# Verification of Graph Transformation Systems Arman Sheikholeslami

## Presentation on theme: "Verification of Graph Transformation Systems Arman Sheikholeslami"— Presentation transcript:

Verification of Graph Transformation Systems Arman Sheikholeslami armanpts@mail.upb.de

Graph and GTS

Seminar Advanced Verification Techniques - Winter term 2012/13 - University of Paderborn

Chess

[Figure: two board fragments (cells A6, A7, A8, B7, B8 holding a Pawn and a Rook), the second labelled "Transformed!": a chess move seen as a graph transformation.]

How does a transformation work?

A rule consists of a left-hand side (LHS) and a right-hand side (RHS). When the LHS occurs as a sub-graph of the host graph G, that occurrence is replaced by the RHS, which gives the result graph H.

[Figure: the pawn-move rule (LHS: Pawn on A7 with A6 next to it; RHS: Pawn on A6) applied to a host graph G with cells A5, A6, A7, producing H.]

Formalization of GTS

Algebraic approach
- Single push-out (SPO): if deleting a node would leave a dangling edge, the node is deleted along with the dangling edge.
- Double push-out (DPO): if deleting a node would leave a dangling edge, the rule is not applied. Not applicable in chess!

[Figure: the same rule (LHS, RHS) applied to G under SPO and under DPO, with the resulting H for each.]
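The SPO/DPO difference above, as an added example that is not part of the slides: a small Python rule-application engine for labelled graphs. The graphs, the rules and the chess host graph (a Pawn on A7, A7 next to A6, and a Rook with a "guards" edge to the Pawn) are constructed here; the edge labels, the injective brute-force matcher and the modelling of a capture as deleting the piece node are assumptions of the example. The pawn-move rule behaves identically under both approaches, while the capture rule is refused under DPO because the "guards" edge would dangle and silently deletes that edge under SPO.

```python
"""SPO vs. DPO application of a graph transformation rule.

Added example, not code from the slides. Graphs are labelled directed graphs
(node id -> label, edges as (src, label, dst) triples); rule LHS and RHS share
node ids for preserved nodes. Matching is injective and brute force, which is
fine for board-sized graphs. Chess is modelled only as far as needed: pieces
and cells are nodes; the "on", "next" and "guards" edges are assumptions."""
from itertools import permutations


class Graph:
    def __init__(self, nodes, edges=()):
        self.nodes = dict(nodes)   # node id -> label
        self.edges = set(edges)    # (src, label, dst)


class Rule:
    def __init__(self, name, lhs, rhs):
        self.name, self.lhs, self.rhs = name, lhs, rhs

    def deleted(self):
        """LHS nodes without a counterpart in the RHS: the rule deletes them."""
        return [n for n in self.lhs.nodes if n not in self.rhs.nodes]


def find_matches(lhs, host):
    """Every injective, label-preserving occurrence of lhs in host."""
    lids = list(lhs.nodes)
    for hids in permutations(host.nodes, len(lids)):
        m = dict(zip(lids, hids))
        if all(lhs.nodes[l] == host.nodes[h] for l, h in m.items()) and all(
            (m[s], lab, m[d]) in host.edges for s, lab, d in lhs.edges
        ):
            yield m


def apply_rule(rule, host, m, approach="DPO"):
    """Derive host ==rule,m==> result. Under DPO the step is refused (None) when
    a deleted node still has edges the rule does not delete (dangling
    condition); under SPO those dangling edges go away with the node."""
    lhs, rhs = rule.lhs, rule.rhs
    matched_edges = {(m[s], lab, m[d]) for s, lab, d in lhs.edges}
    gone = {m[n] for n in rule.deleted()}
    dangling = {e for e in host.edges
                if (e[0] in gone or e[2] in gone) and e not in matched_edges}
    if approach == "DPO" and dangling:
        return None
    nodes = {n: lab for n, lab in host.nodes.items() if n not in gone}
    edges = (host.edges - matched_edges) - dangling
    # Nodes only in the RHS are created with fresh ids; preserved ones keep m's image.
    img = dict(m)
    for n, lab in rhs.nodes.items():
        if n not in img:
            fresh = n
            while fresh in nodes:
                fresh += "'"
            nodes[fresh], img[n] = lab, fresh
    edges |= {(img[s], lab, img[d]) for s, lab, d in rhs.edges}
    return Graph(nodes, edges)


def derive(rule, host, approach):
    """All graphs obtainable by one application of rule to host."""
    out = []
    for m in find_matches(rule.lhs, host):
        g = apply_rule(rule, host, m, approach)
        if g is not None:
            out.append(g)
    return out


CELL, PAWN, ROOK = "Cell", "Pawn", "Rook"

# Constructed host graph G: a Pawn on A7, A7 adjacent to A6, and a Rook that
# "guards" the Pawn (an edge no rule below mentions).
G = Graph({"A7": CELL, "A6": CELL, "p": PAWN, "r": ROOK},
          {("p", "on", "A7"), ("A7", "next", "A6"), ("r", "guards", "p")})

# Modelled after Rule X on the slides: the Pawn advances to the next cell.
MOVE = Rule("move",
            Graph({"p": PAWN, "a": CELL, "b": CELL}, {("p", "on", "a"), ("a", "next", "b")}),
            Graph({"p": PAWN, "a": CELL, "b": CELL}, {("p", "on", "b"), ("a", "next", "b")}))

# A capture, modelled as deleting the Pawn node: only its "on" edge is in the LHS.
CAPTURE = Rule("capture",
               Graph({"p": PAWN, "a": CELL}, {("p", "on", "a")}),
               Graph({"a": CELL}))

if __name__ == "__main__":
    for rule in (MOVE, CAPTURE):
        for approach in ("DPO", "SPO"):
            print(rule.name, approach, [sorted(g.edges) for g in derive(rule, G, approach)])
```

The matcher enumerates all injective label-preserving maps, so it is exponential in the size of the LHS; for real tools a proper subgraph-isomorphism search is needed, but the push-out logic in `apply_rule` is the same.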

Transition System using SPO

[Figure: three rules, Rule X (Pawn A7 -> A6), Rule Y (Pawn A6 -> A5) and Rule Z (a Pawn P and a Knight K on cells A5, A6, A7 and B5), and the transition system their applications generate from a board holding a Pawn and a Knight.]

Verification of GTS

Verification determines whether the behaviour of a system (its semantics) conforms to its specification (its properties).
- Properties of a GTS: conditions and restrictions a GTS should satisfy.
- Semantics of a GTS: the transition system its rules can produce.

Properties of GTS

Which properties of a GTS can be verified?
- Safety: something bad will never happen, e.g. a forbidden pattern (sub-graph) is never reached.
- Liveness: something good will eventually happen, e.g. deadlock-freedom (the slide also lists security here, though security requirements are usually stated as safety properties: a forbidden configuration is never reached).

[Figure: a board with a Pawn attacking a Knight (cells A5, A6, A7, B5), labelled "Knight hit by Pawn! Unsafe!"]

Intuitively…

[Figure: the transition system generated by rules X, Y and Z from the initial board (Pawn and Knight on cells A5, A6, A7, B5); one of the reachable states contains the hit pattern, labelled "Hit pattern, Unsafe!"]

Technically…

- Semantics: the chess play, given as a transition system (Kripke structure with states A, B, C, D, E).
- Properties: "Avoid getting hit!", given as a temporal-logic formula.
- A model checker takes both and decides whether the property holds.

State space explosion

Problem statement
- A system has several variables, each with a range of possible values.
- A state is assigned to each possible concrete combination of variable values.
- The set of possible states grows combinatorially and becomes too large to enumerate.

This happens in almost every system; that is why we cannot have a complete verification of large systems, e.g. an OS.

Infinite State Space

A worse case of the state space explosion problem: the state set of the system is infinite. An infinite state space is created by rules whose LHS can be found again in their RHS: the rule remains applicable to its own result, so it can fire again and again and produce ever larger graphs.

[Figure: such a rule (LHS, RHS) applied to G, giving an H that still contains the LHS.]

Solutions

- Under-approximation: a subset of the original state set is explored (Bounded Model Checking). A violation found in the subset is a real violation; finding none proves nothing beyond the explored subset.
- Over-approximation: a superset of the original state set is analysed (Shape Graphs, Inductive Invariance). If the superset satisfies the property, so does the system; a violation reported for the superset may be spurious.
- Both are applicable to the State Space Explosion and the Infinite State Space problems.

Bounded Model Checking

[Figure: the chess transition system explored only to depth K=1: only moves of one level are modelled.]

Shape Graphs

To shrink the state space by abstraction, information is discarded; how can it be retrieved to create concrete instances again?
- Local Shape Logic (LSL): a way to express additional information (constraints) about the nodes and edges of a graph.
- A shape graph is an abstract model; concrete instances are built from it based on the shape constraints.
- Still, more than one concrete instance can be produced from a shape graph (over-approximation).

Shape Graphs (example)

[Figure: a concrete board G (Pawn on A7, a Rook, cells A6, A8, B7, B8) is abstracted into a shape graph SG whose node types are Cell, King, Queen, Rook, Pawn, Knight and Bishop. Reproduction from SG yields the original G but also an instance with two Pawns, which the constraint "there is exactly one Pawn" rejects as "Not a valid instance!"]

Inductive Invariance

Investigate whether a transition from a safe state to an error state (forbidden pattern) is possible:
- Apply the rules backwards from the forbidden pattern.
- If a safe state is reached, the property can be violated (it is NOT an inductive invariant).

Instead of the whole graph, only the border of the pattern is investigated (abstraction).

[Figure: two boards with a Pawn (cells A5, A6, A7) and a Knight on B5: the forbidden hit pattern and the safe state reached by applying the pawn rule backwards.]

Inductive Invariant (cont.)

If the property is an inductive invariant:
- no rule can reach the forbidden pattern from a state that does not contain it;
- the system is safe.

If the property is not an inductive invariant:
- the system might still be safe;
- the backward analysis admits any starting graph, reachable or not, so the safe-to-forbidden step it finds may start from a graph the system never reaches (over-approximation).

[Figure: boards with a Bishop (cells D3, D4, D5, E3, E4, E5) and with a Pawn and a Bishop (cells C1, C2, C3, D7, D8).]
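The verification steps of slides 7 to 18 (transition system as semantics, forbidden pattern as safety property, bounded exploration, and the backward inductive-invariant check) on one added example that is not from the slides. States are sets of (piece, cell) pairs rather than full graphs, rules are move functions, and only a Pawn (advancing towards rank 1, as A7 -> A6 on the slides) and a Knight are modelled, with moves onto occupied cells disallowed; all of that, the edge-free state encoding and the start position, are assumptions of the example. Bounded exploration with K=1 reports nothing and K=2 finds the hit pattern; the backward check applies the inverse pawn rule (and the knight rule, which is its own inverse) to every placement of the forbidden pattern and finds a safe predecessor, so "the Knight is never hit" is not an inductive invariant even though reachability analysis can still prove a particular start position safe.

```python
"""Bounded model checking and inductive-invariant checking on a tiny chess GTS.

Added example, not from the slides. A state is a frozenset of (piece, cell)
pairs, a rule is a function yielding successor states; only a white Pawn
(moving towards rank 1) and a black Knight exist, and moves onto occupied
cells are disallowed (assumptions of this example)."""
from functools import partial

FILES = "ABCDEFGH"
KNIGHT_DELTAS = ((1, 2), (2, 1), (-1, 2), (-2, 1), (1, -2), (2, -1), (-1, -2), (-2, -1))
PAWN_FORWARD = ((0, -1),)   # A7 -> A6 as on the slides
PAWN_BACKWARD = ((0, 1),)   # inverse of the pawn rule, for the backward analysis


def cell(f, r):
    """Cell name from 0-based file index and 1-based rank; None when off-board."""
    return f"{FILES[f]}{r}" if 0 <= f < 8 and 1 <= r <= 8 else None


def coords(c):
    return FILES.index(c[0]), int(c[1:])


def move(state, piece, deltas):
    """Generic rule: each `piece` in the state jumps by one of `deltas` onto a
    free on-board cell. Every yielded state is one application of the rule."""
    occupied = {c for _, c in state}
    for p, c in state:
        if p != piece:
            continue
        f, r = coords(c)
        for df, dr in deltas:
            to = cell(f + df, r + dr)
            if to and to not in occupied:
                yield (state - {(p, c)}) | {(p, to)}


# Forward rules (the transition-system semantics) and their inverses; the
# knight's L-jump is symmetric, so it is its own inverse.
RULES = (partial(move, piece="Pawn", deltas=PAWN_FORWARD),
         partial(move, piece="Knight", deltas=KNIGHT_DELTAS))
INVERSE_RULES = (partial(move, piece="Pawn", deltas=PAWN_BACKWARD),
                 partial(move, piece="Knight", deltas=KNIGHT_DELTAS))

START = frozenset({("Pawn", "A7"), ("Knight", "A3")})   # constructed start position


def hit_pattern(state):
    """Forbidden pattern: a Knight on a cell the Pawn attacks, i.e. one rank
    ahead of the Pawn and one file to either side."""
    at = {c: p for p, c in state}
    for c, p in at.items():
        if p == "Pawn":
            f, r = coords(c)
            if any(at.get(cell(f + d, r - 1)) == "Knight" for d in (-1, 1)):
                return True
    return False


def bounded_check(initial, forbidden, k):
    """Bounded model checking: breadth-first exploration of the transition
    system up to depth k. Returns (counterexample trace or None, number of new
    states found per depth). An under-approximation: None only means there is
    no violation within k steps."""
    if forbidden(initial):
        return [initial], [1]
    frontier, seen, per_depth = [(initial, [initial])], {initial}, [1]
    for _ in range(k):
        nxt = []
        for state, trace in frontier:
            for rule in RULES:
                for succ in rule(state):
                    if succ in seen:
                        continue
                    seen.add(succ)
                    nxt.append((succ, trace + [succ]))
                    if forbidden(succ):
                        return trace + [succ], per_depth + [len(nxt)]
        frontier = nxt
        per_depth.append(len(nxt))
    return None, per_depth


def forbidden_instances():
    """Every placement of the hit pattern on an otherwise empty board: only the
    pattern's own border is constrained, the rest of the graph is left open."""
    for f in range(8):
        for r in range(2, 9):
            for d in (-1, 1):
                knight = cell(f + d, r - 1)
                if knight:
                    yield frozenset({("Pawn", cell(f, r)), ("Knight", knight)})


def inductive_check(forbidden, instances):
    """Apply every rule backwards from each forbidden instance. A predecessor
    that is not forbidden is a safe -> forbidden step, so the property is not
    an inductive invariant; returns that (pre, post) pair, or None if no rule
    can produce the pattern from a safe state. Over-approximation: `pre` need
    not be reachable from any start position."""
    for post in instances:
        for inverse in INVERSE_RULES:
            for pre in inverse(post):
                if not forbidden(pre):
                    return pre, post
    return None


if __name__ == "__main__":
    print("K=1:", bounded_check(START, hit_pattern, 1))
    print("K=2:", bounded_check(START, hit_pattern, 2))
    print("inductive?", inductive_check(hit_pattern, forbidden_instances()))
```

The per-depth counts returned by `bounded_check` show the state-space growth the slides warn about, and `inductive_check` never looks at `START` at all: it only asks whether some rule can turn some safe graph into the forbidden pattern, which is exactly why its witness may be unreachable in the concrete system.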

Extensions

What if we need to differentiate elements of a graph from each other?
- Attributes are used to specify the differences.
- Typed Attributed Graphs (TAG) are introduced as an extension.

What if time has a specific effect on the system?
- Simple graphs do not care about time.
- Timed Graphs are introduced as an extension (also an extension of TAG).

Typed Attributed GTS

[Figure: the board graph (Pawn on A7, a Rook, cells A6, A8, B7, B8) with a data node "Black" attached to a piece, indicating its colour.]

Timed GTS

A timed graph transformation (TGT) uses three kinds of rules:
1. Clock Instance Rule: adds clock instances to the graph; using a discrete- or dense-time model (as in timed automata), the passing of time can be expressed.
2. Invariant Rule: restricts the execution of a rule to a specific time interval.
3. Timed Graph Transformation Rule: a normal graph transformation rule.

Timed GTS (example)

[Figure: Rule X (Pawn A7 -> A6) and Rule Y (Rook A8 -> A7) on a board with a Pawn on A7 and a Rook on A8, applied in three steps: 1. apply the Clock Instance rule (a clock instance CI is attached to the graph); 2. apply the Invariant rule (decides "No"/"Yes" whether the transformation may fire in the current interval); 3. apply the Transformation rule.]

Verification of TGTS

[Figure: verification pipeline in three steps: the FO-TCTL property stated over the Timed GTS is reduced to a TCTL property, which a TCTL model checker checks.]

Verification of TGTS (example)

[Figure: the pipeline of the previous slide on the chess example: the Timed GTS unfolds into a sequence of board states (Pawn on A7, Rook on A8, cell A6) carrying clock instances CI and CI_x; the FO-TCTL property is translated to TCTL and handed to the TCTL model checker.]

Questions?!