verification of web services
play

Verification of Web Services Jianwen Su University of California, - PowerPoint PPT Presentation

Mar 29, 2024 •572 likes •1.7k views

Verification of Web Services Jianwen Su University of California, Santa Barbara The Verification Problem Given a web service/composition/choreography/workflow/ a goal do all executions satisfy the goal? ? = Choices for

  1. Verifying BPEL Services � S : a BPEL service, P : a set of propositions, ϕ : an LTL formula � Determine if every execution of S satisfies ϕ � Algorithm: 1. Construct a transition system T S , P 2. Determine if T S , P satisfies ϕ � Complexity: O (2 O (|ϕ|) | S |) time � Good news but � Control states (flow) only, no variables/data � Single service, no composition School of Formal Methods 2009/6/6 27

  2. Adding Data � BPEL allows variables to hold XML documents � Bad news (folklore): BPEL is Turing (computationally) complete � Immediate consequence: It is undecidable if a given BPEL service satisfies a given LTL formula � One possible restriction: limit variables to � finite domains: the number of possible values is finite School of Formal Methods 2009/6/6 28

  3. Finite Domain Variables � Represent variable contents explicitly through states ? quantity ? quantity = 1 ? quantity = 2 . . . [Fu-Bultan-S. ISSTA ’04] ? quantity = 15 � Transition states increased by n m times: n : (max) domain size, m : number of variables � Complexity of verification: O (2 O (|ϕ|) | S | n m ) time ϕ : LTL formula, S : BPEL service School of Formal Methods 2009/6/6 29

  4. Composition of BPEL Services � Peer to peer register , ack , cancel Investor Stock Broker accept , reject , bill request , terminate report Research Dept. � Mediated or hub-and-spoke Mediator Investor Research Dept. Stock Broker School of Formal Methods 2009/6/6 30

  5. Synchronous Messaging Model � Two specific actions: � Send a message ( ! ) � Receive a message ( ? ) synchronization <receive> : <invoke> : ? authorize ! authorize response request-response … ? ok <invoke> : ! ok request … store bank School of Formal Methods 2009/6/6 31

  6. Product with Synchronous Messaging � Two services requester server 4 2 r 1 , r 2 ? e e ! e ! r 1 ! r 2 ! a 2 ! a 1 1 1 ? a 1 a 1 , a 2 ? r 2 ? a 2 ? r 1 3 2 � Their synchronous product as a transition system: 11 a 1 a 2 r 1 r 2 e 12 24 13 School of Formal Methods 2009/6/6 32

  7. Product with Synchronous Messaging � In general, the composition of k BPEL services with synchronous messaging can be modeled as a transition system with r k states where � r is the (max) number of states in a single service � Complexity of verification: O (2 O (|ϕ|) (| S | n m ) k ) time � ϕ : LTL formula � | S | : size of a BPEL service � n : domain size � m : number of variables in a BPEL service � k : number of BPEL services School of Formal Methods 2009/6/6 33

  8. Asynchronous Messaging [Bultan-Fu-Hull-S. WWW ’03] � Two specific actions: � Send a message ( ! ) � Receive a message ( ? ) 〈 receive 〉 : 〈 invoke 〉 : ? authorize ! authorize request-response response … ? ok 〈 invoke 〉 : ! ok request … store bank � FIFO queues are used to buffer unconsumed messages � One queue per service for incoming messages School of Formal Methods 2009/6/6 34

  9. Verification is Undecidable � Finite state automata with FIFO queues are Turing complete [Brand-Zafiropulo JACM’83] � Immediate consequence: Verification problem is undecidable � One possible restriction: bound queue size School of Formal Methods 2009/6/6 35

  10. Bounded Queues & Finite State Automata � Observation: a bounded length queue has a finite number of states … … … ! a ? a ? a a … … ? b … b a synchronize ! b ! a … b … � Asynchronous + bounded queue can be simulated � Note: Only focus on message types not content School of Formal Methods 2009/6/6 36

  11. BPEL with Asynchronous Messaging � Number of states for queues: e l , where e : number of message types, l : queue length bound � With message contents: e l n l , where n is domain size � Complexity of verification: O (2 O (|ϕ|) (| S | n m e l n l ) k ) time � ϕ : LTL formula � | S | : size of a BPEL service � n : domain size � m : number of variables in a BPEL service � k : number of BPEL services School of Formal Methods 2009/6/6 37

  12. Summary of Verifying BPEL Services � Focus on decidability boundary of LTL properties of BPEL + compositions (synchronous, bounded queue asynchronous messaging) � Verification algorithms: map to exiting verifiers � Model checker: SPIN [Fu-Bultan-S. 2003-4] [Nakajima 2004] , [Pistore-Traverso-et al 2005] � Process algebras: LTSA [Foster-Uchitel-Magee- Kramer 2003] , CWB [vanBreugel-Koshkina 2004] [Salaun-Bordeaux-Schaef 2004] , LOTOS [Ferara 2004][Salaun-Ferara-Chirichiello 2004] � ASM: [Farahbod-Classer-Vajihollahj 2004][Deutsch-Sui- Vianu 2004] [Fahland-Reisig 2005] School of Formal Methods 2009/6/6 38

  13. Outline � Motivations � Transitions systems � BPEL services and compositions � Choreographies (of BPEL services) � Artifact-centric workflow � Concluding remarks ? ⎥ = ϕ School of Formal Methods 2009/6/6 39

  14. Composition: Common Topologies � Peer-to-peer register , ack , cancel Investor Stock Broker accept , reject , bill request , terminate report Research Dept. � Mediated, or “hub and spoke” Mediator Investor Research Dept. Stock Broker School of Formal Methods 2009/6/6 40

  15. Orchestration vs Choreography Choreography WS-CDL Composition BPEL OWL-S ServiceModel WSCL (Individual) Service Description WSDL OWL-S ServiceProfile XML SOAP Messaging School of Formal Methods 2009/6/6 41

  16. WS Choreography Definition Language � Specification of choreography � Model complex business protocol (e.g. order management) to enable interoperability � Generate computational logic of individual collaborating participants � Key concepts � Collaborating participants: role, relationship, participants � Information driven collaboration: channel, activities, workunit, choreography � Standardization through W3C (Version 1.0: December 2004) School of Formal Methods 2009/6/6 42

  17. Composition: BPEL and WS-CDL register , ack , cancel Investor Stock Broker accept , reject , bill Focus on Focus on request , terminate report global behaviors local actions Research Dept. BP EL WS-CDL Mediator Investor Research Dept. Stock Broker School of Formal Methods 2009/6/6 43

  18. Composition: BPEL and WS-CDL register , ack , cancel Investor Stock Broker accept , reject , bill Focus on Focus on request , terminate report global behaviors local actions Research Dept. orchestration Choreography BP EL WS-CDL Mediator Investor Research Dept. Stock Broker � For “hub and spoke”, the difference is small For “peer-to-peer”, the concept of choreography is interesting and not well understood School of Formal Methods 2009/6/6 44

  19. Automated Design: Top-down vs Bottom-up register , ack , cancel Investor Stock Broker accept , reject , bill request , terminate report Research Dept. Top-down specification of specification of individual services global behaviors orchestration Choreography Bottom-up e.g., BPEL e.g., WS-CDL � Verification and analysis of choreography � Focus on the conversation model School of Formal Methods 2009/6/6 45

  20. Verification of WS Choreography � Verification of choreography of a WS (BPEL) composition register , ack , cancel Investor Stock Broker accept , reject , bill request , terminate report Research Dept. � Services: finite transition systems on messaging actions � Unbounded FIFO queues for messages � Choreography: message sequences (send only) � How to model? � LTL on choreography [Fu-Bultan-S. WWW’04, ISSTA’04] School of Formal Methods 2009/6/6 46

  21. An Example: Stock Analysis Service (SAS) Three peers: Investor , Stock Broker , and Research Dept � Inv initiates the stock analysis service by sending a register message to SB � SB may accept or reject the registration � If the registration is accepted, SB sends an analysis request to the RD � RD sends the results of the analysis directly to the Inv as a report � After receiving a report Inv can either send an ack to SB or cancel the service � Then, SB either sends the bill for the services to Inv , or continues the service with another analysis request School of Formal Methods 2009/6/6 47

  22. SAS Composition � SAS is a web service composition � a finite set of peers: Inv , SB , RD , and � a finite set of message classes: register , ack , cancel , accept , ... register ack cancel Investor Stock Broker (Inv) (SB) accept reject bill request report terminate Research Dept. (RD) School of Formal Methods 2009/6/6 48

  23. Asynchronous Messaging � We assume that the messages among the peers are exchanged through reliable and asynchronous messaging � FIFO and unbounded message queues Stock Broker Research Dept. req req (SB) (RD) � This model is similar to industry efforts such as � JMS (Java Message Service) � MSMQ (Microsoft Message Queuing Service) School of Formal Methods 2009/6/6 49

  24. Mealy Service Model [Bultan-Fu-Hull-S. WWW’03] � Finite state control � Acts on a finite set of message classes � Transitions are based on receiving a message ? m or sending a message ! m register, ack, ! register Investor cancel Stock Broker (Inv) (SB) ? accept accept, reject, ! ack bill request, ? reject ? report terminate report ? bill ! cancel Research Dept. ? bill (RD) School of Formal Methods 2009/6/6 50

  25. Composite Mealy Service Execution Investor Stock Broker Firm ! register ? register ! accept ? accept ! request ! ack bill rep acc ! reject ? reject ? ack ? report ack reg ! bill ? cancel ! cancel ? bill ! bill ? bill ! terminate Research Dept. � Execution halts if ? request ! report req ter � All Mealy services are in final states, and ? terminate � All queues are empty School of Formal Methods 2009/6/6 51

  26. Conversations and Conversation Protocols � Conversation: a message sequence � A conversation protocol specifies the set of desired register, conversations ack, cancel Investor Stock Broker (Inv) (SB) accept, reject, bill request, terminate report report ack 1 6 7 8 register request request cancel Research Dept. (RD) reject accept ack 3 2 5 9 bill report terminate 4 12 11 10 cancel terminate bill School of Formal Methods 2009/6/6 52

  27. Conversations of Composite Services � A virtual watcher records the messages as they are sent register Investor Stock Broker accept (Inv) (SB) ack bill report request terminate Watcher Research Dept. reg acc req rep ack bil ter (RD) � A conversation is a sequence of messages the watcher sees in a successful run (or enactment) � Conversation language: the set of all possible conversations � What properties do conversation languages have? School of Formal Methods 2009/6/6 53

  28. Conversation Languages Are Not Regular ? a a ! a ? b b ! b p 1 p 2 � The set of conversations CL ∩ a ∗ b ∗ = a n b n � Conversation languages are not always regular � Some may not even be context free � Causes: asynchronous communication & unbounded queue � Bounded queues or synchronous: CL always regular � CLs are always context sensitive School of Formal Methods 2009/6/6 54

  29. Remarks � Communicating finite state machines with queues are computationally Turing complete � Conversation languages ≠ tracing execution states � Why regular languages? � They would allow static analysis, e.g. model checking � Testing and debugging in SOA are harder � Queue v.s. no queue: design time decision! School of Formal Methods 2009/6/6 55

  30. Two Key Questions register ack, cancel Investor Stock Broker (Inv) (SB) accept, reject, bill request, report terminate Research Dept. (RD) � Is the composition of (BPEL) services “correct”? � Verify conversations � Automated design of services from the desired conversation protocol? School of Formal Methods 2009/6/6 56

  31. Temporal Properties of Conversations � The notion of conversation enables reasoning about temporal properties of the composite web services � Extend LTL extends naturally to conversations � LTL temporal operators X (neXt), U (Until), G (Globally), F (Future) � Atomic properties Predicates on message classes (or contents) G ( accept → F bill ) � Example: � Verification problem: Given an LTL property, does the conversation language (i.e. every conversation) satisfy the property? School of Formal Methods 2009/6/6 57

  32. Design Scenario 1: Bottom Up � Given a composition of services, does its CL satisfy the LTL properties? Peer A Peer B Peer C ?msg1 !msg1 !msg3 Input ?msg3 !msg2 Queue ?msg2 !msg5 ?msg5 ?msg6 ?msg4 !msg4 !msg6 ? ... ⎟ = G ( msg 1 → F ( msg 3 ∨ msg 5)) Conversation � Problem: the general case is undecidable [Brand-Zafiropulo JACM’83] School of Formal Methods 2009/6/6 58

  33. Design Scenario 2: Top Down � Specify the global messaging behavior explicitly as a conversation protocol � Determine if the conversations allowed by the protocol satisfy LTL properties Conversation Protocol A → B: B → A: B → C: B → A: msg1 msg2 msg5 msg6 ? ⎟ = G ( msg 1 → F ( msg 3 ∨ msg 5)) B → C: C → B: msg3 msg4 A B C � Problem: the conversation protocol may not be realizable School of Formal Methods 2009/6/6 59

  34. Approaches � (Bottom up) verification is undecidable � Approach 1: check if the conversations using bounded queue satisfy LTL property —partial verification � Approach 2: sufficient condition for bounded queue CL = unbounded queue CL —synchronizablility � (Top down) protocol may be unrealizable � Approach 3: sufficient condition for realizability School of Formal Methods 2009/6/6 60

  35. Realizability Problem � Not all conversation protocols are realizable! Projection of the conversation protocol to the peers A → B: m1 !m2 ?m2 ! m1 ? m1 C → D: m2 Peer A Peer B Peer C Peer D Conversation protocol � Conversation “ m2 m1 ” will be generated by any legal peer implementation which follows the protocol School of Formal Methods 2009/6/6 61

  36. Another Non-Realizable Protocol m2 A m1 A B m2 m1 B m3 C m3 C m2 B � A m1 A � B A B C ε ε ?m2 !m1 !m2 ?m1 m1 A � B m2 B � A !m1 ?m1 ε ε ?m2 !m2 m3 A � C ε Conversation !m3 ?m3 protocol m2 m1 m3 Generated conversation: School of Formal Methods 2009/6/6 62

  37. A Sufficient Condition for Realizability [Fu-Bultan-S. CIAA ’03] � Three parts for realizability (contentless messages) � Lossless join Conversation protocol should be equal to the “join” of its projections to each peer � Synchronous compatible When the projections are composed synchronously, there should not be a state where a peer is ready to send a message while the corresponding receiver is not ready to receive � Autonomous Each peer should be able to make a deterministic decision on whether to send or to receive or to terminate School of Formal Methods 2009/6/6 63

  38. Bottom-Up Approach � Given a composition of web services, check if its conversations satisfy some LTL properties � General problem is undecidable due to asynchronous communication (with unbounded queues) � Naïve idea: limit the queue length � Problem 1: only partial verification, unless we are lucky � Problem 2: state size explosion School of Formal Methods 2009/6/6 64

  39. Example 1: Regular CL, Bounded Queues r 1 , r 2 ! e ? e e ! a 1 ? a 2 ! a 2 ? a 1 a 1 , a 2 ! r 2 ? r 2 ? r 1 ! r 1 requester server � Conversation language is regular: ( r 1 a 1 | r 2 a 2 ) ∗ e � During every halting run two queues are bounded School of Formal Methods 2009/6/6 65

  40. Example 2: Not Regular, Unbounded r 1 , r 2 ? e e ! e ! r 1 ! r 2 ! a 2 ! a 1 ? a 1 a 1 , a 2 ? r 2 ? r 1 ? a 2 requester server � Conversation language is not regular � Queues are not bounded School of Formal Methods 2009/6/6 66

  41. Example 3: Regular, Unbounded r , r 1 , r 2 ! e ? e e ! r 1 ? r 1 ! r ? r ! r 2 ? r 2 a ? a ! a requester server � Conversation language is regular: ( r 1 | r 2 | ra ) ∗ e � Queues are not bounded School of Formal Methods 2009/6/6 67

  42. Three Examples 1600 1400 # of states x 10 3 1200 Example 1, regular, bounded 1000 Example 2, not regular, unbounded 800 Example 3, regular, unbounded 600 400 200 0 1 3 5 7 9 1 3 1 1 queue length � Verification of Examples 2 and 3 are difficult even if we bound the queue length � How can we distinguish Examples 1 and 3 (with regular conversation languages) from 2? � Synchronizability Analysis School of Formal Methods 2009/6/6 68

  43. Synchronizability Analysis � A composite web service is synchronizable, if its conversation language does not change � when asynchronous communication with unbounded queues is replaced with synchronous communication or bounded queues � A composite web service is synchronizable, if it satisfies the synchronous compatible and autonomous conditions [Fu-Bultan-S. WWW’04] School of Formal Methods 2009/6/6 69

  44. Are These Conditions Too Restrictive? Problem Set Size Synchronizable? #msg #states #trans. Source Name SAS 9 12 15 ISSTA ’ 04 yes CvSetup 4 4 4 yes MetaConv 4 4 6 IBM no Chat 2 4 5 Conv. yes 5 5 6 Buy yes Support 8 5 8 Haggle no Project 8 10 15 AMAB yes 2 3 3 shipping yes BPEL Loan 6 6 6 yes spec Auction 9 9 10 yes StarLoan 6 7 7 collaxa.com yes Cauction 5 7 6 (Oracle) yes School of Formal Methods 2009/6/6 70

  45. Summary � Verification of choreography is intricate � Choreography of composition may not be regular and does not fall into natural formal language classes � Must be concerned with the realizability problem � Realizability and verification on conversations with Mealy machines [Fu-Bultan-S. 2003-6] � Realizability on process algebras, choreography languages [many, 2005-] School of Formal Methods 2009/6/6 71

  46. Outline � Motivations � Transitions systems � BPEL services and compositions � Choreographies (of BPEL services) � Artifact-centric workflow � Concluding remarks ? ⎥ = ϕ School of Formal Methods 2009/6/6 72

  47. Workflow (Business Process) � A bookseller example: Traditional control-centric model Fill Payment Shipping ID Archive information Confirmation Shopping Customer Preference Cart School of Formal Methods 2009/6/6 73

  48. Workflow (Business Process) � A bookseller example: Traditional control oriented model � Multiple steps needed for each activity Fill Payment Shipping ID Archive information Confirmation Shopping Customer Preference Cart Ground Credit Air In practice, In-stock Check Handling PayPal 100s to Inventory Warehouses/ Back-order Size New 1000s of Existing Handling Customer Customer nodes Registration Check Login Hard to reason, find useful views: missing data School of Formal Methods 2009/6/6 74

  49. Business Intelligence: Data View � Extract-Transform-Load inventory Transactions Transactions workflow activities Data Analysis catalog Warehouse workflow is missing! cust_db Transactions School of Formal Methods 2009/6/6 75

  50. Business Artifacts ! � A business artifact is a key conceptual business entity that is used in guiding the operation of the business � fedex package delivery , patient visit , application form , insurance claim , order , financial deal , registration , … � both “information carrier” and “road-maps” � Very natural to business managers and BP modelers � Includes two parts: � Information model: data needed to move through workflow � Lifecycle: possible ways to evolve School of Formal Methods 2009/6/6 76

  51. Example: Restaurant Artifacts Create Add Item Open Guest Check Guest Check GCs Kitchen Order Prepare Pending Receipt KOs Receipt Cash Balance Prepare & Pending Closed Receipts Test Quality GCs Ready Payment Update KOs Paid Cash Balance Receipts Disagreed Deliver Receipts Cash Archived Archived Receipts GCs Balance Recalculate Archived KOs Receipt School of Formal Methods 2009/6/6 77

  52. Example: Restaurant Artifacts Create GC KO Add Item Open Guest Check Guest Check GCs Kitchen Order Prepare RC Pending Receipt KOs Receipt Cash Balance Prepare & Pending Closed Receipts Test Quality GCs Ready Payment Update KOs Paid Cash Balance Receipts Disagreed Deliver Receipts Cash Archived Archived CB Receipts GCs Balance Recalculate Archived KOs Receipt School of Formal Methods 2009/6/6 78

  53. Emerging Artifact-Centric BPs customer cart info . . . + Specification of artifact lifecycles Artifacts (Info models) � Informal model [Nigam-Caswell IBM Sys J 03] � Systems: BELA (IBM 2005), Siena (IBM 2007) � Formal models � State machines [Bhattacharya-Gerede-S. SOCA 07] [Gerede-S. ICSOC 07] � Rules [Bhattacharya-Gerede-Hull-Liu-S. BPM 07] School of Formal Methods 2009/6/6 79

  54. A Logical Artifact Model for BPs if C enable + + … Artifacts Semantic services Condition- (info models) (IOPEs) action � A variation of [Bhattacharya-Gerede-Hull-Liu-S. BPM 07] � [Hull-S. 09] (in preparation) School of Formal Methods 2009/6/6 80

  55. Verification Problem � Given a workflow and a goal, do all executions of the workflow satisfy the goal? ? if C enable + + ⎥ = ϕ … Artifacts Semantic services Condition- (Info models) (IOPEs) action [Bhattacharya-Gerede-S. SOCA 07] [Gerede-S. ICSOC 07] [Bhattacharya-Gerede-Hull-Liu-S. BPM 07] [Deutsch-Hull-Patrizi-Vianu ICDT 09] [Vianu ICDT 09] School of Formal Methods 2009/6/6 81

  56. Synthesis Problem � Given a goal and a set of services, construct a set of rules so that every execution satisfies the goal ? if C enable + ϕ + … Artifact Semantic services Goal Condition- (Info model) (IOPEs) (FO) action [Fritz-Hull-S. ICDT 09] (restricted to single artifact, first-order goals) School of Formal Methods 2009/6/6 82

  57. Workflow Schema � A workflow schema is a triple W = ( Γ, S , R ) � Γ : a set of artifacts classes (artifact schema) � S : a set of (semantic) services � R : a set of condition-action rules School of Formal Methods 2009/6/6 83

  58. A First-Order Logic + Structure � Assuming some first order logic L with a fixed structure � U is the universe � Existence of an infinite set of artifact IDs � Existence of an infinite set of attributes School of Formal Methods 2009/6/6 84

  59. Artifact Classes � An artifact class consists of � a finite set of attributes, of type U or artifacts IDs � a finite set of states, initial and final states (transitions not defined) � An artifact is a pair: � a mapping from attributes to U ∪ IDs ∪ {⊥} � a state GuestCheck Artifact GCID date time Name KOID table# TOTAL Payment ptime Waiting for Seated Ordered Delivered Completed table School of Formal Methods 2009/6/6 85

  60. Artifacts in a Workflow � During runtime, each artifact class in Γ may have a finite set of artifacts � The union I of sets of artifacts must be closed under “cross-referencing” School of Formal Methods 2009/6/6 86

  61. (Semantic) Services � A service has a precondition and effects, conditions on � Attribute values � Defined-ness of attribute values � Equality of artifact ID s � An attribute holds the ID of a newly created artifact SERVICE SeatingGuests WRITE : { x : GuestCheck } READ : { x : GuestCheck , y : Table } PRE-CONDITION : ¬ Defined ( x . table# ) ∧ ¬ Defined ( y . GCID ) EFFECTS : - Defined ( x . table# ) ∧ Seated ( x ) - ¬ Defined ( x . table# ) ∧ Waiting4table ( x ) School of Formal Methods 2009/6/6 87

  62. Another Example A B σ 0 ≤ A ≤ 2 0 ≤ A < 1 ∧ 0 ≤ B ∨ 1 ≤ A ≤ 2 ∧ 1 ≤ B School of Formal Methods 2009/6/6 88

  63. (Semantic) Services � A (semantic) service is a tuple (σ, R , W , π, ρ) , where � σ is a task name � R , W are finite sets of (resp., read, write) artifacts � π , ρ are quantifier-free formulas (pre- and post- condition, resp.) over attributes of artifacts in R , R ∪ W , resp. � allow Defined ( A ) for an attribute A � I ′ is the result of executing σ on I , I → I ′ , if σ � ( I , I ′) ⎟ = π ∧ ρ , and � frame conditions are satisfied School of Formal Methods 2009/6/6 89

  64. Condition-Action Rules � Rules that define business logic � Invoke a service � Change artifact states states are used to organize the processing if Waiting4Table ( x ) enable SeaingGuest ( x ) if Defined ( x . GCID ) ∧ Defined ( x . GCID . table# ) change state to Taken ( x ) ∧ Seated ( x . GCID ) School of Formal Methods 2009/6/6 90

  65. Condition-Action Rules � A condition-action rule is an expression of form “ if ϕ enable σ ” or “ if ϕ change state to φ ” or where � ϕ is a (quantifier-free) formula � σ is a semantic service � φ is a state changing formula r � I ′ is the result of executing a rule r : if ϕ … on I , I → I ′ , if � I ⎟ = ϕ , and σ � I → I ′ or I , I ′ only differ on states as specified School of Formal Methods 2009/6/6 91

  66. Workflow Schema � A workflow schema is a triple W = (Γ, S , R ) � Γ : artifact schema � S : a finite set of semantic services � R : a finite set of condition-action rules r � Denote → the closure of ∪ → ∗ r ∈ R School of Formal Methods 2009/6/6 92

  67. Verification Problem � Given a workflow and a goal, do all executions of the workflow satisfy the goal? ? if C enable ⎥ = ϕ + + … Artifacts Semantic services Condition- (Info models) (IOPEs) action [Bhattacharya-Gerede-Hull-Liu-S. BPM 07] [Deutsch-Hull-Patrizi-Vianu ICDT 09] School of Formal Methods 2009/6/6 93

  68. Analysis Problems � An artifact system W = ( Γ, S , R ) artifacts, services, rules � Completion: Does W allow a complete run of some artifact? � Dead-end: Does W have a dead-end path? � Attribute redundancy: Does W have a redundant attribute? No attribute value comparisons [Bhattacharya-Gerede-Hull-Liu-S. BPM 07] School of Formal Methods 2009/6/6 94

  69. Results � The problems are undecidable Primary reason: workflow language is Turing complete � If we disallow creation of new artifacts � Initial: if each artifact has only initial attributes defined The analysis problems are PSPACE -complete � even for a single artifact [Bhattacharya-Gerede-Hull-Liu-S. BPM 07] � Consider only a single artifact School of Formal Methods 2009/6/6 95

  70. Monotonic Workflow � Once an attribute is assigned a value, it cannot be changed � For monotonic services: Complexity ranging from linear to intractable under various conditions [Bhattacharya-Gerede-Hull-Liu-S. BPM 07] School of Formal Methods 2009/6/6 96

  71. Completion (Monotonic Workflow) � Linear time if � Services are deterministic (single effect) � Preconditions has no negation � Rule conditions are positive and does not check state information � NP-complete if the above conditions are slightly relaxed (single artifact) [Bhattacharya-Gerede-Hull-Liu-S. BPM 07] School of Formal Methods 2009/6/6 97

  72. Dead-End & Redundancy (Monotonic Workflow) � Checking if there is a dead end path is Π 2 -complete, p even with various restrictions � Checking redundant attributes is co-NP-complete, even with various restrictions (single artifact) [Bhattacharya-Gerede-Hull-Liu-S. BPM 07] School of Formal Methods 2009/6/6 98

  73. Three Analysis Problems: Review � An artifact system W = ( Γ, S , R ) artifacts, services, rules � Completion: Does W allow a complete run of an artifact? � Dead-end: Does W have a dead-end path? � Attribute redundancy: Does W have a redundant attribute? � Undecidable in general, PSPACE if no artifact creation, intractable for monotonic workflows [Bhattacharya-Gerede-Hull-Liu-S. BPM 07] � Ad hoc properties, restricted to defined-ness � How to verify LTL properties? [Deutsch-Hull-Patrizi-Vianu ICDT 09] School of Formal Methods 2009/6/6 99

  74. Adding Infinite States to Artifacts � An artifact is a pair: � a mapping from attributes to U ∪ IDs ∪ {⊥} � a state relation GuestCheck Artifact GCID date time Name KOID table# TOTAL Payment ptime Waiting for Seated Ordered Delivered Completed table Items ItemNo Qty cookingReq Table# School of Formal Methods 2009/6/6 100

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Preparing for Re-Verification Brief Mr. Terrence Moultrie Chief, Verification and Executive

Preparing for Re-Verification Brief Mr. Terrence Moultrie Chief, Verification and Executive

The Center for Verification and Evaluation (CVE) Preparing for Re-Verification Brief Mr. Terrence Moultrie Chief, Verification and Executive Support Services Agenda What is Re-Verification? o Simplified Reverification Program VIP

320 views • 21 slides
Verification Process Self-Verification Training Tom Wolf, Governor 1 &gt; Pedro Rivera,

Verification Process Self-Verification Training Tom Wolf, Governor 1 &gt; Pedro Rivera,

EI Self-Verification Training Early Intervention Verification Process Self-Verification Training Tom Wolf, Governor 1 &gt; Pedro Rivera, Secretary of Education | Ted Dallas, Secretary of Human Services EI Self-Verification Training

445 views • 15 slides
Verification Reporting Public and Nonpublic Verification Collection Report Deb Linderblood

Verification Reporting Public and Nonpublic Verification Collection Report Deb Linderblood

Verification Reporting Public and Nonpublic Verification Collection Report Deb Linderblood October, 2014 1 Verification Collection Report Verification Collection Report or FNS 742 FNS stands for Food and Nutrition Services Same

752 views • 64 slides
Arkansas Department of Human Services Introduction to Electronic Visit Verification and Other

Arkansas Department of Human Services Introduction to Electronic Visit Verification and Other

Arkansas Department of Human Services Introduction to Electronic Visit Verification and Other Policy Updates January 15, 2019 Agenda 1. Electronic Visit Verification (EVV) Update a. What is EVV &amp; Why b. What are Arkansass plans for

468 views • 20 slides
Electronic Visit Verification File Specification: Visit Interface Electronic Visit Verification

Electronic Visit Verification File Specification: Visit Interface Electronic Visit Verification

Electronic Visit Verification File Specification: Visit Interface Electronic Visit Verification Project February 26, 2020 Welcome HMOs, MCOs, IRIS FEAs Sandata team (EVV vendor) Wisconsin Department of Health Services team

941 views • 47 slides
Introduction to Electronic Verification Electronic Verification of Educational Records

Introduction to Electronic Verification Electronic Verification of Educational Records

Introduction to Electronic Verification Electronic Verification of Educational Records OVERVIEW 01 04 Scope of Verification Peggys Picks Types of verification, Verifying exam results or parameters, privacy graduation using databases

1.25k views • 81 slides
DIVS DL/ID Verification Systems Verification of Legal Status DIVS Passport Verification

DIVS DL/ID Verification Systems Verification of Legal Status DIVS Passport Verification

DIVS DL/ID Verification Systems Verification of Legal Status DIVS Passport Verification Projects Birth Record Verification State to State Verification DIVS State to State Verification Service (S2S) Program Benefits Mission

349 views • 8 slides
Electronic Visit Verification Reason Code Training Health and Human Services Commission and

Electronic Visit Verification Reason Code Training Health and Human Services Commission and

Electronic Visit Verification Reason Code Training Health and Human Services Commission and Department of Aging and Disability Services April 2015 Page 1 Objectives This presentation is for providers who are required to use Health and

1.11k views • 95 slides
Verification &amp; Validation Verification is getting the system right : Verification and

Verification &amp; Validation Verification is getting the system right : Verification and

Verification &amp; Validation Verification is getting the system right : Verification and Validation Does the program you built do what you designed it to do? Dr. James A. Bednar Validation is getting the right system : jbednar@inf.ed.ac.uk

331 views • 8 slides
Verification and Validation Steven Zeil February 13, 2013 Verification and Validation

Verification and Validation Steven Zeil February 13, 2013 Verification and Validation

Verification and Validation Verification and Validation Steven Zeil February 13, 2013 Verification and Validation Outline The Process 1 Non-Testing V&amp;V 2 Code Review Mathematically-based verification Static analysis tools

790 views • 55 slides
Electronic Visit Verification (EVV) for Medicaid Services Nebraska EVV December 2020 Stakeholder

Electronic Visit Verification (EVV) for Medicaid Services Nebraska EVV December 2020 Stakeholder

Electronic Visit Verification (EVV) for Medicaid Services Nebraska EVV December 2020 Stakeholder Meeting 1 Agenda Introduction of the State EVV panelists EVV Registration and Start Date Be Ready-Get Trained for EVV Email Update

429 views • 9 slides
Electronic Visit Verification (EVV) for Medicaid Services Nebraska EVV October Stakeholder

Electronic Visit Verification (EVV) for Medicaid Services Nebraska EVV October Stakeholder

Electronic Visit Verification (EVV) for Medicaid Services Nebraska EVV October Stakeholder Meeting 1 EVV START DATE REVISED Please see below for DHHS revised schedule of events: Production Ready for third-party EVV vendors: 11/13/2020

444 views • 20 slides
Verification regulations: Description Draft to define model for meeting verification

Verification regulations: Description Draft to define model for meeting verification

Verification regulations: Description Draft to define model for meeting verification regulations Verification Code Extension (draft-gould-eppext-verificationcode) Purpose Separate verification details from registry interface

167 views • 6 slides
Employment Eligibility and Verification Form I-9 Background All U.S. employers must verify

Employment Eligibility and Verification Form I-9 Background All U.S. employers must verify

6/17/2015 I-9 I-9 Services Services Training Training Presented by Lori Miller Human Resource Services June 2015 Employment Eligibility and Verification Form I-9 Background All U.S. employers must verify employment eligibility.

614 views • 17 slides
Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018 Outline 1 Formal Models 2

1.01k views • 81 slides
Welcome! Asset Verification Service (AVS) The purpose of AVS is to automate verification of

Welcome! Asset Verification Service (AVS) The purpose of AVS is to automate verification of

Welcome! Asset Verification Service (AVS) The purpose of AVS is to automate verification of assets for initial and re-determinations for OSIP-M consumers without SSI. Asset Verification Service Kick-Off 11/8/18 Introduce Project Team

253 views • 14 slides
Single Source Shortest Paths (SSSP) Directed graph Edge weights Shortest path from to :

Single Source Shortest Paths (SSSP) Directed graph Edge weights Shortest path from to :

Single Source Shortest Paths (SSSP) Directed graph Edge weights Shortest path from to : Path = 0 , 1 , , of minimum weight () 5 3 where 0 = , = and 4 7 4 1

766 views • 21 slides
Logistics HW 2 due now HW 3 out this afternoon Reading: K&amp;T 3.4-3.6 Questions? Logistics

Logistics HW 2 due now HW 3 out this afternoon Reading: K&amp;T 3.4-3.6 Questions? Logistics

Logistics HW 2 due now HW 3 out this afternoon Reading: K&amp;T 3.4-3.6 Questions? Logistics Homework: 35% Midterms: 30% Final: 20% Quizzes + participation: 15% Some Comments I look forward to learning more about the p versus np problem

829 views • 34 slides
Design and Implementation of the Bio-Networking Architecture Jun Suzuki, Tadashi Nakano and

Design and Implementation of the Bio-Networking Architecture Jun Suzuki, Tadashi Nakano and

Design and Implementation of the Bio-Networking Architecture Jun Suzuki, Tadashi Nakano and Tatsuya Suda {jsuzuki, tnakano, suda}@ics.uci.edu http://netresearch.ics.uci.edu/bionet/ Dept. of Information and Computer Science University of

534 views • 24 slides
Advanced Pathfinding IMGD 4000 With material from:

Advanced Pathfinding IMGD 4000 With material from:

3/16/17 Advanced Pathfinding IMGD 4000 With material from: Millington and Funge, Ar#ficial Intelligence for Games , Morgan Kaufmann 2009 (Chapter

461 views • 30 slides
MAN ANET ETKi Kit: S Suppor upportin ing the g the Dynam Dynamic Deploy Deploymen ent

MAN ANET ETKi Kit: S Suppor upportin ing the g the Dynam Dynamic Deploy Deploymen ent

MAN ANET ETKi Kit: S Suppor upportin ing the g the Dynam Dynamic Deploy Deploymen ent and Reconfig and Reconfigurat ation on of A of Ad-Hoc Hoc Routing Routing P Protoc otocol ols ACM/ I FI P/ USENI X 10th I nternational

619 views • 22 slides
1 Quantitative and Qualitative Divide and Conquer In this figure, we can Partition space

1 Quantitative and Qualitative Divide and Conquer In this figure, we can Partition space

Iso-contour/surface Extractions Iso-Contouring and Level-Sets Roger Crawfis Contributors: Roger Crawfis, Han-Wei Shen, Raghu Machiraju, Torsten Moeller, Fan Ding, Charles Dyer, and Huang Zhiyong 3D Iso-surface 2D Iso-contour 4/17/2003 R.

339 views • 12 slides
Introduction Computational Models for Complex Systems Paolo Milazzo Dipartimento di Informatica,

Introduction Computational Models for Complex Systems Paolo Milazzo Dipartimento di Informatica,

Introduction Computational Models for Complex Systems Paolo Milazzo Dipartimento di Informatica, Universit` a di Pisa http://pages.di.unipi.it/milazzo milazzo di.unipi.it Laurea Magistrale in Informatica A.Y. 2019/2020 Paolo Milazzo

672 views • 39 slides
www.drupaleurope.org Making Mentoring Magic Elli Ludwigson Elli Ludwigson Content Creator Open

www.drupaleurope.org Making Mentoring Magic Elli Ludwigson Elli Ludwigson Content Creator Open

www.drupaleurope.org Making Mentoring Magic Elli Ludwigson Elli Ludwigson Content Creator Open Strategy Partners @ekl1773 What is Core Contribution Mentoring? Goals: Traditional mentoring methods: More Contributors generally DrupalCons

460 views • 20 slides

More recommend