Where did I go wrong? Explaining errors in process models

Where did I go wrong?

Explaining errors in process models
Niels Lohmann

Verification of processes and services
WS-Adressing

WSDM
WS-CDL

WSCI
WS-TX

WSRM

WS-AT

WS-C

BPEL4People

WS-TX

WSRF
WSFL

WS-Policy

WS-BPEL
WS-Routing

- more aspects and domains = new languages and checks
- domain-speciﬁc approaches are not ﬂexible
- moving target

2

Model checking

general purpose veriﬁcation approach:
1. formalize model and speciﬁcation*
2. push a button

*

can be 
hidden from
the user

3

Effectiveness and efficiency
- model checking works in reality
- successful applications in many domains
!

!

!

!

!

- “verify while you model”

4

Diagnosis
- in case of error: outputs
target state and
produce a witness path
- describes how target
state can be reached
- operational semantics:
can be simulated

target state
witness path
5

Diagnosis: the bad
- paths can become very long
- length correlates with 
size of the model
- reports all events equally:
disregarding importance

6

Reasons for useless paths
detours

interleavings

indisputable parts

depth-ﬁrst search

concurrency

bootstrapping

7

process in Fig. 2 and to which we added a start and an end event. This process model
contains a lack of synchronization error as well as a local deadlock, which are not so
easy to spot in the ﬁrst place.

Running example

M2
M1
J1
F1

lack of synchronization
Fig. 4: Workﬂow graph with deadlock and lack of synchronization errors.
t4

p1

t1

t3

p5

t5

p6

p4

t6

p7

p10
t11
t7
p2
A local deadlockt2is a p3
reachable state s of the process that has a token on p8 incoman
p9
t13
p13
t9
t10
ing edge et8 of an AND-join such that each state that is in turn reachable from s also
p11

6

t12

p12
t14

p14

8

Reduction: obvious parts
- assumption: progress
- classiﬁcation of transitions*
- only report decisions
t4
p1

t1

t3
p2

t2

p5

t5
p6

p4
p10

p3

p7

t11

t7

t9

t13

t10
p11

* not just XOR-gateways!

t12

p8

p13

t14

t8

p9

t6

p14

p12

9

t4
t1

p1

t3
p2

t2

p5

t5
p6

p4
p10

p3

p7

t11

t7

t9

t13

t10
p11

t1

t2

t9

t10

t11

t12

t14

p14

p12

t12

t8

p8

p13

t14

t8

p9

t6

t2

t3

t4

t5

10

t4
t1

p1

t3
p2

t2

p5

t5
p6

p4
p10

p3

p7

t11

t7

t9

t13

t10
p11

t1

t2

t9

t10

“down”

t11

t12

t14

“down”

p14

p12

t12

t8

p8

p13

t14

t8

p9

t6

t2

t3

“up”

t4

t5

10

Table 1. Paths from the checks for local deadlocks

Reduction: obvious checks for local deadlocks
Table 1. Paths from the parts
library

A

avg. path length before / after
max. path length before / after
library
sum of path lengths before / after
reduction

B1

B2

B3

C

17.51 / 1.83
53 / 8
A
1699 / 178
17.51 / 1.83
89.52 %
53 / 8
1699 / 178

17.52 / 2.11
66 / 7
B1
1419 / 171
17.52 / 2.11
87.95 %
66 / 7
1419 / 171

16.06 / 1.54
56 / 6
B2
1349 / 129
16.06 / 1.54
90.44 %
56 / 6
1349 / 129

20.34 / 1.67
54 / 5
B3
1688 / 139
20.34 / 1.67
91.77 %
54 / 5
1688 / 139

13.40 / 2.30
21 / 3
C
134 / 23
13.40 / 2.30
82.84 %
21 / 3
134 / 23

reduction

Table 2. Paths 89.52 % checks for lack of90.44 %
from the
synchronization %
87.95 %
91.77

library

A
B1
B2
B3
Table 2. Paths from the checks for lack of synchronization

82.84 %
C

30.83 / 3.17
10.47 / 0.66
12.16 / 0.68
11.50 / 0.59
51.00 / 7.57
89 / 13
52 / 7
100 / 8
103 / 14
120 / 17
library
A
B1
B2
B3
C
1079 / 111
1047 / 66
1459 / 82
1507 / 77
357 / 53
30.83 3.17
10.47 /
Table 3. Paths /from the 93.70 0.66 noninterference94.89 0.59 51.00 / 7.57
checks for 12.16 / 0.68 11.50 / %
reduction
89.71 %
%
94.38 %
85.15 %
89 / 13
52 / 7
100 / 8
103 / 14
120 / 17
1079 / 111
1047 / 66
1459 / 82
1507 / 77
357 / 53
library
A
B1
B2
B3
C
reduction
89.71 %
93.70 %
94.38 %
94.89 %
85.15 %
12.06 / 2.79
13.82 / 2.55
18.13 / 2.33
14.27 / 2.55
11.27 / 2.33
Information flow security. Furthermore, the/ same business process models were used
44 / 7
70 7
95 / 7
95 / 7
27 / 3
suma recent report [12] on information flow/ security. In / this case study, noninterfer169 / 35
in of path lengths before / after 19699 / 4557 5707 1054 13835 1777 17494 / 3130

ence [13] wasflow security. correctness criterion ensures that decisions from a secure
reduction
76.87 %
87.16 %
82.11 %
79.29 %
Information verified. This Furthermore,81.53same business process models were used
the %

domain cannot be reproduced by investigating public runtime case study, noninterferin a recent report [12] on information flow security. In this information of the busi-

11

Reduction: spurious decisions
p2

p5

p5

p3
p1

p3
p6

p1

p6

p4

- some decisions determine others
- often occurs in non-free choice models
- can be model checked

12

Table 4. Reduced paths from the checks for local deadlocks

Reduction: spurious decisions
library

Table 4. Reduced A
paths from the checks for local deadlocks
B1
B2
B3

library
reduction length before / after
max. path
abortedpath lengths before / after
sum of checks

1.84 / 0.91
8 A2
/
178 / 88
1.84 / 0.91
50.562%
8/
1
178 / 88

2.11 / 0.67
7B1
/1
171 / 54
2.11 / 0.67
68.421%
7/
0
171 / 54

1.54 / 0.57
6B2
/1
129 / 49
1.54 / 0.57
62.79 %
6/1
1290/ 49

1.67 / 0.41
5B3
/1
139 / 34
1.67 / 0.41
75.54 %
5/1
1390/ 34

reduction
aborted checks

Table 5. Reduced

50.56 %
1
paths from

68.42 %
0
the checks for

library

Table 5. Reduced paths from the checks for lack B2 synchronization
of
A
B1
B3

62.79 %
75.54 %
0
0
lack of synchronization

3.17 / 0.86
0.66 / 0.17
0.68 / 0.14
0.59 / 0.09
13A 2
/
7B1
/2
8B2
/2
14 / 2
library
B3
111 / 30
66 / 17
82 / 17
72 / 12
3.17 / 0.86
0.66 / 0.17
0.68 / 0.14
0.59 / 0.09
reduction length before / after
72.97 2
54.552%
79.27 %
84.42 2
max. path
13 / %
7/
8/2
14 / %
abortedpath lengths before / after
1
sum of checks
111 / 30
82 0 17
/
72 0
/
Table 6. Reduced paths from 66 4 checks for noninterference 12
the/ 17
reduction
aborted checks
library

72.97 %
1
A

54.55 %
4
B1

79.27 %
0
B2

84.42 %
0
B3

C
2.30 / 0.90
3C1
/
23 / 10
2.30 / 0.90
60.87 %
3/1
23 0 10
/
60.87 %
0

C
7.57 / 1.00
17 / 2
C
53 / 7
7.57 / 1.00
86.792
17 / %
534/ 7
86.79 %
4
C

could exploitbefore Petri net structure to calculate conflict /clusters 2.55identify 2.33 / 0.40
to / 0.63
possible
avg. path length the / after
2.79 / 0.99
2.55 / 0.75
2.33 0.55
7/2
7/2
7/2
7/2
3/1
conflict transitions. This allowed / for a quick check whether a transition is actually a
4557 1614
1054 / 310
1777 / 423
3130 / 772
35 / 6
could exploit the Petri net structure to calculate conflict clusters to identify possible
conflict.
reduction
64.58 %
70.59 %
76.20 %
75.34 %
82.86 %
conflict transitions. This allowed for aas a sequences of transitions leading to the0goal
However, we still considered 12
paths quick 4check whether a transition is actually a
aborted checks
4
7
conflict.
state. As discussed earlier, this sequence may be an arbitrary linearization of originally

13

Reduction: unorder transitions

- Petri nets have explicit locality
- exploit to derive concurrency
- helps to “distribute” actions to components
- makes synchronization points (milestones) explicit

14

t4
t1

p1

t3
p2

t2

p5

t5
p6

p4
p10

p3

p7

t11

t7

t9

t13

t10
p11

t1

t2

t9

t10

t11

t12

t14

t12

t8

p8

p13

t14

t8

p9

t6

p14

p12

t2

t3

t4

t5
p10

p1

t1

p2

t2

p3

t9

p9

t10

p11

t12

p12

t14

p14

t8

p2

t2

p3

t3

p4

t4

t11

p6

p5

t5

p6

15


16

Summary
- paths can be shortened and uncluttered
- result is a partial order of important decisions
- applicable to any veriﬁcation goal 

Open issues
- error localization vs. explanation
- cyclic behavior
- How should a good diagnosis for $problem
look like?

17

Where did I go wrong? Explaining errors in process models

More Related Content

Similar to Where did I go wrong? Explaining errors in process models (20)

More from Universität Rostock (20)

Recently uploaded (20)

Where did I go wrong? Explaining errors in process models