Diagnostic Information for Control-Flow Analysis of Workflow Graphs (aka Free-Choice Workflow Nets) Cédric Favre(1,2), Hagen Völzer(1), Peter Müller(2) (1) IBM Research - Zurich (2) ETH Zurich 1
Outline • Problem - Control-flow analysis of business process models • Contribution - Graphical in-model diagnostic information for control-flow errors • Conclusion and Outlook 2
A Business Process Model (1/2) 3
A Business Process Model (2/2) • Usage of a business process model - Execution on a process engine - Simulation - Documentation • Up to 50% of the processes contain a control-flow error 4
Workflow Graph and Corresponding Free-Choice Workflow Net • Workflow graph - control flow graph (flow chart) with unique source and sink - concurrent fork and join (besides alternative choice and merge) - maps the core of process languages, but not all 5
Control-Flow Errors / Soundness
(Local) deadlock
• A token blocked in the graph (figure labels: XOR-join, XOR-split)
Lack of synchronization
• Two tokens on one edge, aka unsafeness (figure labels: AND-join, AND-split)
Sound
• no deadlock and no lack of synchronization
• Soundness guarantees that the workflow terminates with a unique token on the sink (when loops are terminating) 6
Simplest Examples Sound Unsound 7
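The two error classes above are easiest to understand by playing the token game on the simplest graphs. The following is an added example, not code from the slides or from the authors' tool: a tiny workflow-graph model (tokens sit on edges; XOR nodes choose or merge one branch, AND nodes fork or join all branches) and a breadth-first exploration of its reachable markings that reports a deadlock (tokens left, nothing enabled, sink not uniquely marked) or a lack of synchronization (a step would put a second token on an edge). The node kinds, the `WorkflowGraph` class and the three sample graphs are constructed for this example. Exploration is cut off at the first unsafe marking, so the marking space stays finite even for graphs with loops.

```python
from collections import deque


class WorkflowGraph:
    """Constructed, minimal workflow-graph model (not the slides' tooling).
    Node kinds: 'source', 'sink', 'task', 'xor_split', 'xor_join', 'and_split', 'and_join'.
    A marking is the set of edges currently holding a token (safe markings only)."""

    def __init__(self, kinds, edges):
        self.kind = dict(kinds)
        self.edges = list(edges)

    def ins(self, n):
        return [e for e in self.edges if e[1] == n]

    def outs(self, n):
        return [e for e in self.edges if e[0] == n]

    def only(self, kind):
        return next(n for n, k in self.kind.items() if k == kind)


def firings(g, marking):
    """Yield every step (consumed edges, produced edges) enabled in `marking`."""
    for n, kind in g.kind.items():
        if kind in ('source', 'sink'):
            continue
        ins, outs = g.ins(n), g.outs(n)
        if kind == 'and_join':                      # needs a token on every incoming edge
            if not all(e in marking for e in ins):
                continue
            options = [tuple(ins)]
        else:                                       # any single incoming token enables the node
            options = [(e,) for e in ins if e in marking]
        for consumed in options:
            if kind == 'xor_split':                 # exclusive choice: exactly one outgoing edge
                for e in outs:
                    yield consumed, (e,)
            else:                                   # task, joins, AND-split: all outgoing edges
                yield consumed, tuple(outs)


def check_soundness(g):
    """Breadth-first exploration of reachable markings.
    Returns ('sound', []), ('deadlock', blocked_edges) or
    ('lack of synchronization', edges_that_would_hold_two_tokens)."""
    initial = frozenset(g.outs(g.only('source')))
    final = frozenset(g.ins(g.only('sink')))
    seen, queue = {initial}, deque([initial])
    while queue:
        m = queue.popleft()
        steps = list(firings(g, m))
        if not steps:
            if m != final:                          # tokens left but nothing can fire
                return 'deadlock', sorted(m)
            continue                                # proper termination: one token on the sink edge
        for consumed, produced in steps:
            rest = m - frozenset(consumed)
            clash = [e for e in produced if e in rest]
            if clash:                               # second token on an edge: unsafe
                return 'lack of synchronization', clash
            nxt = rest | frozenset(produced)
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return 'sound', []


# Constructed examples mirroring the simplest sound/unsound shapes: the same six edges,
# with only the kinds of the split node x and the join node j changed.
EDGES = [('s', 'x'), ('x', 'a'), ('x', 'b'), ('a', 'j'), ('b', 'j'), ('j', 't')]
SOUND = WorkflowGraph(
    {'s': 'source', 'x': 'xor_split', 'a': 'task', 'b': 'task', 'j': 'xor_join', 't': 'sink'}, EDGES)
DEADLOCK = WorkflowGraph(   # XOR-split feeding an AND-join: the join waits forever
    {'s': 'source', 'x': 'xor_split', 'a': 'task', 'b': 'task', 'j': 'and_join', 't': 'sink'}, EDGES)
UNSAFE = WorkflowGraph(     # AND-split feeding an XOR-join: two tokens reach the sink edge
    {'s': 'source', 'x': 'and_split', 'a': 'task', 'b': 'task', 'j': 'xor_join', 't': 'sink'}, EDGES)

if __name__ == '__main__':
    for name, g in [('sound', SOUND), ('deadlock', DEADLOCK), ('unsafe', UNSAFE)]:
        print(name, check_soundness(g))
```

This is the state-space approach the later slides contrast with: the returned edges are a usable counterexample for these tiny graphs, but for a real model the offending marking says little about which structure caused it, which is what the graphical error patterns address.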
A Complex Sound Example 8
Workflow Graph and Corresponding Free-Choice Workflow Net
• Workflow graph is sound iff the connected version of the corresponding Petri net is
- safe = no two tokens on the same place, and
- live = from each reachable marking, for each transition t, a marking can be reached that enables t 9
Prior Work
• Approaches based on free-choice Petri net theory
- polynomial time complexity (!)
- no diagnostic information
• Approaches based on state space exploration
- state space explosion (can be successfully addressed)
- provide a counterexample trace as diagnostic information
• detours/build-up not contributing to the error (esp. DFS)
• arbitrary interleaving
• difficult to visualize in the model in case of loops
• Fahland, Lohmann [12]: heuristics can reduce the size of the trace by a factor of 10
• not all modelers have a technical background 10
Anti-Patterns • Modeling manuals show anti-patterns in terms of instructive examples 11
Problem
• Can we build graphical diagnostic information such that:
- every error pattern implies unsoundness
- unsoundness implies the existence of one of the error patterns
- the patterns capture the essence of these simple examples 12
Outline • Problem • Contribution • Conclusion and Outlook 13
Contribution • New characterization of soundness in terms of offending graph-structures and • Polynomial-time algorithm that - returns one of the graph structures for each unsound graph • Experimental evaluation 14
Overview of Error Patterns (figure: path to sink with AND/XOR handle; empty siphon; DQ-siphon with XOR/AND handle) 15
Handle
• A handle on a subgraph G is a directed path from an element a of G to another element b of G that is disjoint from G apart from its start and end (figure)
• AND/XOR handle refers to the logic of the start and end node 16
Error Patterns (1/3) Path from some node to sink with AND/XOR-handle 17
Siphon
• A subgraph G such that each transition that adds a token to G also takes a token from G
- for an XOR node in G, all incoming edges belong to G
- for an AND node in G, at least one incoming edge belongs to G
• An empty siphon will remain empty 18
Error Patterns (2/3) A siphon that does not contain the source (figure label: empty) 19
DQ Siphon
• A DQ-siphon is a siphon G such that no AND-split has more than one outgoing edge in G (figure: not a DQ-siphon)
• the number of tokens in a DQ-siphon is always 1 or less 20
Error Patterns (3/3) A DQ siphon with an XOR/AND handle 21
Structural characterization of soundness
• A workflow graph is unsound iff one of the following statements holds:
1. There exists a siphon that is not initially marked
2. There exists a DQ siphon with an XOR/AND handle
3. There exists a simple path to the sink with an AND/XOR handle 22
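Pattern 3 of the characterization is the one that can be searched for with plain graph algorithms, so here is an added example (not code from the slides or the authors' tool) that implements the handle definition from the Handle slide and uses it to look for a simple path to the sink with an AND/XOR handle. `find_handle` is written for an arbitrary node set with its own edge set, so the same routine can be pointed at a DQ siphon with `start_kind='xor_split', end_kind='and_join'` for pattern 2, which goes beyond the path case shown here. The node-kind names, the two sample graphs and the function names are constructed for this example; the path enumeration is brute force and only meant for small graphs.

```python
from collections import deque

# Constructed workflow graphs (node kinds plus directed edges), not taken from the slides.
# UNSAFE: AND-split x feeds tasks a and b, which merge at XOR-join j (lack of synchronization).
UNSAFE_KIND = {'s': 'source', 'x': 'and_split', 'a': 'task', 'b': 'task', 'j': 'xor_join', 't': 'sink'}
EDGES = [('s', 'x'), ('x', 'a'), ('x', 'b'), ('a', 'j'), ('b', 'j'), ('j', 't')]
# DEADLOCK: same edges, XOR-split feeding an AND-join; this one is not a pattern-3 instance.
DEADLOCK_KIND = {'s': 'source', 'x': 'xor_split', 'a': 'task', 'b': 'task', 'j': 'and_join', 't': 'sink'}


def successors(edges):
    succ = {}
    for u, v in edges:
        succ.setdefault(u, []).append(v)
    return succ


def find_handle(kind, edges, nodes, start_kind, end_kind, sub_edges=None):
    """Find a handle on the subgraph given by `nodes` and `sub_edges` (default: the
    consecutive pairs of `nodes`, i.e. a path): a directed path from a node of kind
    `start_kind` to a different node of kind `end_kind`, both in the subgraph, that
    uses no subgraph edge and whose interior nodes lie outside the subgraph.
    Returns the handle as a node list, or None."""
    succ = successors(edges)
    inside = set(nodes)
    sub_edges = set(sub_edges) if sub_edges is not None else set(zip(nodes, nodes[1:]))
    for start in nodes:
        if kind[start] != start_kind:
            continue
        parent, queue = {start: None}, deque([start])
        while queue:
            u = queue.popleft()
            for v in succ.get(u, []):
                if (u, v) in sub_edges or v in parent:
                    continue
                parent[v] = u
                if v in inside:                     # re-entered the subgraph: only valid as the end node
                    if kind[v] == end_kind:
                        handle = [v]
                        while parent[handle[-1]] is not None:
                            handle.append(parent[handle[-1]])
                        return handle[::-1]
                    continue
                queue.append(v)
    return None


def simple_paths_to_sink(kind, edges, start):
    """All simple (cycle-free) paths from `start` to the unique sink."""
    succ = successors(edges)
    sink = next(n for n, k in kind.items() if k == 'sink')
    paths = []

    def dfs(path):
        if path[-1] == sink:
            paths.append(list(path))
            return
        for v in succ.get(path[-1], []):
            if v not in path:
                path.append(v)
                dfs(path)
                path.pop()

    dfs([start])
    return paths


def path_to_sink_with_and_xor_handle(kind, edges):
    """Error pattern 3: a simple path to the sink carrying an AND/XOR handle, i.e. a handle
    that leaves the path at an AND-split and rejoins it at an XOR-join.
    Returns (path, handle) or None."""
    for start in kind:
        for path in simple_paths_to_sink(kind, edges, start):
            handle = find_handle(kind, edges, path, 'and_split', 'xor_join')
            if handle:
                return path, handle
    return None


if __name__ == '__main__':
    print(path_to_sink_with_and_xor_handle(UNSAFE_KIND, EDGES))    # (['s', 'x', 'a', 'j', 't'], ['x', 'b', 'j'])
    print(path_to_sink_with_and_xor_handle(DEADLOCK_KIND, EDGES))  # None
```

The returned pair is exactly the kind of in-model diagnostic the slides argue for: a path and a handle are subgraphs that can be highlighted in the editor, whereas a counterexample trace from state-space exploration would have to be mapped back onto the model first.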
Strongly Related to and Making Use of
• Esparza/Silva [9] characterization:
- A strongly connected free-choice net is safe and live iff none of the following exist:
• an empty siphon
• a circuit with a T/P handle
• a circuit with a P/T handle without bridges 23
Contribution • New characterization of soundness in terms of offending graph-structures and • Polynomial-time algorithm that - returns one of the graph structures for each unsound graph • Experimental evaluation 24
Known Algorithm - Based on the Rank Theorem (flowchart)
• Check for empty siphons: empty siphon found → unsound
• Decomposition into S-components: decomposition fails → unsound
• Check rank equation: holds → sound; fails → unsound 25
New Algorithm (flowchart)
• Check for empty siphons: empty siphon found → unsound
• Decomposition into S-components: decomposition fails → unsound
• Check rank equation: holds → sound; fails → reduce & decompose into S-components → unsound 26
Decomposition into S-Components
• A sound graph is decomposable into sequential components
• Each S-component always holds exactly one token
• The decomposition can be computed in polynomial time 27
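To make the siphon, DQ-siphon and S-component definitions from the preceding slides concrete, here is an added example on the Petri-net side (not code from the slides or the authors' tool). It models a place/transition net, tests the siphon condition (every transition that puts a token into S also takes one out of S), the DQ restriction (no transition puts more than one token into S), the token-conservation property of an S-component, and enumerates minimal unmarked siphons, which is pattern 1 of the characterization. The `PetriNet` class, the function names and the two sample nets are constructed for this example; the siphon enumeration is brute force over place subsets and only meant for toy nets.

```python
from itertools import combinations


class PetriNet:
    """Constructed minimal place/transition net (not the slides' tooling).
    transitions: name -> (input places, output places); initial: initially marked places."""

    def __init__(self, places, transitions, initial):
        self.places = frozenset(places)
        self.transitions = {t: (frozenset(i), frozenset(o)) for t, (i, o) in transitions.items()}
        self.initial = frozenset(initial)

    def preset(self, S):    # transitions that add a token to some place of S
        return {t for t, (i, o) in self.transitions.items() if o & S}

    def postset(self, S):   # transitions that take a token from some place of S
        return {t for t, (i, o) in self.transitions.items() if i & S}


def is_siphon(net, S):
    """•S ⊆ S•: whoever feeds S also drains S, so an empty S stays empty forever."""
    S = frozenset(S)
    return bool(S) and net.preset(S) <= net.postset(S)


def is_dq_siphon(net, S):
    """A siphon in which no transition (AND-split) has more than one output place in S,
    so S can never hold more than one token."""
    S = frozenset(S)
    return is_siphon(net, S) and all(len(o & S) <= 1 for _, o in net.transitions.values())


def is_s_component(net, S):
    """Token-conservation check for an S-component: every transition touching S has
    exactly one input and one output place in S, and S starts with exactly one token.
    (The strong-connectivity requirement is not checked here.)"""
    S = frozenset(S)
    for i, o in net.transitions.values():
        if (i & S or o & S) and not (len(i & S) == 1 and len(o & S) == 1):
            return False
    return len(S & net.initial) == 1


def minimal_empty_siphons(net):
    """Error pattern 1: siphons that are not initially marked, reported minimally
    (no reported siphon contains another). Brute force over subsets of unmarked places."""
    unmarked = sorted(net.places - net.initial)
    found = []
    for k in range(1, len(unmarked) + 1):           # smaller sets first, so minimality is by construction
        for combo in combinations(unmarked, k):
            S = frozenset(combo)
            if is_siphon(net, S) and not any(m < S for m in found):
                found.append(S)
    return found


# Constructed sound net: p0 -> t_split -> p1 || p2 -> t_join -> pe
PARALLEL = PetriNet(
    ['p0', 'p1', 'p2', 'pe'],
    {'t_split': (['p0'], ['p1', 'p2']), 't_join': (['p1', 'p2'], ['pe'])},
    ['p0'])

# Constructed unsound net: the AND-join t2 needs a token on p2, which is only ever
# produced by t3 inside the loop, so {p2, p3} is a siphon that is never marked.
LOOP = PetriNet(
    ['p0', 'p1', 'p2', 'p3', 'pe'],
    {'t1': (['p0'], ['p1']), 't2': (['p1', 'p2'], ['p3']), 't3': (['p3'], ['p2', 'pe'])},
    ['p0'])

if __name__ == '__main__':
    print(minimal_empty_siphons(PARALLEL))          # []
    print(minimal_empty_siphons(LOOP))              # [frozenset({'p2', 'p3'})]
    print(is_s_component(PARALLEL, {'p0', 'p1', 'pe'}), is_s_component(PARALLEL, PARALLEL.places))
```

The set of all places of PARALLEL is a siphon but not a DQ-siphon (t_split puts two tokens into it), while {p0, p1, pe} and {p0, p2, pe} each conserve exactly one token, which is the S-component decomposition the slide refers to.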
Another Sound Example 28
A Minimal Siphon Generates an S-component (in a Sound Graph)
• A minimal siphon that is not an S-component contains one of two structures (figure)
• From which we obtain an error pattern (figure) 29
Lucky Decomposition Failure of an Unsound Graph 32
Unlucky Decomposition Success of the Same Graph 33
A Reduction Step 34
Decomposition Failure on Reduced Graph (figure panels: decomposition failure; error pattern generated; error pattern on original graph) 35
Algorithm - Conclusion
• Prove that reduction eventually leads to a graph that is not decomposable
• Prove that error patterns in the reduced graph are valid in the original (unreduced) graph
Soundness of N can be decided in time O(|P|^2 * max(|P|,|T|)^3) such that the algorithm returns one of the structural error patterns in case N is unsound. 36
Contribution • New Characterization of soundness in terms of offending graph-structures and • Polynomial-time algorithm such that • Experimental evaluation 37
Experimental Evaluation - Data Set
- 1353 (703 unique original) business process models from the financial domain
- Average number of nodes between 89 and 107 per library
- Several large nets with up to 627 nodes
- 47 nets from library B3 have 200 or more nodes
- Some models have state spaces with more than 1 million states
- We validated the correctness of the results with other model checkers 38
Results • Fast enough to support demanding use cases - checking while modeling - checking while loading entire libraries into workspace • 2-6 times faster than some state space exploration approaches - but those were already fast enough for most use cases 39
Visualization in Modeling Tool 40
Outline • Problem • Contribution • Conclusion and Outlook 41
Conclusion
• Graphical in-model diagnostic information can be obtained in polynomial time
- avoiding some problems of traces
• Limited expressiveness of free-choice (e.g. no races) allows for polynomial-time verification
- sufficient for the data set in the case study
- still applicable in more expressive BPMN models
• Can be combined with SESE decomposition for further error localization (and speed-up) 42
SESE Decomposition • Can be done in linear time • Soundness is compositional wrt SESE blocks • Errors can be localized to a SESE block 43
What is still missing • User study • Soundness under data (except one first paper) • Control-flow errors due to message/event passing across processes (orthogonal) 44