Diagnostic Information for Control-Flow Analysis of Workflow Graphs

Slides: 44
Diagnostic Information for Control-Flow Analysis of Workflow Graphs (aka Free-Choice Workflow Nets)
Cédric Favre (1, 2), Hagen Völzer (1), Peter Müller (2)
(1) IBM Research - Zurich
(2) ETH Zurich

Outline
• Problem - Control-flow analysis of business process models
• Contribution - Graphical in-model diagnostic information for control-flow errors
• Conclusion and Outlook

A Business Process Model (1/2) (figure)

A Business Process Model (2/2)
• Usage of a business process model
  - Execution on a process engine
  - Simulation
  - Documentation
• Up to 50% of the processes contain a control-flow error

Workflow Graph and Corresponding Free-Choice Workflow Net
• Workflow graph
  - control flow graph (flow chart) with unique source and sink
  - concurrent fork and join (besides alternative choice and merge)
  - maps the core of process languages, but not all

Control-Flow Errors / Soundness
• (Local) Deadlock
  - A token blocked in the graph (figure; labels: XOR-join, XOR-split)
• Lack of synchronization
  - Two tokens on one edge, aka unsafeness (figure; labels: AND-split, AND-join)
• Sound
  - no deadlock and
  - no lack of synchronization
• Soundness guarantees that the workflow terminates with a unique token on the sink (when loops are terminating)
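The two error types above can be checked directly on small graphs by exploring the reachable markings. The following is an added example, not code from the slides or from the authors' tool: it models a workflow graph with tokens on edges (XOR nodes consume one token and choose one outgoing edge, AND nodes wait for all incoming edges), explores markings breadth-first, and reports the first marking that has two tokens on one edge (lack of synchronization) or that has tokens left but nothing enabled (a global deadlock, which is a special case of the slides' local deadlock; a token stuck while another token cycles in a non-terminating loop is not reported). The three graphs at the end are constructed for the example.

```python
from collections import deque

# Constructed example graphs (not from the slides). A workflow graph is a dict
# node -> {"kind", "in", "out"}; kinds are "source", "sink", "xor" (choice/merge,
# plain tasks too) and "and" (fork/join). Tokens live on edges, as on the slides.

def build(nodes, edges):
    """nodes: {name: kind}; edges: list of (src, dst) pairs."""
    g = {n: {"kind": k, "in": [], "out": []} for n, k in nodes.items()}
    for s, d in edges:
        g[s]["out"].append((s, d))
        g[d]["in"].append((s, d))
    return g

def successors(g, marking):
    """Yield every marking reachable by firing one node in `marking`."""
    for n, info in g.items():
        if info["kind"] == "and":
            # fork/join: needs a token on every incoming edge, puts one on every outgoing edge
            if info["in"] and all(marking.get(e, 0) > 0 for e in info["in"]):
                m = dict(marking)
                for e in info["in"]:
                    m[e] -= 1
                for e in info["out"]:
                    m[e] = m.get(e, 0) + 1
                yield m
        elif info["kind"] == "xor":
            # choice/merge: consumes one token from one incoming edge, picks one outgoing edge
            for ei in info["in"]:
                if marking.get(ei, 0) > 0:
                    for eo in info["out"]:
                        m = dict(marking)
                        m[ei] -= 1
                        m[eo] = m.get(eo, 0) + 1
                        yield m

def check_soundness(g):
    """Breadth-first exploration of the reachable markings.
    Returns ("sound", None), ("lack_of_synchronization", marking) or ("deadlock", marking).
    The search stops at the first marking with two tokens on one edge, so every
    explored marking is a plain set of edges and the exploration is finite."""
    source = next(n for n, i in g.items() if i["kind"] == "source")
    sink = next(n for n, i in g.items() if i["kind"] == "sink")
    start = {g[source]["out"][0]: 1}
    final = frozenset({g[sink]["in"][0]})
    key = lambda m: frozenset(e for e, c in m.items() if c > 0)
    seen, queue = {key(start)}, deque([start])
    while queue:
        m = queue.popleft()
        succ = list(successors(g, m))
        if not succ and key(m) != final:
            return "deadlock", m   # tokens left, nothing can fire, not the final marking
        for m2 in succ:
            if any(c > 1 for c in m2.values()):
                return "lack_of_synchronization", m2
            if key(m2) not in seen:
                seen.add(key(m2))
                queue.append(m2)
    return "sound", None

# Constructed graphs: AND-fork/AND-join (sound), XOR-split/AND-join (deadlock),
# AND-split/XOR-join (lack of synchronization).
SOUND = build({"s": "source", "f": "and", "a": "xor", "b": "xor", "j": "and", "t": "sink"},
              [("s", "f"), ("f", "a"), ("f", "b"), ("a", "j"), ("b", "j"), ("j", "t")])
DEADLOCK = build({"s": "source", "x": "xor", "a": "xor", "b": "xor", "j": "and", "t": "sink"},
                 [("s", "x"), ("x", "a"), ("x", "b"), ("a", "j"), ("b", "j"), ("j", "t")])
LACK_OF_SYNC = build({"s": "source", "f": "and", "a": "xor", "b": "xor", "m": "xor", "t": "sink"},
                     [("s", "f"), ("f", "a"), ("f", "b"), ("a", "m"), ("b", "m"), ("m", "t")])

if __name__ == "__main__":
    for name, g in [("SOUND", SOUND), ("DEADLOCK", DEADLOCK), ("LACK_OF_SYNC", LACK_OF_SYNC)]:
        print(name, check_soundness(g))
```

The returned marking is the counterexample state the slides call a trace's end point; it is exactly the kind of diagnostic whose readability the talk later contrasts with graphical error patterns.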

Simplest Examples
• Sound (figure)
• Unsound (figure)

A Complex Sound Example (figure)

Workflow Graph and Corresponding Free-Choice Workflow Net
• A workflow graph is sound iff the connected version of the corresponding Petri net is
  - safe = no two tokens on the same place, and
  - live = from each reachable marking, for each transition t, a marking can be reached that enables t

Prior Work
• Approaches based on free-choice Petri net theory
  - polynomial time complexity (!)
  - no diagnostic information
• Approaches based on state space exploration
  - state space explosion (can be successfully addressed)
  - provide a counterexample trace as diagnostic information
    • detours/build-up not contributing to the error (esp. DFS)
    • arbitrary interleaving
    • difficult to visualize in the model in case of loops
    • Fahland, Lohmann [12]: heuristics can reduce the size of the trace by a factor of 10
    • not all modelers have a technical background

Anti-Patterns
• Modeling manuals show anti-patterns in terms of instructive examples

Problem
• Can we build graphical diagnostic information such that:
  - every error pattern implies unsoundness
  - unsoundness implies the existence of one of the error patterns
  - the patterns capture the essence of these simple examples

Outline
• Problem
• Contribution
• Conclusion and Outlook

Contribution
• New characterization of soundness in terms of offending graph structures, and
• Polynomial-time algorithm that
  - returns one of the graph structures for each unsound graph
• Experimental evaluation

Overview: Error Patterns
• Path to sink with AND-XOR handle
• Empty siphon
• DQ-siphon with XOR-AND handle

Handle
• A handle on a subgraph G is a directed path from an element a of G to another element b of G that is disjoint from G apart from its start and end
• "AND-XOR handle" refers to the logic of the start node and the end node
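The handle definition translates into a short search: from a node of G, follow edges that are not in G through nodes that are not in G until another node of G is reached. The code below is an added example, not the authors' implementation; it reuses the same node/edge representation as the soundness check earlier on this page (a `build` helper with kinds "source", "sink", "xor", "and") and lets the caller restrict the logic of the two end nodes, so the same function finds the AND/XOR and XOR/AND handles of the error patterns. The two graphs are constructed for the example: an AND-split/XOR-join graph, where the path from the split to the sink has an AND/XOR handle, and an XOR-split/AND-join graph, where the corresponding handle is XOR/AND and therefore not one.

```python
from collections import deque

def build(nodes, edges):
    """nodes: {name: kind}; edges: list of (src, dst). Same constructed format as above."""
    g = {n: {"kind": k, "in": [], "out": []} for n, k in nodes.items()}
    for s, d in edges:
        g[s]["out"].append((s, d))
        g[d]["in"].append((s, d))
    return g

def find_handle(g, sub_nodes, sub_edges, start_kind=None, end_kind=None):
    """Return a handle on the subgraph (sub_nodes, sub_edges) as a list of nodes, or None.
    A handle is a directed path a -> ... -> b with a != b both in the subgraph, whose
    interior nodes and all of whose edges lie outside the subgraph. start_kind/end_kind
    optionally require the logic of a and b, e.g. ("and", "xor") for an AND/XOR handle."""
    nodes, edges = set(sub_nodes), set(sub_edges)
    for a in sub_nodes:
        if start_kind and g[a]["kind"] != start_kind:
            continue
        parent, queue = {a: None}, deque([a])
        while queue:
            u = queue.popleft()
            for e in g[u]["out"]:
                if e in edges:
                    continue                    # edges of the subgraph are never part of a handle
                v = e[1]
                if v in nodes:
                    if v != a and (not end_kind or g[v]["kind"] == end_kind):
                        path, w = [v], u       # rebuild the path from the parent links
                        while w is not None:
                            path.append(w)
                            w = parent[w]
                        return path[::-1]
                    continue                    # re-entering the subgraph elsewhere: not a handle here
                if v not in parent:             # interior nodes must stay outside the subgraph
                    parent[v] = u
                    queue.append(v)
    return None

def and_xor_handle_on_path(g, path):
    """Error pattern (1/3): a path (list of nodes) with an AND/XOR handle, or None."""
    return find_handle(g, path, set(zip(path, path[1:])), "and", "xor")

# Constructed graphs (not from the slides).
LACK_OF_SYNC = build({"s": "source", "f": "and", "a": "xor", "b": "xor", "m": "xor", "t": "sink"},
                     [("s", "f"), ("f", "a"), ("f", "b"), ("a", "m"), ("b", "m"), ("m", "t")])
DEADLOCK = build({"s": "source", "x": "xor", "a": "xor", "b": "xor", "j": "and", "t": "sink"},
                 [("s", "x"), ("x", "a"), ("x", "b"), ("a", "j"), ("b", "j"), ("j", "t")])

if __name__ == "__main__":
    print(and_xor_handle_on_path(LACK_OF_SYNC, ["f", "a", "m", "t"]))   # a handle: pattern 1/3
    print(and_xor_handle_on_path(DEADLOCK, ["x", "a", "j", "t"]))       # None: handle is XOR/AND
    print(find_handle(DEADLOCK, ["x", "a", "j", "t"], {("x", "a"), ("a", "j"), ("j", "t")}))
```

Because the search never enqueues a node of G, every returned path is disjoint from G except at its endpoints, which is exactly the definition on the slide; the kind filter is what turns a plain handle into the typed AND/XOR or XOR/AND handle of the error patterns.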

Error Patterns (1/3)
• Path from some node to the sink with an AND/XOR handle (figure)

Siphon
• A subgraph G such that each transition that adds a token to G also takes a token from G
  - with an XOR node in G, all incoming edges belong to G
  - with an AND node in G, at least one incoming edge belongs to G
• An empty siphon will remain empty

Error Patterns (2/3)
• An empty siphon: a siphon that does not contain the source (figure)

DQ Siphon
• A DQ-siphon is a siphon G such that no AND-split has more than one outgoing edge in G
• (figure: not a DQ-siphon)
• The number of tokens is always 1 or less
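In Petri-net terms the siphon definition of the previous slides reads: a set of places S is a siphon iff every transition with an output place in S also has an input place in S. The following added example (not the authors' code) checks that condition, computes the largest siphon that contains no initially marked place by the usual greedy removal (start from all unmarked places and drop every place that some transition feeds without taking from the candidate set, until nothing changes; a non-empty result is an empty siphon in the sense of error pattern 2/3), and tests the DQ condition, i.e. that no transition (AND-split) has two output places inside the siphon. The net format and the three nets are constructed for the example.

```python
# Constructed Petri-net format (not from the slides): "places" is a set,
# "transitions" maps a name to (preset, postset) and "marking" maps place -> tokens.

def net(places, transitions, marking):
    return {"places": set(places),
            "transitions": {t: (frozenset(pre), frozenset(post))
                            for t, (pre, post) in transitions.items()},
            "marking": dict(marking)}

def is_siphon(n, places):
    """S is a siphon iff every transition that puts a token into S also takes one from S."""
    S = set(places)
    return all(bool(pre & S) for pre, post in n["transitions"].values() if post & S)

def largest_unmarked_siphon(n):
    """Greedy fixpoint: a place fed by a transition whose preset misses the candidate
    set cannot belong to any siphon inside it, so remove it and repeat. The result is
    the largest siphon containing no initially marked place (empty if there is none)."""
    S = {p for p in n["places"] if n["marking"].get(p, 0) == 0}
    changed = True
    while changed:
        changed = False
        for pre, post in n["transitions"].values():
            if (post & S) and not (pre & S):
                S -= post
                changed = True
    return S

def is_dq_siphon(n, places):
    """DQ-siphon: a siphon in which no transition has more than one output place."""
    S = set(places)
    return is_siphon(n, S) and all(len(post & S) <= 1 for _, post in n["transitions"].values())

# Constructed nets. SEQUENCE: sound. LOOP_JOIN: an AND-join whose second input p2 is
# only fed from behind the join, so {p2, o, f} is an empty siphon. FORK: an AND-split
# with two outputs, so the set of all places is a siphon but not a DQ-siphon.
SEQUENCE = net(["i", "p", "f"],
               {"t1": (["i"], ["p"]), "t2": (["p"], ["f"])}, {"i": 1})
LOOP_JOIN = net(["i", "p1", "p2", "o", "f"],
                {"t1": (["i"], ["p1"]), "join": (["p1", "p2"], ["o"]),
                 "back": (["o"], ["p2"]), "t4": (["o"], ["f"])}, {"i": 1})
FORK = net(["i", "a", "b", "a2", "b2", "f"],
           {"fork": (["i"], ["a", "b"]), "ta": (["a"], ["a2"]), "tb": (["b"], ["b2"]),
            "join": (["a2", "b2"], ["f"])}, {"i": 1})

if __name__ == "__main__":
    print("SEQUENCE  empty siphon:", largest_unmarked_siphon(SEQUENCE) or None)
    print("LOOP_JOIN empty siphon:", largest_unmarked_siphon(LOOP_JOIN))
    print("FORK all places DQ-siphon:", is_dq_siphon(FORK, FORK["places"]))
```

The removal loop is polynomial (each pass either removes a place or terminates), which is why the "check for empty siphons" step of the algorithms later in the deck is cheap; the siphon it returns is itself the graphical diagnostic, since it can be highlighted in the model.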

Error Patterns (3/3)
• A DQ-siphon with an XOR/AND handle (figure)

Structural Characterization of Soundness
• A workflow graph is unsound iff one of the following statements holds:
  1. There exists a siphon that is not initially marked
  2. There exists a DQ-siphon with an XOR/AND handle
  3. There exists a simple path to the sink with an AND/XOR handle

Strongly Related to and Making Use of
• Esparza/Silva [9] characterization:
  - A strongly connected free-choice net is safe and live iff none of the following exist:
    • an empty siphon
    • a circuit with a T/P handle
    • a circuit with a P/T handle without bridges

Contribution
• New characterization of soundness in terms of offending graph structures, and
• Polynomial-time algorithm that
  - returns one of the graph structures for each unsound graph
• Experimental evaluation

Known Algorithm - Based on the Rank Theorem (flow chart)
• Check for empty siphons → unsound
• Decomposition into S-components → unsound
• Check rank equation → sound / unsound

New Algorithm (flow chart)
• Check for empty siphons → empty (siphon found)
• Decomposition into S-components
• Check rank equation → sound / unsound
• unsound → Reduce & decompose into S-components

Decomposition into S-Components
• A sound graph is decomposable into sequential components
• Each S-component always has exactly one token
• The decomposition can be computed in polynomial time

Another Sound Example (figure)

A Minimal Siphon Generates an S-Component (in a Sound Graph)
• A minimal siphon that is not an S-component contains: (figure) or (figure)
• From which we obtain an error pattern: (figure)


Lucky Decomposition Failure of an Unsound Graph (figure)

Unlucky Decomposition Success of the Same Graph (figure)

A Reduction Step (figure)

Decomposition Failure on Reduced Graph
• Decomposition failure (figure)
• Error pattern generated (figure)
• Error pattern on the original graph (figure)

Algorithm - Conclusion
• Prove that reduction eventually leads to a graph that is not decomposable
• Prove that error patterns in the reduced graph are valid in the original (unreduced) graph
• Soundness of N can be decided in time O(|P|² · max(|P|, |T|)³) such that the algorithm returns one of the structural error patterns in case N is unsound.

Contribution
• New characterization of soundness in terms of offending graph structures, and
• Polynomial-time algorithm such that
• Experimental evaluation

Experimental Evaluation - Data Set
- 1353 (703 unique original) business process models from the financial domain
- Average number of nodes between 89 and 107 per library
- Several large nets with up to 627 nodes
- 47 nets from library B 3 have 200 or more nodes
- Some models have state spaces with more than 1 million states
- We validated the correctness of the results with other model checkers

Results
• Fast enough to support demanding use cases
  - checking while modeling
  - checking while loading entire libraries into the workspace
• 2-6 times faster than some state space exploration approaches
  - but those were already fast enough for most use cases

Visualization in Modeling Tool (figure)

Outline
• Problem
• Contribution
• Conclusion and Outlook

Conclusion
• Graphical in-model diagnostic information can be obtained in polynomial time
  - avoiding some problems of traces
• Limited expressiveness of free-choice (e.g. no races) allows for polynomial-time verification
  - sufficient for the data set in the case study
  - still applicable in more expressive BPMN models
• Can be combined with SESE decomposition for further error localization (and speed-up)

SESE Decomposition
• Can be done in linear time
• Soundness is compositional w.r.t. SESE blocks
• Errors can be localized to a SESE block

What Is Still Missing
• User study
• Soundness under data (except one first paper)
• Control-flow errors due to message/event passing across processes (orthogonal)