Model Checking XML Manipulating Software - PowerPoint PPT Presentation

1
Model Checking XML Manipulating Software
  • Xiang Fu Tevfik Bultan Jianwen Su
  • Department of Computer Science
  • University of California, Santa Barbara
  • {fuxiang,bultan,su}@cs.ucsb.edu

2
Web Services
  • Loosely coupled, interaction through standardized
    interfaces
  • Standardized data transmission via XML
  • Asynchronous messaging
  • Platform independent (.NET, J2EE)

[Figure: Web Service Standards stack, from top to bottom. Interaction: WSCI; Composition: BPEL4WS; Service: WSDL; Implementation platforms: Microsoft .NET, Sun J2EE; Message: SOAP; Type: XML Schema; Data: XML]
3
Outline
  • An Example Stock Analysis Service
  • Capturing Global Behaviors
    • Conversations, Conversation Protocols
    • Web Service Analysis Tool
  • XML Messaging
    • XML data, MSL types, XPath expressions
  • Model Checking Conversation Protocols
    • Translation to Promela
  • Conclusions and Future Work

4
An Example Stock Analysis Service (SAS)
  • SAS is a composite web service
    • a finite set of peers: Investor (Inv), Stock
      Broker (SB), and Research Department (RD)
    • and a finite set of message classes: register,
      ack, cancel, accept, ...

[Figure: SAS peers and message classes. Investor (Inv) and Stock Broker (SB) exchange register, ack, cancel, accept, reject and bill; Stock Broker (SB) and Research Dept. (RD) exchange request, terminate and report.]
5
Communication Model
  • We assume that the messages among the peers are
    exchanged through reliable and asynchronous
    messaging
  • FIFO and unbounded message queues

[Figure: FIFO message queue between Stock Broker (SB) and Research Dept. (RD) holding req messages.]
  • This model is similar to industry efforts such as
    • JMS (Java Message Service)
    • MSMQ (Microsoft Message Queuing Service)

6
Conversations
  • A virtual watcher records the messages as they
    are sent

[Figure: Investor (Inv), Stock Broker (SB) and Research Dept. (RD) exchanging messages while a Watcher records them; messages shown: rep, acc, bil, reg, ack, req, ter.]
  • A conversation is a sequence of messages the
    watcher sees during an execution

7
Conversation Protocols
  • Conversation Protocol: an automaton that accepts
    the desired conversation set

[Figure: SAS conversation protocol automaton with states 1 to 12 and transitions labeled register, ack, cancel, request, reject, accept, bill, report and terminate.]
8
Properties of Conversations
  • The notion of conversation enables us to reason
    about temporal properties of the composite web
    services
  • The LTL framework extends naturally to conversations
  • LTL temporal operators:
    • X (neXt), U (Until), G (Globally), F (Future)
  • Atomic properties:
    • Predicates on message classes (or contents)
  • Example: G(accept → F bill)
  • Model checking problem: given an LTL property,
    does the conversation set satisfy the property?


9
Web Service Analysis Tool (WSAT)
[Figure: WSAT architecture. Front end: BPEL to GFSA translator (bottom-up) and GFSA parser for conversation protocols (top-down). Intermediate representation: guarded automata. Analysis: synchronizability analysis (bottom-up) and realizability analysis (top-down), each with success, fail and skip outcomes. Back end: GFSA to Promela with synchronous communication, GFSA to Promela with bounded queues, and GFSA to Promela as a single process with no communication.]
  • Friday 4:00pm, tool presentation at CAV
  • Demonstration Saturday (or anytime you find me
    with my laptop)

10
SAS Guarded Automata
Top-down {
  Schema {
    PeerList { Investor, Broker, ResearchDept },
    TypeList { Register ... , Accept ... },
    MessageList {
      register { Investor -> Broker Register },
      accept   { Broker -> Investor Accept },
      ...
    }
  },
  GProtocol {
    States { s1, s2, s3, s4, s5, s6, s7, s8, s9, s10, s11, s12 },
    InitialState { s1 },
    FinalStates { s4 },
    TransitionRelation {
      t1 { s1 -> s2 register, Guard { true } },
      t2 { s2 -> s5 accept,
           Guard { true => accept//orderID = register//orderID } },
      ...
    }
  }
}
11
XML (eXtensible Markup Language)
  • XML is a markup language like HTML
  • Similar to HTML, XML tags are written as
    • <tag> followed by </tag>
  • HTML vs. XML
    • In HTML, tags are used to describe the appearance
      of the data
      • <b> </b> <i> </i> ...
    • In XML, tags are used to describe the content of
      the data rather than the appearance
      • <date> </date> <address> </address>
  • XML documents can be modeled as trees where each
    internal node corresponds to a tag, and leaf
    nodes correspond to basic types

12
An XML Document and Its Tree
<Register>
  <investorID> VIP01 </investorID>
  <requestList>
    <stockID> 0001 </stockID>
    <stockID> 0002 </stockID>
  </requestList>
  <payment>
    <accountNum> 0425 </accountNum>
  </payment>
</Register>
13
MSL (Model Schema Language)
  • MSL is a language for defining XML data types
  • MSL captures core features of XML Schema
  • Basic MSL syntax
    • g ::= ε | b | t[g] | g{m,n} | g , g | g & g | g | g
    • g is an XML type (i.e., an MSL type expression)
    • ε is the empty sequence
    • b is a basic type such as string, boolean, int,
      etc.
    • t is a tag
    • m and n are positive integers
    • , & | are the MSL type constructors

14
MSL Semantics
  • t[g]
    denotes a type with root node labeled t with
    children of type g
  • g{m,n}
    denotes a sequence of size at least m and at most
    n where each member is of type g
  • g1 , g2
    denotes an ordered sequence where the first
    member is of type g1 and the second member is of
    type g2
  • g1 & g2
    denotes an unordered sequence where one member is
    of type g1 and the other member is of type g2
  • g1 | g2
    denotes a choice between type g1 and type g2,
    i.e., either type g1 or type g2, but not both

15
An MSL Type Declaration and an Instance
<Register>
  <investorID> VIP01 </investorID>
  <requestList>
    <stockID> 0001 </stockID>
    <stockID> 0002 </stockID>
  </requestList>
  <payment>
    <accountNum> 0425 </accountNum>
  </payment>
</Register>

Register[ investorID[string] ,
          requestList[ stockID[int]{1,3} ] ,
          payment[ creditCardNum[int] | accountNum[int] ] ]
16
Mapping MSL types to Promela
  • Restrictions: no unbounded or unordered
    sequences, no string manipulation
  • Basic types
    • integer and boolean types are mapped to the
      Promela basic types int and bool
    • strings are mapped to an enumerated type (mtype)
      in Promela
      • we only allow constant string values
  • Type constructors are handled using
    • structured types (declared using typedef) in
      Promela
    • or arrays

17
Example
typedef t1_investorID { mtype stringvalue }
typedef t2_stockID { int intvalue }
typedef t3_requestList { t2_stockID stockID[3]; int stockID_occ }
typedef t4_accountNum { int intvalue }
typedef t5_creditCard { int intvalue }
mtype { m_accountNum, m_creditCard }
typedef t6_payment { t4_accountNum accountNum;
                     t5_creditCard creditCard;
                     mtype choice }
typedef Register { t1_investorID investorID;
                   t3_requestList requestList;
                   t6_payment payment }

Register[ investorID[string] ,
          requestList[ stockID[int]{1,3} ] ,
          payment[ creditCardNum[int] | accountNum[int] ] ]
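As an added illustration of the mapping rules on slides 16 and 17 (example code written for this page, not WSAT's own translator), this Python sketch walks a small MSL type tree and emits Promela typedefs; the tuple encoding of MSL, the tN_tag naming and the mtype selector for a choice are assumptions chosen to mirror the slide's output, so field names differ slightly from the slide.

```python
# Added example (not WSAT code): map a restricted MSL type tree to Promela typedefs.
# MSL AST, constructed for this example: ("basic", "int"|"bool"|"string"), ("tag", t, g) for t[g],
# ("seq", [g1, g2, ...]) for g1 , g2, ("rep", g, m, n) for g{m,n}, ("choice", [g1, g2, ...]) for g1 | g2
BASIC = {"int": ("int", "intvalue"), "bool": ("bool", "boolvalue"),
         "string": ("mtype", "stringvalue")}   # strings become enumerated constants (mtype)

class MslToPromela:
    def __init__(self):
        self.out, self.counter = [], 0          # emitted declarations, typedef counter

    def fields(self, g):
        # Return the Promela field declarations for MSL type g; emits typedefs as a side effect
        kind = g[0]
        if kind == "basic":
            ptype, fname = BASIC[g[1]]
            return [f"{ptype} {fname}"]
        if kind == "tag":                       # t[g]: a typedef of its own, referenced by a field
            _, name, inner = g
            body = "; ".join(self.fields(inner))
            self.counter += 1
            tname = f"t{self.counter}_{name}"
            self.out.append(f"typedef {tname} {{ {body} }}")
            return [f"{tname} {name}"]
        if kind == "rep":                       # g{m,n}: bounded array of n plus an occurrence count
            _, inner, _min, n = g
            (decl,) = self.fields(inner)        # restriction: the repeated type is one tagged element
            ptype, fname = decl.split()
            return [f"{ptype} {fname}[{n}]", f"int {fname}_occ"]
        if kind == "seq":                       # g1 , g2: fields in order
            return [f for sub in g[1] for f in self.fields(sub)]
        if kind == "choice":                    # g1 | g2: every alternative plus an mtype selector
            fs = [f for sub in g[1] for f in self.fields(sub)]
            self.out.append("mtype { " + ", ".join("m_" + f.split()[1] for f in fs) + " }")
            return fs + ["mtype choice"]
        raise ValueError(f"unsupported MSL constructor {kind!r}")  # e.g. unordered '&'

    def translate(self, root_tag, g):
        # Emit the typedef chain for root_tag[g] and return it as Promela source text
        self.out.append(f"typedef {root_tag} {{ {'; '.join(self.fields(g))} }}")
        return "\n".join(self.out)

# The Register type from the slides, encoded as an MSL AST
REGISTER_MSL = ("seq", [
    ("tag", "investorID", ("basic", "string")),
    ("tag", "requestList", ("rep", ("tag", "stockID", ("basic", "int")), 1, 3)),
    ("tag", "payment", ("choice", [("tag", "creditCardNum", ("basic", "int")),
                                   ("tag", "accountNum", ("basic", "int"))])),
])

def promela_for_register():
    return MslToPromela().translate("Register", REGISTER_MSL)
```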
18
XPath
  • In order to write specifications or programs that
    manipulate XML documents we need
    • an expression language to access values and nodes
      in XML documents
  • XPath is a language for writing expressions
    (queries) that navigate through XML trees and
    return a set of answer nodes
  • An XPath query defines a function which
    • takes an XML tree and a context node (in the
      same tree) as input and
    • returns a set of nodes (in the same tree) as
      output

19
XPath Syntax
  • Basic XPath syntax
    • q ::= . | .. | * | b() | t | q / q | q // q | q[exp]
    • q is an XPath query
    • exp denotes a predicate on basic types, i.e., on
      the leaf nodes of the XML tree
    • b denotes a basic type such as string, boolean,
      int, etc.
    • t denotes a tag

20
XPath Semantics
  • XPath expressions are evaluated from left to right
  • Given an XML tree and a node n as the context node
    • . returns n
    • .. returns the parent of n
  • Given an XML tree and a set of nodes
    • * returns all the nodes
    • b() returns the nodes that are of basic type b
    • t returns the nodes which are labeled with tag
      t

21
XPath Semantics Contd.
  • Starting at the context node
    • q1 / q2 returns each node which matches q2
      starting at a child of a node which matches q1
    • q1 // q2 returns each node which matches q2
      starting at a descendant of a node which
      matches q1
    • (if q1 is missing, then start at the root)
    • q[exp] returns the nodes that match q and
      with children for which exp evaluates to true

22
Examples
  //payment/*
    returns the node labeled accountNum
  /Register/requestList/stockID/int()
    returns the nodes labeled 0001 and 0002
  //stockID[int() > 1]/int()
    returns the node labeled 0002
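To make the semantics on slides 19 to 22 concrete, here is an added Python evaluator for this restricted XPath subset (written for this page, not part of WSAT); the Node class, the tuple form of a query and the int_child helper are assumptions, and position()/last() are computed per context node, which is also how the Promela translation later on handles them.

```python
# Added example (not WSAT code): evaluator for the XPath subset on the slides, over the
# Register document, including the position() and last() predicates used in later slides.
class Node:
    def __init__(self, label, *children, value=None):
        self.label, self.value, self.parent = label, value, None   # label: tag or basic type
        self.children = list(children)
        for c in self.children:
            c.parent = self

def descendants(n):
    for c in n.children:
        yield c
        yield from descendants(c)

def int_child(n):   # value of the int() leaf below n, for predicates such as int() > 1
    return next((c.value for c in n.children if c.label == "int"), None)

def evaluate(tree, query, context=None):
    """query: list of steps (axis, test, predicates); axis is '/' or '//'; test is '.', '..',
    '*', a tag, or a basic type written like 'int()'; a predicate is f(node, position, last)."""
    nodes = [tree if context is None else context]     # no context node: start at the root
    for axis, test, preds in query:
        result = []
        for n in nodes:
            if test == ".":
                cands = [n]
            elif test == "..":
                cands = [n.parent] if n.parent else []
            else:
                cands = n.children if axis == "/" else list(descendants(n))
                cands = [c for c in cands if test == "*" or c.label == test.rstrip("()")]
            for pred in preds:   # position()/last() are relative to the nodes found from this n
                last = len(cands)
                cands = [c for pos, c in enumerate(cands, 1) if pred(c, pos, last)]
            result.extend(c for c in cands if c not in result)   # document order, no duplicates
        nodes = result
    return nodes

# Constructed instance of the slides' Register document (0001, 0002, 0425 stored as ints),
# placed under a document node so that /Register/... starts above the root element
DOC = Node("#document", Node("Register",
    Node("investorID", Node("string", value="VIP01")),
    Node("requestList", Node("stockID", Node("int", value=1)), Node("stockID", Node("int", value=2))),
    Node("payment", Node("accountNum", Node("int", value=425)))))

def stock_ids_above(threshold, last_only=False):
    # //stockID[int() > threshold][position() = last()]/int(); the second predicate is optional
    preds = [lambda n, pos, last: int_child(n) > threshold]
    if last_only:
        preds.append(lambda n, pos, last: pos == last)
    return [x.value for x in evaluate(DOC, [("//", "stockID", preds), ("/", "int()", [])])]
```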
23
XPath to Promela
  • Generate code that evaluates the XPath expression
  • Restrictions: no ancestor axis, no string
    expressions
  • Uses two data structures
    • Type tree: shows the structure of the
      corresponding MSL type
    • Abstract statements, which are mapped to Promela
      code
  • Traverse the XPath expression from left to right
    • Statements generated in each step are inserted
      into the BLANK spaces left in the code from the
      previous step
    • The type tree is used to keep track of the
      context of the generated code

24
Statement     Promela Code
IF(c)         if :: c -> BLANK :: else -> skip fi
FOR(v,l,h)    v = l - 1; do :: v < h -> BLANK; v++ :: else -> break od
EMPTY         BLANK
INC(v)        v++
SET(v,a)      v = a
25
Type Tree
Register
  investorID[string]
  requestList
    stockID[int]{1,3}
  payment  (choice: creditCardNum[int] | accountNum[int])
    creditCardNum[int]
    accountNum[int]
26
register//stockID[int() > 5][position() = last()]/int()

[Figure: step-by-step translation of the expression above. Statements shown: EMPTY, FOR(i1,1,3), IF(i2 = i3), and the predicate condition cond = v_register.requestList.stockID[i1] > 5; the statement generated in each step is inserted into the BLANK left by the previous step (Sequence, Insert).]
27
request//stockID = register//stockID[int() > 5][position() = last()]

/* result of the XPath expression */
bool bResult = false;
/* results of the predicates 1, 2, and 1 resp. */
bool bRes1, bRes2, bRes3;
/* index, position(), last(), index, position() */
int i1, i2, i3, i4, i5;
i2 = 1;
/* pre-calculate the value of last(), store in i3 */
i4 = 0; i5 = 1; i3 = 0;
do
:: i4 < v_register.requestList.stockID_occ ->
     /* compute first predicate */
     bRes3 = false;
     if
     :: v_register.requestList.stockID[i4].intvalue > 5 -> bRes3 = true
     :: else -> skip
     fi;
     /* record the position of this match, then advance the position counter */
     if
     :: bRes3 -> i3 = i5; i5++
     :: else -> skip
     fi;
     i4++
:: else -> break
od;
28
request//stockID = register//stockID[int() > 5][position() = last()]

i1 = 0;
do
:: i1 < v_register.requestList.stockID_occ ->
     bRes1 = false;
     if
     :: v_register.requestList.stockID[i1].intvalue > 5 -> bRes1 = true
     :: else -> skip
     fi;
     if
     :: bRes1 ->
          bRes2 = false;
          if
          :: (i2 == i3) -> bRes2 = true
          :: else -> skip
          fi;
          if
          :: bRes2 ->
               if
               :: (v_request.stockID.intvalue ==
                   v_register.requestList.stockID[i1].intvalue) -> bResult = true
               :: else -> skip
               fi
          :: else -> skip
          fi;
          i2++
     :: else -> skip
     fi;
     i1++
:: else -> break
od
29
Model Checking Using Promela
  • Error in the SAS conversation protocol
    • t14 { s8 -> s12 bill,
      Guard { request//stockID = register//stockID[position() = last()]
              => bill//orderID = register//orderID } }
  • A repeated stockID will cause an error
  • One can only discover these kinds of errors by
    analysis of XPath expressions

30
Related Work
  • Verification of web services
    • Simulation, verification, composition of web
      services using a Petri net model [Narayanan,
      McIlraith, WWW'02]
    • Using MSC to model BPEL web services which are
      translated to labeled transition systems and
      verified using model checking [Foster, Uchitel,
      Magee, Kramer, ASE'03]
    • Model checking Web Service Flow Language
      specifications using SPIN [Nakajima, ICWE'04]
    • BPEL verification using a process algebra model
      and Concurrency Workbench [Koshkina, van Breugel,
      TAV-WEB'04]

31
Related Work
  • Conversation specification
    • IBM Conversation support project
      http://www.research.ibm.com/convsupport/
    • Conversation support for business process
      integration [Hanson, Nandi, Kumaran, EDOC'02]

32
Future Work
  • Other input languages in the front end
    • WSCI, OWL-S
  • Other verification tools at the back end
    • SMV, Action Language Verifier
  • Symbolic representations for XML data
  • Abstraction for XML data and XML data manipulation

33
Current and Future Work
[Figure: current and future WSAT architecture. Front end (web service specification languages): translator for bottom-up specifications (BPEL), translator for top-down specifications (conversation protocols), WSCI, ... Intermediate representation: guarded automata / guarded automaton, with automated abstraction. Analysis: synchronizability analysis and realizability analysis, each with success, fail and skip outcomes. Back end (verification languages): translation with synchronous communication, translation with bounded queue, and translation with a single process and no communication, targeting Promela, Action Language, SMV, ...]