Verification of Graph Transformation Systems
Arman Sheikholeslami (armanpts@mail.upb.de)
Graph and GTS
• Directed Graph
  – the set of vertices.
  – the set of edges.
  – often used to model the static characteristics of a system.
• Graph Transformation System
  – used to model the behavior of a dynamic system.
  – the initial graph.
  – a set of transformation rules.
Seminar Advanced Verification Techniques - Winter term 2012/13 - University of Paderborn
Chess
[Figure: a board fragment (cells A6, A7, A8, B7, B8) with a Pawn on A7 and a Rook on B8, shown before and after a move ("Transformed!").]
How does Transformation work?
1. Find a matching of the LHS in G.
2. Delete all vertices and edges in G s.t. .
3. Add all vertices and edges to G s.t. .
[Figure: a rule (LHS: cells A7, A6 with the Pawn on A7; RHS: the Pawn on A6) applied to the graph G (cells A7, A6, A5, Pawn on A7), giving the graph H (Pawn on A6).]
Formalization of GTS
• Algebraic approach
  – Single push-out (SPO)
    • If a node deletion causes a dangling edge, the node is deleted along with the dangling edge.
  – Double push-out (DPO)
    • If a node deletion causes a dangling edge, the rule is not applied.
    • Not applicable in chess!
[Figure: the pawn-move rule (LHS: Pawn on A7; RHS: Pawn on A6) applied to G giving H, once under SPO and once under DPO.]
Transition System using SPO
[Figure: three rules, Rule X (the Pawn moves from A7 to A6), Rule Y (the Pawn moves from A6 to A5) and Rule Z (the Pawn hits the Knight on B5; the Knight node is removed), and the transition system obtained by applying them to a board fragment with cells A5, A6, A7, B5, a Pawn and a Knight.]
Verification of GTS
• Verification is to determine whether the behavior of the system (its semantics) conforms to the specification (its properties).
• Properties of GTS – the conditions and constraints a GTS should satisfy.
• Semantics of GTS – the producible transition system.
Properties of GTS
• Which properties of a GTS can be verified?
  – Safety
    • Something bad will never happen.
    • e.g. a forbidden pattern (sub-graph) is never reached.
  – Liveness
    • Something good will eventually happen.
    • e.g. deadlock-freedom, security.
[Figure: board fragment (cells A5, A6, A7, B5) with a Pawn and a Knight, captioned "Knight hit by Pawn! Unsafe!"]
Intuitively…
[Figure: the transition system generated by Rules X, Y and Z from the initial board fragment (cells A5, A6, A7, B5, Pawn, Knight); the state in which the Pawn hits the Knight is marked "Hit pattern, Unsafe!"]
Technically…
[Figure: the semantics (the chess-play transition system) is given as a Kripke structure with states A, B, C, D, E; the property ("Avoid getting hit!") is given as a temporal-logic formula (LTL, referring to state B); both are fed to a model checker.]
State space explosion
• Problem statement
  – several variables in a system, each with a range of possible values.
  – a state is assigned to each possible concrete combination of variable values.
  – the set of possible states is too large.
• This happens in almost every system
  – that is why we cannot have a complete verification of large systems, e.g. an OS.
[Figure: example with variables x and y.]
Infinite State Space
• A worse case of the state space explosion problem.
• Occurs when the state set of the system is endless.
• An infinite state space is created by the application of rules in which the LHS can be found in the RHS.
[Figure: a rule whose LHS occurs in its RHS, applied to G giving H.]
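The three transformation steps (find a matching, delete, add), the SPO/DPO treatment of dangling edges, and the "LHS occurs in RHS" criterion for an infinite state space, worked through in Python. This is an added example, not code from the slides: the Graph/Rule classes, the "on"/"next" edge labels, the board fragment and the REMOVE_KNIGHT and SPAWN rules are constructed here; only Rule X (the pawn moving from A7 to A6) follows the slides.

```python
from dataclasses import dataclass


@dataclass
class Graph:
    nodes: dict   # node id -> label, e.g. {"A7": "Cell", "p": "Pawn"}
    edges: set    # {(source id, target id, edge label)}

    def copy(self):
        return Graph(dict(self.nodes), set(self.edges))


@dataclass
class Rule:
    # ids in both LHS and RHS are preserved; only-LHS ids are deleted,
    # only-RHS ids are created
    lhs: Graph
    rhs: Graph


def find_matches(pattern, g):
    """Step 1: every injective, label-preserving match of pattern in g."""
    ids, found = list(pattern.nodes), []

    def extend(i, m):
        if i == len(ids):
            if all((m[s], m[t], l) in g.edges for s, t, l in pattern.edges):
                found.append(dict(m))
            return
        for u, label in g.nodes.items():
            if label == pattern.nodes[ids[i]] and u not in m.values():
                m[ids[i]] = u
                extend(i + 1, m)
                del m[ids[i]]

    extend(0, {})
    return found


def apply_rule(rule, g, match, approach="SPO"):
    """Steps 2 and 3: delete what the LHS matched but the RHS drops, then add
    what the RHS introduces.  Returns None when DPO refuses the step because a
    deleted node would leave a dangling edge; SPO deletes such edges as well."""
    deleted_nodes = {match[v] for v in rule.lhs.nodes if v not in rule.rhs.nodes}
    deleted_edges = {(match[s], match[t], l) for s, t, l in rule.lhs.edges
                     if (s, t, l) not in rule.rhs.edges}
    dangling = {e for e in g.edges - deleted_edges
                if e[0] in deleted_nodes or e[1] in deleted_nodes}
    if dangling and approach == "DPO":
        return None
    h = g.copy()
    h.edges -= deleted_edges | dangling
    for n in deleted_nodes:
        del h.nodes[n]
    ids = dict(match)                       # preserved nodes keep their id
    for v, label in rule.rhs.nodes.items():
        if v not in rule.lhs.nodes:         # created node gets a fresh id
            fresh = v
            while fresh in h.nodes:
                fresh += "'"
            ids[v], h.nodes[fresh] = fresh, label
    for s, t, l in rule.rhs.edges:
        if (s, t, l) not in rule.lhs.edges:
            h.edges.add((ids[s], ids[t], l))
    return h


def may_create_infinite_state_space(rule):
    """Slide 12's criterion: the LHS occurs in the RHS, so the rule is
    applicable again right after it has been applied."""
    return bool(find_matches(rule.lhs, rule.rhs))


def board():
    """Constructed board fragment: Pawn on A7 (A6 is its next cell), Knight on B5."""
    return Graph(
        nodes={"A7": "Cell", "A6": "Cell", "B5": "Cell", "p": "Pawn", "k": "Knight"},
        edges={("A7", "A6", "next"), ("p", "A7", "on"), ("k", "B5", "on")},
    )


# Rule X of the slides: a Pawn on cell x moves to the next cell y.
MOVE = Rule(
    lhs=Graph({"x": "Cell", "y": "Cell", "P": "Pawn"}, {("x", "y", "next"), ("P", "x", "on")}),
    rhs=Graph({"x": "Cell", "y": "Cell", "P": "Pawn"}, {("x", "y", "next"), ("P", "y", "on")}),
)
# Constructed rule that deletes a Knight node without mentioning its "on" edge.
REMOVE_KNIGHT = Rule(lhs=Graph({"K": "Knight"}, set()), rhs=Graph({}, set()))
# Constructed rule that puts a new Pawn on any cell; its LHS occurs in its RHS.
SPAWN = Rule(lhs=Graph({"x": "Cell"}, set()),
             rhs=Graph({"x": "Cell", "Q": "Pawn"}, {("Q", "x", "on")}))


def pawn_move():
    g = board()
    (m,) = find_matches(MOVE.lhs, g)        # exactly one match: x=A7, y=A6, P=p
    return apply_rule(MOVE, g, m)


def remove_knight(approach):
    g = board()
    (m,) = find_matches(REMOVE_KNIGHT.lhs, g)
    return apply_rule(REMOVE_KNIGHT, g, m, approach)
```

Applying REMOVE_KNIGHT to the board leaves the Knight's "on" edge without a source: under SPO the edge disappears with the node, under DPO apply_rule returns None and the rule is not applied, which is the situation the slides call "not applicable in chess". SPAWN is the slide-12 case: its LHS (a single Cell) is matched again inside its own RHS, so exploring its transition system never terminates.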
Solutions
• Under-approximation
  – an abstraction (subset) of the original graph (state set) satisfying fewer properties.
    • Bounded Model Checking
• Over-approximation
  – an abstraction (superset) of the original graph (state set) satisfying more properties.
    • Shape Graphs
    • Inductive Invariance
• Applicable to both the State Space Explosion and the Infinite State Space problem
Bounded Model Checking
• B is the pre-defined absolute bound.
• Look for a bad pattern in K-bounded execution length.
• If no bad pattern is found, increment K until a bad pattern is found.
• If K = B and no bad pattern is found, verification stops.
  – the system is not necessarily safe (under-approx.)
[Figure: exploration of the chess transition system with K=1 and K=2 up to the bound B; "Only movements of one level are modeled! (K=1)".]
Shape Graphs
• To shrink the state space by abstraction
  – information is discarded.
  – how to retrieve it to create concrete instances?
• Local Shape Logic (LSL)
  – a way to express additional information about the nodes and edges in a graph.
• A shape graph is an abstract model
  – concrete instances are built based on shape constraints.
• Still, more than one precise instance can be produced (over-approx.).
Shape Graphs (example)
[Figure: the concrete board G (cells A6, A7, A8, B7, B8, Pawn on A7, Rook on B8) is abstracted to a shape graph SG over the node types Cell, King, Queen, Rook, Pawn, Knight and Bishop; reproduction from SG under the constraint "In G: there is exactly one Pawn" yields several instances, one of which (with a second Pawn) is marked "Not a valid instance!".]
Inductive Invariance
• Investigate whether a transition from a safe state to an error state (forbidden pattern) is possible
  – apply the rules backwards from the forbidden pattern.
  – if a safe state is reached, the property can be violated (it is NOT an inductive invariant).
• Instead of the whole graph, only the borders are investigated (abstraction).
[Figure: the forbidden pattern (Pawn next to the Knight on the fragment A5, A6, A7, B5) and the state obtained by applying a rule backwards from it.]
Inductive Invariant (cont.)
• If the property is an inductive invariant
  – no rule can be used to reach the forbidden pattern from a state that is not the forbidden pattern.
  – the system is safe.
• If the property is not an inductive invariant
  – the system still might be safe.
  – the forbidden pattern can be reached given any starting graph (over-approx.).
[Figure: board fragments (cells C1–C3, D3–D5, D7, D8, E3–E5) with Bishops and a Pawn.]
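Bounded model checking (slide 14) and the inductive-invariant check (slides 17 and 18) side by side on one small explicit transition system, with the caveat each slide states made concrete: the bounded check can miss a bad state that lies beyond the bound, and the inductive check fails on a transition out of a state that is never actually reached. This is an added Python example, not code from the slides; instead of applying graph rules backwards it inspects an explicit, constructed transition relation (TRANSITIONS, SAFE_TRANSITIONS, the bad state E), so it shows the principle rather than the slides' graph-based procedure.

```python
from collections import deque

# Constructed transition system: state -> successor states.  From the initial
# state A the bad state E is reachable in three steps (A, C, D, E).  State X is
# never reached from A, but it has a transition into E.
TRANSITIONS = {
    "A": ["B", "C"],
    "B": ["A"],
    "C": ["D"],
    "D": ["E"],
    "E": ["E"],
    "X": ["E"],
}
# Constructed variant that is safe from A although X -> E is still present.
SAFE_TRANSITIONS = {"A": ["B"], "B": ["A"], "E": ["E"], "X": ["E"]}
BAD = {"E"}          # the forbidden pattern, e.g. "Knight hit by Pawn"


def reachable_within(start, k, transitions):
    """BFS over at most k transitions; returns state -> predecessor on a
    shortest path (None for start)."""
    depth, parent = {start: 0}, {start: None}
    queue = deque([start])
    while queue:
        s = queue.popleft()
        if depth[s] == k:
            continue
        for t in transitions[s]:
            if t not in depth:
                depth[t], parent[t] = depth[s] + 1, s
                queue.append(t)
    return parent


def path_to(state, parent):
    path = []
    while state is not None:
        path.append(state)
        state = parent[state]
    return path[::-1]


def bounded_model_check(start, bound, bad=BAD, transitions=TRANSITIONS):
    """Slide 14: try K = 1, 2, ... up to the absolute bound B.  Returns
    ("unsafe", counterexample path) as soon as a bad state lies within K steps,
    or ("no bad pattern within bound", None) once K reaches B, which does NOT
    prove safety (under-approximation)."""
    for k in range(1, bound + 1):
        parent = reachable_within(start, k, transitions)
        for s in parent:
            if s in bad:
                return ("unsafe", path_to(s, parent))
    return ("no bad pattern within bound", None)


def inductive_violations(bad=BAD, transitions=TRANSITIONS):
    """Slides 17/18 on an explicit relation: 'never bad' is an inductive
    invariant iff no single transition leads from a non-bad state to a bad
    one.  Every state is considered, reachable or not (over-approximation),
    so a violation does not prove that the system is unsafe."""
    return sorted((s, t) for s, succ in transitions.items()
                  if s not in bad for t in succ if t in bad)


def is_safe(start, bad=BAD, transitions=TRANSITIONS):
    """Exact answer for a finite system: exhaustive forward reachability
    (a bound equal to the number of states reaches everything)."""
    return not (set(reachable_within(start, len(transitions), transitions)) & bad)
```

With bound B = 2 the bounded check reports no bad pattern although E is reachable in three steps; with B = 3 it returns the counterexample path A, C, D, E. On SAFE_TRANSITIONS the inductive check still reports the violating transition (X, E), yet is_safe confirms that E is unreachable from A: the property is not an inductive invariant, but the system is safe.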
Extensions
• What if we need to differentiate elements of graphs from each other?
  – we need to use attributes to specify the differences.
  – Typed Attributed Graphs (TAG) are introduced as an extension.
• What if time has a specific effect on the system?
  – simple graphs do not care about time!
  – Timed Graphs are introduced as an extension (also an extension to TAG).
Typed Attributed GTS
• A graph with vertices and edges having an attribute
  – where is a graph and data vertices in .
  – a node attribute is a data node with an edge from the graph node to the data node.
  – an edge attribute is a data node with an edge from the graph edge to the data node.
[Figure: the board fragment (cells A6, A7, A8, B7, B8, Pawn on A7, Rook on B8) with a data node "Black" attached to a piece: "A data node indicating color".]
Timed GTS
• Contains 3 rules to perform TGT
  1. Clock Instance Rule
    • adds clock instances to the graph.
    • by using a discrete- or dense-time model (timed automata), the passing of time can be expressed.
  2. Invariant Rule
    • restricts the execution of the rule to a specific time interval.
  3. Timed Graph Transformation Rule
    • a normal graph transformation rule.
Timed GTS (example)
[Figure: on the board fragment with the Pawn on A7 and the Rook on A8, (1) the Clock Instance rule adds a clock instance CI, (2) the Invariant rule checks CI ≤ 10 (Yes/No), and (3) a transformation rule is applied: Rule X (the Pawn moves from A7 to A6) or Rule Y (the Rook moves from A8 to A7).]
Verification of TGTS
• There are many studies about model checking of TCTL over timed automata.
• Reduce model checking of TGTS to model checking of timed automata
  – to benefit from existing theories and tools.
• To do that:
  1. produce the TS for the TGTS (-automaton).
  2. reduce First-Order TCTL (FO-TCTL) to TCTL.
  3. label the -automaton with the atomic propositions holding in its states.
[Figure: Timed GTS → (1) -Automaton → (3) Labeled -Automaton; FO-TCTL Property → (2) TCTL Property; both go into the TCTL Model Checker.]
Verification of TGTS (example)
[Figure: the FO-TCTL property AG≤10 (∀x)(CI(x)) is reduced to the TCTL property AG≤10 (CI_x); the Timed GTS (Pawn on A7, Rook on A8, clock instance CI with invariant Inv: CI ≤ 10) yields a -automaton whose states are labeled with CI_x, and the labeled automaton is checked by the TCTL model checker.]
Questions?!