SLIDE 1 Theoretical Foundations of the UML
Lecture 15+16: A Logic for MSCs Joost-Pieter Katoen
Lehrstuhl für Informatik 2 Software Modeling and Verification Group
moves.rwth-aachen.de/teaching/ss-20/fuml/
June 15, 2020
Joost-Pieter Katoen Theoretical Foundations of the UML 1/41
SLIDE 2 Outline
1. Introduction
2. Local Formulas and Path Expressions: Syntax, Formal Semantics
3. PDL Formulas
4. Verification problems for PDL: Model checking MSCs, Model checking CFMs, Model checking MSGs, Satisfiability
SLIDE 3 Overview
1. Introduction
2. Local Formulas and Path Expressions: Syntax, Formal Semantics
3. PDL Formulas
4. Verification problems for PDL: Model checking MSCs, Model checking CFMs, Model checking MSGs, Satisfiability
SLIDE 4 Local formulas
Definition (Syntax of local formulas)
For communication action σ ∈ Act and path expression α, the grammar of local formulas is given by:
ϕ ::= true | σ | ¬ϕ | ϕ ∨ ϕ | ⟨α⟩ϕ | ⟨α⟩⁻¹ϕ
The syntax of path expressions α will be defined later on.
Definition (Derived operators)
false := ¬true
ϕ1 ∧ ϕ2 := ¬(¬ϕ1 ∨ ¬ϕ2)
ϕ1 → ϕ2 := ¬ϕ1 ∨ ϕ2
[α]ϕ := ¬⟨α⟩¬ϕ
[α]⁻¹ϕ := ¬⟨α⟩⁻¹¬ϕ
(Handwritten annotation on the slide: ⟨α⟩ϕ navigates forward, ⟨α⟩⁻¹ϕ backward; a path expression α is a regular expression that describes the admitted ways to navigate through an MSC.)
SLIDE 5 Path expressions
Definition (Syntax of path expressions)
For local formula ϕ, the grammar of path expressions is given by:
α ::= { ϕ } | proc | msg | α; α | α + α | α*
(Handwritten annotation on the slide: proc navigates vertically, i.e. downwards along a process line; msg navigates horizontally, from a send event to its receive event; { ϕ } tests a local formula at the current event; the inverse modality navigates backwards.)
SLIDE 6 PDL formulas
Definition (Syntax of PDL formulas)
For local formula ϕ, the grammar of PDL formulas is given by: Φ ::= ∃ϕ | ∀ϕ | Φ ∧ Φ | Φ ∨ Φ
Negation
Negation is absent at the level of PDL formulas. As both existential and universal quantification as well as conjunction and disjunction are present, PDL formulas are nevertheless closed under negation: the negation of ∃ϕ is ∀¬ϕ, the negation of ∀ϕ is ∃¬ϕ, and De Morgan's laws handle ∧ and ∨, so negation can always be pushed into the local formulas.
(Handwritten annotation on the slide: ∃ϕ asks whether the MSC contains an event satisfying ϕ.)
SLIDE 7 Intuitive meaning of PDL formulas
MSC M satisfies ∃ϕ if M has some event e satisfying ϕ.
MSC M satisfies ∃⟨α⟩ϕ if from some event e in M there exists an α-labelled path from e to an event e', say, satisfying ϕ.
MSC M satisfies ∃[α]ϕ if from some event e in M, every event that can be reached via an α-labelled path satisfies ϕ.
SLIDE 8 Semantics of PDL formulas
Definition (Semantics of PDL formulas)
Let M = (P, E, C, l, m, <) be an MSC (M ∈ M, the class of all MSCs). (M, Φ) ∈ ⊨ iff PDL formula Φ holds in MSC M:
M ⊨ ∃ϕ iff ∃e ∈ E. M, e ⊨ ϕ
M ⊨ ∀ϕ iff ∀e ∈ E. M, e ⊨ ϕ
M ⊨ Φ1 ∧ Φ2 iff M ⊨ Φ1 and M ⊨ Φ2
M ⊨ Φ1 ∨ Φ2 iff M ⊨ Φ1 or M ⊨ Φ2
SLIDE 10 Example (1)
Property: the (unique) maximal event of M is labeled by ?(2, 1, a). Answers for the two MSCs pictured on the slide: Yes. No.
PDL formula: ∀⟨(proc + msg)*⟩([proc] false ∧ ?(2, 1, a)). Answers: Yes. No.
SLIDE 11 (Handwritten derivation on the slide, for Φ = ∀⟨(proc + msg)*⟩([proc] false ∧ ?(2, 1, a)))
M ⊨ Φ
iff (semantics of PDL formulas) ∀e ∈ E. M, e ⊨ ⟨(proc + msg)*⟩([proc] false ∧ ?(2, 1, a))
iff (semantics of local formulas) ∀e ∈ E. ∃e' ∈ E. (e, e') ∈ ⟦(proc + msg)*⟧ and M, e' ⊨ [proc] false ∧ ?(2, 1, a)
Intuitively: for every event e in the MSC there exists an event e' reachable from e such that e' has no successor at its process, i.e. ¬(∃e''. e' →proc e''), and e' is labeled with ?(2, 1, a), i.e. l(e') = ?(2, 1, a). (*)
SLIDE 12 (Handwritten: checking (*) on the two MSCs of the slide)
M_left ⊨ Φ: take e' = e0; for every e ∈ E we have (e, e0) ∈ ⟦(proc + msg)*⟧ and e0 ⊨ [proc] false ∧ ?(2, 1, a), and similarly for all events in M_left. Thus M_left ⊨ Φ.
M_right: e0' ⊨ [proc] false ∧ ?(2, 1, a), and e0' is the only event in M_right satisfying this formula; but ∀e ∈ E. (e, e0') ∈ ⟦(proc + msg)*⟧ does not hold, as M_right has an event from which e0' is not reachable. Thus M_right ⊭ Φ.
SLIDE 14 (Handwritten derivation on the slide, for Φ = ∃([proc] false ∧ ?(2, 1, a)))
M ⊨ Φ
iff ∃e ∈ E. M, e ⊨ [proc] false ∧ ?(2, 1, a)
iff ∃e ∈ E. M, e ⊨ [proc] false and M, e ⊨ ?(2, 1, a)
iff ∃e ∈ E. (∀e' ∈ E. e →proc e' implies M, e' ⊨ false) and l(e) = ?(2, 1, a)
iff ∃e ∈ E. ¬(∃e' ∈ E. e →proc e') and l(e) = ?(2, 1, a)
M_left ⊨ Φ since l(e0) = ?(2, 1, a) and e0 has no successor at its process; M_right ⊨ Φ in a similar way using e0'.
SLIDE 15 Example (2)
Property: the maximal event on process 2 is labeled by ?(2, 1, a). Answers for the two MSCs pictured on the slide: Yes. Yes.
PDL formula: ∃([proc] false ∧ ?(2, 1, a)). Answers: Yes. Yes.
SLIDE 16 Example (3)
Property: no two consecutive events are labeled with ?(2, 3, c). Answers for the two MSCs pictured on the slide: No. Yes.
PDL formula: ∀[{ ?(2, 3, c) }; proc; { ?(2, 3, c) }] false. Answers: No. Yes.
SLIDE 17 (Handwritten derivation on the slide, for Φ = ∀[{ ?(2, 3, c) }; proc; { ?(2, 3, c) }] false)
M ⊨ Φ
iff ∀e ∈ E. M, e ⊨ [{ ?(2, 3, c) }; proc; { ?(2, 3, c) }] false
iff (using [α]ϕ = ¬⟨α⟩¬ϕ) ∀e ∈ E. M, e ⊨ ¬⟨{ ?(2, 3, c) }; proc; { ?(2, 3, c) }⟩¬false
iff ∀e ∈ E. not (M, e ⊨ ⟨{ ?(2, 3, c) }; proc; { ?(2, 3, c) }⟩ true)
iff ∀e ∈ E. not (l(e) = ?(2, 3, c) and M, e ⊨ ⟨proc; { ?(2, 3, c) }⟩ true)
iff ∀e ∈ E. not (l(e) = ?(2, 3, c) and ∃e' ∈ E. e →proc e' and l(e') = ?(2, 3, c))
M_left ⊭ Φ: take e = e1 and e' = e2; e1 and e2 violate the above formula.
M_right ⊨ Φ: two cases, e = e1' and e = e2'. e1' →proc e2', but l(e2') ≠ ?(2, 3, c); e2' →proc e0', but l(e0') ≠ ?(2, 3, c).
SLIDE 19 Abbreviations (auxiliary formulas, handwritten)
!i,j := ⋁_{a∈C} !(i, j, a), a local formula: "send some message to process j at process i" (the disjunction ranges over the message contents a ∈ C).
?i,j := ⋁_{a∈C} ?(i, j, a): "receive some message from process j at process i".
Pi := ⋁_{j∈P, j≠i} (!i,j ∨ ?i,j): M, e ⊨ Pi iff e occurs at process i.
SLIDE 20 (Handwritten) Path expression asserting that an event satisfying local formula ψ happens an even number of times (0, 2, 4, 6, ...) on some process j:
(({¬ψ}; proc)*; {ψ}; proc; ({¬ψ}; proc)*; {ψ}; proc; ({¬ψ}; proc)*)*
Each iteration of the outer star passes a segment of events not satisfying ψ, one event satisfying ψ, again events not satisfying ψ, a second event satisfying ψ, and again events not satisfying ψ.
SLIDE 21 Example (4)
Property: the number of send events at process 3 is odd. Answers for the two MSCs pictured on the slide: No. No. See the next slide for a PDL formula for a similar property.
SLIDE 22 Example
MSC M has an even number of messages sent from process 1 to 2:
∀([proc]⁻¹ false ∧ P1 → ⟨α⟩[proc] false)
where [proc]⁻¹ false ∧ P1 characterises the minimal event on process 1 and [proc] false the maximal event on its process, and where P1 = ⋁_{j∈P, j≠1} (!1,j ∨ ?1,j) with !1,j = ⋁_{a∈C} !(1, j, a) and ?1,j defined in a similar way, i.e., M, e ⊨ P1 iff e occurs at process 1. Path expression α is defined by:
α = (({¬!1}; proc)*; {!1}; proc; ({¬!1}; proc)*; {!1}; proc; ({¬!1}; proc)*)*
where !1 abbreviates ⋁_{a∈C} !(1, 2, a).
(Handwritten annotation on the slide: the ({¬!1}; proc)* segments of α step over events that are not !1 events.)
SLIDE 23 (Handwritten) The PDL formula ∀(Pi → ⟨proc*; msg; proc*; msg⟩Pj) expresses that process i can "reach" process j by exactly two messages (using intermediate processes).
SLIDE 24 Overview
1. Introduction
2. Local Formulas and Path Expressions: Syntax, Formal Semantics
3. PDL Formulas
4. Verification problems for PDL: Model checking MSCs, Model checking CFMs, Model checking MSGs, Satisfiability
(Handwritten annotation on the slide: two kinds of questions. Model checking: given a PDL formula Φ and an MSC M, does M ⊨ Φ hold? Satisfiability: given a PDL formula Φ, does there exist an MSC M with M ⊨ Φ?)
SLIDE 26 Model checking MSCs
Model checking MSCs versus PDL
[Kern, 2009]
The following model-checking problem is decidable in polynomial time:
Input: MSC M, PDL formula Φ
Output: does M ⊨ Φ?
Proof.
(Sketch.) Let Φ be a PDL formula. In subformulae ⟨α⟩ϕ and ⟨α⟩⁻¹ϕ of Φ, view α as a regular expression over the finite alphabet { proc, msg, {ϕ1}, ..., {ϕn} } with local formulae ϕi occurring in Φ. Any such expression can be transformed into a corresponding finite automaton of linear size. We proceed by inductively labelling the events of the given MSC with states of these finite automata. This state information is then used to decide whether or not an event of M satisfies a subformula ⟨α⟩ϕ or ⟨α⟩⁻¹ϕ, which yields labellings in { 0, 1 }. Boolean combinations and ∃ϕ and ∀ϕ are then handled in a straightforward manner. Time complexity: O(|E| · |Φ|²), where |E| is the number of events in M and |Φ| the length of Φ.
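The following Python program is an added example, not the lecture's own code and not Kern's automaton-labelling algorithm: it evaluates the semantics of local formulas, path expressions and PDL formulas from the definitions on the preceding slides directly, by computing the relation ⟦α⟧ ⊆ E × E of each path expression with set operations (a fixpoint iteration for the Kleene star) and the set of events satisfying each local formula. It then checks Examples (1) to (3) and the "even number of messages from process 1 to 2" formula of the Example slide. Everything in it is an assumption of this example: an MSC is encoded by four maps (event to process, event to action label, event to its proc-successor, send event to its matching receive), formulas and path expressions are nested tuples, and ⟨α⟩⁻¹ϕ is read as "some α-path that starts in a ϕ-event ends at the current event". The MSCs M and ping_pong(n) are constructed for the example; they are not the MSCs pictured on the slides. The evaluation is polynomial but not the O(|E| · |Φ|²) procedure of the proof sketch.

```python
from dataclasses import dataclass

@dataclass
class MSC:
    proc: dict       # event -> process it occurs on
    label: dict      # event -> ('!', p, q, a): p sends a to q, or ('?', p, q, a): p receives a from q
    proc_next: dict  # event -> immediate successor on the same process line
    msg: dict        # send event -> matching receive event
    events = property(lambda self: set(self.proc))

def compose(r, s):
    return {(a, c) for (a, b) in r for (b2, c) in s if b == b2}

def path(m, alpha):
    """Relation [[alpha]] on events for alpha ::= {phi} | proc | msg | alpha;alpha | alpha+alpha | alpha*."""
    kind = alpha[0]
    if kind == "test": return {(e, e) for e in sat(m, alpha[1])}   # {phi}: stay at a phi-event
    if kind == "proc": return set(m.proc_next.items())            # one step down the process line
    if kind == "msg": return set(m.msg.items())                   # from a send to its receive
    if kind == "seq": return compose(path(m, alpha[1]), path(m, alpha[2]))
    if kind == "alt": return path(m, alpha[1]) | path(m, alpha[2])
    if kind == "star":  # reflexive-transitive closure by fixpoint iteration
        step, closure = path(m, alpha[1]), {(e, e) for e in m.events}
        while (bigger := closure | compose(closure, step)) != closure:
            closure = bigger
        return closure
    raise ValueError(f"unknown path expression {alpha!r}")

def sat(m, phi):
    """Set of events of m at which local formula phi holds."""
    kind = phi[0]
    if kind == "true": return m.events
    if kind == "act": return {e for e, lab in m.label.items() if lab == phi[1]}  # sigma
    if kind == "not": return m.events - sat(m, phi[1])
    if kind == "or": return sat(m, phi[1]) | sat(m, phi[2])
    if kind == "dia":      # <alpha>phi: some alpha-path from e ends in a phi-event
        goal = sat(m, phi[2])
        return {a for (a, b) in path(m, phi[1]) if b in goal}
    if kind == "dia_inv":  # <alpha>^-1 phi: some alpha-path starting at a phi-event ends in e
        start = sat(m, phi[2])
        return {b for (a, b) in path(m, phi[1]) if a in start}
    raise ValueError(f"unknown local formula {phi!r}")

# Derived operators, exactly as defined on the "Derived operators" slide.
FALSE = ("not", ("true",))
def AND(p, q): return ("not", ("or", ("not", p), ("not", q)))
def IMPLIES(p, q): return ("or", ("not", p), q)
def BOX(alpha, p): return ("not", ("dia", alpha, ("not", p)))
def BOX_INV(alpha, p): return ("not", ("dia_inv", alpha, ("not", p)))
def SEQ(first, *rest):
    for a in rest: first = ("seq", first, a)
    return first
def ANY_OF(formulas):
    f = FALSE
    for g in formulas: f = ("or", f, g)
    return f

def holds(m, Phi):
    """M |= Phi for PDL formula Phi ::= exists phi | forall phi | Phi and Phi | Phi or Phi."""
    kind = Phi[0]
    if kind == "exists": return bool(sat(m, Phi[1]))
    if kind == "forall": return sat(m, Phi[1]) == m.events
    if kind == "and": return holds(m, Phi[1]) and holds(m, Phi[2])
    if kind == "or": return holds(m, Phi[1]) or holds(m, Phi[2])
    raise ValueError(f"unknown PDL formula {Phi!r}")

# Constructed MSC M: process 3 sends c to 2 twice, process 1 sends a to 2; process 2 receives c, c, a.
M = MSC(proc={"e1": 1, "e2": 2, "e3": 3, "e4": 2, "e5": 3, "e6": 2},
        label={"e1": ("!", 1, 2, "a"), "e2": ("?", 2, 1, "a"), "e3": ("!", 3, 2, "c"),
               "e4": ("?", 2, 3, "c"), "e5": ("!", 3, 2, "c"), "e6": ("?", 2, 3, "c")},
        proc_next={"e4": "e6", "e6": "e2", "e3": "e5"}, msg={"e1": "e2", "e3": "e4", "e5": "e6"})

RECV_A, RECV_C = ("act", ("?", 2, 1, "a")), ("act", ("?", 2, 3, "c"))
MAXIMAL = BOX(("proc",), FALSE)  # [proc] false: no successor on its own process
EX1 = ("forall", ("dia", ("star", ("alt", ("proc",), ("msg",))), AND(MAXIMAL, RECV_A)))  # Example (1)
EX2 = ("exists", AND(MAXIMAL, RECV_A))                                                # Example (2)
EX3 = ("forall", BOX(SEQ(("test", RECV_C), ("proc",), ("test", RECV_C)), FALSE))      # Example (3)

def even_sends_1_to_2(procs, contents):
    """The slide's 'even number of messages from process 1 to 2' formula; P1 and !1 built from procs/contents."""
    bang1 = ANY_OF(("act", ("!", 1, 2, a)) for a in contents)                                   # !1
    p1 = ANY_OF(("act", (d, 1, j, a)) for j in procs if j != 1 for d in "!?" for a in contents)  # P1
    skip = ("star", SEQ(("test", ("not", bang1)), ("proc",)))                                   # ({not !1}; proc)*
    two = SEQ(skip, ("test", bang1), ("proc",), skip, ("test", bang1), ("proc",), skip)
    minimal = AND(BOX_INV(("proc",), FALSE), p1)                                                # minimal event on process 1
    return ("forall", IMPLIES(minimal, ("dia", ("star", two), MAXIMAL)))

def ping_pong(n):
    """Constructed MSC: process 1 sends a to 2 n times, then process 2 answers once with c."""
    sends, recvs = [f"s{i}" for i in range(n)], [f"r{i}" for i in range(n)]
    line1, line2 = sends + ["got"], recvs + ["ans"]
    return MSC(proc={**{e: 1 for e in line1}, **{e: 2 for e in line2}},
               label={**{s: ("!", 1, 2, "a") for s in sends}, **{r: ("?", 2, 1, "a") for r in recvs},
                      "ans": ("!", 2, 1, "c"), "got": ("?", 1, 2, "c")},
               proc_next={**dict(zip(line1, line1[1:])), **dict(zip(line2, line2[1:]))},
               msg={**dict(zip(sends, recvs)), "ans": "got"})

EVEN = even_sends_1_to_2(procs={1, 2}, contents={"a", "c"})

if __name__ == "__main__":
    print([holds(M, f) for f in (EX1, EX2, EX3)])          # [True, True, False]
    print([holds(ping_pong(n), EVEN) for n in range(4)])   # [True, False, True, False]
```

On the constructed M, Examples (1) and (2) hold (the only maximal event is e2, labelled ?(2, 1, a)) and Example (3) fails, because e4 and e6 are consecutive ?(2, 3, c) events on process 2. The parity formula is checked on ping_pong(n) for n = 0, 1, 2, 3 without any counter: the outer Kleene star consumes the !1 events of process 1 in pairs, and the path has to end at the maximal event of process 1, which in these MSCs is the receive of the answer.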
SLIDE 27 PDL model checking algorithm for MSCs (1)
SLIDE 28 PDL model checking algorithm for MSCs (2)
SLIDE 29 PDL model checking algorithm for MSCs (3)
SLIDE 30 PDL model checking algorithm for MSCs (4)
(The algorithm is shown as figures on these four slides and is not reproduced here. The handwritten annotations mark, for the labelling of event pairs (e_i, e_j) by path expressions, the cases for concatenation, choice and Kleene star.)
SLIDE 31 Communication finite-state machines
Let a CFM now be accepting if all its processes have reached a local accepting state and either halt there or visit a local accepting state infinitely often.
An example CFM and an infinite MSC accepted by it
Client-server interaction to get access to an interface. Accepting state is (s3, t0, q0).
SLIDE 32 PDL formulas on CFMs
A CFM is accepting if all its processes have reached a local accepting state and reside there ad infinitum. The language L(A) of CFM A is the set of MSCs that admit an accepting run.
CFM versus PDL
A CFM A satisfies PDL formula Φ, denoted A ⊨ Φ, whenever for all MSCs M it holds: M ∈ L(A) if and only if M ⊨ Φ.
The example CFM satisfies ∀(P1 → ⟨proc*; msg; proc*; msg⟩P3), where for i ∈ P, formula Pi = ⋁_{j∈P, j≠i} (!i,j ∨ ?i,j), i.e., M, e ⊨ Pi iff e occurs at process i. The PDL formula asserts that process 3 (Interface) can be "reached" from process 1 (Client) by exactly two messages, using an intermediate process in between.
SLIDE 34 PDL model checking problem
Model checking CFMs versus PDL
The following model-checking problem is undecidable:
Input: a CFM A, PDL formula Φ
Output: is there an MSC M ∈ L(A) with M ⊨ Φ?
Proof.
Follows immediately from the fact that the emptiness problem for CFMs is undecidable: using the formula true, the above problem encodes the emptiness problem. To obtain decidable model-checking problems, we consider B-bounded MSCs.
(Handwritten annotation on the slide: the construction is involved. For every Φ, the set of MSCs {M ∈ M | M ⊨ Φ} can be accepted by a CFM A, i.e. there is a CFM A with L(A) = {M ∈ M | M ⊨ Φ}.)
SLIDE 38 Model checking CFMs versus PDL
Model checking CFMs versus PDL
[Bollig et al., 2011]
The following model-checking problem is PSPACE-complete:
Input: a CFM A and B ∈ N>0, PDL formula Φ
Output: is there an ∃B-bounded MSC M ∈ L(A) with M ⊨ Φ?
Proof.
(Sketch.) Every PDL formula Φ can effectively be translated into a CFM A_Φ such that A_Φ ⊨ Φ. The details are out of the scope of this lecture. This synthesis step is independent of the channel bound B (if any). The size of A_Φ is exponential in the length of Φ and the number of processes in P. Then construct a CFM accepting L(A) ∩ L(A_Φ) and decide whether the resulting CFM accepts some ∃B-bounded MSC. This can all be done in polynomial space. PSPACE-hardness follows from the hardness of LTL model checking.
SLIDE 39 Model checking MSGs versus PDL
Model checking MSGs versus PDL
[Bollig et al., 2011]
The following model-checking problem is PSPACE-complete:
Input: an MSG G and PDL formula Φ
Output: is there an MSC M ∈ L(G) with M ⊨ Φ?
Proof.
(Sketch.) For every vertex v, we can determine a linearization of the MSC λ(v). Construct a finite automaton A_G that accepts a linearization for every M ∈ L(G) and, vice versa, such that each word accepted by A_G is a linearization of some M ∈ L(G). The size of A_G is linear in the size of G. Construct a CFM A_Φ for PDL formula Φ with M ∈ L(A_Φ) iff M ⊨ Φ. Construct a transition system by running A_G and A_Φ simultaneously. This construction terminates as A_G only accepts linearizations that are B-bounded (as every linearization of MSG G is ∃B-bounded by definition). Deciding whether some simultaneous run is accepting can be done in polynomial space. PSPACE-hardness follows from the hardness of LTL model checking.
SLIDE 40 Satisfiability problem for MSCs
Model checking MSCs versus PDL
[Kern, 2009]
The following model-checking problem is decidable in polynomial time:
Input: MSC M, PDL formula Φ
Output: does M ⊨ Φ?
MSC satisfiability for PDL
[Bollig et al., 2011]
The following satisfiability problem is undecidable:
Input: PDL formula Φ
Output: is there an MSC M with M ⊨ Φ?
SLIDE 41 Other PDL decision problems
Theorem
[Alur et al., 2001, Bollig et al., 2007]
Let Φ be a PDL formula. Then:
1. The decision problem "does there exist a CFM A such that for any MSC M ∈ L(A) we have M ⊨ Φ" is undecidable.
2. The decision problem "does there exist a CFM A such that for some ∃B-bounded MSC M ∈ L(A) we have M ⊨ Φ" is decidable in PSPACE.
3. The decision problem "for MSG G, is there an MSC M ∈ L(G) such that M ⊨ Φ" is NP-complete.
SLIDE 42 PDL verification problems (handwritten summary)
- MSC M, PDL formula Φ: M ⊨ Φ? Decidable in P.
- CFM A, PDL formula Φ: ∃M ∈ L(A). M ⊨ Φ? Undecidable.
- CFM A, PDL formula Φ and B ∈ N>0: ∃M ∈ L(A). M is ∃B-bounded and M ⊨ Φ? Decidable (PSPACE-complete).
- MSG G, PDL formula Φ: ∃M ∈ L(G). M ⊨ Φ? Decidable (PSPACE-complete).
PDL satisfiability problems (handwritten summary)
- PDL formula Φ: ∃M ∈ M. M ⊨ Φ? Undecidable.
- PDL formula Φ: ∃ CFM A such that ∀M ∈ L(A). M ⊨ Φ? Undecidable.
- PDL formula Φ and bound B ∈ N>0: ∃ CFM A such that ∃M ∈ L(A). M is ∃B-bounded and M ⊨ Φ? Decidable (PSPACE).
SLIDE 43 For logic people (handwritten)
① PDL ⊆ EMSO (existential monadic second-order logic, with formulas of the form ∃X ∃Y ... ∃x ∈ X ...).
② Extending PDL with intersection yields a logic that is more expressive than CFMs: ⟨α1 ∩ α2⟩ψ means "there exist two paths, described by α1 and α2 respectively, that both lead to an event satisfying ψ". [Bollig et al., 2010] showed that there is a formula ψ of this extended PDL such that {M ∈ M | M ⊨ ψ} cannot be accepted by any CFM.
SLIDE 44 (handwritten, continued)
③ PDL supports "forward" navigation ⟨α⟩ψ and "backward" navigation ⟨α⟩⁻¹ψ. PDL does not allow mixing "forward" and "backward" in a single formula: proc⁻¹; msg; proc is not syntactically admitted.
④ The temporal logic formula ϕ until ψ, i.e., ϕ holds at all events until an event satisfying ψ is "reached", can be expressed in PDL as ⟨({ϕ}; (proc + msg))*⟩ψ.