An Abstraction Technique for the Verification of Artifact-Centric Systems
Francesco Belardinelli, Laboratoire IBISC, Université d'Évry
Joint work with Alessio Lomuscio (Imperial College London, UK) and Fabio Patrizi (Sapienza Università di Roma, Italy), within the EU-funded project ACSI (Artifact-Centric Service Interoperation)
JAIF – 13 June 2013
Model Checking in one slide
Model checking: technique(s) to automatically verify that a system design $S$ satisfies a property $P$ before deployment. More formally, given
• a model $M_S$ of a system $S$
• a formula $\varphi_P$ representing a property $P$
we check that $M_S \models \varphi_P$.
Turing Award 2007
www.acm.org/press-room/news-releases-2008/turing-award-07
[photos: (a) E. Clarke (CMU, USA); (b) A. Emerson (U. Texas, USA); (c) J. Sifakis (IMAG, F)]
• Jury justification: For their roles in developing model checking into a highly effective verification technology, widely adopted in the hardware and software industries.
Overview
1. Motivation: Artifact Systems are data-aware systems
2. Main task: formal verification of infinite-state AS
◮ model checking is appropriate for control-intensive applications...
◮ ...but less suited for data-intensive applications (data typically ranges over infinite domains) [1].
3. Key contribution: verification of bounded and uniform AS is decidable
Artifact Systems: Outline
• Recent paradigm for Service-Oriented Computing [2].
• Motto: let's give data and processes the same relevance!
• Artifact: data model + lifecycle
◮ (nested) records equipped with actions
◮ actions may affect several artifacts
◮ evolution stemming from the interaction with other artifacts/external actors
• Artifact System: set of interacting artifacts, representing services, manipulated by agents.
Artifact Systems: Order-to-Cash Scenario
[figure: the Order-to-Cash scenario]
Research questions
1. Which syntax and semantics should we use to specify AS?
2. Is verification of AS decidable?
3. If not, can we identify relevant fragments that are reasonably well-behaved?
4. How can we implement this?
Challenges
Multi-agent systems, but . . .
• . . . states have a relational structure,
• data are potentially infinite,
• state space is infinite in general.
⇒ The model checking problem cannot be tackled by standard techniques.
Artifact Systems: Results
1. Artifact-centric multi-agent systems (AC-MAS): formal model for AS. Intuition: databases that evolve in time and are manipulated by agents.
2. FO-CTLK as a specification language:
$AG\, \forall id, pc\, (\exists \vec{x}\, MO(id, pc, \vec{x}) \rightarrow K_M\, \exists \vec{y}\, PO(id, pc, \vec{y}))$
the manufacturer $M$ knows that each MO has to match a corresponding PO.
3. Abstraction techniques and finite interpretation to tackle model checking. Main result: under specific conditions MC can be reduced to the finite case.
Semantics: Databases
The data model of Artifact Systems is given as a database.
• a database schema is a finite set $\mathcal{D} = \{P_1/a_1, \ldots, P_n/a_n\}$ of predicate symbols $P_i$ with arity $a_i \in \mathbb{N}$.
• an instance on a domain $U$ is a mapping $D$ associating each predicate symbol $P_i$ with a finite $a_i$-ary relation on $U$.
• the active domain $adom(D)$ is the set of all $u \in U$ appearing in $D$.
• Composition: $D \oplus D'$ is the $(\mathcal{D} \cup \mathcal{D}')$-interpretation s.t. (i) $D \oplus D'(P_i) = D(P_i)$, and (ii) $D \oplus D'(P'_i) = D'(P_i)$, where $\mathcal{D}'$ is a primed copy of the schema $\mathcal{D}$ (so $D \oplus D'$ records two instances side by side, e.g. a state and its successor).
Artifact-centric Multi-agent Systems: Agents
Agents have partial access (views) to the artifact system.
• an agent is a tuple $i = \langle \mathcal{D}_i, Act_i, Pr_i \rangle$ where
◮ $\mathcal{D}_i$ is the local database schema
◮ $Act_i$ is the set of local actions $\alpha(\vec{x})$ with parameters $\vec{x}$
◮ $Pr_i : \mathcal{D}_i(U) \mapsto 2^{Act_i(U)}$ is the local protocol function
• the setting is reminiscent of the interpreted systems semantics for MAS [3],...
• ...but here the local state of each agent is relational.
Intuitively, agents manipulate artifacts and have (partial) access to the information contained in the global db schema $\mathcal{D}$.
Example 1: the Order-to-Cash Scenario
• Agents: Customer, Manufacturer, Supplier.
• Local db schema $\mathcal{D}_C$
◮ Products(prod_code, budget)
◮ PO(id, prod_code, offer, status)
• Local db schema $\mathcal{D}_M$
◮ PO(id, prod_code, offer, status)
◮ MO(id, prod_code, price, status)
• Local db schema $\mathcal{D}_S$
◮ Materials(mat_code, cost)
◮ MO(id, prod_code, price, status)
• Then, $\mathcal{D} = \{Materials, Products, PO, MO\}$.
• Parametric actions can introduce values from an infinite domain $U$.
◮ createPO(prod_code, offer) belongs to $Act_C$.
◮ createMO(prod_code, price) belongs to $Act_M$.
Artifact-centric Multi-agent Systems: AC-MAS
Agents are modules that can be composed together to obtain AC-MAS.
• Global states are tuples $s = \langle D_0, \ldots, D_n \rangle \in \mathcal{D}(U)$.
• An AC-MAS is a tuple $\mathcal{P} = \langle Ag, s_0, \tau \rangle$ where:
◮ $Ag = \{0, \ldots, n\}$ is a finite set of agents
◮ $s_0 \in \mathcal{D}(U)$ is the initial global state
◮ $\tau : \mathcal{D}(U) \times Act(U) \mapsto 2^{\mathcal{D}(U)}$ is the transition function
• Temporal transition: $s \rightarrow s'$ iff there is $\alpha(\vec{u})$ s.t. $s' \in \tau(s, \alpha(\vec{u}))$.
• Epistemic relation: $s \sim_i s'$ iff $D_i = D'_i$.
• AC-MAS are infinite-state systems in general.
AC-MAS are first-order temporal epistemic structures. Hence, FO-CTLK can be used as a specification language.
Syntax: FO-CTLK
• Data call for First-order Logic.
• Evolution calls for Temporal Logic.
• Agents (operating on artifacts) call for Epistemic Logic.
The specification language FO-CTLK:
$\varphi ::= P(\vec{t}) \mid t = t' \mid \neg \varphi \mid \varphi \rightarrow \varphi \mid \forall x\, \varphi \mid AX \varphi \mid A \varphi U \varphi \mid E \varphi U \varphi \mid K_i \varphi$
Alternation of free variables and modal operators is allowed: a variable bound outside a modal operator may occur free inside it.
Semantics of FO-CTLK: Formal definition
An AC-MAS $\mathcal{P}$ satisfies an FO-CTLK formula $\varphi$ in a state $s$ for an assignment $\sigma$ iff
• $(\mathcal{P}, s, \sigma) \models P_i(\vec{t})$ iff $\langle \sigma(t_1), \ldots, \sigma(t_{a_i}) \rangle \in D_s(P_i)$
• $(\mathcal{P}, s, \sigma) \models t = t'$ iff $\sigma(t) = \sigma(t')$
• $(\mathcal{P}, s, \sigma) \models \neg \varphi$ iff $(\mathcal{P}, s, \sigma) \not\models \varphi$
• $(\mathcal{P}, s, \sigma) \models \varphi \rightarrow \psi$ iff $(\mathcal{P}, s, \sigma) \not\models \varphi$ or $(\mathcal{P}, s, \sigma) \models \psi$
• $(\mathcal{P}, s, \sigma) \models \forall x\, \varphi$ iff for all $u \in adom(s)$, $(\mathcal{P}, s, \sigma^x_u) \models \varphi$
• $(\mathcal{P}, s, \sigma) \models AX \varphi$ iff for all runs $r$, $r_0 = s$ implies $(\mathcal{P}, r_1, \sigma) \models \varphi$
• $(\mathcal{P}, s, \sigma) \models A \varphi U \varphi'$ iff for all runs $r$, $r_0 = s$ implies $(\mathcal{P}, r_k, \sigma) \models \varphi'$ for some $k \geq 0$, and $(\mathcal{P}, r_{k'}, \sigma) \models \varphi$ for all $0 \leq k' < k$
• $(\mathcal{P}, s, \sigma) \models E \varphi U \varphi'$ iff there exists a run $r$ s.t. $r_0 = s$, $(\mathcal{P}, r_k, \sigma) \models \varphi'$ for some $k \geq 0$, and $(\mathcal{P}, r_{k'}, \sigma) \models \varphi$ for all $0 \leq k' < k$
• $(\mathcal{P}, s, \sigma) \models K_i \varphi$ iff for all states $s'$, $s \sim_i s'$ implies $(\mathcal{P}, s', \sigma) \models \varphi$
• Active-domain semantics for quantifiers.
Semantics of FO-CTLK: Intuition
[figure: computation trees illustrating (d) $AX \varphi$, (e) $A \varphi U \psi$, (f) $E \varphi U \psi$]
Verification of AC-MAS
How do we verify FO-CTLK specifications on AC-MAS?
• the manufacturer $M$ knows that each MO has to match a corresponding PO:
$AG\, \forall id, pc\, (\exists pr, s\, MO(id, pc, pr, s) \rightarrow K_M\, \exists o, s'\, PO(id, pc, o, s'))$
• the client $C$ knows that every PO will eventually be discharged (by $M$):
$AG\, \forall id, pc\, (\exists pr, s\, MO(id, pc, pr, s) \rightarrow EF\, K_C\, \exists o\, PO(id, pc, o, shipped))$
Problem: the infinite domain $U$ may generate infinitely many states!
Investigated solution: can we simulate the concrete values from $U$ with a finite set of abstract symbols?
Abstraction: Isomorphism and Bisimulation
• Two states $s, s'$ are isomorphic, or $s \simeq s'$, if there is a bijection $\iota : adom(s) \cup C \mapsto adom(s') \cup C$ such that
◮ $\iota$ is the identity on $C$ (the constants named in the system description)
◮ for every $i \in Ag$ and $\vec{u} \in adom(s)^{a_j}$, $\vec{u} \in D_i(P_j) \Leftrightarrow \iota(\vec{u}) \in D'_i(P_j)$
Example: $D = \{(a, b), (b, c), (d, e)\} \simeq D' = \{(1, 2), (2, c), (4, 5)\}$ with $c \in C$, via
◮ $\iota : a \mapsto 1,\ b \mapsto 2,\ c \mapsto c,\ d \mapsto 4,\ e \mapsto 5$
Abstraction: Isomorphism and Bisimulation
• Two states $s, s'$ are bisimilar, or $s \approx s'$, if
◮ $s \simeq s'$
◮ if $s \rightarrow t$ then there is $t'$ s.t. $s' \rightarrow t'$, $s \oplus t \simeq s' \oplus t'$, and $t \approx t'$
◮ the other direction holds as well
◮ similarly for the epistemic relation $\sim_i$
[figure: $s \rightarrow t$ and $s' \rightarrow t'$ with $s \approx s'$ and $t \approx t'$]
Abstraction: Isomorphism and Bisimulation
However, bisimulation is not sufficient to preserve FO-CTLK formulas:
[figure: $\mathcal{P}$ is a chain whose states carry the values 1, 2, 3, 4, 5, 6, ... (a fresh value at every step); $\mathcal{P}'$ alternates between the two values $a$ and $b$]
$\varphi = AG\, \forall x\, (P(x) \rightarrow AX\, AG\, \neg P(x))$
$\mathcal{P} \approx \mathcal{P}'$, since bisimulation only compares a state with its immediate successor ($s \oplus t \simeq s' \oplus t'$), yet $\varphi$ holds in $\mathcal{P}$ (no value ever reappears) and fails in $\mathcal{P}'$ (the value $a$ reappears two steps later): the free variable $x$ is tracked across more than one transition.
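The semantics above can be executed directly on a finite, explicit-state fragment. The following is an added example (not code from the slides or from the ACSI project) of a small FO-CTLK model checker: states are database instances, an agent's local state is the restriction of the instance to its local schema, quantifiers range over the active domain, and AU/EU are computed as least fixpoints. The transition relation is assumed serial (every state has a successor), as in the runs-based semantics. The Order-to-Cash data (`order_to_cash`), the state names, and the finite truncation of the chain $\mathcal{P}$ from the counterexample above (`P_CHAIN`, which goes empty after two steps) are constructed for this example and are not from the slides.

```python
"""Small FO-CTLK model checker for finite, explicit-state AC-MAS (added example).

A global state is a database instance: dict rel -> frozenset of value tuples.
An agent's local state is the restriction of the instance to its local schema,
so s ~_i s' iff those restrictions coincide; quantifiers range over adom(s).
Formulas are nested tuples: ('P', rel, terms) ('eq', t1, t2) ('not', f)
('imp', f, g) ('forall', x, f) ('AX', f) ('AU', f, g) ('EU', f, g)
('K', agent, f) ('true',); a term starting with '?' is a variable.
"""
from dataclasses import dataclass


@dataclass
class Model:
    states: dict  # name -> instance (dict rel -> frozenset of tuples)
    trans: dict   # name -> set of successor names; assumed serial (every state has one)
    views: dict   # agent -> tuple of relation names the agent sees (its local schema)


def adom(inst):
    return {v for tuples in inst.values() for tup in tuples for v in tup}


def _val(term, sigma):
    return sigma[term] if isinstance(term, str) and term.startswith('?') else term


def sat(m, f, sigma=None):
    """Names of the states of m satisfying f under assignment sigma."""
    sigma, S, op = dict(sigma or {}), set(m.states), f[0]
    if op == 'true':
        return S
    if op == 'P':
        _, rel, terms = f
        return {s for s in S
                if tuple(_val(t, sigma) for t in terms) in m.states[s].get(rel, frozenset())}
    if op == 'eq':
        return S if _val(f[1], sigma) == _val(f[2], sigma) else set()
    if op == 'not':
        return S - sat(m, f[1], sigma)
    if op == 'imp':
        return (S - sat(m, f[1], sigma)) | sat(m, f[2], sigma)
    if op == 'forall':  # active-domain semantics: the witness u ranges over adom(s) only
        _, x, g = f
        return {s for s in S if all(s in sat(m, g, {**sigma, x: u}) for u in adom(m.states[s]))}
    if op == 'AX':
        G = sat(m, f[1], sigma)
        return {s for s in S if m.trans[s] <= G}
    if op in ('AU', 'EU'):  # least fixpoint Z = G U (F n AX Z), resp. G U (F n EX Z)
        F, G = sat(m, f[1], sigma), sat(m, f[2], sigma)
        Z = set(G)
        while True:
            step = {s for s in F - Z
                    if (m.trans[s] <= Z if op == 'AU' else bool(m.trans[s] & Z))}
            if not step:
                return Z
            Z |= step
    if op == 'K':  # K_i g: g holds in every state that agent i cannot distinguish from s
        _, i, g = f
        G = sat(m, g, sigma)
        view = lambda s: tuple(m.states[s].get(r, frozenset()) for r in m.views[i])
        return {s for s in S if all(t in G for t in S if view(t) == view(s))}
    raise ValueError(f"unknown operator {op!r}")


def exists(x, f): return ('not', ('forall', x, ('not', f)))
def AG(f): return ('not', ('EU', ('true',), ('not', f)))
def EF(f): return ('EU', ('true',), f)


def order_to_cash(mo_id):
    """Constructed three-state fragment of the Order-to-Cash scenario (hypothetical data):
    PO #1 is open, M raises an MO with id mo_id for it, then the order is shipped."""
    po_open, po_done = frozenset({(1, 'p7', 100, 'open')}), frozenset({(1, 'p7', 100, 'shipped')})
    mo_open, mo_done = frozenset({(mo_id, 'p7', 80, 'open')}), frozenset({(mo_id, 'p7', 80, 'done')})
    return Model(states={'s0': {'PO': po_open, 'MO': frozenset()},
                         's1': {'PO': po_open, 'MO': mo_open},
                         's2': {'PO': po_done, 'MO': mo_done}},
                 trans={'s0': {'s1'}, 's1': {'s2'}, 's2': {'s2'}},
                 views={'C': ('PO',), 'M': ('PO', 'MO')})


MO_SOME = exists('?pr', exists('?s', ('P', 'MO', ('?id', '?pc', '?pr', '?s'))))
# AG forall id,pc (exists pr,s MO(id,pc,pr,s) -> K_M exists o,s' PO(id,pc,o,s'))
MO_MATCHES_PO = AG(('forall', '?id', ('forall', '?pc', ('imp', MO_SOME,
    ('K', 'M', exists('?o', exists('?t', ('P', 'PO', ('?id', '?pc', '?o', '?t')))))))))
# AG forall id,pc (exists pr,s MO(id,pc,pr,s) -> EF K_C exists o PO(id,pc,o,shipped))
PO_EVENTUALLY_SHIPPED = AG(('forall', '?id', ('forall', '?pc', ('imp', MO_SOME,
    EF(('K', 'C', exists('?o', ('P', 'PO', ('?id', '?pc', '?o', 'shipped')))))))))

# The two structures of the bisimulation counterexample, made finite: P' cycles a, b, a, ...;
# P_CHAIN uses a fresh value at each step and then stays empty (constructed truncation).
PHI = AG(('forall', '?x', ('imp', ('P', 'P', ('?x',)), ('AX', AG(('not', ('P', 'P', ('?x',))))))))
P_PRIME = Model(states={'sa': {'P': frozenset({('a',)})}, 'sb': {'P': frozenset({('b',)})}},
                trans={'sa': {'sb'}, 'sb': {'sa'}}, views={'M': ('P',)})
P_CHAIN = Model(states={'s1': {'P': frozenset({(1,)})}, 's2': {'P': frozenset({(2,)})},
                        's3': {'P': frozenset()}},
                trans={'s1': {'s2'}, 's2': {'s3'}, 's3': {'s3'}}, views={'M': ('P',)})
```

`sat(order_to_cash(1), MO_MATCHES_PO)` contains `s0`, while `sat(order_to_cash(2), MO_MATCHES_PO)` does not: with `mo_id = 2` the manufacturer holds an MO whose id matches no PO, so the implication fails in `s1` and `AG` fails from the initial state. On the counterexample, `sat(P_PRIME, PHI)` is empty whereas every state of `P_CHAIN` satisfies `PHI`; the one-step variant `AG ∀x (P(x) → AX ¬P(x))` holds in both, which is exactly the distinction bisimulation cannot see. `AG` and `EF` are derived as $\neg E(\top\, U\, \neg\varphi)$ and $E(\top\, U\, \varphi)$.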
Uniformity
• An AC-MAS $\mathcal{P}$ is uniform iff for $s, t, s' \in S$ and $t' \in \mathcal{D}(U)$:
◮ $s \rightarrow t$ and $s \oplus t \simeq s' \oplus t'$ imply $s' \rightarrow t'$
[figure: $s = \{(a, b), (b, c), (d, e)\} \rightarrow t = \{(a, f), (f, c)\}$; $s' = \{(1, 2), (2, c), (4, 5)\}$ and $t' = \{(1, 6), (6, c)\}$; since $s \oplus t \simeq s' \oplus t'$, uniformity requires $s' \rightarrow t'$]
• Intuitively, the behaviour of uniform AC-MAS is independent from data not explicitly named in the system description.
• Uniform AC-MAS cover a vast number of interesting cases [2, 4].
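The three relations that drive the abstraction, isomorphism $\simeq$, bisimulation $\approx$ and the uniformity condition, can all be decided on a finite explicit-state fragment. The following is an added example (not code from the slides or from the ACSI project) that implements the database notions from the semantics section (active domain, the composition $D \oplus D'$), the isomorphism check from the definition above (brute force over bijections that fix the constants $C$), bisimulation as a greatest fixpoint over temporal and epistemic successors, and the uniformity check with $t'$ restricted to the listed states rather than all of $\mathcal{D}(U)$. The `Model` class, the `cycle` helper and all sample data are constructed for this example.

```python
"""Isomorphism, bisimulation and uniformity for finite explicit-state AC-MAS.

Added example (not code from the slides).  A state is a database instance
(dict rel -> frozenset of value tuples); a Model lists its states, the
temporal transitions and each agent's local schema (the relations it sees).
The slides' systems are infinite in general; these checks only apply to
finite fragments, and is_uniform quantifies t' over listed states only.
"""
from dataclasses import dataclass
from itertools import permutations


@dataclass
class Model:
    states: dict  # name -> instance
    trans: dict   # name -> set of successor names
    views: dict   # agent -> tuple of relation names in its local schema (same agents in both models)


def adom(inst):
    """Active domain: every value occurring in some tuple of the instance."""
    return frozenset(v for tuples in inst.values() for tup in tuples for v in tup)


def compose(s, t):
    """s (+) t: the (D u D')-instance reading P from s and the primed copy P' from t."""
    return {**s, **{rel + "'": tuples for rel, tuples in t.items()}}


def isomorphic(s, t, constants=frozenset()):
    """s ~= t: some bijection adom(s) u C -> adom(t) u C, identity on C, maps s onto t.
    Brute force over all bijections; fine for the hand-sized instances used here."""
    if s.keys() != t.keys() or (adom(s) & constants) != (adom(t) & constants):
        return False
    src = sorted(adom(s) - constants, key=repr)
    tgt = sorted(adom(t) - constants, key=repr)
    if len(src) != len(tgt):
        return False
    for image in permutations(tgt):
        iota = dict(zip(src, image))  # constants are left untouched by iota.get(v, v)
        renamed = {rel: frozenset(tuple(iota.get(v, v) for v in tup) for tup in tuples)
                   for rel, tuples in s.items()}
        if renamed == t:
            return True
    return False


def _successors(m, x, rel):
    """R-successors of x: temporal ('->') or epistemic (an agent name: same local view)."""
    if rel == '->':
        return m.trans[x]
    view = lambda y: tuple(m.states[y].get(r, frozenset()) for r in m.views[rel])
    return {y for y in m.states if view(y) == view(x)}


def bisimilar(m1, m2, constants=frozenset()):
    """Largest relation ~ in states(m1) x states(m2) (greatest fixpoint): isomorphic pairs
    whose temporal and epistemic successors match with s(+)t ~= s'(+)t', in both directions."""
    pairs = {(x, y) for x in m1.states for y in m2.states
             if isomorphic(m1.states[x], m2.states[y], constants)}
    rels = ['->'] + sorted(m1.views)

    def simulated(ma, x, mb, y, flip):  # every R-successor of x is matched by one of y
        for R in rels:
            for xt in _successors(ma, x, R):
                if not any(((yt, xt) if flip else (xt, yt)) in pairs
                           and isomorphic(compose(ma.states[x], ma.states[xt]),
                                          compose(mb.states[y], mb.states[yt]), constants)
                           for yt in _successors(mb, y, R)):
                    return False
        return True

    while True:
        keep = {(x, y) for x, y in pairs
                if simulated(m1, x, m2, y, False) and simulated(m2, y, m1, x, True)}
        if keep == pairs:
            return pairs
        pairs = keep


def is_uniform(m, constants=frozenset()):
    """s -> t and s(+)t ~= s'(+)t' must imply s' -> t' (t' ranging over the listed states)."""
    for s in m.states:
        for t in m.trans[s]:
            st = compose(m.states[s], m.states[t])
            for s2 in m.states:
                for t2 in m.states:
                    if t2 not in m.trans[s2] and isomorphic(
                            st, compose(m.states[s2], m.states[t2]), constants):
                        return False
    return True


def cycle(values):
    """Constructed model: one agent M seeing P; state k holds P(values[k]) and steps to k+1 mod n."""
    n = len(values)
    return Model(states={f'c{k}': {'P': frozenset({(v,)})} for k, v in enumerate(values)},
                 trans={f'c{k}': {f'c{(k + 1) % n}'} for k in range(n)},
                 views={'M': ('P',)})
```

The isomorphism example from the slides checks out with `isomorphic({'R': {(a,b),(b,c),(d,e)}}, {'R': {(1,2),(2,'c'),(4,5)}}, constants={'c'})`. A two-value cycle and a three-value cycle are bisimilar (every state has exactly one fresh successor), but the three-cycle is not uniform: $c_0 \oplus c_2 \simeq c_0 \oplus c_1$ while $c_0 \rightarrow c_1$ and $c_0 \not\rightarrow c_2$, so the transition function does depend on which unnamed value is chosen. A model whose last state loops on the same value is not bisimilar to the two-cycle, because $s \oplus t$ with $s = t$ cannot be isomorphic to a composition of two states with distinct values.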