Towards Domain Refinement for UML/OCL Bounded Verification

Towards Domain Refinement for UML/OCL Bounded Verification

Robert Clarisó Universitat Oberta de Catalunya - Spain

Carlos A. González AtlanMod team - Inria, Mines Nantes, LINA - France

Jordi Cabot ICREA - Spain

13th Int. Conf on SW Enginerering and Formal Methods8-11 September 2015, York, UK

Motivation

Who? The reader

What?

Where?

Find Wally

Inside the page

Motivation

Who? The reader

What?

Where?

Find Wally

Inside the page

Motivation

Who? A solver

What?

Where?

Find faults

In a bounded state space

1. Bounded verification

2. Related work

Outline

2. Related work

3. Solution: refinement

4. Experimental results

5. Conclusions

Model M

Model-Based Verification

A B

C

Consistent

No contradictionsA

1

2

Property P

UML

Class diagram

Non-redundant

Lack of duplicities

A B

C

context C inv:

self.a->

excludes(self)

OCL

Invariants

Does model M satisfy correctness property P?

VERIFICATION TOOL

Model-based verification: overview

?

Model

A B

C

Correctness

Formal Notation

SAT / CP

?Correctness

Property

FiniteBounds

Designer

Feedback

Example or ? Counterexample or ?

Reasoning Engine

Bound selection

Choose “suitable” verification bounds for the solver

Goal

CONFIDENCE

EFFICIENCY

BOUNDSSmall Large

Fast Slow

Less More

Bound selection: heuristics

Small bounds are sufficient to detect most faults

Small scope hypothesis

Repeat analysis progressively increasing bounds

Incremental scoping

Our approach: bound refinement

VERIFICATION TOOLModel

A B

C Formal Notation

SAT / CP

CorrectnessProperty

Finite Bounds

Reasoning Engine

Feedback

Example or ?Countexample or ?

Our approach: bound refinement

VERIFICATION TOOLModel

A B

C Formal Notation

SAT / CP

CorrectnessProperty

Finite Bounds

Reasoning Engine

TighterboundsBound

refinement

Feedback

Example or ?Countexample or ?

Related work

Abstract size-related info toreason about size properties

Size abstraction

Bound propagation

Yu et al (FSE’2007)

CP solvers e.g. Remove improductive values from verification bounds

CP solvers e.g.

Interval Constraint Solver in eCLiPSe

This work:

Size abstraction + Bound propagation

Size properties CP solversArbitrary SAT

Running example: production facility

context Part inv UniqueSerials :

Part::allInstances()->isUnique(serial)

context Machine inv MachineAvailability :context Machine inv MachineAvailability :

Cutter::allInstances()->exists(c|c:idle) and

Grinder::allInstances()->exists(g|g:idle)

Property : Strong satisfiability

“It should be possible to populate of each non-abstract class while satisfying all integrity constraints”



context Machine inv MachineAvailability :

Running example: size abstraction




Multiplicities

“4 Parts per Machine”

Generalizations

“All Cutters are Machines”

Invariants

“There is at least one Grinder ”

Size abstraction for OCL

OCL Expression Abstract OCL Expression

Refers to the values in an instance of the model

Refers to the size of the model instance

OCL expression Abstraction

col->including( object ) Col <= Exp <= Col + 1

col->exists( var | cond ) (0 <= Exp <= 1) ∧

(Col = 0) -> (Exp = 0)

V = { x ∈ [0,5], y ∈ [0,7] }

C = { x + y = 7, x + 1 ≥ 2y }y

(x ≤ 5) ∧ (x + 1 ≥ 2y)

Integer Bound Propagation

xz

=> y ≤ 3

(x ≤ 5) ∧ (x + y = 7)

=> y ≥ 2

(y ≤ 3) ∧ (x + y = 7)

=> x ≥ 4






Refinement (1/4)

Domain bounds Source

Machine

Cutter

Grinder

Part

Uses

Serial

Number of objects of type Machine

Number of objects of type Cutter

Number of objects of type Grinder

Number of objects of type Part

Number of links in association Uses

Number of distinct values of attribute Serial






Refinement (1/4)

Domain bounds Source

Machine

Cutter

Grinder

Part

Uses

Serial

Number of objects of type Machine

Number of objects of type Cutter

Number of objects of type Grinder

Number of objects of type Part

Number of links in association Uses

Number of distinct values of attribute Serial

Constraint Source






Refinement (2/4)

Constraint Source

Machine = Cutter + Grinder

Uses ≤ Part * Machine

Uses = 4 * Machine

Uses ≤ Part

Part ≤ Serial

Cutter ≥ 1

Grinder ≥ 1

Generalization + Abstract class

Associaton Uses

Association end pieces

Association end device

Invariant UniqueSerials

Invariant MachineAvailability


Constraint Source






Refinement (2/4)

Constraint Source



Uses = 4 * Machine

Uses ≤ Part

Part ≤ Serial

Cutter ≥ 1

Grinder ≥ 1


Associaton Uses






Constraint Source






Refinement (2/4)

Constraint Source



Uses = 4 * Machine

Uses ≤ Part

Part ≤ Serial

Cutter ≥ 1

Grinder ≥ 1


Associaton Uses






Constraint Source






Refinement (2/4)

Constraint Source



Uses = 4 * Machine

Uses ≤ Part

Part ≤ Serial

Cutter ≥ 1

Grinder ≥ 1


Associaton Uses






Constraint Source






Refinement (2/4)

Constraint Source



Uses = 4 * Machine

Uses ≤ Part

Part ≤ Serial

Cutter ≥ 1

Grinder ≥ 1


Associaton Uses











Refinement (3/4)

Domain bounds Initial Bound Inferred Bound

Machine

Cutter

Grinder

Part

Uses

Serial

[0, ∞)

[0, ∞)

[0, ∞)

[0, ∞)

[0, ∞)

[0, ∞)






Refinement (3/4)


Machine

Cutter

Grinder

Part

Uses

Serial

[0, ∞)

[0, ∞)

[0, ∞)

[0, ∞)

[0, ∞)

[0, ∞)

[2, ∞)

[1, ∞)

[1, ∞)

[8, ∞)

[8, ∞)

[8, ∞)

Inferred bounds with no user input






Refinement (4/4)


Machine

Cutter

Grinder

Part

Uses

Serial

[0, ∞)

[0, ∞)

[0, ∞)

[0, ∞)

[0, ∞)

[0, 10]

[2, 2]

[1, 1]

[1, 1]

[8, 8]

[8, 8]

[8, 8]






Refinement (4/4)


Machine

Cutter

Grinder

Part

Uses

Serial

[0, ∞)

[0, ∞)

[0, ∞)

[0, ∞)

[0, ∞)

[0, 10]

[2, 2]

[1, 1]

[1, 1]

[8, 8]

[8, 8]

[8, 8]

One choice is sufficient to bind the state space

Designer

UML Model

A B

C

Domain BoundsX = [1,20], Y = [2, 15], ...

Experimental set-up

KodKod Model Finder

Sat4j SAT Solver

UML-based Specification Environment (USE)

Designer

Domain BoundsX = [1,20], Y = [2, 15], ...

UML Model

A B

CBound refinement

Experimental set-up

KodKod Model Finder

Sat4j SAT Solver

Bound refinement

UML-based Specification Environment (USE)

Experimental results: Summary (1/2)

Lightly constrained

(“Easy”)

Satisfiable Unsatisfiable–

Seconds Seconds

(“Easy”)

Highly constrained

(“Hard”)

Difficulty +–

+

Minutes Hours

Experimental results: Summary (1/2)

Lightly constrained

(“Easy”)

Satisfiable Unsatisfiable

No improvement No improvement

(“Easy”)

Highly constrained

(“Hard”)

Speed-ups from 1,7x to 11x

Speed-ups from2x to 50x

Overhead of bound tightening: <1 second

Conclusions… in 140 chars

Quick preprocessing to

make SAT-based verification

faster and more usable

Target: UML/OCL

Up to 50x speed-up

TODO: further experiments

Tweet0

Thank you for

your attention!

Robert Clarisó

[email protected]

@robertclariso

Software

Towards Domain Refinement for UML/OCL Bounded Verification