∈ R, G, G0 ∈ G : (G |=⇒r G0 ∧ G |= φ) ∧ G0 6|= φ and thus we have ∀r ∈ R, G, G0 ∈ G : (¬(G |=⇒r G0 ∧ G |= φ) ∨ ¬(G0 6|= φ)) which is equal to ∀r ∈ R, G, G0 ∈ G : (G |=⇒r G0 ∧ G |= φ) ⇒ (G0 |= φ) and therefore φ must be an inductive invariant. 2

27 Restrict to Witnesses Looking for possible elements of the set T [φ, ¬φ] we can restrict our attention to safety properties where at least one witness in form of a pattern pi for G[¬φ] in the target graph can be found but no witness for G[¬φ] can be found in the source graph using the following result.

Lemma 7 For a safety property φ of the form empty iff

V

j∈J (¬pj )

the set T [φ, ¬φ] is not

∃Gφ , G¬φ ∈ G, r ∈ R : (Gφ |=⇒r G¬φ ) ∧ (∃i ∈ J :: G¬φ |= pi ) ∧ (∀j ∈ J : Gφ 6|= pj )

(5)

Proof: Follows from the definition of T and the structure of safety properties. 2

6 Advanced Application of Rules To enable the verification of inductive invariants we further require more advanced results with respect to the application of rules. As a first step, we consider the backward application of rules and how for each RSPO rule an inverse rule can be derived. As a second step, we look into the application of rules for patterns in forward as well as backward direction.

6.1 Backwards Application of Rules To reverse a RSPO rule, we at first have to exchange the role of the left hand side L and right hand side R. In addition, the set of NACs have to be adjusted (see Figure 10). ˆ r Rii, Graph GΩ ) begin 01: GraphRule reverse(GraphRule hh[L, L]→ ˆ r Rii, GΩ ); 02: Set N AC := convertNAC(hh[L, L]→ 03: N AC := minimizeNAC(N AC); 04: return hh[R, N AC]→r0 Lii; 05: end

Figure 10: Algorithm for reverting graph rules

28

6 Advanced Application of Rules

ˆ r Rii, TypeGraph GΩ ) 01: Set convertNAC(GraphRule hh[L, L]→ 02: begin 03: Set HL0 := ∅; 04: Set dN AC := danglingNAC((hhL→r Rii), GΩ ); 05: // erase all NACs which relate to a dangling edge 06: Set HL := { P ∈ Lˆ | 6 ∃ P 0 ∈ dN AC : P 0 ≤ P }; 07: while HL 6= ∅ do ˆ in HL; 08: choose L ˆ 0 := apply(L, ˆ hhL→r Rii, id|L ); 09: L ˆ 10: HL := HL \ {L}; ˆ 0 }; 11: HL0 := HL0 ∪ {L 12: done 13: return HL0 ∪ danglingNAC((hhR→r−1 Lii), GΩ ); 14: end

Figure 11: Algorithm for converting NACs In Figure 11, the algorithm to convert a minimal NAC set is depicted. In a first step we recompute the required NACs for the dangling edge conditions in line 4. Then, all NACs which are not dominated by an dangling edge NAC are stored in the NAC set HP . Note that due to the fact that Lˆ is a minimal NAC set, this only results in ignoring the dangling edge NACs. Each element of the NAC set HL is then transformed by applying the rule L→r R and added to the new set of NACs HL0 in line 07 to 12. Line 06 ensures that no ˆ 0 cannot dangling edges can result from applying r. Thus the resulting NACs L contain any node which is deleted by r and which’s deletion resultes in a dangling edge. Finally, we add besides HL0 the dangling edge conditions for the inverse rule R→r−1 L to the resulting NAC set. This transformation can be used to define the reverse rule for each RSPO rule as follows: ˆ R) the inverse Definition 34 (Reverse Rule). For a RSPO transition r = ([L, L], −1 rule in form of a RSPO transition r is defined as reverse(r, GΩ ). We can further prove that the reverse rule r−1 of a rule r can transform a graph G0 into another graph G if and only if the original rule r can transform G into G0 . Theorem 2 (Backward Application). For each RSPO transformation rule ˆ r R and its inverse RSPO transformation rule [R, R]→ ˆ r−1 L holds [L, L]→ G |=⇒r G0 ⇔ G0 |=⇒r−1 G.

6.2 Rule Application for Patterns

29

Proof:(sketch) “⇒” As G0 was created by r it must hold that there exists an isomorphism iso with ˆ 6 ∃iso0 ∈ R ˆ : iso0 |R = isoR ˆ ≤iso0 R ≤iso G0 thus r−1 is applicable if it holds ∀R, 0 G. ˆ can be devided into two subsets: the set containing NACs that where The set R created by the function danglingNAC and those that were generated from the NACs of Lˆ which do not belong to the dangling condition. In the first case the additional nodes of the NACs are adjacent to nodes which are deleted by r−1 and therefore have been created by r. As nodes which have been created by r can only have adjacent nodes which also belong to R there is no isomorphism that maps one of the NACs to G0 . In the second case the NACs of r−1 are created by conˆ are created using the same rule as the verting the NACs of r. As the NACs of R one used for creating G0 of G it must hold that if there is an isomorphism iso that ˆ∈R ˆ to G0 then there must also be an isomorphism iso0 which maps maps one R ˆ ∈ Lˆ to G which is a contradiction to [L, L], ˆ iso00 |L ` G. And therefore r−1 one L is applicable. When r−1 is applied those elements (nodes and edges) which have been created by r are deleted again. Vice versa, those elements which have been deleted by r are again created by r−1 . Thus the graph resulting after applying r−1 to G0 is isomorph to G. “⇐” Can be done analogously to “⇒”. 2

6.2

Rule Application for Patterns

For the restricted case that a pattern p includes the left hand side of a rule ˆ r R ([L, L] ˆ ⊆ p), we can consider the application of rules to graph pat[L, L]→ terns instead of graphs as follows: ˆ rR Definition 35 (Direct Application for Patterns). For a RSPO transition [L, L]→ ˆ with [L, L] ˆ ⊆ p holds that the rule applicaa graph pattern p = [P, P] 0 tion for patterns results in a pattern p = [P 0 , Pˆ 0 ] with P |=⇒r,iso P 0 and ˆ [L, L]→ ˆ r R, iso, GΩ ). Pˆ 0 := convertNAC([P, P],

30

6 Advanced Application of Rules

ˆ 01: GraphPattern applyPatternRule(GraphPattern [P , P], ˆ |= Rule [L, L] |=⇒r R, isomorphism iso, TypeGraph GΩ ) ˆ ∈ Lˆ : L ˆ ≤ iso0 P then 02: if holds L ≤ iso G and ¬ ∃ iso0 , L 03: //build occurrence o:= h on , oe i by extending iso 04: on := λ x. if (x ∈ NL ) then 05: ison 06: else 07: if (x ∈ NR \ NL ) then 08: id 09: fi 10: oe := λ x. if (x ∈ EL ) then 11: ison 12: else 13: if (x ∈ ER \ EL ) then 14: id 15: fi 16: fi 17: //build target graph TG with |=⇒r GT G 18: //first remove nodes that belong to L but not to R 19: TG := G \ o(L \ R) 20: //add nodes that belong to R but not to L 21: TG := T G ∪ o(R \ L) 22: //all other nodes remain unchanged ˆ as well 23: //NACs have to be converted (those of [P, P] ˆ 24: //as those of [L, L]) ˆ ∪ P ˆ |= 25: TˆG := convertNAC([L, L] |=⇒r R, GΩ ) 26: return [T G, TˆG] 27: else ˆ 28: return [P, P] 29: fi 30: end

Figure 12: Algorithm describing a rule’s application to a pattern ˆ rR Figure 12 represents an algorithm computing the application of a rule [L, L]→ ˆ to a pattern [P, P]. We further write p |= |=⇒r p0 to denote the application of graph rules to graph patterns. The rule application at the level of patterns ensures that for all graphs matched by p holds that all via graph rule r reachable graphs are matched by p0 . ˆ r R and Theorem 3 (Application for Patterns). For each RSPO transition [L, L]→ 0 0 ˆ0 ˆ ˆ two graph patterns p = [P, P] and p = [P , P ] with [L, L] ⊆ p holds (p |= |=⇒r p0 ) ⇐⇒ (∀G, G0 ∈ G, ∀iso : P ∪ P 0 → G ∪ G0 : G, iso |p0 |= p ∧ G |=⇒r,iso|R∪L G0 ⇒ G0 , iso |= p0 ) (6)

6.2 Rule Application for Patterns

31

Proof:(sketch) “⇒” Assume that G0 ⇒ G0 , iso |= p0 does not hold. Then it must ˆ iso0 : hold that either (a) 6 ∃iso0 : iso0 |p0 = iso |p0 ∧P 0 ≤iso0 G0 or (b) ∃Pˆ 0 ∈ P, iso0 |p0 = iso |p0 ∧Pˆ 0 ≤iso0 G0 . (a) If such an isomorphism does not exists there must hold ∃n ∈ NP 0 , e ∈ EP 0 : iso0 (n) = undef ined ∨ iso0 (e) = undef ined. This case can be devided into two cases. First, 6 ∃iso00 , n0 ∈ NG , e0 ∈ EG : iso00 (n) = n0 ∨ iso00 (e) = e0 . As P - G it also holds 6 ∃iso00 , n0 ∈ NP , EP : iso00 (n) = n0 ∨ iso00 (e) = e0 . On the other hand holds n ∈ NP 0 ∨ e ∈ EP 0 and p |= |=⇒r p0 , P - G and 0 G |=⇒r,iso G and thus n ∈ NR ∨ e ∈ ER . Therefore it also holds ∃iso0 , ∀n ∈ NP 0 , e ∈ EP 0 , ∃n0 ∈ NG0 , e0 ∈ EG0 : iso0 (n) = n0 ∧ iso0 (e) = e0 . Second, ∃n ∈ NP 0 , e ∈ EP 0 : n ∈ L \ R ∨ e ∈ L \ R. Therefore p |= |=⇒r p0 ⇒6 ∃iso00 , n0 ∈ 0 00 0 00 0 NP 0 , e ∈ EP 0 : iso (n) = n ∨ iso (e) = e . Thus in both cases we have a contraditction and therefore it must hold P 0 - G0 . (b) Pˆ 0 must have been created by the function convertNAC. The set of MACs created by convertNAC can be devided into two subsets. The first one contains those NACs which are created by danglingNAC. danglingNAC creates a NAC for each newly created node. Such a NAC contains an additional node which is adjacent to the new node but not matched by the rule. As a newly created node can have only have adjacent nodes which are matched by the rule it holds 6 ∃iso0 , Pˆ 0 ∈ Pˆ 0 : Pˆ 0 ≤iso0 G0 . The second subset contains those NACs which ˆ In this case a NAC Pˆ 0 ∈ Pˆ 0 is derived by applying are the converted NACs of P. ˆ thus if it holds ∃iso0 , Pˆ 0 ∈ Pˆ 0 : Pˆ 0 ≤iso0 G0 it must also hold r to a Pˆ ∈ P, ∃iso00 : Pˆ ≤iso00 G which is a contradiction to the assumtion. “⇐” We first show that it holds P |=⇒r P 0 . For the right hand side of the equation holds ∀G, G0 ∈ G, ∀iso : P ∪ R → G ∪ G0 : G, iso |= p ∧ G |=⇒r,isoR∪L G0 ⇒ G0 , iso |= p0 thus it is possible to choose two arbitrary graphs G and G0 . Be G = P and G0 = P 0 . For these two graphs holds P |=⇒r,iso P 0 and therefore for all G and G0 with G, iso |= p and G0 |= p0 then L ≤iso P ≤iso G and R ≤iso P 0 ≤iso G0 . This implies ∀G, G0 ∈ G, ∀iso : P ∪ R → G ∪ G0 : G, iso |= p ∧ G |=⇒r,isoR∪L G0 ⇒ G0 , iso |= p0 ⇒ P |=⇒0P . Now assume that the right hand side of the equation holds but it does no hold that p |= |=⇒r p0 , i.e. p |= |=⇒r p00 . Because of P |=⇒r P 0 we know that P 0 ≈ P 00 . As p0 does not hold it must be the case that ∃Pˆ 0 ∈ Pˆ 0 : Pˆ 0 - P 00 . In this case, because L ≤iso P ≤iso G, it would also hold that G |=⇒r G0 ∧ G0 |=iso p00 and therefore Pˆ 0 - G0 which means G0 6|= p0 which is a contradiction to the assumption. 2

32

7 Checking Inductive Invariants

Using the results for the backward application of RSPO rules, we can further prove that forward and backward application imply each other. Theorem 4 (Backward Application for Patterns). For each RSPO transition ˆ r R and the inverse RSPO transition [R, R]→ ˆ r−1 L and two graph patterns [L, L]→ p and p0 and an occurence o : L ∪ R → p ∪ p0 holds p |= |=⇒r,o p0 ⇔ p0 |= |=⇒r−1 ,o p. Proof: Follows directly form Theorem 2 and 3. 2

7

Checking Inductive Invariants

Based on the preceding results we first present the main theoretical result which enables us to prove inductive invariants by only looking at a finite number of representatives. Then, the related checking algorithm is outlined and the scalability of the approach is discussed.

7.1

Theoretical Results

In Lemma 7 we showed that a safety property is an inductive invariant of the system if there is no transformation rule that transformes a correct graph into an incorrect one. This result can be further refined by considering only a minimal set of graph patterns as representatives and consider each rule application in isolation to decide whether T [φ, ¬φ] is empty or not.

Restrict to Specific Representatives The result of Lemma 7 can be further refined by considering only a minimal set of graph patterns as representatives and consider each rule application in isolation to decide whether T [φ, ¬φ] is empty or not. The important observation here is that the application of a rule has a local character. Consequently, we do not have to check the full graph, but only that fraction

7.1 Theoretical Results

33

of the source and the target graph where the rule application could effect the considered property. A rule application can only lead from a source graph Gφ ∈ G[φ] to a target graph G¬φ ∈ G[¬φ] via a rule r ∈ R when a specific witness for a forbidden graph pattern pi is generated by r. The fraction which is effected by the rule application can be described by graph patterns as defined in Definition 19. Using the graph patterns instead of the full graphs the above question whether the set T [φ, ¬φ] is empty can be answered in a local manner as follows: A so called target graph pattern is created which on the one hand contains a forbidden graph pattern pj and on the other hand the right hand side of rule r. To enforce that the forbidden pattern is generated by the rule it must hold that either Pj is created by the rule or there is a Pˆj ∈ Pˆ| that is created by the rule. The first case is only possible if R and Pj have at least one node in common. For the second case the rule must delete one node or edge which belongs to Pˆj \ Pj . As we use the RSPO this is only possible if there is another node which belongs to Pj and is adjacent to the node to be deleted or incident to the edge to be deleted which is preserved by the rule, i.e. which belongs to the rule’s left hand side as well as to its right hand side.

ˆ r R and a graph pattern p = [P, P] ˆ holds: ∀G, G0 ∈ Lemma 8 For a rule [L, L]→ 0 0 G, iso : G |=⇒r,iso G ∧ G 6|=iso p ∧ G |=iso P ⇒ (R \ L) ∩ iso(P ) 6= ∅ ∨ ∃iso0 , Pˆ ∈ Pˆ : iso0 |P = iso ∧ L ∩ R ∩ iso0 ((Pˆ \ P )) 6= ∅. Proof:(Sketch) Assume that the implication does not hold, i.e. 1. (R \ L) ∩ iso(P ) = ∅ and 2. ∀iso0 , Pˆ ∈ Pˆ : iso0 |P = iso ∧ L ∩ R ∩ iso0 (Pˆ ) = ∅. For 1. holds (R \ L) ∩ iso(P ) = ∅ ⇒6 ∃n ∈ NP , e ∈ EP : (iso(n) ∈ G0 \ G) ∨ (iso(e) ∈ G0 \ G) ⇒ P ≤iso G. And for 2. holds ∀iso0 , Pˆ ∈ Pˆ : iso0 |P = iso ∧ L ∩ R ∩ iso0 ((Pˆ \ P )) = ∅ ⇒6 ∃n ∈ N(Pˆ \P ) : iso0 (n) ∈ L ∩ R. As we use the the RSPO and the Pˆ ∈ Pˆ are connected this means on the one hand that there is neither a node nor an edge which is deleted by the rule and that belongs to Pˆ as otherwise there must be at least one node that belongs to L and R as well as to iso0 ((Pˆ \ P )). Because of the same reasons there is neither a node nor an edge which is created by the rule and that belongs to Pˆ . Thus the rule deletes and creates only nodes and edges ˆ Therefore it holds 6 ∃iso0 , Pˆ ∈ Pˆ : iso0 |P = which do not belong to any Pˆ ∈ P. iso ∧ iso0 (Pˆ ) ∈ G0 ⇒6 ∃iso00 , Pˆ ∈ Pˆ : iso00 |G ∩ G0 = iso0 ∧ iso0 (Pˆ ) ∈ G.

34


Both cases together are a contradiction to the assumtion. 2 Due to its construction, a target graph pattern for the rule r and a forbidden graph pattern pj permits to apply the rule r in backwards direction. This is possible as the target graph pattern contains the rule’s right hand side as well as its pre-conditions. The RSPO approach further guarantees that the backwards application is always defined. The graph resulting when the rule is applied backwards is called source graph. It can be extended to a source graph pattern in much the same way as done to derive the pre-condition for the inverse of rules. If this source graph pattern does not contain any of the forbidden graph patterns a transition has been found which belongs to the set T [φ, ¬φ]. Thus we know that if there is a graph within the system that contains the source graph pattern then the application of r to this graph would result in an incorrect graph that contains the target graph pattern. To built the target graph pattern, we have to consider the right hand side graph pattern of the inverse r−1 of a rule r and the graph pattern of the witness property φ. ˆ r R, its inverse Definition 36 (Target Graph Pattern (TGP)). For a rule [L, L]→ ˆ ˆ [R, R]→r−1 L, and an atomic property p = [P, P], we can derive a target graph pattern T G by using the result of Lemma 8. A TGP is either built by choosing a graph P 0 and a graph isomorphism iso î ∈ R ˆ holds that with P 0 =iso P such that P 0 ∩ (R \ L) 6= ∅ with for all R 0 0 ˆ i 6≤iso0 P 0 ∪ R and no isomorphism iso with iso |R = id exists such that R for all Pî ∈ Pˆ holds that no isomorphism iso00 with iso00 |P = iso exists such that Pî 6≤iso00 P 0 ∪ R as follows: tgp = [T G, TˆG] with T G := P 0 ∪ R and ˆ 0 ∪ P 0 |∃R ˆ ∈ R, ˆ P 00 ≤ P 0 ∩ (R \ L), (iso000 := hiso000 , iso000 i) : TˆG := {R N E ˆ 0 =iso000 R ˆ ∧ (iso000 |N \N 00 = idN \N 00 ∧ iso000 |E \E 00 = idE \E 00 ∧ R ∪ P 00 ≤ R N R E R ˆ ˆ ˆ ˆ P P P P R R ˆ 0 } ∪ {Pˆ 0 ∪ R|∃Pˆ ∈ P, ˆ R0 ≤ (R \ L) ∩ P 0 , (iso000 := hiso000 , iso000 i) : Pˆ 0 =iso000 R N E 000 ∧ iso | Pˆ ∧ iso000 |P = iso ∧ (iso000 | = id ) N \(N ∪N ) E N ∪N \(N E Pˆ0 \(ER0 ∪EP 0 ) = N Pˆ0 P0 R0 R0 P0 Pˆ0 0 0 0 idE \(E 0 ∪E 0 ) ∧ P ∪ R ≤ Pˆ }. Pˆ0

R

P

Or the TGP is built by choosing a NAC Pˆ 0 and an isomorphism (iso0 := hiso0N , iso0E )i with ∃Pˆ ∈ Pˆ : Pˆ 0 =iso0 Pˆ such that L ∩ R ∩ Pˆ 0 6= ∅ as follows: ˆ 0 ∪ Pˆ 0 |∃R ˆ ∈ R, ˆ Pˆ 00 ≤iso0 Pˆ 0 ∩ R ∩ L, (iso00 := T G = R ∪ iso0 (P ) and TˆG := {R

7.1 Theoretical Results

35

ˆ =iso R ˆ 0 ∧ iso00 |N ∩N ∩N = iso0 ∧ iso00 |E ∩E ∩E = hiso00N , iso00E i) : R N L N E L R R ˆ0 ˆ0 P P 0 00 isoE ∧ isoN |(NR ∪NPˆ 0 )\(NL ∩NR ∩NPˆ 0 ) = idN ∧ iso00E |(ER ∪EPˆ 0 )\(EL ∩ER ∩EPˆ 0 ) = idE ∧ ˆ0} R ∩ Pˆ 0 ≤iso00 R As the right hand side of the rule r−1 is a subpattern of any tgp applying the rule r backwards is always possible. The resulting graph pattern is the source graph pattern sgp. ˆ r R, its inverse Definition 37 (Source Graph Pattern). For a rule [L, L]→ ˆ and a related target graph patˆ r−1 L, an atomic property p = [P, P], [R, R]→ tern tgp = [T G, TˆG], the source graph pattern sgp is up to isomorphism defined by tgp |= |=⇒r−1 sgp (cf. Definition 35). We denote the set of correct target graph patterns for a rule r and an atomic property p as T GP (r, p). We further use T GP ≈ (r, p) to denote an arbitrarily chosen minimal subset of T GP (r, p) that is complete with respect to graph isomorphism.10 When a set T GP ≈ (r, p) has been derived, the corresponding rule can be applied in backwards direction to them which results in a related set of source graph patterns SGP ≈ (r, p). For this set we then check whether any of these graphs contains any forbidden graph. If this is not the case a witness has been found that shows that the rule can transform a correct state (the related source graph) into an incorrect one (the related target graph), i.e. the set T [φ, ¬φ] is not empty. The following lemma proves that if such a witness exists in T GP ≈ (r, p) resp. SGP ≈ (r, p) for a rule r and a property p then T [φ, ¬φ] is not empty. Lemma 9 For a system S = (GΩ , G i , R) and a safety property φ = holds ∀i ∈ J, r ∈ R

V

i∈J (¬pi )

(∀tgp ∈ T GP ≈ (r, pi ), sgp ∈ G : (tgp |= |=⇒r−1 sgp) ⇒ (∃i ∈ J : pi ⊆ sgp)) ⇒ (7) 0 0 0 (∀G, G ∈ G : (G |=⇒r G ∧ ∃i ∈ J : G |= pi ) ⇒ (∃j ∈ J : G |= pj )). Proof: “⇒”: Assuming that not holds (G |=⇒r G0 ∧ ∃i ∈ J : G0 |= pi ) ⇒ (∃j ∈ I.e., ∀tgp ∈ T GP (r, p) : ∃tgp0 ∈ T GP ≈ (r, p) with tgp ≈ tgp0 and ∀tgp1 , tgp2 ∈ T GP ≈ holds tgp1 6≈ tgp2 . 10

36


J : G |= pj ) (which is the negation of the lower clause of the implication 7), we have ¬((G |=⇒r G0 ∧ ∃i ∈ J : G0 |= pi ) ⇒ (6 ∀j ∈ J : G 6|= pj )) which can be further transformed into it exists G, G0 ∈ G with G |=⇒r G0 , ∃i ∈ J :: G0 |= pi , and ∀j ∈ J : G 6|= pj . Due to ∀j ∈ J : G 6|= pj we can conclude that the ˆ r R has “created” pi and therefore the positive part of the pattern rule [L, L]→ Pi and the right hand side R of rule r must intersect in G0 (see Lemma 8). As the set T G≈ (r, pi ) includes all possible unions of Pi and R with respect to graph isomorphisms, one of these unions must be contained in G0 . Using Theorem 2, we know that we can apply r−1 to G0 which then leads to the graph G which must match sgp. As G |= φ implies due to condition 2 of Lemma 1 that no witness can exist and thus ∀j ∈ J : pj 6⊆ sgp, the upper clause of the implication 7 can thus not hold and therfore the forward implication 7 is proven. 2

Using the former results we can derive the following condition to check inductive invariants.

Theorem 5 For a system S = (GΩ , GSi , RS ) and the safety property φ = V i∈J (¬pi ) holds that φ is an inductive invariant if ∀i ∈ J, r ∈ R, tgp ∈ T GP ≈ (r, pi ), sgp ∈ G: (tgp |= |=⇒r−1 sgp) ⇒ (∃i ∈ J : pi ⊆ sgp)

(8)

Proof: Using Lemma 9 we know, that condition 8 implies for any ∀i ∈ J and r ∈ R the lower clause of the implication 7 (G |=⇒r G0 ∧ ∃i ∈ J : G0 |= pi ) ⇒ (∃j ∈ J : G |= pj ). This obviously further implies ∀G, G0 ∈ G : (G |=⇒r G0 ∧ G0 6|= φ) ⇒ (G 6|= φ). Further applying Lemma 7 we can derive that thus T [φ, ¬φ] is empty and therefore using Lemma 6 ensures that φ is an inductive invariant for S. 2

The result of Theorem 5 can be used to check whether a safety property is an inductive invariant as outlined in the following section. It has to be noted, that besides the considered form of safety properties which forbids that something bad happens (any of the forbidden graph patterns) also preserving properties can be checked in a similar fashion. A preserving property φp is described by a set of alternatively required graph patterns. It has the following restricted normal form:

7.2 Checking Algorithm

37

φp

=

_

(pk ).

k∈K

Such a preserving property can be checked analogously looking for a case where for a rule r and an atomic graph pattern pj all relevant source graph patterns for r and pj are built first, then the resulting target graph patterns are determined applying the rule r in forward direction, and finally it is checked whether still a witness for φp can be found in the target graph pattern. If so, we know that the set T [φp , ¬φp ] must be empty and that thus φp is an inductive invariant.

7.2

Checking Algorithm

In a first step, we require an effective procedure to compute the target graph patterns of a set T GP ≈ (r, pi ). While a computation which derives a valid set T GP (r, pi ) would ensure that no isomorphic target graph patterns can result, we present a procedure in Figure 13 which does not guarantee this property. However, every set T GP (r, pi ) which ensures that a T GP ≈ (r, pi ) exists with T GP (r, pi ) ⊇ T GP ≈ (r, pi ) is sufficient. In the following algorithm 14, we in addition extend the rules with priorities. A function prio is used to assign each rule r a priority value, where a higher number indicates a higher the priority. Using this extension, we have to extend the checking procedure and have to check in addition for each resulting source graph pattern whether the left hand side of any rule with higher priority could have been applied. If so, we can conclude that the assumed rule would have been preempted and therefore not executed at all. The related algorithm is depicted V in Figure 14. For all rules r and all graph patterns of the safety property φ = j∈J ¬pj stored in the set T GP and in line 6 to 17 we proceed as follows: We first compute the set T GP which includes all possible target graph patterns and then check for all of them in line 6 to 16 whether the condition used in Theorem 5 is fulfilled. In a first step, we derive the related source graph pattern sgp. Then, we look whether a graph pattern of the safety property is included in sgp. If not, we can exclude that any graph matched by sgp can invalidate the invariant property. In the other case, i.e. such a witness was found, we continue and look for any higher priority rule which could preempt r. If no such higher priority rule can be found we finally have found a case where rule r can result in a transformation from G[φ] to G[¬φ] and return f alse, if no

38


ˆ →r R, GraphPattern [P , P]) ˆ 01: Set buildTGP(GraphRule [L, L] 02: begin 03: Set T GP := ∅; 04: 05: 06: 07:

Graph T G ˆ Set T GP := ∅ Pattern T GP ˆ Graph T GP

08: 09: 10: 11: 12: 13: 14: 15: 16: 17: 18: 19: 20: 21: 22: 23: 24:

// (R \ L) ∩ P 6= ∅ Set RS := {R0 | R0 ≤ (R \ L)} Set P S := {P 0 | P 0 ≤ P } forall R0 ∈ RS do forall P 0 ∈ P S do if ∃ iso : R0 =iso P 0 then T G = R ∪ (iso ⊕ id|P \ P 0 )(P ) // calculate the NACs ˆ by P //extend all R iso0 := iso ⊕ id|P \ P 0 ˆ ∈ R) ˆ do forall (R ˆ ˆ ∪ iso0 (P ) T GP = R ˆ := T GP ˆ ˆ T GP ∪ T GP od //extend all Pˆ by R ˆ do forall Pˆ ∈ P iso0 := iso ⊕ id|Pˆ \ P 0 ˆ T GP = R ∪ iso0 (Pˆ ) ˆ := T GP ˆ ˆ T GP ∪ T GP od ˆ T GP := T G ∪ T GP T GP = T GP ∪ T GP fi od od

25: 26: 27: 28: 29: 30: 31: 32: 33: 34: 35: 36: 37: 38: 39: 40: 41: 42: 43: 44: 45: 46: 47: 48: 49: 50: 51: 52: 53:

// L ∩ R ∩ Pˆ 6= ∅ Set TˆG Set RS := {R0 | R0 ≤ (R ∩ L)} forall R0 ∈ RS do ˆ do forall Pˆ ∈ P P S := {P 0 | P 0 ≤ Pˆ } forall P 0 ∈ P S do if (∃ iso : R0 =iso P 0 ) then T G := R ∪ iso0 (P ) //calculate NACs by extending Pˆ by R iso0 := iso ⊕ id|Pˆ \ P 0 ˆ := R ∪ iso0 Pˆ T GP ˆ := T GP ˆ ˆ T GP ∪ T GP ˆ T GP := T G ∪ T GP T GP := T GP ∪ T GP fi od od od return T GP end

Figure 13: Algorithm for building the set of TGP

7.3 Scalability

39

01: Boolean check(Set R, Set GP ) begin 02: Set T G := ∅; 03: forall (r ∈ R) do 04: forall (p ∈ GP ) do 05: T GP := buildTGP(r,reverse(r), p); 06: forall tgp ∈ T GP do 07: // determine source graph 08: sgp := applyRuleForGraphPattern(tgp,reverse(r),idR ); 09: // check if sgp fulfills any GP 10: if (6 ∃ p0 ∈ GP : p0 ⊆ sgp) then 11: // check if higher priority rule will preempt r 12: if (6 ∃ (l →r0 R) ∈ R : l ⊆ sgp ∧ prio(r0 ) > prio(r)) then 13: // report counter example: sgp |= |=⇒r tgp 14: return false 15: fi 16: fi 17: od 18: od 19: od 20: return true 21: end

Figure 14: Algorithm to check an invariance property such rule exists. Otherwise, we have successfully proven that φ is an inductive invariant. We can thus guarantee that a typed system S = (GΩ , GSi , RS ) ensures the safety V property φ = j∈J ¬pj by proving that (1) φ is an inductive invariant using the algorithm outlined in Figure 14 by calling check(R, {pj |j ∈ J}) and (2) check that for all initial graphs G ∈ GSi holds G |= φ.

7.3 Scalability For an upper bound nG on the number of nodes and edges of all graphs within the graph rules, nN an upper bound for the number of NACs in rules or atomic properties of the graph properties, nr the number of rules, and nφ the number of atomic graph patterns in the safety property φ, we can derive the following upper bounds for the complexity of the checking procedure. The buildTGP procedure presented in Figure 13 is roughly in O(exp(nG ) ∗ exp(nG )∗exp(2∗nG +2∗exp(nN ))+exp(exp(nG ))∗exp(nG )∗exp(2nG )). Where the calculation in lines 9 to 32 needs approximately O(exp(nG )∗exp(nG )∗exp(2∗ nG +2∗exp(nN ))) where the first exp(nG )∗exp(nG ) results from the forall loops in line 11 and 12. The remaining term at first includes exp(2∗nG ) for determining whether the isomorphism iso exists and then also 2 ∗ nN to build the set of NAC.

40

8 Conclusion and Future Work

The calculation in lines 34 to 51 needs O(exp(nG )∗exp(nG )∗exp(2nG )) at which exp(nG ) is needed for the loop in line 36, exp(nG ) is needed for the loop in line 37 as well as for the one in line 39 and checking for isomorphisms takes again exp(2 ∗ nG ). For the overall checking algorithm check outlined in Figure 14 we roughly get O(nr ∗ nφ ∗ (exp(nG ) ∗ exp(nG ) ∗ exp(2 ∗ nG + 2 ∗ exp(nN ))) ∗ (nφ ∗ exp(3 ∗ nG ) ∗ n2G + nr ∗ exp(3 ∗ nG ) ∗ n2G ) where nr ∗ nφ denotes to the forall loops in line 3 and 4, (exp(nG ) ∗ exp(nG ) ∗ (exp(2 ∗ nG ) + 2 ∗ nG ∗ exp(3 ∗ nG ))) results from the call to buildTGP and the following forall loop in line 5 and 6, and the remaining term nφ ∗ exp(3 ∗ nG ) ∗ n2G + nr ∗ exp(3 ∗ nG ) ∗ n2G where nφ ∗ exp(nG ∗ nG ) reflects line 10 and nr ∗ exp(nG ∗ nG ) line 12. The resulting complexity is rather horrible if we consider the case that nG will increase. However, for typical systems we can expect that nG will have a rather fixed upper bound. Shortening the constant factors accordingly for our complexity results for the check procedure we then get: O(nr ∗ nφ ∗ (nN + nr ) ∗ n3G ) Assuming that nφ , nN and nG usually also have fixed upper bounds, we even have: O(n2r ) Thus the effort of checking safety properties with the outlined procedure scales if the rather highly exponential factors with respect to nG and the polynomial effects of nφ and nG for the upper bounds, which can be observed in practice, are not too large.

8

Conclusion and Future Work

We presented in this technical report the required concepts to check inductive invariants in form of multiple forbidden Story Patterns for systems which states can be described with UML object diagrams that adhere to a given UML class diagrams and which structural changes can be described by Story Diagrams. The underlying formalization permits to describe these systems with potentially infinite state space with typed graph transitions systems which encode the states (UML object diagrams) as well as their typing (UML class diagrams) and required system properties as logical combinations of required or forbidden graph

41 pattern which might include negative application conditions. The possible structural changes described by Story Diagrams are further encoded as graph transformations. For the restricted case of required safety properties, which are the conjunction of a number of forbidden graph patterns, we can prove for a system with potentially infinite state space whether the safety property is an inductive invariant. While the efforts to check the safety properties can show rather highly exponential factors with respect to size of the graphs and the larger polynomial effects with respect to the number of atomic graph patterns in the safety property and number of negative application conditions, the algorithm is only quadratic with respect to the number of graph transformation rules and thus a certain degree of scalability has been achieved at the theoretical level (see Section 7.3). However, it remains to be proven and evaluated that these promising theoretical results can in practice really help to address real problems. At first, it must be proven that the identified exponential and polynomial factors do not prevent from applying this approach at all for reasonable large systems. Secondly, it remains to be proven that the expressiveness of the approach with forbidden graph patterns with negative application conditions is sufficient for practical problems. To increase the expressiveness of the modeling technique we plan to extend the graphs by attributes. To ensure that the resulting systems can still be checked we are palnning to intergarte a constraint solver. As the domain for which the approach is developed requires to model timing behaviour we are looking for solutions to intergrate time in such a fashion that the introduced approach can be used to verify the time extended models.

42

REFERENCES

References [1] Köhler, H., U.Nickel, J.Niere, A.Zündorf: Integrating UML Diagrams for Production Control Systems. In: Proc. of the 22nd International Conference on Software Engineering (ICSE), Limerick, Ireland, ACM Press (2000) 241 – 251 [2] R.Heckel, J.Küster, G.Taentzer: Towards Automatic Translation of UML Models into Semantic Domains. In: Proceedings of the Applied Graph Transformation (AGT2002) Workshop. (2002) 11 – 22 [3] Varró, D.: Automated Formal Verification of Visual Modeling Languages by Model Checking. Journal of Software and Systems Modelling (2003) [4] J.Padberg, B.E.Enders: Rule Invariants in Graph Transformation Systems for Analyzing Safety-Critical Systems. In A.Corradini, H.Ehrig, Kreowski, H.J., G.Rozenberg, eds.: Proc. ICGT 2002: first International Conference on Graph Transformation. Volume 2505 of Lecture Notes of Computer Science., Spain, Springer-Verlag (2002) 334 – 350 ¨ [5] P.C.Olveczky, J.Meseguer: Specification and Analysis of Real-Time Systems Using RealTime Maude. In M.Wermelinger, T.Margaria, eds.: Proceedings of Fundamental Approaches to Software Engineering: 7th International Conference (FASE2004). Volume 2984 of Lecture Notes in Computer Science., Barcelona, Spain, Springer-Verlag (2004) [6] Object Management Group: UML2 Superstructure Interim Report (2004) [7] Baldan, P., Corradini, A., König, B.: A Static Analysis Technique for Graph Transformation System. In: CONCUR 2001 - Concurrency Theory: 12th International Conference, Aalborg, Denmark, August 20-25, 2001, Proceedings. Volume 2154 of Lecture Notes in Computer Science. Springer-Verlag (2001) 381–395 [8] Baldan, P., Corradini, A., König, B.: Static Analysis of Distributed Systems with Mobility Specified by Graph Grammars - A Case Study. In Ehrig, H., Krämer, B., Ertas, A., eds.: ISPT Conference Proceedings. (2002) [9] Baldan, P., König, B.: Approximating the Behaviour of Graph Transformation Systems. In: Graph Transformation: First International Conference, ICGT 2002, Barcelona, Spain, October 7-11, 2002. Proceedings. Volume 2505. Springer-Verlag (2002) 14–30 [10] Baldan, P., Corradini, A., König, B.: Verifying Finite-State Graph Grammars: an UnfoldingBased Approach. In Gradner, P., Yoshida, N., eds.: Proceedings of the 15th International Conference on Concurrency Theory CONCUR 2004, London, UK, August 31 - September 3, 2004. Volume 3170 of Lecture Notes in Computer Science., Springer-Verlag Heidelberg (2004) 83–98 [11] Heckel, R., Wagner, A.: Ensuring consistency of conditional graph rewriting - a constructive approach. In Corradini, A., Montanari, U., eds.: Electronic Notes in Theoretical Computer Science. Volume 2., Elsevier (1995) [12] Giese, H., Tichy, M., Burmester, S., Schäfer, W., Flake, S.: Towards the Compositional Verification of Real-Time UML Designs. In: Proc. of the European Software Engineering Conference (ESEC), Helsinki, Finland, ACM Press (2003) [13] H.Giese, S.Burmester, F.Klein, D.Schilling, M.Tichy: Multi-Agent System Design for Safety-Critical Self-Optimizing Mechatronic Systems with UML. In: OOPSLA 2003 - Second International Workshop on Agent-Oriented Methodologies, Anaheim, CA, USA. (2003) 21 – 32

REFERENCES

43

[14] G.Rozenberg: Handbook of Graph Grammars and Computing by Graph Transformation. Volume 1. Foundations. World Science Publishing Co. Pte. Ltd. (1997) [15] Heckel, R., Engels, G.: Graph Transformation and Visual Modeling Languages. Bulletin of the European Association for Theoretical Computer Science (EATACS) (2000) [16] Rensink, A.: Canonical Graph Shapes. In Schmidt, D.A., ed.: Programming Languages and Systems — European Symposium on Programming (ESOP). Volume 2986 of Lecture Notes in Computer Science., Springer-Verlag (2004) 401–415 [17] Baldan, P., König, B., Rensink, A.: Graph Grammar Verification through Abstraction (summary 2). Dagstuhl Seminar Proceedings 04241 (2005) [18] Charpentier, M.: Composing Invariants. In: FME 2003: Formal Methods: International Symposium of Formal Methods Europe Pisa, Italy. Volume 2805/2003 of Lecture Notes in Computer Science. Springer-Verlag Heidelberg (2003) 401–421

Index ∩, see intersection ∪, see union ≤, see subgraph \, see subtraction

negative edges, 15 negative nodes, 15 occurrence, 12, 13, 22 operational invariant, 26

application graph, 12 path, 9 preserving property, 36

closed under application, 19, 25 correct match, 12, 13, 23

representatives, 32 required graph pattern, 17 Restricted Single Pushout Approach, 23 reverse rule, 28 RSPO, see Restricted Single Pushout Approach

dangling edge, 28 dangling edge condition, 22, 23 direct transformation, 12, 23 distance, 9 Double Pushout Approach, 23 DPO, see Double Pushout Approach

safety property, 7, 18, 36 scalability, 40, 41 simple graph pattern, 16 simple graph patterns, 16 Single Pushout Approach, 12, 23 source graph, 12 source graph pattern, 35 SPO, see Single Pushout Approach strong identification condition, 22, 23 subgraph, 9 subpattern, 17, 35 subtraction, 11 system, 19

expressiveness, 41 forbidden graph pattern, 17 graph, 8 labeled, 8 graph isomorphism, 11 graph morphism, 11 graph pattern, 16, 17, 17 graph property formula, 17 semantics, 18 graph transformation rule, 12 hazard, 18

target graph, 12 target graph pattern, 33, 34, 34, 35 total graph morphism, 11 type conform, 20, 21 type conform graph transitions, 21 type conform graphs, 20 type graph, 20 typed system, 25

identification condition, 22, 22 inductive invariant, 26, 36, 37, 39 infinite state, 19 intersection, 10 inverse rule, 28 label compatible, 10 labeled graph, 8

UML class diagrams, 20 UML object diagrams, 20, 21 union, 10 unsafe state, 18

matches, 22 maximal distance, 10 minimal NAC set, 15

witness, 18, 27

NAC, see negative application condition negative application condition, 15 minimal, 15

44

45

A Appendix A.1

Mathematical Notations

We use the operator ◦ to denote the concatenation of two functions. For functions f : X → Y and g : Y → Z holds we can define their concatenation g ◦ f : X → Z such that for any x ∈ X holds (g ◦ f )(x) = g(f (x)). If for two functions f : X1 → Y1 and g : X2 → Y2 for any x ∈ X1 ∩ X2 holds f (x) = g(x), we can define the combination of the two functions as f ⊕g : (X1 ∪X2 ) → (Y1 ∪Y2 ) defined by (g ⊕ f )(x) = f (x) if x ∈ X1 \ X2 , (g ⊕ f )(x) = g(x) if x ∈ X2 \ X1 , and (g ⊕ f )(x) = f (x) = g(x) if x ∈ X2 ∩ X1 .

Towards the Automatic Verification of Inductive Invariants for Infinite

Towards the Automatic Verification of Inductive Invariants for Infinite

Suggest Documents

Differential Invariants for Infinite-Dimensional Algebras

towards automatic dtm verification exploiting stereo orthophotos

Towards the automatic verification of PLC programs ... - CiteSeerX

Towards the automatic verification of PLC programs ... - CiteSeerX

Towards Automatic Verification of Erlang Programs by ÏâCalculus

Verification of object-oriented programs with invariants

Extended Tree Automata Models for the Verification of Infinite State ...

Generalization Strategies for the Verification of Infinite State Systems

Generalization Strategies for the Verification of Infinite State Systems

Verification of object-oriented programs with invariants

Generalization Strategies for the Verification of Infinite State Systems

Compositional Inductive Verification of Duration ... - Semantic Scholar

Verification of infinite state systems - Server users.dimi.uniud.it

Approximated Parameterized Verification of Infinite-state Processes

Approximated Parameterized Verification of Infinite-state ... - CiteSeerX

Invariants of Automatic Presentations and Semi-Synchronous ...

Automatic Synthesis of Programs and Inductive

Automatic Verification of the STS Authentication

ONTOGRATE: TOWARDS AUTOMATIC INTEGRATION FOR ...

Towards absolute invariants of images under

Distortion Measurement for Automatic Document Verification - TC11

Countermeasures for Automatic Speaker Verification Replay Spoofing

Automatic Strategy Verification for Hex - uri=webdocs.cs.ualberta

Automatic interconnection rectification for soc design verification ...

Towards the Automatic Verification of Inductive Invariants for Infinite