Fabio Patrizi DIS Sapienza - University of Rome

Similar documents
Algorithmic Software Verification

Testing LTL Formula Translation into Büchi Automata

Formal Verification by Model Checking

Software Modeling and Verification

Lecture 2: Universality

logic language, static/dynamic models SAT solvers Verified Software Systems 1 How can we model check of a program or system?

Diagonalization. Ahto Buldas. Lecture 3 of Complexity Theory October 8, Slides based on S.Aurora, B.Barak. Complexity Theory: A Modern Approach.

Formal Verification of Software

Model Checking: An Introduction

Welcome to... Problem Analysis and Complexity Theory , 3 VU

T Reactive Systems: Introduction and Finite State Automata

Formal Verification and Linear-time Model Checking

6.080/6.089 GITCS Feb 12, Lecture 3

1. Nondeterministically guess a solution (called a certificate) 2. Check whether the solution solves the problem (called verification)

Tableau Algorithms for Description Logics

Ensuring Consistency in Long Running Transactions

3515ICT Theory of Computation Turing Machines

INF5140: Specification and Verification of Parallel Systems

Fixed-Point Logics and Computation

Bounded Treewidth in Knowledge Representation and Reasoning 1

Simulation-Based Security with Inexhaustible Interactive Turing Machines

The Halting Problem is Undecidable

CSE 135: Introduction to Theory of Computation Decidability and Recognizability

Counterexample-guided Design of Property-based Dynamic Software Updates

Software safety - DEF-STAN 00-55

The Classes P and NP

6.852: Distributed Algorithms Fall, Class 2

Enforcing Security Policies. Rahul Gera

Introduction to Software Verification

Theoretical Computer Science (Bridging Course) Complexity

Today s Agenda. Automata and Logic. Quiz 4 Temporal Logic. Introduction Buchi Automata Linear Time Logic Summary

Semantic Description of Distributed Business Processes

Turing Machines, Part I

Trust but Verify: Authorization for Web Services. The University of Vermont

Web Data Extraction: 1 o Semestre 2007/2008

Formal verification of contracts for synchronous software components using NuSMV

Runtime Verification for Real-Time Automotive Embedded Software

Introduction to Logic in Computer Science: Autumn 2006

Fundamentals of Software Engineering

Reminder: Complexity (1) Parallel Complexity Theory. Reminder: Complexity (2) Complexity-new

XML Data Integration

Business Process Verification: The Application of Model Checking and Timed Automata

Feature Specification and Automated Conflict Detection

Temporal Logics. Computation Tree Logic

Guiding Principles for Modeling and Designing Reusable Services

The Optimum One-Pass Strategy for Juliet

Program Synthesis is a Game

Analysis of Boolean Programs

Probabilistic Model Checking at Runtime for the Provisioning of Cloud Resources

Combining Software and Hardware Verification Techniques

Automata Theory. Şubat 2006 Tuğrul Yılmaz Ankara Üniversitesi

Specification and Analysis of Contracts Lecture 1 Introduction

A Propositional Dynamic Logic for CCS Programs

A Framework for the Semantics of Behavioral Contracts

MATHEMATICS: CONCEPTS, AND FOUNDATIONS Vol. III - Logic and Computer Science - Phokion G. Kolaitis

Automata on Infinite Words and Trees

System modeling. Budapest University of Technology and Economics Department of Measurement and Information Systems

Reliability Guarantees in Automata Based Scheduling for Embedded Control Software

Business-Driven Software Engineering Lecture 3 Foundations of Processes

Development of dynamically evolving and self-adaptive software. 1. Background

Lecture 1: Oracle Turing Machines

Bounded Cost Algorithms for Multivalued Consensus Using Binary Consensus Instances

Consistent Query Answering in Databases Under Cardinality-Based Repair Semantics

Complexity Theory. Jörg Kreiker. Summer term Chair for Theoretical Computer Science Prof. Esparza TU München

Hint 1. Answer (b) first. Make the set as simple as possible and try to generalize the phenomena it exhibits. [Caution: the next hint is an answer to

Model checking test models. Author: Kevin de Berk Supervisors: Prof. dr. Wan Fokkink, dr. ir. Machiel van der Bijl

Software Verification and Testing. Lecture Notes: Temporal Logics

Patterns for Business Object Model Integration in Process-Driven and Service-Oriented Architectures

Turing Machines: An Introduction

Algebraic Computation Models. Algebraic Computation Models

NP-Completeness and Cook s Theorem

Reducing Clocks in Timed Automata while Preserving Bisimulation

Static Program Transformations for Efficient Software Model Checking

(IALC, Chapters 8 and 9) Introduction to Turing s life, Turing machines, universal machines, unsolvable problems.

Software Engineering using Formal Methods

Handling Fault Detection Latencies in Automata-based Scheduling for Embedded Control Software

On the Modeling and Verification of Security-Aware and Process-Aware Information Systems

A first step towards modeling semistructured data in hybrid multimodal logic

CS154. Turing Machines. Turing Machine. Turing Machines versus DFAs FINITE STATE CONTROL AI N P U T INFINITE TAPE. read write move.

Monitoring Metric First-order Temporal Properties

Environment Modeling for Automated Testing of Cloud Applications

Transcription:

Fabio Patrizi DIS Sapienza - University of Rome

Overview Introduction to Services The Composition Problem Two frameworks for composition: Non data-aware services Data-aware services Conclusion & Research Direction 2

Services Given, modular, decoupled blocks Possibly distributed Interacting Possibility to compose! Service 1 Service 2 Service 3 Service 4 3

Services (2) Examples: A (typical) set of web services over a network A set of interacting autonomous agents 4

The composition Problem Instance: A set of available services A (non available) goal service Solution: An automaton which mimics the goal service, by delegating goal interactions to available services 5

Service composition Community Service 1 Service 2 Service 3 Service 4 (Goal Service) 6

Modeling Services Focus on behavior (vs in/out description) High-level descriptions (e.g.,wsdl, BPEL, process algebra) abstracted as Finite Transition Systems (cf.[vanbreugel&koshkina,06]) Classification: Det, Ndet, Data, No-data 7

Services as TSs NDet recharge With Data/Messages!price(p) go_ahead?carid(x) searchprice(x,p) Guarded Combination passengers drive passengers stop?studid(id) chkstat(id,s) load_unload 8

A Composition framework for Non data-aware services 9

The Roman Model[Berardi & al., 03, 05] Focus on service behavior Atomic actions (abstract conversations) Asynchronous composition Extendible to NDet services (not here) Deterministic Goal service R.Hull, SIGMOD 04 10

The Roman Model (2) A Community of services over a shared alphabet A A (Virtual) Goal service over A Community Goal Service 11

The Roman Model (3) Composite Goal Service REQUIREMENTS: Service 1. If a run is executed by the Goal service, it is executed by the composed service 2. If the Goal service is in a final state, all available services do 12

input_french The Roman Model (4) IN GENERAL: Not just a TS labeling, but a Composite function Service of community histories! output_italian input_french output_italian input_french output_italian 13

Orchestrators Orchestrators are functions of community histories: for each history and current action, select HOW the right TO COMPUTE available service ORCHESTRATORS? Can be thought of as TSs, possibly infinite state 14

Propositional Dynamic Logic PDL[Fischer&Ladner, 79; Kozen&Tiuryn, 90; ]: Á! P Á Á 1 ÆÁ 2 hriá [r]á THEOREM[Berardi & al. 03]: A PDL formula can be built which is SAT iff an orchestrator exists Formulae interpreted over Kripke structures PDL-SAT: find a structure satisfying EXPTIME in the size of 15

Encoding as PDL-SAT i-th available service additional domainindependent conditions is polynomial in the size of services 16

Finding orchestrators (2) Finding an orchestrator in the Roman Model is EXPTIME-complete Membership: Reduction to PDL-SAT[Berardi & al. 03] Hardness: By reducing existence of an infinite computation in LB ATM (EXPTIME-hard) [Muscholl & Walukiewicz 07] 17

Finding orchestrators THEOREM: If an orchestrator exists then there exists one which is finite state[berardi et al. 03] Size at most exponential in the size of services S 0,,S n,s g 18

PDL Drawbacks 1. Only finite state orchestrators 2. Actual tools (e.g., Pellet@Univ. of Maryland) not effective: Extracting models, thus orchestrators, not a trivial task: for efficiency reasons, only portions of the model are stored during tableaux construction 19

Service Composition Via Simulation 20

Simulation Relation Given TS 1 and TS 2 s 1 4 s 2 iff: 1. s 1 final implies s 2 final 2. For each transition s 1! a s 1 in TS 1, there exists a transition s 2! a s 2 in TS 2 s.t. s 1 4 s 2 TS 1 is simulated by TS 2 iff s 0 1 4 s 0 2 21

Simulation Relation, informally TS 2 TS 1 c a b c c a a b b TS 2 behaviors include TS 1 s 22

Composition via Simulation PDL Encoding contains the idea of simulation. The composition problem can be reduced to search for a simulation of the target service by the available services asynchronous product [Berardi et al., 07] S t 4 S 1 S n? 23

Composition via Simulation (2) Community Asynchronous product X Largest Simulation Relation Target Service Compute Simulation (if any) 24

Composition via Simulation (3) 25

Orchestrators from Simulation Computing simulation is P in # of states # of states is S n Complexity refinement (wrt PDL-Sat): max # of states We get ALL orchestrators! O(S n+1 ) Exponential in number of services # of available services EXPTIME, thus still optimal wrt worst-case 26

Orchestrators from Simulation (2) ALL orchestrators Just-in-time composition Can deal Largest with Simulation failures Relation Orchestrator Generator Community 27

Extension: ND-Simulation Non-det services (but det target) Generalization: ND-simulation Simulation preserved regardless of ND action outcomes TS 1 b a TS 2 b a a c,b c 28

ND-Orchestrator Target service a b Observe actual state a service 1 a b service 2 b 29

Tools for computing (ND-) orchestrators Effective techniques & synthesis tools developed by the verification community: TLV [Pnueli & Shahar 96] Based on symbolic OBDD representation Conceptually based on simulation technique 30

Application Scenarios Web service composition[berardi et al., 07] An implementation from BPEL specifications @ DIS Distributed agents in a common environment, with failures(work in preparation) 31

Unfortunately many services deal with data 32

Dealing with data Examples: Agents need to exchange messages (e.g., position, battery level, ) Web services take input messages (e.g., users subscribing a service) and return output messages (e.g., pricelist) 33

Dealing with data (2) REMARK: Infinitely many messages may give raise to infinitely many states PROBLEM: Finite-state property no longer holds We expect to get undecidability 34

COLOMBO[Berardi & al., VLDB 05] A general framework for web services with messages Basic results in data-aware composition Asynchronous, Deterministic, finite-state services with messaging Messages from infinite domains (Key-based) Access to a database through atomic processes (i.e., parametric actions) 35

COLOMBO (2) getincome Guarded automata Deterministic Messaging Invoke atomic processes Designed to interact with a client DB: PEOPLE(ssn, name,surname, income) STUDENTS(id,ssn,exams,age,grant) ssn inc id studentdata assigngrant studinc AS 2 ssn id id ssn studssn AS 1 AS 3 studssn studid Atomic (transationally) Stateless Can read, insert, studid delete or modify single tuples studelig checkeligibility Data from infinite domains: Dom =, Dom, Bool; id elig AS 4 studid 36

Atomic processes getincome I:ssn; O:inc Effects: inc := PEOPLE 3 (ssn) Interface specification checkeligibility I:id; O:eligibility Effects: if (STUDENT 4 (id) == true) then eligibility := true else eligibility := false assigngrant I:id Effects: either modify STUDENT 4 (id, false) or no-op Conditional effects - over local variables / accessed values Nondeterministic effects (Finite branching) - due to incomplete abstract model 37

Available services From client / service From / to same atomic process AS 1? studssn(ssn) getincome(ssn,inc) State: automaton state + variable configuration inc < 1000! msg( accepted ) inc >= 1000! msg( rejected ) To client / service 38

Synchronization 1. Wait for incoming messages (length-1 queues) 2. Execute a fragment of computation 3. After sending a message, either: Terminate (in a final state) or Go to 1. Client starts by sending a message Available services wait 39

System Execution No external modifications C C S S 1 S 3 S 2 S 4 AP 1 AP 2 DB AP 3 Linkage: set of inter-service communication channels (one-to-one only) 40

Execution Tree A system: S=h C, { S 1,,S n }, L i Infinite tree evolution: Nodes are snapshots of service + DB states Edges are labeled by: Ground messages Process invocations DB states (pre / post transition) 41

Execution Tree (2) 42

Execution Trees Essence Project the Execution Tree onto: Messages to/from client C S S 1 Atomic process invocations S 3 S 2 S 4 Effects on DB AP 1 AP 2 AP 3 DB REMARK: internal messages collapse! 43

System Equivalence C DB C DB Two systems are equivalent iff they have isomorphic essences! (Equivalent in terms of what is observable) 44

The Composition Problem in COLOMBO C C G GOAL: Messages Atomic processes MEDIATOR: Messages only COMPOSITION PROBLEM: Build a linkage and a (p,q)-bounded S 1 mediator such that the obtained system is equivalent S 2 M to the goal S 4 SERVICES (including CLIENT): Only messages from/to mediator S 3 45

Solving the Composition Problem in COLOMBO IDEA Reduce to the finite case OBSTACLES: Infinite messages and initial DB yield infinite properties (e.g., send-ground-message) RESTRICTIONS needed 46

Restrictions Bounded # of new values introduced by the client (wrt to initial DB state) Bounded # of DB lookups, depending on # of new values the client introduces REMARK: number of new values are finite, actual values still infinite 47

Symbolic representation Values are referred to by symbols Relevant features of symbols Relationships with All other symbols (wrt, =) Constants occurring in guards 48

Symbolic Value Characterization 7 Relevant constants: {4,15} 5 9 r 11 r 12 r 13 r 21 r 22 r 23 9 11 7 INTUITION: svc = {r 11 >r 12, r 11 <r 13, r 11 <r 21, Under restrictions, a bounded r 11 <r 22, number r 11 =r 23, r 11 >4, of r 11 <15, } symbols is sufficient to represent all executions 12 Relevant constants: {4,15} 8 13 13 14 12 49

Symbolic execution tree Finite set of symbolic DB classes Finite set of states! Finite set of symbols yields finite branchings 50

From Infinite to Finite Each actual enactement has a symbolic counterpart! 51

Solution Technique & Issues (p,q)-bounded mediator: At most p states and q variables Reduction to PDL-Sat, with underconstrained variables To be guessed Represent existence of links and mediator behavior Upper bound double-exptime in p,q, size of target and community services: Expect to get rid of p,q Derivable from target and available services structure? Complexity can be refined with a more efficient encoding? 52

Conclusion & Future Directions Good understanding of behavioral composition: Optimal technique for deterministic scenarios Ongoing extension to nondeterministic contexts w/ failures Starting point for data-aware services: General framework and first results, but severe restrictions Relax key-based access assumption? Remove, or derive, mediator bounds? Investigate over decidability bounds Flexible solutions PDL technique returns only one solution, what about simulation? Reasoning about infinite state systems Abstraction (cf., e.g., [Pnueli & al, VMCAI 05], [Kesten&Pnueli, 00]) 53

Thanks For Your Attention! Questions? 54

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information