Kais Klai

Design and Evaluation of a Symbolic and Abstraction-Based Model Checker

Symbolic model-checking usually includes two steps: the building of a compact representation of a state graph and the evaluation of the properties of the system upon this data structure. In case of properties expressed with a linear time logic, it appears that the second step is often more time consuming than the first one. In this work, we present a mixed solution which builds an observation graph represented in a non symbolic way but where the nodes are essentially symbolic set of states. Due to the small number of events to be observed in a typical formula, this graph has a very moderate size and thus the complexity time of verification is neglectible w.r.t. the time to build the observation graph. Thus we propose different symbolic implementations for the construction of the nodes of this graph. The evaluations we have done on standard examples show that our method outperforms the pure symbolic methods which makes it attractive.

Formal verification of UML state diagrams: a petri net based approach

In spite of its informal semantics and of some ambiguities, UML is a widespread modelling language used in both industry and academia. On the other hand, Petri nets are a mathematical modelling language with a formal semantics and are well suited for formal verification. However, altough there is a growing interest in model checking techniques from industry, the software engineers continue to be unfamiliar with such a formalism. For that reason, it is convenient to supply formal verification techniques of UML diagrams that are completely automatic and transparent to the designer. This is the issue discussed in this paper. We propose to translate UML state diagrams into Coloured Petri nets on which verification of some desired properties can be checked automatically. We show on our example that, when expected properties are not checked, this is an opportunity to revise the model into a more adequate one

On the equivalence between liveness and deadlock-freeness in petri nets

This paper deals with the structure theory of Petri nets. We define the class of P/T systems namely K-systems for which the equivalence between controlled-siphon property (cs property), deadlock freeness, and liveness holds. Using the new structural notions of ordered transitions and root places, we revisit the non liveness characterization of P/T systems satisfying the cs property and we define by syntactical manner new and more expressive subclasses of K-systems where the interplay between conflict and synchronization is relaxed.

Symbolic abstraction and deadlock-freeness verification of inter-enterprise processes

The design of complex inter-enterprise business processes (IEBP) is generally performed in a modular way. Each process is designed separately and then the whole IEBP is obtained by composition. Even if such a modular approach is intuitive and facilitates the design problem, it poses the problem that correct behavior of each business process of the IEBP taken alone does not guarantee a correct behavior of the composed IEBP (i.e. properties are not preserved by composition). Proving correctness of the (unknown) composed process is strongly related to the model checking problem of a system model. Among others, the symbolic observation graph based approach has proven to be very helpful for efficient model checking in general. Since it is heavily based on abstraction techniques and thus hides detailed information about system components that are not relevant for the correctness decision, it is promising to transfer this concept to the problem raised in this paper: How can the symbolic observation graph technique be adapted and employed for process composition? Answering this question is the aim of this paper.

Modular construction of the symbolic observation graph

Model checking for Linear Time Logic (LTL) is usually based on converting the (negation of a) property into a Buchi automaton, composing the automaton and the model, and finally checking for emptiness of the language of the composed system. The last step is the crucial stage of the verification process because of the state explosion problem. In this work, we present a solution which builds, in a modular way, an observation graph represented in a non-symbolic manner but where the nodes are essentially symbolic sets of states and the edges either labeled by events occurring in the formula or by synchronization actions between the system components. Due to the small number of events to be observed in a typical formula, this graph has a very moderate size and thus the time complexity for verification is negligible w.r.t. the time to build the observation graph. Experimental results show that our method outperforms both a non-modular generation of the symbolic graph and existing non-symbolic approaches (modular or not).

Symbolic Abstraction and Deadlock-Freeness Verification of Inter-enterprise Processes

The design of complex inter-enterprise business processes (IEBP) is generally performed in a modular way. Each process is designed separately from the others and then the whole IEBP is obtained by composition. Even if such a modular approach is intuitive and facilitates the design problem, it poses the problem that correct behavior of each business process of the IEBP taken alone does not guarantee a correct behavior of the composed IEBP (i.e. properties are not preserved by composition). Proving correctness of the (unknown) composed process is strongly related to the model checking problem of a system model. Among others, the symbolic observation graph based approach has proven to be very helpful for efficient model checking in general. Since it is heavily based on abstraction techniques and thus hides detailed information about system components that are not relevant for the correctness decision, it is promising to transfer this concept to the problem rised in this paper: How can the symbolic observation graph technique be adapted and employed for process composition? Answering this question is the aim of this paper.

Self-loop aggregation product: a new hybrid approach to on-the-fly LTL model checking

We present the Self-Loop Aggregation Product (SLAP), a new hybrid technique that replaces the synchronized product used in the automata-theoretic approach for LTL model checking. The proposed product is an explicit graph of aggregates (symbolic sets of states) that can be interpreted as a Buchi automaton. The criterion used by SLAP to aggregate states from the Kripke structure is based on the analysis of self-loops that occur in the Buchi automaton expressing the property to verify. Our hybrid approach allows on the one hand to use classical emptiness-check algorithms and build the graph on-the-fly, and on the other hand, to have a compact encoding of the state space thanks to the symbolic representation of the aggregates. Our experiments show that this technique often outperforms other existing (hybrid or fully symbolic) approaches.

Formal Abstraction and Compatibility Checking of Web Services

For automatically composing Web services in a correct manner, information about their behaviors (an abstract model) has to be published in a repository. This abstract model must be sufficient to decide whether two, or more, services are compatible (the composition is possible) is possible without including any additional information that can be used to disclose the privacy of these services. The compatibility property is defined by different variants of the well known soundness property on open workflow nets. These properties guarantee the absence of livelocks, deadlocks and other anomalies that can be formulated without domain knowledge. In this paper we address the automatic abstraction of Web services and the checking of their compatibility using their abstract models only. To abstract Web services, we use the symbolic observation graph (SOG) approach that preserves necessary information for service composition and hides private information. We show how the SOG can be adapted and used so that the verification of different variants of compatibility can be performed on the composition of the abstract models (SOGs) of Web services instead of the original composite service.

Formal Modeling of Elastic Service-Based Business Processes

Cloud environments are being increasingly used for deploying and executing business processes and particularly service-based business processes (SBPs). One of the expected facilities of Cloud environments is elasticity at different levels. In this work, we argue the need of supporting elasticity at the service level. We propose a formal model for describing elasticity mechanisms and their strategies for SBPs. Our contribution consists in composing SBP models with models of controllers that describe the behavior of services and container replicas. In addition, we provide means for specifying both reactive and predictive elasticity strategies.

Formalizing non-concurrent UML state machines using colored petri nets

UML state machines are an interesting graphical language to express dynamic systems behavior. However, using the different features available (hierarchy, internal/external transitions, entry/exit/do activities, history pseudostates, etc.) may yield quite complex behaviors that are difficult to inspect and check visually. We introduce an algorithm to automatically generate a colored Petri net model associated with a state machine description, so as to provide a formal specification. In this proposal, although we do not consider concurrent aspects (such as fork and join), we take into ac- count all the above mentioned features in a thorough and integrated way. This is illustrated on some examples.