Verification of Graph Transformation Systems Arman Sheikholeslami [email protected]

Verification of Graph Transformation Systems

Arman [email protected]

Graph and GTS

• Directed Graph – is set of vertices.– is set of edges.– often used to model static characteristics of a system.

• Graph Transformation System – used to model behavior of a dynamic system.– as initial graph.– as a set of transformation rules.

2Seminar Advanced Verification Techniques - Winter term 2012/13 - University of Paderborn

Chess

Transformed!

A7Pawn

A8

A6

B7

B8Rook

A7

Pawn

A8

A6

B7

B8RookTransformed!


1. Find a matching of in .

2. Delete all vertices and edges in s.t. .

3. Add all vertices and edges to s.t. .

How Transformation works?

H4Seminar Advanced Verification Techniques - Winter term 2012/13 - University of Paderborn

G

A7

A6

Pawn

A5

A7

A6

A5

RHS

A7

A6 Pawn

LHS

A7

A6

Pawn

Pawn

• Algebraic approach– Single push-out (SPO)

• If node deletion causes dangling edge, node is deleted along with dangled edge.

– Double push-out (DPO)• If node deletion causes

dangling edge, the rule is not applied.

• Not applicable in chess!

Formalization of GTS

LHS RHS

G H

A7 Pawn A7

A7

A6

Pawn A7

A6

LHS RHS

G H

A7 Pawn Pawn

A7

A6

Pawn

A6

Pawn


Transition System using SPO

Rule X

LHS RHS

A7

A6 P

A7

A6

P

Rule Y

LHS RHS

P

PA5

A6

A7 A7

A6

A5

Rule Z

LHS RHS

PA7

A6

A5 B5

K

A7

A6

A5 B5

P

Rule X

Rule ZRule Y

A7

A6

Pawn

A5 B5

Knight

A7

A6

Pawn

A5 B5

A7

A6

Pawn

A5 B5

Knight

A7

A6

Pawn

A5 B5

Knight


• Verification is to determine if behavior of system (semantic) to conform with specifications (properties).

• Properties of GTS– conditions and restrains a GTS should satisfy.

• Semantic of GTS– producible transition system.

Verification of GTS


• Which properties of GTS can be verified?– Safety

• something bad will never happen.• e.g. a forbidden pattern (sub-graph) is

never reached.

– Liveness• something good will eventually happen.• e.g. Deadlock-freedom, security

Properties of GTS

A7

A6

Pawn

A5 B5

Knight

Knight hit by Pawn! Unsafe!


Intuitively…

Rule X

LHS RHS

A7

A6 P

A7

A6

P

Rule Z

LHS RHS

PA7

A6

A5 B5

K

A7

A6

A5 B5

P

Rule X

Rule ZRule Y

A7

A6

Pawn

A5 B5

Knight

A7

A6

Pawn

A5 B5

A7

A6

Pawn

A5 B5

Rule Y

LHS RHS

PA7

A6

A5 B5

K

A7

A6

A5 B5

P

A7

A6

Pawn

A5 B5

Knight


Hit pattern,Unsafe!

Technically…

Semantics Properties

Kripke Structure

Temporal Logic

Model Checker

B

A

C D

E

Chess play Transition System

Avoid getting hit!

LTL:B


• Problem statement– several variables in a system

with range of possible values.– a state assigned to each

possible concrete combination of variables.

– set of possible states is too large.

• This happens in almost every system– That’s why we cannot have a

complete verification of large systems e.g. OS.

State space explosion

x,y


• A worse case of State Space Explosion problem.

• Occurs when state set of system is endless.

• Infinite state space is created by application of rules in which LHS can be found in RHS.

Infinite State Space

LHS RHS

G H


• Under-approximation– An abstraction (subset) of original graph (state set) satisfying

less properties.• Bounded Model Checking

• Over-approximation– An abstraction (superset) of original graph (state set) satisfying

more properties.• Shape Graphs• Inductive Invariance

• Applicable to both State Space Explosion and Infinite State Space problems

Solutions


• is the pre-defined absolute bound.

• Look for a bad pattern in -bounded execution length.

• If no bad pattern found, increment () until a bad pattern is found.

• If and no bad pattern found, verification stops.– system is not necessarily safe

(under-approx.)

Bounded Model Checking

𝐵

𝐾=1𝐾=2


Only movements of one level are

modeled!(K=1)

• To shrink state space by abstraction– information is discarded.– how to retrieve it to create concrete instances?

• Local Shape Logic (LSL)– a way to express additional information about nodes and edges

in a graph.

• Shape graph is an abstract model– concrete instances are built based on shape constraints.

• Still more than one precise instance can be produced (over-approx.).

Shape Graphs


Shape Graphs (example)

Abstraction

Repro

ducti

on

Not a valid Instance!

Constraints:• There is exactly one Pawn

In :

A7Pawn

A8

A6

B7

B8Rook

G

A7Pawn

A8

A6

B7

B8Rook

Pawn

A7Pawn

A8

A6

B7

B8Rook

G


Cell

King

Queen

Rook

PawnKnight

BishopSG

G

• Investigate if transition from a safe state to an error state (forbidden pattern) is possible– Apply the rules backwards from forbidden pattern.– if safe state reached, the property is can be violated (it’s NOT

Inductive Invariant).

• Instead of the whole graph, only borders are investigated (abstraction).

Inductive Invariance

A6

A7

A5

Pawn

B5

Knight

A6

A7

A5

Pawn

B5

Knight


• If the property is inductive invariant– no rule can be used to reach forbidden pattern from a state is

not forbidden pattern.– the system is safe.

• If the property is not inductive invariant– the system still might be safe.– forbidden pattern can be reached given any starting graph (over-

approx.).

Inductive Invariant (cont.)

E4

E5

E3

BishopD4

D5

D3

Bishop


C2

C3

C1

D7

D8

Pawn

Bishop

• What if we need to differentiate elements of graphs from each other?– we need to use attributes to specify

differences.– Typed Attributed Graphs (TAG)

introduces as extension.

• What if time has specific effect on the system?– simple graphs do not care about time!– Timed Graphs introduces as extension

(also and extension to TAG).

19

Extensions

Seminar Advanced Verification Techniques - Winter term 2012/13 - University of Paderborn

• A graph with vertices and edges having an attribute– where is a graph and data vertices in .– node attribute as data node with an edge from graph node to

data node.– edge attribute as data node with an edge from graph edge to

data node.

Typed Attributed GTS

A7Pawn

A8

A6

B7

B8Rook

Black

A data node indicating

color


• Contains 3 rules to perform TGT1. Clock Instance Rule

• adds clock instances to graph.• by using discrete- or dense-time model (timed automata), passing of

time can be expressed.

2. Invariant Rule• restrict the execution of the rule to a specific time interval.

3. Timed Graph Transformation Rule • normal graph transformation rule.

Timed GTS


Timed GTS (example)

Apply Invariant

rule

2

𝐶 𝐼 ≤10

A7Pawn

A8Rook

A6

A7

Pawn

A8Rook

CI

A6Rule X

LHS RHS

A7

A6 P

A7

A6

P

Apply Clock

Instance rule

1

A7

Pawn

A8

Rook

CI

A6

Rule Y

LHS RHS

A8

A7 R

A8

A7

R


Apply Transformation

rule

3

No

Yes

• There are many studies about model checking of TCTL over timed automata.

• To reduce model checking TGTS to model checking of timed automata.– to benefit from existing theories and tools.

• To do that1. produce TS for TGTS (-automaton).

2. reduce First Order-TCTL to TCTL.

3. label -automaton with atomic propositions holding in states.

Verification of TGTS

Timed GTSFO-TCTL Property

-AutomatonTCTL

Property

Labeled -Automaton

TCTL Model Checker

1 2

3


Verification of TGTS (example)

𝐴𝐺≤10(∀ 𝑥)(𝐶𝐼 (𝑥))𝐴𝐺≤10(𝐶𝐼𝑥)

TCTL Model Checker

FO-TCTL

TCTL

Timed GTS

Labeled -Automaton

Inv:

A7

Pawn

A8Rook

CI

A6

A7

Pawn

A8Rook

CI

A6

𝐶𝐼 ≤10

A7

Pawn

A8Rook

CI

A6

A7

Pawn

A8Rook

CI

A6

𝐶𝐼 ≤10

-Automaton

𝐶𝐼 ≤10𝐶𝐼 ≤10

A7

Pawn

A8Rook

CI

A6

A7

Pawn

A8Rook

CI

A6

𝐶𝐼 ≤10CI_xCI_x


25

Question?!

Seminar Advanced Verification Techniques - Winter term 2012/13 - University of Paderborn

Documents

Verification of Graph Transformation Systems Arman Sheikholeslami [email protected]