PPT - ASTRO

Analysis of Communication Mechanisms in
WS Compositions
Raman Kazhamiakin
Marco Pistore
Luca Santuari
Verification Problem
• Check the correctness of the behavior of a WS composition with respect to a set of properties of interest:
  • Deadlock freeness, LTL properties
• Verification relies on the existence of a formal model for:
  • composition representation, interactions representation
• Communication mechanisms are complex and implementation-dependent:
  • queues, diversity of protocols, message overpasses
• No appropriate formal model exists that allows analyzing an arbitrary composition scenario:
  • Complexity and decidability problems for general models
  • Specific models are restricted w.r.t. the set of scenarios
02.09.2005 WS-FM'05 2
Example 1
• Problems with the synchronous communication model:
  • Each output happens synchronously with the corresponding input
  • Concurrent emissions are possible, so queues are needed
[Figure: two services exchanging messages a, b, c and d; a label !x denotes an output of x, ?x an input of x]
Example 2
• Problems with the asynchronous communication model:
  • Output is non-blocking
  • Messages are stored in FIFO queues
  • Message overpasses are possible, so non-FIFO queues might be needed
[Figure: four interaction traces over messages a and b (!a, !b outputs; ?a, ?b inputs), each marked GOOD or BAD]
Aim of the Approach
• Adequateness
  Starting from the composition scenario, find an adequate communication model that completely describes the behavior of the composition
• Composition boundedness
  Check that no system execution leads to infinitely growing queues
• Composition completeness
  Check that in any possible execution messages are not lost
This kind of analysis allows for abstracting from the communication-level problems, thus enabling further analysis of business-level behavioral requirements
Solution
• Previous work (WS-FM'05)
  • Based on the Extended Composition Model
  • Complex implementation
  • Restricted w.r.t. the set of analyzable properties
  • Potentially incomplete results for an arbitrary scenario
• Current work
  • Based on the STS with channels model
  • Simple implementation
  • Efficient analysis
  • Wider set of properties
  • Complete theoretical results
Formalization
• Assumptions:
  • Disjoint and perfect channels
  • Non-blocking operations
  • Arbitrary (up to non-FIFO) queue implementations
  • Arbitrary (but bounded) queue length
  • No internal loops in the service implementation
• STS with Channels (CSTS) corresponding to the composition of n STSs:
  • A state is a pair <S,C> where S=<s1,…,sn> is the global control state and C=<w1,…,wm> is the content of the m FIFO queues
  • T ⊆ GS × (I ∪ O ∪ {τ}) × GS is the transition relation:
    • If the action is an input ?a, the message is consumed from the head of its queue: a.C' = C
    • If the action is an output !a, the message is appended to its queue: C' = C.a
    • If the action is an internal τ, the queue content is not changed: C' = C
Formalization (cont'd)
• Behavior:
  • Reachability tree (possibly infinite):
    nodes are labeled with global states of the CSTS
    the root is labeled with the initial state of the CSTS
    edges are labeled with actions
  • Reachability graph
    obtained from the reachability tree by merging nodes with identical labels
• Finiteness of the model:
  • THEOREM: the reachability graph is finite (bounded) iff all the queues are bounded
    [that is, there is a constant K s.t. the length of every queue is < K in any global state]
  • The problem of unboundedness is undecidable in general
Adequateness Problem
• Given a composition scenario (set of STSs), determine a minimal CSTS (channel configuration) such that the behavior is the maximal one for the scenario
• Minimal model:
  • The simplest interaction mechanisms, the most trivial implementation
  • The most efficient analysis techniques
• Maximal behavior:
  • The behavior should be the same as in the worst case, where everything is possible
  • Relies on the model simulation relation between models
  • Requires the definition of the worst case: the most general model
Adequateness Problem (cont'd)
• Model simulation relation
  • Model Δ1 simulates model Δ2, written Δ2 ≤ Δ1, if for any composition scenario the set of behaviors of the composition under model Δ2 is included in the set of behaviors of the composition under model Δ1
  • THEOREM: Let Δ1, Δ2 be two communication models with queue structures <M11*,…,M1m*> and <M21*,…,M2n*>. If for any alphabet M2i there exists an alphabet M1j such that M2i ≤ M1j, then Δ1 ≤ Δ2
• Most general communication model
  • The most general model is the communication model with the following queue structure: for any message type a there is a separate queue with alphabet M = {a}
  • THEOREM: for any communication model Δ, Δ is simulated by the most general model (Δ ≤ most general model)
  • The boundedness problem for the most general model is decidable
Adequateness Analysis
1. Consider a sequence of communication models from the simplest to the most general: Δ1 ≤ Δ2 ≤ … ≤ most general model
2. Starting from the first model, compute the behavior of the composition under the current model and compare it with the behavior under the most general model
  • If different, take the next model and repeat the step
  • If the same, then Δi simulates the most general model and therefore the model is adequate
The implementing algorithm is based on the reachability graph construction:
  • DFS algorithm
  • Boundedness is checked on the fly
  • Completeness is checked on the fly
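As an added worked example covering the Formalization slides and the Adequateness Analysis procedure above (this is not the authors' implementation): the block below composes services given as STSs under a channel configuration, builds the reachability graph by DFS while marking states that exceed an assumed queue bound K ("unbounded") and terminal states that still hold undelivered messages ("incomplete"), and then runs the adequateness loop, returning the first candidate model whose behavior equals that of the most general model (one queue per message type). The scenario is constructed after Example 2: a sender emitting a then b, and a receiver that expects b before a (an overpass); the bound K, the trace-set comparison of behaviors and the looping sender used to trigger the unboundedness mark are assumptions of this example.

```python
"""Composition of STSs with channels: reachability graph, boundedness,
completeness and adequateness analysis (added example, not the authors' code)."""
from typing import Dict, FrozenSet, List, Set, Tuple

# An STS is (initial state, [(src, action, dst), ...]).
# Actions: "!a" = output of message a, "?a" = input of message a, "tau" = internal.
STS = Tuple[str, List[Tuple[str, str, str]]]
Model = Tuple[FrozenSet[str], ...]            # disjoint queue alphabets
GState = Tuple[Tuple[str, ...], Tuple[Tuple[str, ...], ...]]   # <S, C>


def queue_of(model: Model, msg: str) -> int:
    """Index of the unique queue (channels are disjoint) whose alphabet holds msg."""
    for i, alphabet in enumerate(model):
        if msg in alphabet:
            return i
    raise KeyError(f"message {msg!r} belongs to no queue of the model")


def successors(services: List[STS], model: Model, state: GState, bound: int):
    """Enabled global transitions: ?a consumes the head of a's queue (a.C' = C),
    !a appends to it (C' = C.a), tau leaves C unchanged. Also reports whether an
    output was suppressed because the queue reached the assumed bound K."""
    locals_, queues = state
    result, exceeded = [], False
    for i, (_, trans) in enumerate(services):
        for src, act, dst in trans:
            if src != locals_[i]:
                continue
            new_locals = locals_[:i] + (dst,) + locals_[i + 1:]
            if act == "tau":
                result.append((act, (new_locals, queues)))
                continue
            kind, msg = act[0], act[1:]
            q = queue_of(model, msg)
            if kind == "!":
                if len(queues[q]) >= bound:       # queue would exceed K (assumption)
                    exceeded = True
                    continue
                new_q = queues[q] + (msg,)
            elif not queues[q] or queues[q][0] != msg:
                continue                          # input waits: msg is not at the head
            else:
                new_q = queues[q][1:]
            result.append((act, (new_locals, queues[:q] + (new_q,) + queues[q + 1:])))
    return result, exceeded


def initial_state(services: List[STS], model: Model) -> GState:
    return tuple(s for s, _ in services), tuple(() for _ in model)


def reachability_graph(services: List[STS], model: Model, bound: int = 4):
    """DFS over global states, merging identical labels. Boundedness and
    completeness are decided on the fly while the graph is built."""
    edges: Dict[GState, List[Tuple[str, GState]]] = {}
    unbounded: Set[GState] = set()
    incomplete: Set[GState] = set()
    stack = [initial_state(services, model)]
    while stack:
        st = stack.pop()
        if st in edges:
            continue
        succ, exceeded = successors(services, model, st, bound)
        edges[st] = succ
        if exceeded:
            unbounded.add(st)
        if not succ and any(st[1]):               # terminal, yet messages left in queues
            incomplete.add(st)
        stack.extend(ns for _, ns in succ)
    return edges, unbounded, incomplete


def behaviours(edges, init: GState) -> Set[Tuple[str, ...]]:
    """Prefix-closed set of action sequences. Finite for loop-free services; the
    length guard only terminates the walk if a cycle is present."""
    traces: Set[Tuple[str, ...]] = set()
    stack = [(init, ())]
    while stack:
        st, trace = stack.pop()
        traces.add(trace)
        if len(trace) < len(edges):
            stack.extend((ns, trace + (act,)) for act, ns in edges[st])
    return traces


def most_general_model(services: List[STS]) -> Model:
    """One queue per message type: the model that simulates every other one."""
    msgs = {act[1:] for _, trans in services for _, act, _ in trans if act != "tau"}
    return tuple(frozenset({m}) for m in sorted(msgs))


def adequate_model(services: List[STS], candidates: List[Model], bound: int = 4) -> Model:
    """Adequateness analysis: first candidate (simplest first) whose behaviour
    equals the behaviour under the most general model."""
    general = most_general_model(services)
    ref_edges, _, _ = reachability_graph(services, general, bound)
    reference = behaviours(ref_edges, initial_state(services, general))
    for model in candidates + [general]:
        edges, _, _ = reachability_graph(services, model, bound)
        if behaviours(edges, initial_state(services, model)) == reference:
            return model
    return general   # not reached: the most general model matches itself


# Constructed scenario after Example 2 (assumed, not taken from the slides' figure).
SENDER: STS = ("s0", [("s0", "!a", "s1"), ("s1", "!b", "s2")])
RECEIVER_B_FIRST: STS = ("r0", [("r0", "?b", "r1"), ("r1", "?a", "r2")])
RECEIVER_A_FIRST: STS = ("r0", [("r0", "?a", "r1"), ("r1", "?b", "r2")])
SINGLE_FIFO: Model = (frozenset({"a", "b"}),)


def example_overpass() -> Tuple[bool, bool]:
    """(incomplete under a single FIFO queue, incomplete under per-type queues)."""
    services = [SENDER, RECEIVER_B_FIRST]
    _, _, bad = reachability_graph(services, SINGLE_FIFO)
    _, _, good = reachability_graph(services, most_general_model(services))
    return bool(bad), bool(good)


def example_unbounded() -> int:
    """Constructed looping sender with nobody reading a: number of states at
    which the assumed bound K=3 is hit."""
    looping: STS = ("s0", [("s0", "!a", "s0")])
    _, unbounded, _ = reachability_graph([looping], (frozenset({"a"}),), bound=3)
    return len(unbounded)
```

With the receiver expecting a first, the single FIFO queue already yields the same traces as the per-type queues, so it is the adequate (minimal) model; with the overpassing receiver the single queue blocks with a and b undelivered, the behaviors differ, and the analysis moves on to the most general model.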
Analysis issues
• The outcome of the analysis is represented as a global transition system
  • Some states may be marked as unbounded
  • Some states may be marked as incomplete
• This model is used for further analysis of properties [in the presence of variables] in NuSMV
• The overall analysis approach is a combination of explicit search techniques (graph construction) and symbolic techniques (further model checking)
Analysis issues (cont'd)
• The explicit search algorithm allows for the application of Partial Order Reduction and on-the-fly optimizations.
• The experimental results demonstrate much higher performance w.r.t. previous NuSMV implementations
• Future work:
  • Knowledge-level verification
  • May be performed on the fly, combined with the graph construction algorithm