Towards Domain Refinement for UML/OCL Bounded Verification

Towards Domain Refinement for
UML/OCL Bounded Verification
Robert Clarisó
Universitat Oberta de Catalunya - Spain
Carlos A. González
AtlanMod team - Inria, Mines Nantes, LINA - France
Jordi Cabot
ICREA - Spain
13th Int. Conf on SW Enginerering and Formal Methods
8-11 September 2015, York, UK

Motivation
Who? The reader
What?
Where?
Find Wally
Inside the page

Motivation
Who? A solver
What?
Where?
Find faults
In a bounded
state space

1. Bounded verification
2. Related work
Outline
2. Related work
3. Solution: refinement
4. Experimental results
5. Conclusions

Model M
Model-Based Verification
A B
C
Consistent
No contradictions
A
1
2
Property P
UML
Class diagram
Non-redundant
Lack of duplicities
A B
C
context C inv:
self.a->
excludes(self)
OCL
Invariants
Does model M satisfy correctness property P?

VERIFICATION TOOL
Model-based verification: overview
?
Model
A B
C
Correctness
Formal Notation
SAT / CP
?Correctness
Property
Finite
Bounds
Designer
Feedback
Example or ?
Counterexample or ?
Reasoning Engine

Bound selection
Choose “suitable” verification
bounds for the solver
Goal
CONFIDENCE
EFFICIENCY
BOUNDSSmall Large
Fast Slow
Less More

Bound selection: heuristics
Small bounds are sufficient to
detect most faults
Small scope hypothesis
Repeat analysis progressively
increasing bounds
Incremental scoping

Our approach: bound refinement
VERIFICATION TOOL
Model
A B
C Formal Notation
SAT / CP
Correctness
Property
Finite
Bounds
Reasoning Engine
Feedback
Example or ?
Countexample or ?

Our approach: bound refinement
VERIFICATION TOOL
Model
A B
C Formal Notation
SAT / CP
Correctness
Property
Finite
Bounds
Reasoning Engine
Tighter
boundsBound
refinement
Feedback
Example or ?
Countexample or ?

Related work
Abstract size-related info to
reason about size properties
Size abstraction
Bound propagation
Yu et al (FSE’2007)
CP solvers e.g.
Remove improductive values
from verification bounds
CP solvers e.g.
Interval Constraint Solver in eCLiPSe
This work:
Size abstraction + Bound propagation
Size properties CP solvers
Arbitrary SAT

Running example: production facility
context Part inv UniqueSerials :
Part::allInstances()->isUnique(serial)
context Machine inv MachineAvailability :context Machine inv MachineAvailability :
Cutter::allInstances()->exists(c|c:idle) and
Grinder::allInstances()->exists(g|g:idle)
Property : Strong satisfiability
“It should be possible to populate of each non-abstract class
while satisfying all integrity constraints”

context Machine inv MachineAvailability :
Running example: size abstraction
Multiplicities
“4 Parts per Machine”
Generalizations
“All Cutters are
Machines”
Invariants
“There is at least one Grinder ”

Size abstraction for OCL
OCL Expression Abstract OCL Expression
Refers to the values in
an instance of the model
Refers to the size of the
model instance
OCL expression Abstraction
col->including( object ) Col <= Exp <= Col + 1
col->exists( var | cond ) (0 <= Exp <= 1) ∧
(Col = 0) -> (Exp = 0)

V = { x ∈ [0,5], y ∈ [0,7] }
C = { x + y = 7, x + 1 ≥ 2y }
y
(x ≤ 5) ∧ (x + 1 ≥ 2y)
Integer Bound Propagation
xz
=> y ≤ 3
(x ≤ 5) ∧ (x + y = 7)
=> y ≥ 2
(y ≤ 3) ∧ (x + y = 7)
=> x ≥ 4

Refinement (1/4)
Domain bounds Source
Machine
Cutter
Grinder
Part
Uses
Serial
Number of objects of type Machine
Number of objects of type Cutter
Number of objects of type Grinder
Number of objects of type Part
Number of links in association Uses
Number of distinct values of attribute Serial

Constraint Source
Refinement (2/4)
Constraint Source
Machine = Cutter + Grinder
Uses ≤ Part * Machine
Uses = 4 * Machine
Uses ≤ Part
Part ≤ Serial
Cutter ≥ 1
Grinder ≥ 1
Generalization + Abstract class
Associaton Uses
Association end pieces
Association end device
Invariant UniqueSerials
Invariant MachineAvailability
Invariant MachineAvailability

Refinement (3/4)
Domain bounds Initial Bound Inferred Bound
Machine
Cutter
Grinder
Part
Uses
Serial
[0, ∞)
[0, ∞)
[0, ∞)
[0, ∞)
[0, ∞)
[0, ∞)

Refinement (3/4)
Machine
Cutter
Grinder
Part
Uses
Serial
[0, ∞)
[0, ∞)
[0, ∞)
[0, ∞)
[0, ∞)
[0, ∞)
[2, ∞)
[1, ∞)
[1, ∞)
[8, ∞)
[8, ∞)
[8, ∞)
Inferred
bounds
with no
user input

Refinement (4/4)
Machine
Cutter
Grinder
Part
Uses
Serial
[0, ∞)
[0, ∞)
[0, ∞)
[0, ∞)
[0, ∞)
[0, 10]
[2, 2]
[1, 1]
[1, 1]
[8, 8]
[8, 8]
[8, 8]

Refinement (4/4)
Machine
Cutter
Grinder
Part
Uses
Serial
[0, ∞)
[0, ∞)
[0, ∞)
[0, ∞)
[0, ∞)
[0, 10]
[2, 2]
[1, 1]
[1, 1]
[8, 8]
[8, 8]
[8, 8]
One choice
is sufficient
to bind the
state space

Designer
UML Model
A B
C
Domain Bounds
X = [1,20], Y = [2, 15], ...
Experimental set-up
KodKod Model Finder
Sat4j SAT Solver
UML-based Specification
Environment (USE)

Designer
Domain Bounds
X = [1,20], Y = [2, 15], ...
UML Model
A B
C
Bound refinement
Experimental set-up
KodKod Model Finder
Sat4j SAT Solver
Bound refinement
UML-based Specification
Environment (USE)

Experimental results: Summary (1/2)
Lightly
constrained
(“Easy”)
Satisfiable Unsatisfiable
–
Seconds Seconds
(“Easy”)
Highly
constrained
(“Hard”)
Difficulty +–
+
Minutes Hours

Experimental results: Summary (1/2)
Lightly
constrained
(“Easy”)
Satisfiable Unsatisfiable
No improvement No improvement
(“Easy”)
Highly
constrained
(“Hard”)
Speed-ups from
1,7x to 11x
Speed-ups from
2x to 50x
Overhead of bound tightening: <1 second

Conclusions… in 140 chars
Quick preprocessing to
make SAT-based verification
faster and more usable
Target: UML/OCL
Up to 50x speed-up
TODO: further experiments
Tweet0

Thank you for
your attention!
Robert Clarisó
rclariso@uoc.edu
@robertclariso

Towards Domain Refinement for UML/OCL Bounded Verification

More Related Content

What's hot (20)

Viewers also liked (13)

Similar to Towards Domain Refinement for UML/OCL Bounded Verification (20)

More from rclariso (7)

Recently uploaded (20)

Towards Domain Refinement for UML/OCL Bounded Verification