Towards Domain Refinement for UML/OCL Bounded Verification
Robert Clarisó Universitat Oberta de Catalunya - Spain
Carlos A. González AtlanMod team - Inria, Mines Nantes, LINA - France
Jordi Cabot ICREA - Spain
13th Int. Conf. on Software Engineering and Formal Methods, 8-11 September 2015, York, UK
Motivation
Who? The reader
What? Find Wally
Where? Inside the page
Motivation
Who? A solver
What? Find faults
Where? In a bounded state space
Outline
1. Bounded verification
2. Related work
3. Solution: refinement
4. Experimental results
5. Conclusions
Model-Based Verification
Model M: a UML class diagram (figure: classes A, B, C with associations) plus OCL invariants, for example:
context C inv: self.a->excludes(self)
Property P, for example:
1. Consistent: no contradictions among the constraints
2. Non-redundant: no duplicated (redundant) constraints
Does model M satisfy correctness property P?
Model-based verification: overview
Figure: the designer supplies a model (class diagram), a correctness property and finite bounds to the verification tool. The tool translates them into a formal notation (SAT / CP) and a reasoning engine returns feedback to the designer: an example or “?”, a counterexample or “?” (no answer within the bounds).
Bound selection
Goal: choose “suitable” verification bounds for the solver.
Trade-off (figure): small bounds give fast verification but less confidence; large bounds give more confidence but slow verification.
Bound selection: heuristics
Small scope hypothesis: small bounds are sufficient to detect most faults.
Incremental scoping: repeat the analysis, progressively increasing the bounds.
Our approach: bound refinement
Figure: the same verification tool as in the overview (model, correctness property and finite bounds → formal notation, SAT / CP, reasoning engine → feedback: example or “?”, counterexample or “?”), with one new step: a bound refinement stage takes the finite bounds and produces tighter bounds before the reasoning engine runs.
Related work
Size abstraction (Yu et al., FSE 2007): abstract size-related information to reason about size properties.
Bound propagation (CP solvers, e.g. the interval constraint solver in ECLiPSe): remove unproductive values from the verification bounds.
This work: size abstraction + bound propagation. Size abstraction has targeted size properties and bound propagation CP solvers; here both are combined and applied to arbitrary SAT-based verification.
Running example: production facility
Figure: class diagram with abstract class Machine, subclasses Cutter and Grinder (whose objects have a boolean idle attribute), class Part (attribute serial) and association Uses between Machine and Part.
context Part inv UniqueSerials :
  Part::allInstances()->isUnique(serial)
context Machine inv MachineAvailability :
  Cutter::allInstances()->exists(c | c.idle) and
  Grinder::allInstances()->exists(g | g.idle)
Property: strong satisfiability
“It should be possible to populate each non-abstract class while satisfying all integrity constraints”
Running example: size abstraction
Where size information comes from in the model:
Multiplicities: “4 Parts per Machine”
Generalizations: “All Cutters are Machines”
Invariants: “There is at least one Grinder”
Size abstraction for OCL
An OCL expression refers to the values in an instance of the model; its abstract OCL expression refers only to the size of the model instance. Below, Col stands for the size of the collection col and Exp for the size of the result of the expression.
OCL expression → Abstraction
col->including( object ) → Col <= Exp <= Col + 1
col->exists( var | cond ) → (0 <= Exp <= 1) ∧ ((Col = 0) -> (Exp = 0))
Integer Bound Propagation
V = { x ∈ [0,5], y ∈ [0,7] }
C = { x + y = 7, x + 1 ≥ 2y }
(x ≤ 5) ∧ (x + 1 ≥ 2y) => y ≤ 3
(x ≤ 5) ∧ (x + y = 7) => y ≥ 2
(y ≤ 3) ∧ (x + y = 7) => x ≥ 4
Refinement (1/4)
Domain bounds (one per size variable) and their source in the model:
Machine: number of objects of type Machine
Cutter: number of objects of type Cutter
Grinder: number of objects of type Grinder
Part: number of objects of type Part
Uses: number of links in association Uses
Serial: number of distinct values of attribute Serial
Refinement (2/4)
Constraints over the domain bounds and their source in the model:
Machine = Cutter + Grinder (generalization + abstract class)
Uses ≤ Part * Machine (association Uses)
Uses = 4 * Machine (association end pieces)
Uses ≤ Part (association end device)
Part ≤ Serial (invariant UniqueSerials)
Cutter ≥ 1 (invariant MachineAvailability)
Grinder ≥ 1 (invariant MachineAvailability)
Refinement (3/4)
Domain bounds: initial bound → inferred bound
Machine: [0, ∞) → [2, ∞)
Cutter: [0, ∞) → [1, ∞)
Grinder: [0, ∞) → [1, ∞)
Part: [0, ∞) → [8, ∞)
Uses: [0, ∞) → [8, ∞)
Serial: [0, ∞) → [8, ∞)
Inferred bounds with no user input
Refinement (4/4)
Domain bounds: initial bound → inferred bound
Machine: [0, ∞) → [2, 2]
Cutter: [0, ∞) → [1, 1]
Grinder: [0, ∞) → [1, 1]
Part: [0, ∞) → [8, 8]
Uses: [0, ∞) → [8, 8]
Serial: [0, 10] → [8, 8]
One user choice (Serial ∈ [0, 10]) is sufficient to make the whole state space finite
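The following is an added example, not code from the slides or from the authors' tool: a small integer bound propagator in Python that implements the interval reasoning of the "Integer Bound Propagation" slide and then runs it over the size constraints of the Refinement (2/4) table. Every constraint is written as sum(coef * var) <= const (an equality becomes two inequalities); the single nonlinear constraint, Uses ≤ Part * Machine, gets its own propagator. The representation, the function names (linear_le, linear_eq, refine, ...) and the variable names are my own choices. The two bottom rows of the table, Cutter ≥ 1 and Grinder ≥ 1, are what the exists rule of the size abstraction yields once the invariant is required to hold: Exp = 1 forces Col ≠ 0. On the x/y example the propagator reaches x ∈ [4,5], y ∈ [2,3]; on the production facility it reproduces the inferred lower bounds of Refinement (3/4) with no user input and, once Serial is capped at [0, 10], fixes Machine, Cutter, Grinder and Uses to single values. With the constraints exactly as listed, Part and Serial remain at [8, 10]; the slide's [8, 8] needs a tighter relation between Uses and Part than Uses ≤ Part.

```python
import math
from typing import Dict, List, Tuple

INF = math.inf
Bounds = Dict[str, Tuple[float, float]]   # var -> (lo, hi); hi may be INF
Linear = Tuple[Dict[str, int], float]     # sum(coef * var) <= const


def linear_le(coefs: Dict[str, int], const: float) -> List[Linear]:
    """Constraint sum(coef * var) <= const."""
    return [(coefs, const)]


def linear_eq(coefs: Dict[str, int], const: float) -> List[Linear]:
    """Equality as a pair of <= constraints: lhs <= const and -lhs <= -const."""
    return [(coefs, const), ({v: -c for v, c in coefs.items()}, -const)]


def propagate_linear(bounds: Bounds, coefs: Dict[str, int], const: float) -> bool:
    """Tighten every variable of sum(coef * var) <= const from the others' bounds.

    For a variable x with coefficient a the constraint gives a * x <= const - rest,
    where rest is the smallest value the remaining terms can take.
    """
    changed = False
    for var, a in coefs.items():
        rest = 0.0
        for other, b in coefs.items():
            if other != var:
                lo, hi = bounds[other]
                rest += b * lo if b > 0 else b * hi   # minimum of b * other
        if math.isinf(rest):                          # -inf: nothing to learn here
            continue
        limit = (const - rest) / a
        lo, hi = bounds[var]
        # a > 0 caps x from above; a < 0 flips the inequality and lifts x from below
        new = (lo, min(hi, math.floor(limit))) if a > 0 else (max(lo, math.ceil(limit)), hi)
        if new != (lo, hi):
            bounds[var], changed = new, True
    return changed


def propagate_product_le(bounds: Bounds, u: str, p: str, m: str) -> bool:
    """Tighten u <= p * m over non-negative domains (the 'Uses <= Part * Machine' rule)."""
    (ulo, uhi), (plo, phi), (mlo, mhi) = bounds[u], bounds[p], bounds[m]
    prod_hi = 0 if 0 in (phi, mhi) else phi * mhi    # avoid 0 * INF
    new = {u: (ulo, min(uhi, prod_hi)), p: (plo, phi), m: (mlo, mhi)}
    if ulo > 0 and phi > 0 and mhi > 0:              # p * m >= ulo bounds each factor below
        new[p] = (max(plo, math.ceil(ulo / mhi)), phi)   # ulo / INF == 0.0
        new[m] = (max(mlo, math.ceil(ulo / phi)), mhi)
    changed = any(new[v] != bounds[v] for v in new)
    bounds.update(new)
    return changed


def refine(bounds: Bounds, linear: List[Linear], products=(), max_rounds: int = 1000) -> Bounds:
    """Run all propagators to a fixed point; raise ValueError if some domain becomes empty."""
    bounds = dict(bounds)
    for _ in range(max_rounds):
        changed = False
        for coefs, const in linear:
            changed |= propagate_linear(bounds, coefs, const)
        for u, p, m in products:
            changed |= propagate_product_le(bounds, u, p, m)
        for var, (lo, hi) in bounds.items():
            if lo > hi:
                raise ValueError(f"empty domain for {var}: no instance exists within these bounds")
        if not changed:
            return bounds
    raise RuntimeError("bound propagation did not converge (unbounded domains?)")


def integer_example() -> Bounds:
    """The slide's V = {x in [0,5], y in [0,7]}, C = {x + y = 7, x + 1 >= 2y}."""
    constraints = linear_eq({"x": 1, "y": 1}, 7) + linear_le({"x": -1, "y": 2}, 1)  # x+1 >= 2y
    return refine({"x": (0, 5), "y": (0, 7)}, constraints)


def production_facility(serial_bound=(0, INF)) -> Bounds:
    """Size constraints of the production facility (Refinement 2/4); every domain starts
    at [0, inf) except Serial, which the designer may cap (constructed input)."""
    bounds = {v: (0, INF) for v in ("Machine", "Cutter", "Grinder", "Part", "Uses")}
    bounds["Serial"] = serial_bound
    constraints = (
        linear_eq({"Machine": 1, "Cutter": -1, "Grinder": -1}, 0)  # Machine = Cutter + Grinder
        + linear_eq({"Uses": 1, "Machine": -4}, 0)                  # Uses = 4 * Machine
        + linear_le({"Uses": 1, "Part": -1}, 0)                     # Uses <= Part
        + linear_le({"Part": 1, "Serial": -1}, 0)                   # Part <= Serial
        + linear_le({"Cutter": -1}, -1)                             # Cutter >= 1
        + linear_le({"Grinder": -1}, -1)                            # Grinder >= 1
    )
    return refine(bounds, constraints, products=[("Uses", "Part", "Machine")])


if __name__ == "__main__":
    print(integer_example())
    print(production_facility())           # no user input
    print(production_facility((0, 10)))    # one user choice: Serial in [0, 10]
```

Two details matter in practice. First, the emptiness check in refine is the cheap pre-verification answer the slides hint at: if a domain collapses (try production_facility((0, 7)), where Serial ≤ 7 forces Uses ≤ 7 while Uses ≥ 8), the model is unsatisfiable within those bounds and no solver call is needed. Second, propagation over unbounded integer domains need not terminate (two constraints such as x ≥ y + 1 and y ≥ x + 1 push lower bounds upward forever), so the loop is capped by max_rounds rather than trusted to converge.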
Experimental set-up
Figure: the designer provides a UML model (class diagram) and domain bounds (X = [1,20], Y = [2,15], ...); bound refinement tightens these bounds before verification. Tool chain: UML-based Specification Environment (USE), KodKod model finder, Sat4j SAT solver.
Experimental results: Summary (1/2)
Typical verification time and speed-up from bound refinement, by difficulty of the model and outcome:
Lightly constrained (“Easy”), satisfiable: seconds; no improvement
Lightly constrained (“Easy”), unsatisfiable: seconds; no improvement
Highly constrained (“Hard”), satisfiable: minutes; speed-ups from 1.7x to 11x
Highly constrained (“Hard”), unsatisfiable: hours; speed-ups from 2x to 50x
Overhead of bound tightening: <1 second
Conclusions… in 140 chars
Quick preprocessing to make SAT-based verification faster and more usable. Target: UML/OCL. Up to 50x speed-up. TODO: further experiments.