This preview has intentionally blurred sections. Sign up to view the full version.
View Full DocumentThis preview has intentionally blurred sections. Sign up to view the full version.
View Full DocumentThis preview has intentionally blurred sections. Sign up to view the full version.
View Full Document
Unformatted text preview: Networks and Processes (WS 2006/07)
Stefan Schwoon
Software Reliability and Security Group (SZS) Institute of Formal Methods in Computer Science (FMI) University of Stuttgart Networks and Processes
Lectures: V47.05: Thu 14:0015:30 + Thu 15:4517:15 (every two weeks), Stefan Schwoon, [email protected] Office hour Tue 14:3015:30, CS building, room 1.342 Exercises: V47.05: Thu 15:4517:15 (every other week), Dejvuth Suwimonteerabuth (Remy), [email protected] Office hour Tue 14:3015:30, CS building, room 1.352 Credits: Lectures (3 credits) + Exercises (1 credit): Written exam at the end of the course Exercises are voluntary, but we recommend doing them anyway. 2 Announcements Home page: http://www.fmi.unistuttgart.de/szs/teaching/ws0607/nets/ Lecture notes (including LaTeX sources) Biweekly exercises Email list (to be collected): Urgent announcements (sudden schedule changes, etc.) 3 Intended Audience
Infotech students
Selected Required course for CEMT majors Required Elective for ESE majors Elektrotechnik students
The course has the official title Netze und Prozesse. Mandatory course (Pflichtfach) in Vertiefungslinie 10 (Telematik und Kommunikationsnetze) Wahlpflicht course in Vertiefungslinie 4 (Automatisierungs und Softwaretechnik) Informatik/Softwaretechnik students Course in the Vertiefungslinie Sichere und Zuverlassige Softwaresysteme (as an alternative to the Model Checking course there). 4 Teaching material The outline of the course will follow last year's course, but parts of it will be new or different from last year. The (revised) slides will be made available as the course progresses. The material is partly based on the course "Parallel and Distributed Digital Systems" at Helsinki University of Technology, by Marko Makela, Teemu Tynjala, Keijo Heljanko, and Johan Lilius. Other parts are based on previous Networks & Processes courses given by Volker Diekert and Holger Austinat. 5 Prerequisites The course is mostly selfcontained; basically, the slides should allow you to follow the course. Additional literature will be given for (voluntary) background reading. Assumed mathematical background: Basic knowledge of logics, discrete mathematics, graphs, . . . 6 Section 1: Introduction Motivation
Engineers build or design things: Bridges, chips, communication equipment, protocols, software, . . . Goal: Products must work correctly. Objective: Develop techniques for verifying the correctness of hardware and software systems using formal methods. Formal methods = Systems described as mathematical objects Prove that a system works as designed In this course we will teach the mathematical background behind some of the techniques.
8 Why formal methods? Computers invade more and more aspects of our lives (home PCs, mobile phones, car electronics, . . . ) Software becomes increasingly more complex. Therefore: Producing bugfree software becomes more difficult. Formal methods allow to handle difficult characteristics such as nondeterminism, concurrency etc, where bugs are difficult to detect by testing. 9 Some (in)famous bugs The cost of bugs can be enormous (economic, reputation, even human lives): Floating point error in Pentium processor (1994) Bugs in securityrelated communication protocols Errors in space missions: Ariane 5, Mars polar lander 10 Ariane 5 crash (1996) The launcher began to disintegrate at about 39 seconds because of high aerodynamic loads resulting from an angle of attack of more than 20 degrees. 11 The cause The angle of attack was caused by incorrect altitude data following a software exception. The software exception was raised by an overflow in the conversion of a 64bit floatingpoint number to a 16bit signed integer value. The result was an operand error. The operand error occurred because of an unexpected high value of the horizontal velocity sensed by the platform. The value was much higher than expected because the early part of the trajectory of Ariane 5 differs from that of Ariane 4 and results in higher horizontal velocity values. Direct cost 500.000.000 EUR, indirect cost 2.000.000.000 EUR 12 Loss of Mars Climate Orbiter (1999) Cause: unchecked type mismatch of metric and imperial units 13 Are formal methods a silver bullet?
No  we can't hope to automatically analyse arbitrary properties of arbitrary programs, because they are too large; the problems may actually be undecidable in principle. Thus, formal efforts are concentrated on: critical parts of systems; decidable subclasses of systems or properties. 14 The objective of the course The course aims to give the necessary skills for modelling parallel and distributed systems, specifying requirements for them, and for verifying these requirements hold on these systems. Modelling: Petri nets, transition systems and process algebra Specifying: formulae in temporal logic Verifying: reachability analysis, model checking, automata theoretic methods 15 Parallel and distributed systems: Characteristics
parallel: multiple processes act simultaneously (concurrently), distributed: processes may cooperate to achieve a goal A distributed system is one on which I cannot get any work done, because a machine I have never heard of has crashed. L. Lamport communication: the processes exchange messages (synchronously or asynchronously) reactive: the system operates continuously, reacting on external events (rather than computing one result and then terminating) nondeterminism: there are alternative execution orders (stemming from concurrency, or from incomplete system description)
16 Parallel and distributed systems: Problems
Systems with inherent parallelism often are so complex that they simply cannot be built by trialanderror. Some problems caused by the specific nature of these systems are: nondeterminism: All possible execution sequences need to be considered to prove correctness of a system. communication: synchronous: parties may deadlock while waiting for another party. asynchronous: message transmission may be unreliable, messages may arrive at any time (including at inconvenient times)
17 Parallel and distributed systems: Problems
reactivity: need to consider potentially infinite executions. distribution: operating in an unknown environment number of processes (e.g. participants in a protocol) may be unknown behaviour of other components may be unknown 18 Parallel and distributed systems: what for? They arise naturally, e.g. network file system, telecommunication systems, car electronics, . . . Speeding up: it is cheaper to obtain many slow processors than a superfast one, and the speed of the fastest available processor may be inadequate for the application Redundancy: the system remains operational during maintenance breaks and partial hardware failures, or during large accidents and acts of war (geographical distribution, ArpaNet) Modularity: it may be easier to manage several specialised processes than a single complex process that takes care of everything 19 Specifications: properties of systems
Safety: "The system never reaches a bad state"; some property holds throughout the execution. Examples: deadlock freedom, mutual exclusion, . . . Liveness: "There is progress in the system"; some actions occur infinitely often. Inevitability: "Eventually, something will happen." Response: "Whenever X occurs, Y will eventually occur." Examples: sent messages are eventually received, each request is served Fairness assumptions: "X holds, assuming that no process is starved of CPU time."
20 Example: Dining philosophers
There are philosophers sitting around a round table. There are forks on the table, one between each pair of philosophers. 4 3 1 2 The philosophers want to eat spaghetti from a large bowl in the center of the table.
21 Unfortunately the spaghetti is of a particularly slippery type, and a philosopher needs both forks in order to eat it. The philosophers have agreed on the following protocol to obtain the forks: Initially philosophers think about philosophy, when they get hungry they do the following: (1) take the left fork, (2) take the right fork and start eating, (3) return both forks simultaneously, and repeat from the beginning 22 Dining philosophers: Questions Safety: Can the protocol deadlock? (Can the philosophers starve?) Response: If a philosopher wants to eat, can he obtain the forks eventually? Fairness: Can all philosophers eat eventually, assuming that none of them keeps eating forever ? 23 Specifying systems A system specification captures the assumptions and requirements of the operations. Specifications should be unambiguous but not necessarily complete. (The specification only describes the crucial requirements, leaving some freedom to the designer.) Specifications describe the allowed computations (or executions). A specification is a "contract" between the customer and the software supplier. In our setting, specifications are formal descriptions of systems. 24 Advantages of formal description techniques Unambiguity: specifications with precise mathematical meaning instead of colloquial language Correctness: automated verification that the system fulfils its requirements Consistency: inconsistent or unreasonable requirements can be detected from specifications in an early phase Reuse: abstract specifications are highly independent of software and hardware environments, and the same solutions work in different projects ("design patterns"). 25 Applications for the methods
Communication verifying and testing communication protocols evaluating the performance (queueing times, throughput, . . . ) Safetycritical systems railroad interlocking aircraft and air traffic control systems Hardware design processors, peripheral interfaces, memory caches and buses (verification of Pentium 4 FPU logic)
26 Modelling Two examples: Dining philosophers, modeled using a Petri net. AlternatingBit protocol, modeled using different formalisms, e.g. pseudocode and communicating automata. 27 Petri nets
Petri nets are a basic model of parallel and distributed systems, designed by Carl Adam Petri in 1962 in his PhD Thesis: "Kommunikation mit Automaten". The basic idea is to describe state changes in a system with transitions. s1 d d s3 t d d s4 s2 Petri nets contain places (Stelle) and transitions connected by directed arcs. (Transition) that may be Places symbolise states, conditions, or resources that need to be met/be available before an action can be carried out. Transitions symbolise actions.
28 Behaviour of Petri nets
Places may contain tokens that may move to other places by executing ("firing") actions. A token on a place means that the corresponding condition is fulfilled or that a resource is available: s1 } d d s3 } t d d s4 s2 In the example, transition t may "fire" if there are tokens on places s1 and s3. Firing t will remove those tokens and place new tokens on s2 and s4. 29 Example: Dining philosophers (revisited)
There are philosophers sitting around a round table. There are forks on the table, one between each pair of philosophers. 4 3 1 2 The philosophers want to eat spaghetti from a large bowl in the center of the table.
30 Dining philosophers: Petri net
' ' $ $ forks d T d d dd c eating thinking c E E b4 E w E l3 r4 b3 d s d dd d dd d d d ' l4 ' c thinking w w eating T ' r3 ' c fork dd d d w ' l1 ' b1 Td thinking w s d E r1 T c E d dd d fork w & eating E l2 T thinking
w & % b2 ' c w dd ' fork d dd eating r2 T E % 31 Section 2: Petri Nets Literature about Petri Nets
The course aims to be selfcontained, but a lot of literature about Petri nets is available, for instance: Reisig, Elements of Distributed Algorithms: Modelling and Analysis with Petri Nets, Springer, 1998 Reisig, Petrinetze: Eine Einfuhrung, Springer, 1986 Tools: The PEP tool http://theoretica.informatik.unioldenburg.de/pep/ Internet resources: Petri Nets World http://www.informatik.unihamburg.de/TGI/PetriNets/
33 2.1: Place/Transition Nets Place/Transition Nets
Let us study Petri nets and their firing rule in more detail: A place may contain several tokens, which may be interpreted as resources. There may be several input and output arcs between a place and a transition. The number of these arcs is represented as the weight of a single arc. A transition is enabled if its each input place contains at least as many tokens as the corresponding input arc weight indicates. When an enabled transition is fired, its input arc weights are subtracted from the input place markings and its output arc weights are added to the output place markings. 35 Place/Transition Net (Definition 2.1) A Place/Transition Net (P/T net) is a tuple N = P, T , F , W , M0 , where P is a finite set of places, T is a finite set of transitions, the places P and transitions T are disjoint (P T = ), F (P T ) (T P) is the flow relation, W : ((P T ) (T P)) I is the arc weight mapping N (where W (f ) = 0 for all f F , and W (f ) > 0 for all f F ), and / M0 : P I is the initial marking representing the initial distribution of tokens. N 36 P/T nets: Remarks (Definition 2.2) If p, t F for a transition t and a place p, then p is an input place of t, If t, p F for a transition t and a place p, then p is an output place of t, Let a P T . The set a = {a  a , a F } is called the preset of a, and the set a = {a  a, a F } is its postset. When drawing a Petri net, we usually omit arc weights of 1. Also, we may either denote tokens on a place either by black circles, or by a number. 37 Place/Transition Net: Example
'$ p1 v v &% d2 t d 2E '$ p3
&% p2 '$ v v v v v &% The place/transition net P, T , F , W , M0 above is defined as follows: P = {p1, p2, p3}, T = {t}, F = { p1, t , p2, t , t, p3 }, W = { p1, t 2, p2, t 1, t, p3 2}, M0 = {p1 2, p2 5, p3 0}.
38 Alternative definitions Sometimes the notation S (for Stellen) is used instead of P (for places) in the definition of Place/Transition nets. Some definitions also use the notion of a place capacity (the maximum number of tokens allowed in a place, possibly unbounded). Place capacities can be simulated by adding some additional places to the net (we will see how later), and thus for simplicity we will not define them in this course. Some definitions allow tokens to have colours. (E.g., a token carries some information with it.) Such models are called coloured Petri nets or highlevel nets. We shall look at them later. 39 Notation for markings Often we will fix an order on the places (e.g., matching the place numbering), and write, e.g., M0 = 2, 5, 0 instead. When no place contains more than one token, markings are in fact sets, in which case we often use set notation and write instead M0 = {p5, p7, p8}. Alternatively, we could denote a marking as a multiset, e.g. M0 = {p1, p1, p2, p2, p2, p2, p2}. The notation M(p) denotes the number of tokens in place p in marking M. 40 The firing rule (Definition 2.3) Let P, T , F , W , M0 be a Place/Transition net and M : P I one of its N markings. Firing condition: Transition t T is Menabled (or: enabled in M), written M , iff p t : M(p) W (p, t).
t Firing rule: An Menabled transition t may fire, producing the successor marking M , written M  M , where p P : M (p) = M(p)  W (p, t) + W (t, p).
41 t The firing rule of Place/Transition Nets: Example
'$ p1 &% 2 dd t '$ p2 Marking M 2E '$ p3
&% &% M  enabled disabled disabled t M {p1 0, p2 4, p3 2} {p1 2, p2 5, p3 0} {p1 0, p2 4, p3 2} {p1 1, p2 5, p3 0}
t Note: If M  M , then we call M the successor marking of M. 42 Reachable markings (Definition 2.4) Let M be a marking of a Place/Transition net N = P, T , F , W , M0 . The set of markings reachable from M (the reachability set of M, written reach (M)), is the smallest set of markings such that: 1. M reach (M ), and 2. if M  M for some t T , M reach (M), then M reach (M). Let M be a set of markings. The previous notation is extended to sets of markings in the obvious way:
t reach (M) = MM reach (M) The set of reachable markings reach (N) of a net N = P, T , F , W , M0 is defined to be reach (M0).
43 Reachability Graph (Definition 2.5) The reachability graph of a place/transition net N = P, T , F , W , M0 is a rooted, directed graph G = V , E, v0 , where V = reach (N) is the set of vertices, i.e. each reachable marking is a vertex; v0 = M0, i.e. the initial marking is the root node; E = M, t, M M V and M  M is the set of edges, i.e. there is an edge from each marking (resp. vertex) M to each of its successor markings, and the edge is labelled with the firing transition.
t 44 Reachability Graph: Example v & v p2 t2 E E $ p4 1, 0, 0, 1, 0 d sd d t1 t2dd 0, 0, 1, 1, 0 0, 0, 0, 0, 1 E
t1 E E c
t3 E p1 p3 p5 sd d d t2dd > 1, 1, 0, 0, 0 d t1 0, 1, 1, 0, 0 d t3 The weight of each arc is 1. The graph shows that t3 cannot be fired if t2 is fired before t1. Thus, intuitively speaking, t1 and t2 are not independent, even though their presets and postsets are mutually disjunct. 45 Computing the reachability graph
R EACHABILITYG RAPH( P, T , F , W , M0 ) 1 V , E, v0 := {M0}, , M0 ; 2 Work : set := {M0}; 3 while Work = 4 do select M from Work ; 5 Work := Work \ {M}; 6 for t enabled(M) 7 do M := fire(M, t); 8 if M V / 9 then V := V {M } 10 Work := Work {M }; 11 E := E { M, t, M }; 12 return V , E, v0 ; (Algorithm 2.6) The algorithm makes use of two functions: t enabled(M) := {t  M } fire(M, t) := M t if M  M The set Work may be implemented as a stack, in which case the graph will be constructed in a depthfirst manner, or as a queue for breadthfirst. Breadth first search will find the shortest transition path from the initial marking to a given (erroneous) marking. Some applications require depth first search.
46 Reachability Graph: Termination In general, the algorithm may not terminate! This is because the graph may be infinite. Example: Example:
p1 t p2 The reachable markings in this net are 1, 0 , 1, 1 , 1, 2 , . . . It is quite straightforward to see that the graph is finite if and only if we can put a bound on the number of tokens in reachable markings. 47 kSafeness (Definition 2.7) Definition: Let N be a net. If no reachable marking of N can contain more than k tokens in any place (where k 0 is some constant), then N is said to be k safe. Example (1): The following net is 1safe. v & v p2 t2 E E $ p4 E
t1 E E c
t3 E p1 p3 p5 Example (2): The net from the previous slide is not k safe for any k .
48 ksafeness and Termination A k safe net has at most (k + 1)P reachable markings; for 1safe nets, the limit is 2P. In this case, there are finitely many reachable markings, and the construction of the reachability graph terminates. On the other hand, if a net is not ksafe for any k, then there are infinitely many markings, and the construction will not terminate. 49 Use of reachability graphs In practice, all analysis tools and methods for Petri nets compute (some representation of) the reachability graph. The reachability graph can be effectively computed if the net is ksafe for some k. If the net is not k safe for any k , we may compute the coverability graph instead (see upcoming slides). 50 2.2: Coverability graphs Example
Consider the following (slightly inept) attempt at modelling a traffic light:
p1 (red light) R > RY Y > R p2 (yellow light) RY > G G > Y p3 (green light) 52 Coverability Graphs The reachability graph of the preceding net is infinite. As we have mentioned before, the algorithm for computing the reachability graph will not terminate in this case. We will show the construction of a different graph: the socalled coverability graph. The coverability graph has the following properties:
It can be used to find out whether the reachability graph is infinte. It is always finite, and its construction always terminates. It gathers some information about reachable markings. However, it is slightly more complicated than the reachability graph! 53 Computing with First we introduce a new symbol to represent "arbitrarily many" tokens. We extend the arithmetic on natural numbers with as follows. For all n I N: n + = + n = , + = ,  n = , 0 = 0, = , n 1 n = n = , n , and . Note:  remains undefined, but we will not need it. 54 Markings (Definition 2.8) We extend the notion of markings to markings. In an marking, each place p will either have n I tokens, or tokens (arbitrarily many). N Note: This is a technical definition that we will need for constructing the coverability graph! The nets that we use only have finite markings. An marking such as (1, , 0) can also be interpreted as the set of (non)markings that have one token on the first place, no token on the third place, an any number of tokens on the second place. 55 Firing Rule with markings
The firing condition and firing rule (reproduced below) neatly extend to markings with the extended arithmetic rules:
Firing condition: Transition t T is Menabled, written M , iff p t : M(p) W (p, t). Firing rule: An Menabled transition t may fire, producing the successor marking M , where p P : M (p) = M(p)  W (p, t) + W (t, p).
t If a transition has a place with tokens in its preset, that place is considered to have sufficiently many tokens for the transition to fire, regardless of the arc weight. If a place contains an marking, then firing any transition connected with an arc to that place will not change its marking.
56 Definition of Covering (Definition 2.9) An marking M covers an marking M, denoted M M , iff p P : M(p) M (p). An marking M strictly covers an marking M, denoted M < M , iff MM and M = M. 57 Coverability and Transition Sequences (1/2)
Observation: Let M and M be two markings such that M M . Then for all transitions t, the following holds: If M  then M . In other words, if M has at least as many tokens as M has (on each place), then M enables at least the same transitions as M does. This observation can be extended to sequences of transitions:
2 Define M 1 M to denote: n M1, M2, . . . , Mn : M  M1  M2  Mn = M . t t t t ...tn t1 t2 t 2 Now, if M 1 and M M , then M t t ...tn t1 t2 ...tn  .
58 Coverability and Transition Sequences (2/2) Let M, M be markings such that M < M , and assume that there is a sequence of transitions such that M  M holds. Thus, there is a marking M with M
t1 t2 ...tn t1 t2 ...tn  M . Let M := M  M (placewise difference). Because M < M , the values of M are nonnegative and at least one value is nonzero. Clearly, M = M + M = M + 2M. M t1 t2 ... tn M'
+ t1 t2 ... tn M''
+2 ... = ... = = 59 By firing the transition sequence t1t2 . . . tn repeatedly we can "pump" an arbitrary number of tokens to all the places having a nonzero marking in M. The basic idea for constructing the coverability graph is now to replace the marking M with a marking where all the places with nonzero tokens in M are replaced by . 60 Coverability Graph Algorithm (1/2) (Algorithm 2.10) The coverability graph alC OVERABILITYG RAPH( P, T , F , W , M0 ) gorithm is almost exactly 1 V , E, v0 := {M0}, , M0 ; the same as the reachability 2 Work : set := {M0}; graph algorithm, with the ad3 while Work = 4 do select M from Work ; dition of the call to subroutine 5 Work := Work \ {M}; AddOmegas(M, t, M , V , E), 6 for t enabled(M) where all the details w.r.t. cover7 do M := fire(M, t); ability graphs are contained. As 8 M := AddOmegas(M, t, M , V , E); for the implementation of Work , 9 if M V / the same comments as for the 10 then V := V {M } reachability graph apply. 11 Work := Work {M }; 12 E := E { M, t, M }; 13 return V , E, v0 ; 61 Coverability Graph Algorithm (2/2)
The following notation us used in the AddOmegas subroutine: M M iff the coverability graph currently contains a path (including the empty path!) leading from M to M. A DD O MEGAS(M, t, M , V , E) 1 repeat saved := M ; 2 for all M V s.t. M M 3 do if M < M 4 then M := M + ((M  M ) ); 5 until saved = M ; 6 return M ; In other words, repeated check all the predecessor markings of the new marking M to see if they are strictly covered by M . Line 5 causes all places whose number of tokens in M is strictly larger than in the "parent" M to contain .
62 Reachability and coverability graphs: Comparison (1) Let N = P, T , F , W , M0 be a net. The reachability graph has the following fundamental property: A marking M of N is reachable if and only if M is a vertex of the reachability graph of N. The coverability graph has the following fundamental property: If a marking M of N is reachable, then M is covered by some vertex of the coverability graph of N. Notice that the first property is an equivalence, the second one an implication! 63 More specifically, the reverse implication does not hold: A marking that is covered by some vertex of the coverability graph is not necessarily reachable, as shown by the following example: <1> 1 t1 3 t1 <> t1 In the net, only markings with an odd number of tokens are reachable, but markings with an even number of tokens are also covered. 64 Reachability and coverability graphs: Comparison (2) The construction of the reachability graph may not terminate. It terminates if and only if N is bounded. The construction of the coverability graph always terminates. If N is bounded, then the coverabilibility graph is identical to the reachability graph. 65 Reachability and coverability graphs: Comparison (3) The reachability graph captures exact information about the reachable markings (but its computation may not terminate). The coverability graph computes an overapproximation (but remains exact as long as the number of markings is finite). 66 Reachability and coverability graphs: Comparison (4) Reachability graphs are unique, i.e. for a given net there is exactly one reachability graph (modulo isomorphism). Coverability graphs are not unique, i.e. for a given net there may be more than one coverability graph, depending on the order of the worklist and the order in which firing transitions are considered. 67 2.3: Example: A Logical Puzzle A Puzzle
A man is travelling with a wolf, a goat, and a cabbage. The four come to a river that they must cross. There is a boat available for crossing the river, but it can carry only the man and at most one other object. The wolf may eat the goat when the man is not around, and the goat may eat the cabbage when unattended. Can the man bring everyone across the river without endangering the goat or the cabbage? And if so, how? Man Wolf River Goat Cabbage 69 Example: Modeling We are going to model the situation with a Petri net. The puzzle mentions the following objects:
Man, wolf, goat, cabbage, boat. Both can be on either side of the river. The puzzle mentions the following actions:
Crossing the river, wolf eats goat, goat eats cabbage. Objects and their states are modeled by places. Actions are modeled by transitions. Actually, we can omit the boat, because it is always going to be on the same side as the man.
70 Example: Places Left bank Man ML Right bank Man MR Wolf WL WR Wolf Goat GL GR Goat Cabbage CL CR Cabbage 71 Crossing the river (left to right) Left bank Man ML MLR Right bank Man MR Wolf WL WR Wolf Goat GL GR Goat Cabbage CL CR Cabbage 72 Crossing the river (left to right) Left bank Man ML MLR Right bank Man MR Wolf WL WLR WR Wolf Goat GL GR Goat Cabbage CL CR Cabbage 73 Crossing the river (left to right) Left bank Man ML MLR Right bank Man MR Wolf WL WLR WR Wolf Goat GL GLR GR Goat Cabbage CL CLR CR Cabbage 74 Crossing the river (right to left) Left bank Man ML MRL Right bank Man MR Wolf WL WRL WR Wolf Goat GL GRL GR Goat Cabbage CL CRL CR Cabbage 75 Wolf eats goat Left bank Man ML Right bank Man MR Wolf WL WGL Goat GL GR WR Wolf Goat Cabbage CL CR Cabbage 76 Wolf eats goat, goat eats cabbage Left bank Man ML Right bank Man MR Wolf WL WGL Goat GL CGL CGR GR WGR WR Wolf Goat Cabbage CL CR Cabbage 77 Example: Specification
To solve the problem using the Petri net, we need to translate the questions "Can the man bring everyone across the river without endangering the goat or the cabbage? And if so, how?" into properties of the Petri net. "Can the man bring everyone across the river?" Is the marking {MR, WR, GR, CR} reachable from {ML, WL, GL, CL}? ". . . without endangering the goat or the cabbage?" We need to avoid states in which one of the eating transitions is enabled. "How?" Give a path that leads from one marking to the other. (Optionally: Find shortest path.)
78 Example: Specification
To solve the problem using the Petri net, we need to translate the questions "Can the man bring everyone across the river without endangering the goat or the cabbage? And if so, how?" into properties of the Petri net. "Can the man bring everyone across the river?" Is the marking {MR, WR, GR, CR} reachable from {ML, WL, GL, CL}? ". . . without endangering the goat or the cabbage?" We need to avoid states in which one of the eating transitions is enabled. "How?" Give a path that leads from one marking to the other. (Optionally: Find shortest path.)
79 Example: Specification
To solve the problem using the Petri net, we need to translate the questions "Can the man bring everyone across the river without endangering the goat or the cabbage? And if so, how?" into properties of the Petri net. "Can the man bring everyone across the river?" Is the marking {MR, WR, GR, CR} reachable from {ML, WL, GL, CL}? ". . . without endangering the goat or the cabbage?" We need to avoid states in which one of the eating transitions is enabled. "How?" Give a path that leads from one marking to the other. (Optionally: Find a shortest path.)
80 Example: Specification
To solve the problem using the Petri net, we need to translate the questions "Can the man bring everyone across the river without endangering the goat or the cabbage? And if so, how?" into properties of the Petri net. "Can the man bring everyone across the river?" Is the marking {MR, WR, GR, CR} reachable from {ML, WL, GL, CL}? ". . . without endangering the goat or the cabbage?" We need to avoid states in which one of the eating transitions is enabled. "How?" Give a path that leads from one marking to the other. (Optionally: Find a shortest path.)
81 Solution We can solve the puzzle by constructing the reachability graph of the net (or the coverability graph, they are the same in this case). The initial marking of the net is {ML, WL, GL, CL}. We can omit expanding the reachability graph in markings where one of the "eating" transitions is enabled (because paths across such markings are not part of any solution). 82 Result
Constructing the reachability graph yields a graph with (at most) 36 nodes. The marking {MR, WR, GR, CR} is reachable without enabling an "eating" transition! The transitions fired along a shortest path (there are two) are: GLR MRL WLR GRL CLR MRL GLR (man and goat cross the river), (man goes back alone), (man and wolf cross the river), (man and goat go back), (man and cabbage cross the river), (man goes back alone), (man and goat cross the river).
83 2.4: Properties of P/T Nets Some Properties of Petri nets There are several typical questions one can ask about a Place/Transition net and its behavior. Some of these will be introduced on the next couple of slides. They concern: deadlock freedom concurrency (conflict, independence) 85 Running Example We use the following example to illustrate the concepts introduced in the next couple of slides: p2 t2 p4
0, 0, 1, 1, 0 0, 0, 0, 0, 1 v & v E E $ 1, 0, 0, 1, 0 d sd t1 tdd 2 d t1 E
t1 E E c
t3 E p1 p3 p5 sd d d t2dd 0, 1, 1, 0, 0 d t 3 1, 1, 0, 0, 0 d 86 Deadlocks (Definition 2.11) We have already mentioned deadlocks informally in previous discussions. We now assign a formal meaning to the term. A marking M of a Place/Transition net N = P, T , F , W , M0 is called a deadlock if and only if no transition t T is enabled in M (i.e., M  does not hold for any t T ). A net N is said to have a deadlock if one of its reachable markings (i.e. an element of reach (N)) is a deadlock, or deadlockfree otherwise. Example: In the running example, the markings 0, 0, 1, 1, 0 and 0, 0, 0, 0, 1 are deadlocks.
t 87 The existence of deadlocks in a net is quite often a sign of a problem with the net model, e.g. processes waiting for resources that are never released, or processes wrongly waiting to receive messages from other processes. For instance, the deadlock in the Dining Philosophers example means that the philosophers may starve (presumably an undesired result). However, if a Petri net is used to model a system that is designed to terminate, then a deadlock may also occur in a desired end state. 88 Concurrency (Definition 2.12) Let N = P, T , F , W , M0 be a net. A set of transitions {t1, t2, . . . , tn } T is said to be concurrent (or: concurrently enabled) in a marking M of N, iff p P : M(p) W (p, t1) + W (p, t2) + + W (p, tn ). Example: In the running example, t1 and t2 are concurrent in the initial marking: they are both enabled in the initial marking, and they do not disable each other, i.e, firing t1 leaves t2 enabled and vice versa. 89 Conflict (Definition 2.13) A conflict occurs in a marking M when two transitions t and t are both enabled (M  and M ), but the set {t, t } is not concurrent. In other words, the transitions t and t are in conflict in marking M, if they are both enabled and p P : M(p) < W (p, t) + W (p, t ).
t t Thus, firing one transition may (but need not!) disable the other. Example: Consider the marking M := 0, 1, 1, 0, 0 in the running example. In M, the transitions t2 and t3 are in conflict. 90 Concurrency and the Reachability graph
If two transitions t1 and t2 are concurrent in some marking, then the reachability graph contains a `diamond' structure. This diamond consists of the part of the reachability graph reachable by firing the concurrent transitions (in this case t1 and t2) in any order. If there are more than two concurrent transitions, then the reachability graph may contain many more diamonds. (How many?) On the other hand, a diamond in the reachability graph does not necessarily mean that concurrency is present (remember that conflicting transitions need not disable each other)! Example:
t1 p t2 91 Independence (Definition 2.14) The notion of concurrency relates to individual markings. A somewhat stronger notion (that does not relate to individual markings) is that of independence: Two transitions t1 and t2 are called independent iff for all markings M in which both are enabled, the following holds:
1 2 Let M1, M2 be markings such that M  M1 and M  M2. Then t2 is enabled in M1, t1 is enabled in M2, and there is M3 such that 2 M1  M3 t t t and 1 M2  M3. t t1 M1 M t2 M2 t1 M1 t2 M t2 M2 M3 t1 92 Concurrency and independence Concurrency and independence are similar notions, but subtly different: Concurrency is a "local" notion (defined w.r.t. individual markings); independence is a "global" notion (defined w.r.t. all markings). Concurrency is motivated by a Petri net semantics with "true concurrency" (multiple transitions may fire at the same time); independence is motivated by an "interleaving semantics" (only one transition can fire at the same time). Concurrency of two transitions does not imply independence, or vice versa! 93 Just because two transitions are concurrent in some marking, it does not mean that they are independent! Example: In the running example, t2 and t3 are concurrent in the (unreachable) marking 0, 2, 1, 0, 0 , but they are not independent (e.g. they are in conflict in the marking 0, 1, 1, 0, 0 ). p2 t2 p4 vv & E E $ E
t1 E p1 v E c
t3 E p3 p5 94 If t1, t2 are independent, they are not necessarily concurrent in all markings. Example: In the net shown below, t1 and t2 are independent, but they are in conflict for the token on place p3.
p1 p3 t1 t2 p4 p2 p5 95 2.5: Summary (so far) and Outlook Summary: Which properties can we check so far? Reachability: Given some marking M and a net N, is M reachable in N? More generally: Given a set of markings M, is some marking of M reachable? Application: This is often used to check whether some `bad' state can occur (classical example: violation of mutual exclusion property) if M is taken to be the set of `error' states. Sometimes (as in the man/wolf/etc example), this analysis can check for the existence of a solution to some problem. Using the reachability graph: Exact answer is obtained. Using the coverability graph: Approximate answer. When looking for `bad' states, this analysis is safe in the sense that bad states will not be missed, but the graph may indicate `spurious' errors. 97 Summary (cont'd) Finding paths: Given a reachable marking M, find a firing sequence that leads from M0 to M. Application: Used to supplement reachability queries. If M represents an error state, the firing sequence can be useful for debugging. When solving puzzles, the path represents actions leading to the solution. Using the reachability graph: Find a path from M0 to M in the graph, obtain sequence from edge labels. Using the coverability graph: Not so suitable edges may represent `shortcuts' (unspecified repetitions of some loop). 98 Summary (cont'd)
Enabledness: Given some transition t, is there a reachable marking in which t is enabled? (Sometimes, t is called dead if the answer is no. Actually, this is a special case of reachability.) Application: Check whether some `bad' action is possible. Also, is some desirable action is never enabled, a `no' answer is an indication of some problem with the model. In some Petrinet tools, checking for enabledness is easier to specify than checking for reachability. In that case, reachability queries can be framed as enabledness queries by adding `artificial' transitions that can fire when a given marking is reachable. Using the reachability graph: Check whether there is an edge labeled with t. Using the coverability graph: ?
99 Summary (cont'd) Conflicts, concurrency, independence: Given two transitions t1 and t2, are they independent? Are they in conflict in some marking? Application: Analyse the dependency between two actions? Can an implementation of the model distribute the actions onto two different machines? Using the reachability graph: Check whether the markings fulfil the respective definitions. Using the coverability graph: Unsuitable, as the graph conflates different markings. 100 Summary (cont'd)
Deadlocks: Given a net N, is N deadlockfree? Application: Deadlocks tend to indicate errors, see discussion in Section 2.4. Using the reachability graph: Check whether there is a vertex without an outgoing edge. Using the coverability graph: Unsuitable the graph may miss deadlocks! 1 t1 2 2 t2 <1> t1 <2> t1 t2 ... <0> <1> t1 t1 <> t2
101 Summary (cont'd)
Boundedness: Given a net N, is there a constant k such that N is ksafe? Otherwise, which places can assume an unbounded number of tokens? Application: If tokens represent available resources, unbounded numbers of tokens may indicate some problem (e.g. a resource leak). Also, this property should be checked before computing the reachability graph! Using the reachability graph: Unsuitable, computation may not terminate. Using the coverability graph: A place p can assume an unbounded number of tokens iff the coverability graph contains a vertex M where M(p) = . Iff no vertex with an exists, then the net is ksafe, where k is the largest natural number in a marking of the graph.
102 What kind of difficulties still exist? (Outlook I) Concerning modelling: So far, we have considered a very simple variant of Petri nets. These are simple to analyse, but are sometimes cumbersome to use. We will introduce two extensions of the Petri net model:
Nets with capacities Highlevel nets (next lecture) These extensions are equally expressive as P/T nets (in the sense that these extended nets can be replaced by `equivalent' P/T nets). They allow easier modeling of some problems, however, the formalisms become more complicated.
103 Moreover, Petri nets are just one of many different formalisms that can be used for modelling (programming languages, specification languages like SDL etc). Thus, in the bigger picture, it does not make sense to design verification methods for Petri nets only. We shall introduce a more general model of computation called Kripke structures. 104 Outlook II: Specification We have already learnt how to some simple properties can be expressed (and checked) using Petri nets. So far, we have not learnt how to express (and check) properties like these:
Marking M can be reached infinitely often. Whenever transition t occurs, transition t occurs later. No marking with some property x occurs before some marking with property y has occurred. Things like these can be expressed using temporal logic, which will be covered in the upcoming lectures. 105 Outlook III: Analysis methods The methods we have seen so far are all based on analysing the reachability (or coverability) graph. However, even simple nets can have very large graphs. Note: Recall that a k safe net may have up to (k + 1)P reachable markings. While the aforementioned "worst case" rarely happens, the nets can still become prohibitively large in practical examples. This effect is called state space explosion. It poses a hard problem for their analysis. Sources of large state spaces can be:
Concurrency Variables with large value ranges (in a modeling language which allows variables) Large number of variables (circuits with lots of state variables) 106 Sometimes, properties of Petri nets can be checked even without constructing the reachability graph. Methods for doing this are collectively called structural analyses. We will treat them in upcoming lectures. More general techniques for counteracting state space explosion can be characterised as follows: Abstraction: leave out unimportant information. Example: boat omitted in man/wolf/goat/cabbage puzzle Compression: operate on sets of states (or markings), use efficient data structures to store them. Example: Binary Decision Diagrams (BDDs) Reduction: avoid exploring multiple `equivalent' executions. Example: exploit independence We will treat some of these techniques in more detail later in the course.
107 2.6: Alternative Petri net models Motivation So far, we have considered a very simple variant of Petri nets. These are simple to analyse, but are sometimes cumbersome to use. We will now introduce two extensions of the Petri net model:
Nets with capacities Highlevel nets These extensions are equally expressive as P/T nets (in the sense that their behaviour can be simulated by `equivalent' P/T nets). They allow easier modeling of some problems, however, the formalisms become more complicated. 109 2.6.1: Nets with capacities Example: Peg solitaire
Peg solitaire is a board game, usually played on a crossshaped board filled with holes. The holes are arranged on a grid. Holes may be empty, or filled with a peg. Initially, all holes except for the central one contain a peg.
111 Peg solitaire: Rules (1/3) Pegs can `jump' over neighbouring pegs into empty holes two fields away: 112 Peg solitaire: Rules (2/3) The peg in the middle is removed during the jump. 113 Peg solitaire: Rules (3/3) The object is to remove all pegs except for one in the centre: 114 Peg solitaire: Petri net model
Let us try to build a Petri net that corresponds to the game: holes = places pegs = tokens moves = transitions Here's a (simple) idea for modelling the moves: For all triples of neighbouring holes, add a transition as follows: p1 p2 p3 t
115 A problem Transition t correctly moves a token (peg) from p1 to p3. The token in the middle, on p2, is removed. However, t does not observe the condition that the hole at p3 must be empty. Thus, if p3 is already occupied when t fires, we would end up with two pegs in the same hole, a situation that cannot arise in the game, Recall the firing condition for Petri nets: Transition t is enabled in marking M iff p t : M(p) W (p, t) (notice the in the condition). Thus, the firing condition can check only for the presence of tokens, not for their absence.
116 Other examples Railway (SBahn) track: Ensure that no part of the track is occupied by two trains at the same time.
f nho h No f nho h n use ha Ha a ptb u a rdb Feu ac erb h Neuwirtshaus ff Zu en Kornwestheim Bad Cannstatt Moving a train to a new track segment requires to check for the absence of other trains on that segment. 117 Traffic light: R RY should fire only if the yellow light is off.
p1 (red light) R > RY Y > R p2 (yellow light) RY > G G > Y p3 (green light) 118 A solution
If we cannot check for the absence of tokens, then we must express the condition "there is no token on p3" positively, i.e. we introduce another place (called, say, n3) that contains a token if and only if p3 doesn't. Initially, n3 is marked iff p3 is not marked. Moreover, n3 becomes an input place for every transition where p3 is an output place: p1 p2 p3 t n3 119 `Negative' places are needed for the other places/holes, too. For every transition where pi (for some i) is an input place, ni becomes an output place. The result is as follows: p1 p2 p3 t n1 n2 n3
120 Discussion The previous solution provides us with an accurate model of the game. However, the model has becomes twice as large as before. The additional places also make the model harder to understand. Moreover, it is easy to introduce mistakes when adding the new places. In the following, we discuss a solution that handles the problem in a principled way. This solution can be applied whenever we need to express the absence of something as a firing condition. 121 Nets with capacitites: Introduction We consider an extension of the Petri net model called Petri nets with capacities. These allow to make restrictions on the numbers of tokens explicit. Thus, they are much easier to work with when the absence of tokes must be considered. We then provide a generic translation from Petri nets with capacities to nets without capacities. All analyses can then be applied to the translated nets. 122 Nets with capacities (Definition 2.15) Formally, a tuple N = P, T , F , W , K , M0 is called a Place/Transition Net with capacities where P, T , F , W , M0 are defined as in normal P/T nets; K : P (I {}) is a capacity function. N The basic idea is the following: If firing a transition in marking M would lead to a marking that exceeds the capacity of some place, that transition is defined not to be enabled in M. 123 Nets with capacities: Notation In our figures, we shall denote capacities by (red) numbers next to the place. Example: 1 1 1 (We will usually omit capacities with the value .) 124 Nets with capacities: Firing Rule
The new formalism requires a firing rule that captures the extra restriction: Let P, T , F , W , K , M0 be a net and M be a marking. Firing condition: (changed) Transition t T is Menabled, written M , iff p t : M(p) W (p, t) and p t : M(p)  W (p, t) + W (t, p) K (p). Firing rule: (unchanged) An Menabled transition t may fire, producing the successor marking M , where p P : M (p) = M(p)  W (p, t) + W (t, p). Clearly, a net where all places have capacity has exactly the same behaviour as a net in the definition without capacities.
125 t Nets with capacities: Some examples Here are some examples of transitions that are enabled or disabled according to the new firing rule: 1 1 enabled 1 2 1 enabled not enabled not enabled 126 In the Peg Solitaire example, we would give each place a capacity of one. Then, the transitions take on the following form: 1 p1 1 p2 1 t p3 The new model (with capacities) is much smaller, easier to write down and to understand. However, we would not want to reformulate all analysis methods for nets with capacities! Instead, the following slides show how capacities can be eliminated, so that we obtain a net without capacity restrictions. The elimination could be easily automated.
127 Complement Places
(Definition 2.16) Let P, T , F , W , M0 be a net (without capacities). Two places p and p are called a pair of complement places iff there is a constant k such that for all markings in M reach (M0) it holds that M(p) + M(p ) = k. Example: In the man/wolf/goat/cabbage example, ML and MR are a pair of complement places (and so are WL and WR etc). Intuitively, in each marking p contains those of the k tokens that are not contained in p . 128 Complement Construction (Algorithm 2.17) Let N = P, T , F , W , K , M0 be a net (with capacities). We define the net N = P , T , F , W , M0 (without capacities) as follows: P = P { p  p P : K (p) = } (i.e. we add an extra place for each place with restricted capacity); T = T (no change); F and W extend F and W as follows: For all t T and p P with K (p) = , let p,t := W (t, p)  W (p, t). Then: (p , t) F and W (p , t) = p,t iff p,t > 0; (t, p ) F and W (t, p ) = p,t iff p,t < 0. M0(p) = M0(p) for all p P; M0(p ) = K (p)  M0(p) for all p P with K (p) = .
129 Complement Construction: Example
Consider the following net with capacities: p 1 t1 2 4 t2 5 1 1 1 t3 130 Complement Construction: Example
We remove capacities; p gets 5  M0(p) = 4 initial tokens. p 1 t1 2 4 t2 1 1 1 t3 p'
131 Complement Construction: Example
t1 adds a token to p, so one token is taken away from p . p 1 t1 1 p'
132 2 4 t2 1 1 1 t3 Complement Construction: Example
t2 removes three tokens from p, so three tokens are added to p . p 1 t1 1 p'
133 2 4 t2 3 1 1 1 t3 Complement Construction: Example
t3 does not change the number of p; no change required. p 1 t1 1 p'
134 2 4 t2 3 1 1 1 t3 Complement Construction (cont'd) Definition: If M is a marking of N , denote by M P its restriction to places in P. M P is in fact a marking of N. N has the following properties: The pairs p and p (where p is one of the added places) are complement places. A marking M is reachable in N iff M P is reachable in N. Proof: Easy, by induction on reachable markings, beginning at the initial marking. Thus, we can study the behaviour of N (with capacities) by analysing the net N (without capacities).
135 Remark: Alternative definition of firing rule
Our firing condition for nets with capacities corresponds to the notion "Remove tokens first, add new tokens, check if capacity is still within limits". Some of the literature on Petri nets uses a different notion: "Produce new tokens first, check that capacity is still within limits, then remove tokens". 1 E.g., in the net shown above, the transition would be enabled under the first definition, but not under the second one. The second definition is more restrictive and is designed to be more `secure'. In this course, we shall use the first definition (like on the previous slides).
136 2.6.2: Highlevel nets Highlevel nets
Up to now, we allowed places to be occupied by black tokens. Traffic light example: Three lights, one colour per light, one place for every light.
red yellow green Suppose we have one light that can be either red or green. Two (flawed) attempts at modelling this situation: 138 Highlevel nets: Motivation
Up to now, we allowed places to be occupied by black tokens. Traffic light example: Three lights, one colour per light, one place for every light.
red yellow green Suppose we have one light that can be either red or green. Two (flawed) attempts at modelling this situation:
red/green red green cannot distinguish colours awkward
139 If we had not just black tokens, but coloured ones (e.g. red, green), we could construct a more natural model: More generally, we could allow arbitrary values as tokens, e.g. to model numeric variables: 1 5 140 A general solution is to assign a type to every place, i.e. a set of token values that are permitted on the place: { , } traffic light {1,..,5} 2 variable x In general, a place may contain a multiset of its type. 141 Highlevel nets: Transitions
In meaningful models, we need transitions to reason about the values of tokens: E.g., switching the traffic light: { , } traffic light
"switch from red to green" "switch from green to red" Increasing a variable: {1,..,5} 2 variable x
increase value of x"
142 Suppose we have two processes competing for a common resource. If both try to access the resource simultaneously, there is a `referee' who decides which process should have priority over the other: process 1 wants access { } {1,2} 2
prioritised process { } process 2 wants access "fire if proc.1 has priority" "fire if proc.2 has priority" process 1 has access { } { } process 2 has access
143 Highlevel nets (Definition 2.18) (This looks more complicated than it actually is. . . ) A HighLevel Net (HLnet) is a tuple N = P, T , F , W , V , S, C, M0 , where P, T , F , W are as usual; V is a set of token values; S : P 2V is a type assignment for places; (Ct )tT is a collection of firing conditions (see next slide). M0 : P V I is the initial marking. Note: M0(p, v ) = 0 if v S(p). N / 144 Highlevel transitions
A firing condition decides which tokens may flow out of the preplaces and into the postplaces of a transition. Formally, if we let t be the sum of the arc weights leading into and out of t, then the signature of Ct is Ct : V t {false, true}. In figures, we place variable names onto the arcs and equip transitions with boolean expressions over these variables, like this: in = out = { , } traffic light in in out out in = out =
145 Notes on highlevel transitions If a particular assignment of token values to variables evaluates to true, then the transition may fire under that assignment. Firing under some assignment is possible if for every preplace p, p contains the token values assigned to the variables that are on the arc from p to t. Firing removes those tokens and puts corresponding tokens on the postplaces. The assignment must respect the types; e.g. if v is the variable on the arc from place p to transition t, then v must be assigned to some value from S(p). 146 Highlevel transitions: Examples For instance, in the following example, we could fire under the assignments x = 1, x = 2, x = 2, x = 3, x = 3, x = 4, x = 4, x = 5. {1,..,5} 2 variable x 'x x' x' = 'x+1
In the given marking, we can remove the 2 token and replace it by a 3 token. 147 Highlevel transitions: Examples
In the commonresource example, suppose the prioritised process is changed after every access: process 1 wants access c { }
'p { } {1,2} 2
c p' process 2 wants access c= 'p = 1 p'=2 c 'p = 2 c p'=1 c= p' prioritised 'p process process 1 has access { } { } process 2 has access Note that the condition on c is actually unnecessary.
148 Translating between P/T and HL nets (Alg. 2.19) Highlevel nets allow easier modelling, but they are equally expressive, provided that the set of token values is finite. We shall show that P/T nets can be translated into highlevel nets and vice versa. From P/T nets to highlevel nets: trivial Assign the type {} to each place and the condition `true' to each transition. 149 HL to P/T nets: Places For each highlevel place p, create a P/T place pv for each v S(p). If M0(p, v ) = k, then put k initial tokens on the P/T place pv . {1,..,5} 2 variable x x=1 x=2 x=3 x=4 x=5 150 HL to P/T nets: Transitions For each highlevel transition t, create a P/T transition ta for each assignment under which t may fire. If (p, t) is a highlevel arc with variable x, connect pv to ta in the P/T net, where v is the value of x in a. Arcs from transitions to places are treated analogously. {1,..,5} 2 variable x 'x x' x' = 'x+1 x=1 x=2 x=3 x=4 x=5 151 Remark Let N is a highlevel net and N the P/T net arising from the translation procedure described on the previous slides. One can obtain a result that relates the reachable markings in N to those in N (similar to the relationship for nets with capacities). I.e., some marking M of N is reachable iff some "corresponding" marking M in N is reachable (details omitted, proof by induction on reachable markings). Thus, we can again study the behaviour of N by analysing the P/T net N . 152 2.7: Structural analysis Structural Analysis: Motivation We have seen how properties of Petri nets can be proved by constructing the reachability graph and analysing it. However, the reachability graph may become huge: exponential in the number of places (if it is finite at all). Structural analysis enables us to prove some properties without constructing the reachability graph. The main techniques are: Place invariants Traps 154 Example 1 p2 t1 p1 p3 t2 p4 t6 p5 p7 t4 p6 t3 t5 155 Incidence Matrix Definition 2.20 Let N = P, T , F , W , M0 be a P/T net. The corresponding incidence matrix C : P T Z is the matrix whose rows correspond to places and whose columns correspond to transitions. Column t T denotes how the firing of t affects the marking of the net: C(t, p) = W (t, p)  W (p, t). The incidence matrix of Example 1: t1 t2 t3 t4 t5 t6 p1 p2 p3 p4 p5 p6 p7 1 0 1 0 0 1 1 0 0 0 0 1 1 0 0 0 1 1 0 1 0 0 0 1 0 0 0 0 1 1 0 0 0 1 1 0 1 0 0 0 0 1 156 Markings as vectors
Let us now write markings as column vectors. E.g., the initial marking in Example 1 is M0 = (1 0 0 1 1 0 0)T . Likewise, we can write firing counts as column vectors with one entry for each transition. E.g., if each of the transitions t1, t2, and t4 fires once, we can express this with u = (1 1 0 1 0 0)T . Then, the result of firing these transitions can be computed as M0 + C u. 0 1 1 0 1 0 0 0 1 0 0 1 1 0 0 0 0 1 1 1 0 0 0 1 0 0 0 1 + 0 1 1 = 0 0 1 1 1 0 1 0 0 0 1 0 1 0 1 0 0 0 0 1 1 0 0 0 0 0 0 0 1 1 0 157 Let N be a P/T net with indicence matrix C, and let M, M be two markings of N. The following implication holds: If M reach (M), then there exists a vector u such that M = M + C u such that all entries in u are natural numbers. Notice that the reverse implication does not hold in general! E.g., bidirectional arcs (an arc from a place to a transition and back) cancel each other out in the matrix. For instance, if Example 1 contained a bidirectional arc between p1 and t3, the matrix would remain the same, but the marking {p3, p6} (obtained on the previous slide) would be unreachable! 158 Example 2
A more complicated example: t1 p3 t2 p2 p1 p4
Even though we have 1 1 1 1 1 0 + 0 1 1 0 0 1 1 0 = , 0 1 1 1 none of the sequences corresponding to (1 1)T , i.e. t1t2 or t2t1, can happen.
159 Proving unreachability using the incidence matrix To summarize: The markings obtained by computing with the incidence matrix are an overapproximation of the actual reachable markings However, we can sometimes use the matrix equations to show that a marking M is unreachable. (Compare coverability graphs. . . ) I.e., a corollary of the previous implication is that if M = M + Cu has no natural solution for u, then M reach (M). / Note: When we are talking about natural (integral) solutions of equations, we mean those whose components are natural (integral) numbers. 160 Example 3
Consider the following net and the marking M = (1 1)T . p1 t2 t1 p2 + 1 0 1 1 u 1 1 = u2 1 1 1 has no solution, and therefore M is not reachable.
161 Transition invariants (Definition 2.21) Let N be a net and C its incidence matrix. A natural solution of the equation Cu = 0 is called a transition invariant (or: Tinvariant) of N. Notice that a Tinvariant is a vector with one entry for each transition. For instance, in Example 3, u = (1 1)T is a Tinvariant. A Tinvariant indicates a possible loop in the net, i.e. a sequence of transitions whose net effect is null, i.e. which leads back to the marking it starts in. 162 Place invariants (Definition 2.22) Let N be a net and C its incidence matrix. A natural solution of the equation C T x = 0 such that x = 0 is called a place invariant (or: Pinvariant) of N. Notice that a Pinvariant is a vector with one entry for each place. For instance, in Example 1, x1 = (1 1 1 0 0 0 0)T , x2 = (0 0 1 1 0 0 1)T , and x3 = (0 0 0 0 1 1 1)T are all Pinvariants. A Pinvariant indicates that the number of tokens in all reachable markings satisfies some linear invariant (see next slide). 163 Properties of Pinvariants
Let M be marking reachable with a transition sequence whose firing count is expressed by u, i.e. M = M0 + Cu. Let x be a Pinvariant. Then, the following holds:
T T T M T x = (M0 + Cu)T x = M0 x + (Cu)T x = M0 x + u T C T x = M0 x For instance, invariant x2 means that all reachable markings M satisfy (switching to the functional notation for markings): M(p3) + M(p4) + M(p7) = M0(p3) + M0(p4) + M0(p7) = 1 (1) As a special case, a Pinvariant in which all entries are either 0 or 1 indicates a set of places in which the number of tokens remains unchanged in all reachable markings.
164 Note that linear combinations of Pinvariants (i.e. multiplying an invariant by a constant or componentwise addition of two invariants) will again yield a Pinvariant. We can use Pinvariants to prove mutual exclusion properties. Example: According to equation 1, in every reachable marking of Example 1 exactly one of the places p3, p4, and p7 is marked. In particular, p3 and p7 cannot be marked concurrently! 165 More remarks on Pinvariants Pinvariants can also be useful as a preprocessing step for reachability analysis. Suppose that when computing the reachability graph, the marking of a place is normally represented with n bits of storage. E.g. the places p3, p4, and p7 together would require 3n bits. However, as we have discovered invariant x2, we know that exactly one of the three places is marked in each reachable marking. Thus, we just need to store in each marking which of the three is marked, which required just two bits. 166 Algorithms for Pinvariants There is an algorithm called "Farkas Algorithm" (by J. Farkas, 1902) to compute a set of so called minimal Pinvariants. These are place invariants from which any other invariant can be computed by a linear combination. Unfortunately there are P/Tnets with an exponential number of minimal Pinvariants (in the number of places of the net). Thus the Farkas algorithm needs (at least) exponential time in the worst case. Hint: The INA tool of the group of Peter Starke (Humboldt University of Berlin) contains a large number of algorithms for structural analysis of P/Tnets, including invariant generation. 167 Farkas Algorithm Input: the incidence matrix C with n rows (places), and m columns (transitions). Output: A set of minimal place invariants. Notation: (C  En ) denotes the juxtaposition of C by En , the n n identity matrix. 168 D0 := (C  En ); for i := 1 to m do for d1, d2 rows in Di1 such that d1(i) and d2(i) have opposite signs do d := d2(i) d1 + d1(i) d2; (* d(i) = 0 *) d := d/gcd(d(1), d(2), . . . , d(m + n)); augment Di1 with d as last row; endfor; delete all rows of the (augmented) matrix Di1 whose ith component is different from 0, the result is Di ; endfor; delete the first m columns of Dm 169 An example
Let us assume the following incidence matrix: 1 1 1 1 1 1 1 1 0 C= 0 1 0 0 0 1 1 1 0 0 1 1 1 1 1 1 1 1 1 D0 = (C  E5) = 0 0 1 0 0 0 1 1 1 0 0 1 0 0 0 0 0 1 0 0 0 0 0 1 0 0 0 0 0 1 0 1 0 0 0 0 1 170 Addition of the rows 1 and 2, 1 and 4, 2 and 5, 4 and 5: D1 = 0 0 0 0 1 0 0 1 1 2 1 0 0 1 0 0 1 1 2 0 1 0 0 1 0 0 0 1 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 1 1 Addition of rows 3 und 4: 0 0 1 0 0 0 1 0 0 0 0 0 0 1 1 0 0 0 D2 = 0 0 0 0 0 0 0 1 1 0 0 0 0 1 1 0 1 1 171 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 1 1 D3 = D4 = 0 0 0 0 1 1 0 1 1 Minimal Pinvariants are (1, 1, 0, 0, 0) and (0, 0, 0, 1, 1). 172 An example with many Pinvariants Incidence matrix for a net with 2n places: 1 1 1 1 0 0 T = 1 1 0 0 1 1 C . . . . . . . . . . . . . . . . . . . . . 0 0 0 0 . . . . . . 1 1 0 0 0 0 1 1 (y1, 1  y1, y2, 1  y2, . . . , yn , 1  yn ) is an invariant for every y1, y2, . . . , yn {0, 1}, and so there are 2n minimal Pinvariants. This example shows that the number of minimal Pinvariants can be exponential in the size of the net. So the Farkas algorithm may need exponential time. 173 Traps (Definition 2.23) Let P, T , F , W , M0 be a P/T net. A trap is a set of places S P such that S S. In other words, each transition which removes tokens from a trap must also put at least one token back to the trap. A trap S is called marked in marking M iff for at least one place s S it holds that M(s) 1. Note: If a trap S is marked initially (i.e. in M0), then it is also marked in all reachable markings. 174 In Example 4 (see next slide), S1 = {nc1, nc2} is a trap. The only transitions that remove tokens from this set are t2 and t5. However, both also add new tokens to S1. S1 is marked initially, and therefore in all reachable markings M the following inequality holds: M(nc1) + M(nc2) 1 Traps can be useful in combination with place invariants to recapture information lost in the incidence matrix due to the cancellation of selfloop arcs. 175 Example 4
Consider the following attempt at a mutual exlusion algorithm for cr1 and cr2: pend1 t1 q1 cr1 t2 nc2 t6 q2 cr2 t4 pend2 nc1 t3 t5 The idea is to achieve mutual exclusion by entering the critical section only if the other process is not already there.
176 Proving mutual exclusion properties using traps
In Example 4, we want to prove that in all reachable markings M, cr1 and cr2 cannot be marked at the same time. This can be expressed by the following inequality: M(cr1) + M(cr2) 1 The Pinvariants we can derive in the net yield these equalities: M(q1) + M(pend1) + M(cr1) M(q2) + M(pend2) + M(cr2) M(cr1) + M(nc1) M(cr2) + M(nc2) = = = = 1 1 1 1 (2) (3) (4) (5) However, these equalities are insufficient to prove the desired property!
177 Recall that S1 = {nc1, nc2} is a trap. S1 is marked initially and therefore in all reachable markings M. Thus: M(nc1) + M(nc2) 1 (6) Now, adding (4) and (5) and subtracting (6) yields M(cr1) + M(cr2) 1, which proves the mutual exclusion property. 178 Section 3: Linear temporal logic 3.1: Transition systems and Kripke structures Moving away from nets Most analyses that we considered for Petri nets were based on its reachability graphs. A reachability graph captures the notion that the system being modelled has certain states (represented in a Petri net by marking), which can change through certain actions (represented as transitions). We will see that this principle can be applied to other models of computation, too. 181 Example 1: Producer/Consumer Assume that we have a language with variables and concurrency: var turn {0,1} init 0; cobegin {P C} coend P= start; while true do w0: wait (turn = 0); p0: /* Produce */ turn := 1; od; end C= start; while true do w1: wait(turn = 1); c1: /* Consume */ turn := 0; od; end 182 The states of Example 1
A possible representation: states S = {w0, p0} {w1, c1} {0, 1}; initial state (w0, w1, 0) w0,w1,0 w0,c1,0 w0,w1,1 p0,w1,0 p0,c1,0 w0,c1,1 p0,w1,1 p0,c1,1 183 Example 2: Recursive program
procedure p; p0: if ? then p1: call s; if ? then call p; end if; p2: else p3: call p; end if p4: return procedure s; s0: if ? then return; end if; s1: call p; s2: return; procedure main ; m0: call s; m1: return; The states are strings over the set S = {p0, . . . , p4, s0, . . . , s2, m0, m1}, initial state is m0.
m1 m0 s0 m1 s1 m1 p0 s2 m1 p3 s2 m1 p0 p4 s2 m1
184 p1 s2 m1 s0 p2 s2 m1 ... ... Transition systems (Definition 3.1) We now introduce a notion of a system that is independent of the actual formalism of the system (be it a P/T net, a recursive program or whatever). A labelled transition system is a quadruple T = S, A, , s0 where S is a set of states; A is a set of actions; S A S is a transition relation; s0 S is the initial state. Informally, a labelled transition system is "something that can execute actions and change its state".
185 Examples E.g., the labelled transition system associated with a P/T net N = P, T , F , W , M0 with reachability graph V , E, M0 is V , T , E, M0 . The transition systems for Example 1 and Example 2 are given on the previous slides (without action labels). 186 We can specify properties in two ways: based on actions; based on states. For now, we shall use states in the following. (This will make the underlying theory slightly easier to present.) In this case, we usually ignore the actions and speak of (unlabeled) transition systems. Definition: A transition system is a triple T = S, , s0 where S is a set of states; S S is a transition relation; s0 S is the initial state.
187 Classifying Temporal Properties Earlier, we mentioned a number of properties that we cannot analyse so far:
Marking M can be reached infinitely often. Whenever state s occurs, state s occurs later. No state with some property x occurs before some state with property y has occurred. We call these temporal properties as they refer to the temporal order in which states (or actions) occur in an execution. Let us look at properties of executions in more detail. We shall see how the meaning of properties can be captured formally. 188 Behaviours as languages Given a transition system T = S, , s0 , we can think of its behaviour as the set of executions that it admits, where an execution is an (infinite) sequence of states, starting at the initial state and following the transition relation. (In a labelled transition system, we could also think of the behaviour of a system as the corresponding sequences of actions.) A property, then, can be thought of as a set of behaviours (desirable or undesirable). We can then distinguish types of properties, based on (topologic) characteristics of the sets they represent. In particular, we shall consider liveness and safety properties. 189 Notation (Definition 3.2) Let T = S, , s0 be a transition system. S denotes the finite, S the infinite sequences of elements from S. A set L S or L S is called a language over S. For distinction, we use the expressions finitary and infinitary language (in the latter case also language). An element of a language L is also called a word of L. We write s t for (s, t) . If s t then s is a direct predecessor of t, and t is a direct successor of s. 190 Notation (cont'd) w S , where w = s0 . . . sn , is a path (of length n) if si si+1 for all 0 i < n. S , where = s0s1 . . . is a run if si si+1 for all i 0. (i) denotes the ith element of and i the suffix starting at (i). s t if there is a path from s to t. s + t if there is a path from s to t of positive length. If s t, then s is a predecessor of t and t is a successor of s. 191 Preview: Behaviours, Properties, and Satisfaction Note: The following thoughts are intended to motivate the following slides. We are going to refine these definitions later on. If a transition system T has states S, then we can think of its behaviours as the language L(T ) S whose elements are the runs starting at s0. A property P can be thought of as an language over S, i.e. P S . A run of T that is contained in P can be said to satisfy P, a run that is not contained in P can be said to violate it. Then, we could say that T satisfies P if L(T ) P, i.e. all executions of T satisfy P. 192 Examples of properties
Consider the following properties:
"State s cannot be reached." "x does not occur before y ." The common feature of these two properties is that they express that "something bad must not happen". In other words, once this "bad thing" happens in a run, we know that that run violates the property, e.g. like this: s
"not y" ...
x ...
193 More precisely: The property is violated iff it is violated by some finite prefix. In particular, if a finite prefix violates the property, then every infinite extension also does. Note: If S , then w S is called a prefix of iff there exists S such that w = , where w denotes the concatenation of w and . 194 Examples of properties
Consider now the following properties:
"Marking M can be reached infinitely often." M s M M s s s M ... ... s' ... ... "Whenever state s occurs, state s occurs later." s' The common features of these properties are the following: They express that "something good must eventually happen." To decide whether the property holds in an execution or not, it is never enough to examine only a finite prefix of the execution. Every finite prefix can be extended with a continuation such that the property is satisfied (or violated).
195 Safety and Liveness (Definition 3.3) The first type of properties is called safety properties; the second type liveness properties. They can formally be defined as follows: Let P (for some set ) be a property. A word w is called a bad prefix for P iff for all we have w P. / P is a safety property iff every P has a bad prefix. / P is a liveness property iff P does not have any bad prefixes. 196 Specifying properties
Let us try to specify some properties. We shall see that it makes sense to specify properties more abstractly than as languages over states. E.g., consider the following net and the mutual exclusion ("mutex") property that p3 and p7 should not be marked concurrently. p2 t1 p1 p3 t2 p4 t6 p5 p7 t4 p6 t3 t5 This property can be expressed as the language {  {p3, p7} (i) for all i 0 }.
197 Now consider another mutex implementation. p1 t1 p3 p2 t2 p5 t6 p6 p8 t4 p7 p4 t3 t5 Here, the property becomes {  {p2, p8} (i) for all i 0 }. Abstractly, we are talking about the same property: "The critical sections should not be entered at the same time." However, its representation depends on the model and is different every time.
198 Kripke structures (Definition 3.4) Idea: Enrich a transition system with "semantics". A Kripke structure is a tuple K = S, , s0, AP, where S, , s0 AP : S 2AP = = = the underlying transition system; a set of atomic propositions; a valuation of atomic propositions. Note: When we talk about runs and paths of a Kripke structure, we refer to the underlying transition system. 199 Note on Kripke structures The definition of Kripke structures allows us to reason about properties independently of actual implementations (i.e. transition systems). E.g., we can now express a property in terms of atomic propositions (i.e. the elements of AP). In the mutex examples, we might fix AP = {cs1, cs2}, where csi means that process i is in its critical section. Every subset of AP represents a different combination of atomic propositions, i.e. as the set of atomic propositions that hold at a given moment. E.g., the empty set can be interpreted as "no process is currently in its critical section"; {cs2} means "process 1 is not in its critical section, but process 2 is." The valuation tells us which propositions hold in which states. 200 Properties, satisfaction (Definition 3.5) Let AP be a set of atomic propositions. A property over AP is a set P (2AP ) . (Note: 2AP denotes the powerset of AP, i.e. the set of subsets.) Let K = S, , s0, AP, be a Kripke structure. To each run of K we can define its `image in proposition space', called (), defined by ()(i) = ((i)) for all i 0. () contains the atomic propositions that hold in the individual states of . We extend this notation to sets, i.e. (L) := { ()  L } for an language L. Let L(K) := { S  is a run of K and (0) = s0 }. Let P be a property over AP. Then, we say that K satisfies P iff (L(K)) P. 201 Example of a property Let AP := {cs1, cs2}. The mutex property, expressed in terms of AP: cs1 and cs2 never hold at the same time. Then the mutex property P (2AP ) is expressed as {  (i) = AP for all i 0 }. Then, given any particular implementation of a mutex algorithm, we can "instantiate" (and evaluate) P by defining a valuation . E.g. in the first Petri net example, cs1 (M) iff M(p3) 1. 202 3.2: Linear temporal logic (LTL) Temporal logics
We now turn to the question how properties (over AP) can be expressed both conveniently and precisely. This is achieved by means of temporal logics. Temporal logics can be seen as an extension of propositional logic, where the truth values of atomic propositions may change as time goes on. There exist two (popular) families of temporal logics to express safety and liveness properties: "Branchingtime" logics (e.g., CTL) "Lineartime" logics (e.g., LTL) Temporal logics express properties using: atomic propositions, logical operators, and temporal operators For now, we shall look at LTL, which is concerned with properties of runs.
204 Syntax of LTL (Definition 3.6) Literature/additional reading for this part: e.g., Clarke, Grumberg, Peled: Model Checking, MIT Press, 1999 Let AP be a set of atomic propositions. The set of LTL formulas over AP is inductively defined as follows: If a AP, then a is a formula. If 1, 2 are LTL formulas, then so are 1, 1 2, X 1, 1 U 2 Meaning (informally): X = "next", U = "until".
205 Semantics of LTL (Definition 3.7) To each LTL property we associate a language L() of words over 2AP , i.e. we have L() (2AP ) as follows: L(a) L() L(X ) iff a (0) iff L() / iff 1 L() and for all k < i: k L(1) L(1 2) iff L(1) or L(2) L(1 U 2) iff there is i s.t. i L(2) 206 Syntax of LTL, Part II Note: The previous slides defined only a minimal version of the syntax. In practice, we will make use of the following abbreviations: 1 2 (1 2) 1 2 1 2 true a a F true U G F 1 W 2 (1 U 2) G 1 1 R 2 (1 U 2) false true Meaning: F = "finally", G = "globally", W = "weak until", R = "release". 207 Some example formulas
Reachability: G (cs 1 cs 2) It always holds that cs1 and cs2 do not appear together. Note: Assuming an appropriate valuation, this expresses the mutex property: Two processes never enter their critical sections at the same time. Safety: (x) W y x does not occur before the first occurrence of y. Note: y may not occur at all, in which case x also does not occur. Liveness: (x) U y x does not occur before the first occurrence of y, and y does eventually occur.
208 More examples GFp p appears infinitely often. G(try1 F cs1 ) When interpreted on a mutex algorithm: Whenever process 1 tries to enter its critical section, it will eventually succeed. 209 LTL on Kripke structures (Definition 3.8) Let be an LTL formula over AP, and let K = S, , s0, AP, be a Kripke structure. A run of K satisfies (written = ) iff () L(). We say violates iff = . By extension, we say that K satisfies (written K = ) iff for all runs L(K) we have = , or, put differently, iff (L(K)) L(). 210 Note
The interpretation of LTL on Kripke structures establishes a correspondence between the logicoriented view ("an execution satisfies some temporal property") and the languageoriented view of things ("a word is contained in some language"). Thus, we can solve questions about temporal logic using languagetheoretic (or: automatatheoretic) methods. Both views employ different words for similar notions: logic view "run" or "execution" "property" "satisfaction" = language view "word" "language" () L() "containment" () L() In the following, we will use these notions and their notations interchangeably.
211 Example 1
Consider the Kripke structure with the transition system below, AP = {p}, and p (s1) (s5). s0 s1 p s2 s5 s4 s3 p Clearly, the possible runs are the infinite concatenations of s0s2s3s1, s0s2s5, and s0s4s5. Thus, the structure satisfies G F p.
212 Example 2 Note that we can have K = and K = ! This is because K = depends on all possible runs. s0 p s1 E.g., in the structure K shown above (with (p) = {s0}), the run s0 satisfies G p, but the run (s0s1) satisfies G p. Thus, we have K = G p and K = G p. 213 Fairness An important concept that is expressible in LTL is that of fairness. Consider the following attempt at a mutex algorithm: (process 1 on the left, process 2 on the right, p4 holds the resource) p2 t1 p1 p3 t2 p4 t6 p5 p7 t4 p6 t3 t5 214 Suppose that we want to check the property : G(try1 F cs1 ) on the transition system generated by this net. We interpret as try 1 the set of markings that contain p2 and as cs 1 those containing p3. Now, we find that does not hold because after firing t1 we can fire the sequence t4t5t6 indefinitely often. 215 The Petri net model does not make any assumptions about the relative speeds of the two processes. Therefore, we assumed that at any given point in time either of the two processes can take an action (assuming that one is enabled). However, this assumption admits unwanted (or: unrealistic) runs, in which the second process gets all the attention (the first process is `starved' of CPU time, so to speak). We can also regard such runs as unfair. An "unfair" run is the one that causes not to hold. 216 We may want to verify the property while excluding such unfair runs. Changing the model to exclude them is difficult, but LTL allows to specify this as a property: Let us extend the net by a place indicating which process moved last, and let sch1 and sch2 be atomic propositions that hold in states reached by an action of process 1 or 2, respectively. Then, the following formula evaluates only those runs in which both processes are treated `fairly': : ((G F sch 1) (G F sch 2)) (G(try 1 F cs 1)) 217 Relations between Temporal and Logical Operators
Note: We say 1 2 iff L(1) = L(2). X(1 2) X 1 X 2 X(1 2) X 1 X 2 X X F(1 2) F 1 F 2 F G G(1 2) G 1 G 2 G F (1 2) U (1 U ) (2 U ) U (1 2) ( U 1) ( U 2) 218 Idempotence and Recursion Laws
F FF G GG U U ( U ) F XF G XG U ( X( U )) W ( X( W )) R ( ) ( X( R ))
219 3.3: LTL property patterns LTL Property Patterns Quite often the requirements of a system follow some simple patterns. These patterns can be exploited to derive LTL formulas more easily and systematically. Sometimes we want to specify that a property should only hold in a certain context, called the scope of a property. Typical scopes are: Global: The property should hold on the whole path (i.e. on all suffixes of a run). Before R: The property should hold before the first appearance of R (i.e. on all suffixes before the first suffix satisfying R). 221 After Q: The property should hold after the first appearance of Q. Between Q and R: The property should hold in all sequences in which the first suffix satisfies Q and the last one satisfies R. After Q until R: As before, but also includes the sequences in which Q appears, but is never followed by an R. Note: In the following patterns, scopes are interpreted in a way that always includes the suffix at which the event triggering the scope happens, but excludes the suffix at which the event ending the scope happens.
222 Q Q R Q Q Q R R Scopes After Q until R Between Q and R After Q Before R Global Q Q R R Q 223 LTL Property Patterns: Absence Absence patterns specify that "P is false" within the scope: Global Before R After Q Between Q and R After Q until R G P
(F R) (P U R) G(Q G P) G((Q R F R) (P U R)) G((Q R) (P W R)) 224 LTL Property Patterns: Existence Existence patterns specify that "P becomes true" within the scope: Global Before R After Q Between Q and R After Q until R FP
R W (P R) (G Q) (F(Q F P)) G((Q R) (R W (P R))) G((Q R) (R U (P R))) 225 LTL Property Patterns
The property patterns are useful to make specifying easier: If a desired property falls into one of those patterns, the pattern can be `instantiated' for appropriate P, Q, and R. The patterns (and the definition of scopes) from the previous slides were taken from: http://patterns.projects.cis.ksu.edu/, where you can find many more of them (also for other temporal logics). There are also other patterns available expressing: Universality: "P is true" (dual of absence) Precedence: "S precedes P" Response: "S responds to P" Etc., etc.
226 3.4: Buchi automata LTL Model Checking We now turn to the question how to check whether a given Kripke structure satisfies a given formula. In the context of temporal logics, this is called model checking (i.e. checking whether all runs are models of the given formula). We follow an automatatheoretic approach: 1. We introduce a new class of automata that can express LTL properties. 2. We show how to translate properties into these automata. 3. We check whether the intersection of the system and the automaton for the negation of the property is empty. 228 Buchi Automata (Definition 3.9) A Buchi automaton is a tuple B = , S, S 0, , F such that S S0 S F S is a finite alphabet, is a finite set of states, are the initial states, are the accepting states. S S is the transition relation, and Note: The definition and graphical representation of Buchi automata (see next slide) are exactly like finite automata. However, they operate on infinite words, and they have a different acceptance condition (to be defined).
229 Example
We usually denote Buchi automata graphically, like this: s1 a s2 b 0 Call this automaton B1. Then B1 = 1, S1, S1 , 1, F1 , where 1 = {a, b} S1 = {s1, s2}
0 S1 = {s1} (the symbols on the arrows) (denoted by circles) (marked with an extra arrow) (denoted by arrows) (states with two circles)
230 1 = {(s1, a, s2), (s2, b, s2)} F1 = {s2} Language of a Buchi Automaton Let B = , S, S 0, , F be a Buchi automaton. (Definition 3.10) A run of B on an infinite word is an infinite sequence of states S such that (0) S 0, and ((i), (i), (i + 1)) for all i 0.
I.e., is a run (in the same sense as in a Kripke structure), and is the sequence of transition labels in . We call a run accepting iff for infinitely many indices i it holds that (i) F .
I.e., infinitely often visits accepting states. A word is accepted by B iff there is an accepting run on in B. The language of B, denoted L(B) , is defined as the set of infinite words over accepted by B.
231 Buchi Automata: Examples a b q0 a b q1 "infinitely often b" a,b a "infinitely often ab" q0 b q1 Note: In particular, we are going to be interested in Buchi automata with the alphabet 2AP (for suitable sets AP). 232 Operations on Buchi Automata The languages accepted by Buchi automata are closed under boolean operations. We will examine the following operations: Union of Buchi automata B1 and B2: construct B with L(B) = L(B1) L(B2) Intersection of Buchi automata B1 and B2: construct B with L(B) = L(B1) L(B2) Emptiness check: given B, check if L(B) = 0 In all following slides, let B1 = , S1, S1 , 1, F1 and 0 B2 = , S2, S2 , 2, F2 , assuming that S1 S2 = .
233 Union of Buchi automata Juxtapose both automata. 0 0 I.e., the automaton B = , S1 S2, S1 S2 , 1 2, F1 F2 accepts the language L(B) = L(B1) L(B2). 234 Intersection of Buchi automata We construct an intersection automaton (or: product automaton) B with L(B) = L(B1) L(B2). When constructing the acceptance condition for B, we need to check whether both sets of accepting states occur infinitely often. Idea: We create two copies of the intersected state space. In the first copy, we check for occurrence of the first acceptance set. In the second copy, we check for occurrence of the second acceptance set. We jump back and forth between the copies whenever we find an accepting state from the set we are looking for. Then, the accepting condition should check whether a run jumps back and forth between the two copies infinitely often.
235 Take B = , S, S 0, , F , where S = S1 S2 {1, 2},
0 0 S 0 = S1 S2 {1}, F = F1 S2 {1} ( s, t, 1 , a, s , t , 1 ) iff (s, a, s ) 1, (t, a, t ) 2, s F1 / ( s, t, 1 , a, s , t , 2 ) iff (s, a, s ) 1, (t, a, t ) 2, s F1 ( s, t, 2 , a, s , t , 2 ) iff (s, a, s ) 1, (t, a, t ) 2, t F2 / ( s, t, 2 , a, s , t , 1 ) iff (s, a, s ) 1, (t, a, t ) 2, t F2 Notes:
The automaton starts in the "first copy" (a state where the last component is 1). The choice of the final states is a bit arbitrary, e.g. we could also take S1 F2 {2}. The construction can be generalised to the intersection of any n automata.
236 Intersection: Example
a b s0 a B1 B1 x B2 s0,t0,1 a b a a b a s1,t1,2 b s1 t0 a B2 b a b t1 b s0,t0,2 s1,t1,1 b 237 Emptiness check Observation: L(B) = iff there is an accepting state s F that is reachable from an initial state and reachable from itself (the latter with a nonempty path). s0 ... s ... s ... ... This condition can be checked with an algorithm that takes linear time in the size of the Buchi automaton. (We will see how later.) 238 A simplified intersection construction (for a special case) 0 Suppose that we want to intersect B1 = , S1, S1 , 1, F1 and 0 B2 = , S2, S2 , 2, F2 , where in one of the automata, say B2, all states are accepting, i.e. F2 = S2. In this special case, we can use a simpler intersection construction: in B2, all infinite runs are accepting, therefore we only need to keep track of the acceptance condition of B1. We construct the intersection automaton 0 0 B = , S1 S2, S1 S2 , , F1 S2 , where = { ((s, t), a, (s , t ))  a , (s, a, s) 1, (t, a, t ) 2 }. Then L(B) = L(B1) L(B2). 239 Generalised Buchi Automata A variant of the model are socalled generalised Buchi automata. They differ from (normal) Buchi automata only in the acceptance condition, which is a `set of acceptance sets', i.e. F 2S In a generalised Buchi automaton, a run is accepting iff, for F = {F1, . . . , Fn } and each index 1 i n, we have that visits infinitely many states from Fi . The expressiveness of (normal) Buchi automata (BA) and generalised Buchi automata (GBA) is the same (for proof see next slide). 240 Translating between BA and GBA
Given a BA B = , S, S 0, , F , for the GBA B = , S, S 0, , {F } we have L(B) = L(B ) (obvious). Given a GBA B = , S, S 0, , F , where F = {F1, . . . , Fn }, we construct the BA B = , S, S 0 , , F as follows: S = S {1, . . . , n} S 0 = S 0 {1} F = F1 {1} ((s, i), a, (s , i)) iff 1 i n, (s, a, s ) , s Fi / ((s, i), a, (s , (i mod n) + 1)) iff 1 i n, (s, a, s ) , s Fi Then, L(B) = L(B ) (compare the intersection construction).
241 Notes on other operations
Determinisation: For finite automata (known from regular language theory), it is known that every language expressible by a finite automaton can also be expressed by a deterministic automaton, i.e. one where the transition relation is a function S S. Such a procedure does not exist for Buchi automata. In fact, there are nondetermistic Buchi automata for which no deterministic Buchi automata exist! (see next slide) Complementation: For every language L accepted by a Buchi automaton, one can also construct a Buchi automaton for the complement \ L. However, the lack of a determinisation procedure makes the complement construction rather complicated. Since we do not strictly need it, we will skip it in this course.
242 Determinism
The language of the following automaton is not expressible by a deterministic Buchi automaton! a,b s0 b b s1 "Only finitely many a s." Proof (sketch): Assume that a Buchi automaton with n states exists for this language. After every a the automaton needs to be in a different state. After a occurs in the language n + 1 times, we have necessarily entered a loop containing an accepting state.
243 Literature on Buchi automata For more information on Buchi automata, including the complement construction, see, e.g.: Wolfgang Thomas, Automata on Infinite Objects, Chapter 4 in Handbook of Theoretical Computer Science, or Igor Walukiewicz, Lecture notes on Automata and Logic, Chapter 3, www.labri.fr/Perso/~igw/Papers/igweefss01.ps 244 3.5: Buchi automata and LTL Buchi automata and LTL We have already seen that the languages of Buchi automata resemble the properties expressible in LTL. E.g., the automaton shown below expresses something like F G b. a,b s0 b b s1 In fact, given any LTL formula (over AP), it is possible to create an automaton B (with alphabet 2AP ) such that L(B) = L(). This section is devoted to this translation.
246 Note: The reverse translation (from Buchi automata to LTL) is not always possible: { }, {p} q0 {p} q1 The property "p holds in every second step" is not expressible in LTL. 247 Translating LTL to BA: Overview
Unfortunately, the construction of B is rather complex! Intuitively, this is because the BA may need to keep track of many different properties at the same time. Examples: (G F p) (G(q F r )) or (p U q) U r Let be an LTL formula over AP. We proceed as follows: 1. First, we will convert into a normal form (see next slide). We take Sub () to be the set of subformulas of that normalised formula. 2. Then we construct a GBA B (over the alphabet 2AP ) such that L(B) = L(). The states of B will be subsets of Sub (). 3. Finally, B can be converted into a (normal) Buchi automaton. 248 Normal form
Let be an LTL formula over AP. We say that is in negated normal form (or briefly: normalised) iff consists only of propositions from AP, the constants true and false, the logical operators , , , and the temporal operators X, U, R, and negations occur only in front of atomic propositions from AP. Note: Every formula can be converted into an equivalent normalised formula (i.e. such that L( ) = L()) using aforementioned equivalences such as: (1 R 2) 1 U 2 (1 2) 1 2 X X (1 U 2) 1 R 2 (1 2) 1 2 249 Example of a translation into negated normal form: G(p F q) F (p F q) (true U (p F q)) true R (p F q) false R (p F q) false R (p (true U q)) 250 Subformulas
Let be an LTL formula. We define the set of formulas Sub () to be the smallest set of LTL formulas containing and true, closed under negation, and satisfying the following conditions: if 1 2 Sub (), then 1, 2 Sub () if 1 2 Sub (), then 1, 2 Sub () if X 1 Sub (), then 1 Sub () if 1 U 2 Sub (), then 1, 2 Sub () if 1 R 2 Sub (), then 1, 2 Sub () Note that Sub () = O(). Thus, any subset of Sub () can be expressed as a bitvector of length .
251 Consistent subsets We define the (locally) consistent subsets of Sub (), called CS (), as the set containing all formula sets s Sub () such that: true s
if 1 Sub (), then 1 s iff 1 s; / if 1 2 Sub (), then 1 2 s iff 1 s and 2 s; if 1 2 Sub (), then 1 2 s iff 1 s or 2 s. 252 Translation (cont'd) We now get back to the translation routine. Let be a formula over AP. We define B = , S, S 0, , F to be the generalised Buchi automaton where: = 2AP (i.e. the alphabet of B are subsets of propositions) S = CS () (i.e. every state is a set of consistent subformulas) S0 = { s S  s } and F : see forthcoming slides 253 Intuition for the translation The construction of and F will be such that all runs starting from state s are accepted if and only if they satisfy all the subformulas contained in s. Therefore, the initial states are those containing . We construct the transition relation using recursion laws (see end of Section 3.2). These laws relate obligations that a run needs to fulfil in a state and in its successor. To ensure that eventuality conditions (as in U) are fulfilled, we employ the acceptance condition. 254 Hintikka sequences (Definition 3.11) A preHintikka sequence for a formula is a sequence CS () (i.e. a run of a corresponding Buchi automaton) with the following properties: if X 1 Sub (), then X 1 (i) iff 1 (i + 1); if 1 U 2 Sub (), then 1 U 2 (i) iff 2 (i) or (1 (i) and 1 U 2 (i + 1)); if 1 R 2 Sub (), then 1 R 2 (i) iff 1 2 (i) or (2 (i) and 1 R 2 (i + 1)). 255 Hintikka sequences A Hintikka sequence (HS) is a preHintikka sequence (PHS), with the following additional property: if 1 U 2 (i), then there exists j i such that 2 (j). Let (2AP ) . We call CS () a (pre)Hintikka sequence of iff is a (pre)Hintikka sequence and (i) = (i) AP for all i 0. Lemma: is a Hintikka sequence of iff L() for any (0). 256 Proof of the lemma
We prove the more general condition that for every i 0 and every Sub (), i L() iff (i). Proof by induction over the structure of : Induction base: Let = a for a AP. a (i) iff (by construction) a (i) and (by LTL semantics) iff i L(a). Induction step (sketch): For = , = 1 2, and = 1 2, the proof follows from local consistence and the induction hypothesis. For = X , = 1 U 2, and = 1 R 2, the proof follows from the definition of Hintikka sequences and the induction hypothesis.
257 The goal of our construction:
(0) (1) If (0)  (1)  . . . is a run of our Buchi automaton, then is a preHintikka sequence of . (This will be ensured by the choice of .) is accepting iff additionally is a Hintikka sequence. This will be ensured by the choice of F . Thus, an accepting run from a state containing reads a word contained in L(). 258 The construction of and F Transitions: (s, , t) iff = s AP and: if X 1 Sub () then X 1 s iff 1 t; if 1 U 2 Sub () then 1 U 2 s iff 2 s or (1 s and 1 U 2 t); if 1 R 2 Sub () then 1 R 2 s iff 1 2 s or (2 s and 1 R 2 t). Accepting sets: F contains a set F for every subformula of the form 1 U 2, where F contains the set of states containing either 2 or (1 U 2). 259 Proof of correctness (1/2) 1. Claim: (0)  (1)  . . . is a path of B iff is a PHS of . (0) (1) Proof: see definition of PHS and . 260 Proof of correctness (2/2)
(0) (1) 2. (0)  (1)  . . . is an accepting path of B iff is a HS of .
Remark: We already know that is a PHS. It remains to check whether there is a state in containing a U formula whose righthand side never occurs. We now show that in that case could not be accepting. "": Assume that is not a HS. Then there exists i and a subformula 1 U 2 such that (i) and 2 (j) for all j i. Since is a PHS, / (j) must hold for all j i. Then all (j), j i, are not contained in F , and is not accepting. "": Assume that is not accepting. Then there exists i and a subformula 1 U 2 such that for all j i we have (j) F , i.e. (j) and / 2 (j). Then, however, cannot be a HS. /
261 Translation: Examples (1/2) Xp {p} {p, X p} {} {p} {p} {p} {p} {} {} {X p} {} {} This generalised Buchi automaton with two initial states and an acceptance set F = accepts every feasible (infinite) run. (Negative formulas omitted from states.)
262 Translation: Examples (2/2)
pUq
s0 s4 {p, q, p U q} {p, q} s1 s5 {q, p U q}
s2 s6 {q} {p, p U q}
s7 {p} s3 {p U q} {} Generalised BA with F = {{s0 , s1 , s4 , s5 , s6 , s7 }}, transition labels omitted.
263 Notes on the translation Given a formula , the translation produces an automaton with 2O() states. The following example shows that such a blowup is inevitable for some formulas. We shall construct an LTL formula that simulates an nbit counter. Let AP = {p0, . . . , pn1}, where pi is the value of the ith bit.
n1 G(p0 X p0) i=1 G pi X pi pi1 X pi1 Clearly, the formula is of size O(n). However, a Buchi automaton for it must have at least 2n states. 264 Notes on the translation
The example from the previous slide shows that the exponential bound is asymptotically optimal. However, most formulas do not require automata of exponential size. The procedure shown on the following slides always produces automata of exponential size. Thus, it is not often used in practice. There exist better (but more complicated) translation procedures that employ heuristics to reduce the size of the automaton. Some tools for this are available on the Internet:
Spin (Holzmann, invocation: spin f 'p U q') LTL2BA (Gastin, Oddoux) Wring (Somenzi) 265 LTL and Safety/Liveness properties One interesting consequence of the translation from LTL to BA is the following: Every property expressible in LTL is the intersection of a safety and a liveness property. In other words, if is an LTL formula, then there exists a safety property Ps and a liveness property P such that L() = Ps P . Proof: Let B = , S, S 0, , F be a BA s.t. L(B) = L(). Assume w.l.o.g. that is total, i.e. for every s S and a there exists at least one s s.t. (s, a, s ) (one can always extend into a total relation by adding a nonaccepting dummy state). 266 Proof
Let N S be the states of B from which no accepting state (in F ) can be reached. Let B be the set of (finite) words w such that every path in B where w is the concatenation of the transition labels leads to a state from N. By B we denote the language { w  w P, }. Clearly, B is the set of bad prefixes of L(B), and L(B) B = . Let Ps be the complement of B, i.e. Ps := \ B. Then Ps is a safety property whose bad prefixes are B. Let P := L(B) B. Then P is a liveness property. Now, P Ps = (L(B) B) ( \ B) = (L(B) \ B) (B \ B) = L(B) = L().
267 Examples L(G p) is a safety property intersected with the (trivial) liveness property L(true). L(F p) is a liveness property intersected with the (trivial) safety property L(true). L(p U q) is the intersection of the safety property L(p W q) and the liveness property L(F q). p U q expresses that something "bad" does not happen (i.e., p stops holding before q holds). F q expresses that something "good" (i.e. q) eventually happens. 268 3.6: ModelChecking LTL ModelChecking LTL Problem: Given an LTL property and a Kripke structure K, does K = hold? Solution for finite Kripke structures: Let K = S, , s0, AP, . Construct a Buchi automaton BK = 2AP , S, {s0}, , S , where: (s, , s ) iff ss and = (s) Thus, BK accepts () iff is a run of K starting at s0. In other words, L(BK ) = (L(K)). 270 Construct the Buchi automaton B for the negation of . Let B denote the intersection automaton for B and BK . K = (L(K)) L() L(BK ) L() = L(B) = Thus we reduce the problem to emptiness checking of a Buchi automaton. If an accepting run of B exists, it serves as a counterexample for . Note that we can use the simplified intersection construction for B.
271 Emptiness checking revisited While B is typically small, BK can be huge, often millions of states (even for quite simple systems). Thus, an efficient algorithm for emptiness checking is required. Recall an observation made in Section 3.4: L(B) = iff there is an accepting state s F that is reachable from an initial state and there is a cycle around s. s0 ... s ... s ... ... 272 Running example
q0 q1 q4 q6 q8 q10 q2 q3 q5 q7 q9 q11 In the following slides, we will use this BA as a running example. Since transition labels are uninteresting for emptiness checking, we omit them. Notice that F = {q1, q4, q9}.
273 A first attempt Let s S. If s + s then we say that there is a cycle around s (or that "s has a cycle"). A trivial solution is as follows: Check for each s F whether s has a cycle. Let F F be the set of accepting states for which this is the case. Check whether there is s0 S 0 and s F such that s0 s. 274 Example: states reachable from q1
q0 q1 q4 q6 q8 q10 q2 q3 q5 q7 q9 q11 There is no cycle around q1.
275 Example: states reachable from q4
q0 q1 q4 q6 q8 q10 q2 q3 q5 q7 q9 q11 There is a cycle: q4 q5 q7 q6 q4, thus q4 F.
276 Example: states reachable from q9
q0 q1 q4 q6 q8 q10 q2 q3 q5 q7 q9 q11 There is a cycle: q9 q10 q11 q8 q9, thus q9 F.
277 Example: states reachable from the initial state(s)
q0 q1 q4 q6 q8 q10 q2 q3 q5 q7 q9 q11 Automaton is nonempty because q4 F, and q4 is reachable.
278 Complexity of the trivial procedure
In the first part of this procedure, we find the states reachable from each accepting state. In the worst case, this part touches each state F  times. Thus, the running time is at least S F , i.e. quadratic in the size of the automaton. Recall that B can have millions of states. A quadratic procedure like the above will not scale. We need a more efficient solution for this problem, i.e. one that takes at most linear time in the size of B. There are two such solutions: Finding the stronglyconnected components of B Nested depthfirst search
279 Strongly connected components C S is called a stronglyconnected component (SCC) of B iff for all q, q C we have q q ; C is maximal, i.e. there is no proper superset of C for which the previous condition also holds. We call an SCC C trivial iff C = {q} for some q S and q q. 280 Example: SCCs
q0 q1 q4 q6 q8 q10 q2 q3 q5 q7 q9 q11 Note: The SCCs {q0} and {q1} are trivial.
281 Solution using SCCs Observation: L(B) = iff B contains a nontrivial SCC C such that the states of C are reachable from some initial state, and C contains an accepting state. Note: SCCs can be computed in linear time in the size of B (more precisely, in O(S + ) time) using, e.g., Tarjan's algorithm (1972). 282 Are we done yet? We now have a method that works in linear time. In terms of worstcase complexity, this is the best we can expect. (E.g. we cannot determine that the language is empty until we have examined all states.) However, we can still do better if the automaton is nonempty! Notice that the SCC method examines the whole graph before the result can be determined. However, if the automaton is nonempty, it may be possible to find this by examining just a few states. The approach described on the next slides tries to exploit this. 283 Depthfirst search
(In the following, let us assume w.l.o.g. that B has exactly one initial state.) Let B be a Buchi automaton (or indeed, any directed graph. . . ). A depthfirst traversal of B (or: depthfirst search) is an algorithm that visits all states reachable from the initial state as follows: 1. Initially, mark all states as unvisited, and let s be the initial state. 2. Mark s as visited. 3. If s has a direct successor t that is not yet marked as visited, put s onto a "stack" and, then set s := t and go back to step 2. 4. If s has no unvisited successor and s is not the initial state, then let t be the last element that was put on the stack. Set s := t, remove t from the stack, and go back to step 2. (This is called backtracking.) 5. If s is the initial state and all its successors are marked as visited, terminate.
284 Nested depthfirst search Algorithm by Courcoubetis, Vardi, Wolper, Yannakakis (1992) Simple version: two phases, each of them consisting of a depthfirst search Improved version: both phases interleaved 285 The simple version
First phase: 1. Start a depthfirst search at each initial state. 2. Number the states in post order, i.e. assign a number to state s when the search backtracks from s. Second Phase: Consider the accepting states in the post order imposed by the first phase, and do the following for each accepting state q: 1. Start a depthfirst search at q. 2. Cut off the search at states visited previously during the second phase. 3. If the search "comes back" reaches q, a cycle around q has been found.
286 Example: Result of the first phase q0 8 q4 q6 7 4 q8 q10 q1 3 q2 2 q3 1 q5 6 q7 5 q9 q11 287 The simple version
First phase: 1. Start a depthfirst search at each initial state. 2. Number the states in post order, i.e. assign a number to state s when the search backtracks from s. Second Phase: Consider the accepting states in the post order imposed by the first phase, and do the following for each accepting state q: 1. Start a depthfirst search at q. 2. Cut off the search at states visited previously during the second phase. 3. If the search "comes back" reaches q, a cycle around q has been found.
288 Second Phase: Depthfirst search starting at q1
q0 8 q4 3 7 q6 4 q8 q10 q1 q2 2 q3 1 q5 6 q7 5 q9 q11 No cycle found; algorithm continues.
289 Second Phase: Depthfirst search starting at q4
q0 8 q4 3 7 q6 4 q8 q10 q1 q2 2 q3 1 q5 6 q7 5 q9 q11 Cycle found; Algorithm returns "nonempty".
290 Theorem: The second phase finds a cycle iff L(B) is nonempty. Proof: "": obvious "": Let s1, . . . , sm be the accepting states in post order. Let si be a state with a cycle such that the index i is minimal. We show that the second phase finds a cycle around si . For this it suffices to show that, at the time when the second depthfirst search from si starts, no state in the same SCC as si has been visited previously in the second phase. By contradiction, assume that there is a state q such that si + q und q si , and that q was already visited in the second phase. Then there exists sk with k < i and sk q.
291 Either the first phase visits sk before si . Because of sk q si , the post order would then place si before sk . Contradiction. Otherwise, the first phase visits si before sk . Then, because of k < i, si sk must hold. But then there is a cycle around sk , which contradicts the minimality condition on i. 292 The interleaved version
N ESTED( , S, S 0 , , F ) 1 visited := ; 2 stack := ; 3 for q S 0 4 do 5 DFS(q, 1); 6 report empty and exit DFS(s, phase) 1 append s to stack ; 2 visited := visited {(s, phase)}; 3 for t { t  : (s, , t) } 4 do 5 if phase = 2 t = seed 6 then report nonempty and exit 7 if (t, phase) visited / 8 then DFS(t, phase); 9 if phase = 1 s F 10 then seed := s; DFS(s, 2); 11 remove s from stack ; 293 Remarks on nested depthfirst search
Running time: proportional to S +  (Each state and each transition are visited at most twice.) Memory requirements: a stack and two bits per state If there is an accepting run, it may be found without exploring the whole automaton. If there is an accepting run, it can be obtained from stack . The automaton can be constructed during the depthfirst search. This is called "onthefly" model checking. Notice that the algorithm works independently of the order in which outgoing transitions (at a state) are processed.
294 "Onthefly" model checking
Input:
A compact description of a Kripke structure K (for instance, a Petri net, a Promela model, . . . ) and an LTL formula . The initial state of K and of a Buchi automaton for . Output:
YES if K = , otherwise NO. Method:
Start the nested DFS algorithm at the initial state. At each state s in the DFS, compute the successors of s directly from the description of K and from the Buchi construction for . Abort immediately with NO if a counterexample is found, otherwise search the whole automaton and in the end output YES. may avoid constructing potentially large parts of the product automaton no memory required to store transitions
295 3.7: Excursion: Demonstration of the tool SPIN Spin Spin is a model checker which implements the LTL modelchecking procedure described previously (and much more besides). Developed by Gerard Holzmann of Bell Labs Has won the prestigious ACM Software System Award in 2001 (other winners include Unix, TeX, Java, TCP/IP, Apache, PostScript, ...) WWW homepage: http://spinroot.com Literature: Holzmann, The Spin Model Checker (available in the library of the computer science building, Semesterapparat Esparza) 297 Using Spin Transition systems described with Promela (Protocol Meta Language) Can describe finitestate systems. Useful for describing concurrent processes with synchronous and asynchronous communication, variables, advanced datatypes (e.g., records). A brief introduction to Promela is available on the course webpage. 298 Example 1: Access to a museum
In the first example, we model the goingson in a museum. Due to space constraints, the museum allows only a certain number of visitors at the same time. If the museum is full, additional visitors need to wait until another visitor leaves the museum. Moreover, visitors can only enter when a certain access signal is green. Visitors can stay for some arbitrary amount of time. The museum closes its doors in the evening. Some time before the museum closes, a guard sets the access light to yellow (so no other visitors can enter). When all visitors have left, the light is set to red. Files museum1.pml, museum2.pml, and museum3.pml contain variations on this model.
299 Example 2: Leader Election Protocol The following protocol is due to Dolew, Klawe, Rodeh (1982). A model of it is contained in the Spin distribution. The protocol consists of n participants, connected in a ring of (unidirectional) message channels. Communication is asynchronous, but the channels are reliable. Each participant has a unique number (e.g., chosen randomly). Goal: The participants communicate to elect a `leader'. The protocol ensures low communication overhead (only O(n log n) messages). 300 Leader Election Protocol
During the protocol, participants are active or inactive. Initially, every participant is active. The protocol consists of rounds. In each round, some participants are deactivated. Every round will deactivate at least half of the remaining participants. (Thus, there are at most log n rounds.) In each round every active participant receives the values of the two nearest active neighbours (in incoming direction). A participant remains active iff the value of its nearest active neighbour is larger than its own value and the value of its second nearest active neighbour. If so, the participant adopts the value of its nearest neighbour. The last remaining participant is declared the leader.
301 Leader Election: Example 5 4 9 1 8 7 10 3 6 2 302 Leader Election: First round 5 (9) 4 9 1 8 7 (8) 10 3 (10) 6 2 (6) 303 Leader Election: Result of first round ... 9 ... ... ... 8 ... 10 ... 6 304 Leader Election: Second round ... 9 ... ... ... 8 (9) ... 10 ... 6 (10) 305 Leader Election: Result of second round ... ... ... ... ... 9 ... ... ... 10 306 Leader Election: Third round ... ... ... ... ... 9 (10) ... ... ... 10 307 Leader Election: Final result ... ... ... ... ... 10 ... ... ... ... 308 Leader Election Protocol Motivation for the protocol: low message complexity. (Most nave approaches will have quadratic complexity!) i Let us use Spin to check whether the protocol succeeds, i.e. eventually a leader will be elected: F G oneLeader Indeed, Spin tells us that the protocol fulfils the property. 309 A closer look at Spin's behaviour Looking at the model carefully, we see that its state space grows exponentially with the number of participants (e.g., because participants can send their messages in arbitrary order). However, Spin's running time grows only linearly with the number of participants why? This is because Spin employs a clever technique that avoids exploring the whole state space. This technique is called partialorder reduction. 310 Effect of partialorder reduction Size of the explored state space with and without reduction in Spin: n with without 4 5 6 7 136 169 4327 28075 203 185753 237 1.2 Mio Size grows linearly with reduction, but exponentially without. 311 3.8: Partialorder reduction Counteracting state space explosion
We already have an efficient algorithm for model checking LTL. However, the size of the Kripke structure can still become very large quite easily. Early in the course, we mentioned three techniques designed to reduce the size of the state space. These were: Abstraction: leave out unimportant information. Example: boat omitted in man/wolf/goat/cabbage puzzle Compression: operate on sets of states (or markings), use efficient data structures to store them. Example: BDDs Reduction: avoid exploring multiple `equivalent' executions. Example: exploit independence Today, we will look at a reduction technique.
313 State space reduction: Motivation State space reduction (also called partialorder reduction) tries to alleviate statespace explosion that arises from parallel composition. Example: Consider the following Petri net N: p1 t1 p2 p3 t2 p4 p5 t3 p6 314 Reduction: Example (1/4)
The reachability graph has 8 = 23 markings and 6 = 3! possible traversals.
{p1,p3,p5} t1 {p2,p3,p5} t2 t3 t2 {p1,p4,p5} t1 t3 t3 {p1,p3,p6} t1 t2 {p2,p4,p5} t3 {p2,p3,p6} t2 {p2,p4,p6} t1 {p1,p4,p6} If our example includes n such transitions, we get 2n markings and n! traversals.
315 Reduction Example (2/4)
All traversals of the reachability lead to {p2, p4, p6}.
{p1,p3,p5} t1 {p2,p3,p5} t2 t3 t2 {p1,p4,p5} t1 t3 t3 {p1,p3,p6} t1 t2 {p2,p4,p5} t3 {p2,p3,p6} t2 {p2,p4,p6} t1 {p1,p4,p6} Idea: reduce the system by avoiding to explore some interleavings of actions if they all lead to the same result.
316 Reduction Example (3/4)
However, when choosing interleavings we also need to take into account the property that we want to check. Suppose that the marking M := {p1, p4, p5} plays a role in our property.
{p1,p3,p5} t2 {p1,p4,p5} t1 t3 t1 {p2,p3,p5} t2 t3 t3 {p1,p3,p6} t1 t2 {p2,p4,p5} t3 {p2,p3,p6} t2 {p2,p4,p6} t1 {p1,p4,p6} Choosing only the interleaving t1t2t3, we come (wrongly) to the conclusion that M is never reachable.
317 Reduction Example (4/4) Choosing only the interleaving t2t1t3, we would wrongly conclude that M is reachable in all executions.
{p1,p3,p5} t2 {p1,p4,p5} t1 t3 t1 {p2,p3,p5} t2 t3 t3 {p1,p3,p6} t1 t2 {p2,p4,p5} t3 {p2,p3,p6} t2 {p2,p4,p6} t1 {p1,p4,p6} Thus, we must include at least two interleavings to preserve properties with M.
318 Equivalent runs The example suggests that we could reduce the size of a Kripke structure by identifying `equivalent' runs, and then just considering one representative of a class. We shall consider two runs equivalent if they satisfy the same LTL formulas (almost, see below). The following definitions formalise this notion. 319 Stuttering equivalence Let K = S, , s0, AP, be a Kripke structure. Definition: Let , be runs of K. We call and stuttering equivalent iff there exist sequences of integers 0 = i0 < i1 < i2 < and 0 = k0 < k1 < k2 < such that for all 0: ((i )) = ((i + 1)) = = ((i +1  1)) = ((k )) = ((k + 1)) = = ((k +1  1)) 320 Note: Informally, the definition of stuttering equivalence says that we can partition the states of and into `blocks' such that the same atomic properties hold in all the blocks. By extension, let K and K be Kripke structures over the same set AP, and let s0 and s 0 be their initial states. We call K and K stuttering equivalent iff (s0) = (s 0), and for every run in K there is a stuttering equivalent run in K and vice versa. 321 Stuttering invariance (Definition 3.12) Let be an LTL formula. We call stuttering invariant iff for all pairs of stuttering equivalent runs and the following holds: L() iff L(). In other words, a stuttering invariant formula cannot distinguish between stuttering equivalent runs. Let LTLX be the logic LTL without the X operator. Theorem: All formulas of LTLX are stuttering invariant. Proof: exercise for the reader 322 Summary (so far) The notion of stuttering equivalence gives us a handle to apply reduction when model checking a formula of LTLX : Given K, we `reduce' K to a smaller structure red (K) by omitting some runs that are stuttering equivalent to others. Then red (K) = iff K = , therefore we can apply the verification procedure to red (K) instead. The following slides define red (K) in more detail. 323 Outlook
We first introduce some notation to formalise the observations we made: We observed that two runs may be equivalent if they are just different interleavings of actions leading to the same result. Thus, we shall consider systems with actions. Moreover, we define what it means for actions to be independent of each other. The observation that we need to take into account the property motivates the definition of visibility. Then, using the notions of independence and visibility, we establish some conditions C0C3 and prove that, if red (K) satisfies these conditions, then red (K) is stuttering equivalent to K.
324 Actions (Definition 3.13) Let K = S, , s0, AP, be a Kripke structure and A be a set of actions. An action labelling of K is a function L that assigns to each pair (s, t) an action from A. Note: If L(s, t) = a, we write s t. In the following we assume that L is deterministic, i.e. if s t and s t , then t = t , for all s, t, t S and a A. The set of enabled actions at at state s is defined as:
a a a en (s) := {a A  t S : s t } a 325 Reduction function (Definition 3.14) Let K = S, , s0, AP, be a Kripke structure and L a (deterministic) action labelling of K. A function red : S 2A is a reduction function of K iff red (s) en (s) for all s S. By extension, we define red (K) := S , , s0, AP, structure satisfying: (i) S S, and s0 S ; (ii) if s S , s t, and a red (s), then also t S , and s t; (iii) is the restriction of to S .
326 as the smallest Kripke a a Note on red Our goal is to define a function red in such a way that red (K) is stuttering equivalent to K. There are many methods that compute such a reduction function: Ample sets, Stubborn sets, Persistent sets, Sleep sets, . . . The definition of red given here follows the definition of the ample set method. 327 Independence (Definition 3.15) Let A be a set of actions, K = S, , s0, AP, a Kripke structure, and L an action labelling. We call two actions a, b independent for K iff they satisfy the socalled forward diamond property for all states s S:
a b If a, b en (s), s t, and s u, then there is a state v such that a en (u), b en (t), t v , and u v . Note: We say that a and b depend on each other iff they are not independent.
b a 328 Forward diamond property s
a b a s
b t u t
b a u v 329 Independence: Example In the example below, let us take define A as the set of transitions. Then all pairs of actions are independent.
{p1,p3,p5} t2 {p1,p4,p5} t1 t3 t1 {p2,p3,p5} t2 t3 t3 {p1,p3,p6} t1 t2 {p2,p4,p5} t3 {p2,p3,p6} t2 {p2,p4,p6} t1 {p1,p4,p6} Note: In general, independence is not a transitive relation.
330 Visibility (Definition 3.16) Let A be a set of actions, K = S, , s0, AP, a Kripke structure, and L an action labelling.
a An action a is called visible iff there is a transition s t such that (s) = (t). In other words, a visible action may change satisfaction of atomic properties. Note: We call a invisible iff it is not visible. 331 Visibility: Example In the example, let AP = {p} and {p1, p4, p5} be the only marking satisfying p.
{p1,p3,p5} t1 {p2,p3,p5} t2 t3 t2 {p1,p4,p5} t1 t3 t3 {p1,p3,p6} t1 t2 {p2,p4,p5} t3 {p2,p3,p6} t2 {p2,p4,p6} t1 {p1,p4,p6} Now, t1, t2, and t3 are all visible.
332 Conditions C0 to C3 (Definition 3.17) C0: red (s) = iff en (s) = C1: Let s be a state. On every path or run of K starting at s the following condition holds: no action that depends on an action in red (s) can be executed before an action in red (s). C2: If red (s) = en (s) then all actions in red (s) are invisible. C3: For all cycles in red (K) the following condition holds: if a en (s) for some state s in the cycle, then a red (s ) for some (possibly other) state s in the cycle. 333 Correctness Theorem: Let K = S, , s0, AP, be a Kripke structure such that S is a finite set. Let red be a reduction function for K that satisfies conditions C0 to C3. Then red (K) is stuttering equivalent to K. Proof: see next slides 334 Correctness (proof)
The proof idea: Let be a run of K (shown in brown in the following figures). We show that red (K) contains a run (shown in red) with the following property: For every prefix of there exists a prefix of s.t. the two prefixes are "stuttering equivalent" (assuming a suitably modified definition of stuttering equivalence for finite paths). During the proof, the conditions are used as follows: C0 ensures that no additional deadlocks are introduced; C1 and C2 ensure that for every omitted path there is a stuttering equivalent path that is not omitted; C3 ensures that enabled actions cannot be delayed forever.
335 Proof of correctness b Assume that the transition labelled with b is the first transition of not contained in the reduction.
336 Proof of correctness a1 b b
a1 Because of C0 the blue state must have another enabled transition, say a1 , which is invisible and independent of b (C1+C2). States in the same colours denote the same atomic propositions.
337 Proof of correctness a1 b b
a1 Now, either the second btransition is contained in the reduction, in which case we can take to be the red sequence . . .
338 Proof of correctness a1 b an b b an b
a1 . . . or the inclusion of b is "deferred" in favour of actions a2, . . . , an that are also invisible and independent of b.
339 Proof of correctness a1 b an b b an b
a1 Since K is finite, such a sequence must eventually lead to a loop, and because of C3, b must be enabled somewhere along that loop.
340 Proof of correctness a1 b an b b an b
a1 Both and contain some blue states followed by some green states and are "stuttering equivalent up to that point".
341 Proof of correctness a1 b an b b an b
a1 c now either continues with actions a1, . . . , an until the paths "converge", or deviates from such a path with some action c.
342 Proof of correctness a1 b an b b an c an b
a1 c We can conclude that this only happens if c is independent from (in this case) a2, . . . , an .
343 Proof of correctness a1 b an b b an c an c b
a1 c Moreover, with the same reasoning as before, we can conclude that eventually some ctransition must occur along the red path.
344 Proof of correctness a1 b an b b an c an c b
a1 c The red path is again stuttering equivalent to the brown path. For the rest of , the previous arguments can be repeated ad infinitum.
345 Comments Ideally, we would like to define red in such a way that red (K) is as small as possible. However, there are two obstacles: Finding the best reduction is computationally very hard (harder than actually solving the emptiness problem), so we shall be content with a lessthanoptimal reduction strategy. The reduction only makes sense if we can construct it "on the fly", during a depthfirst search (compare the slide "Onthefly model checking" in Section 3.6), i.e. without constructing all of K first 346 The definitions of independence and visibility, as well as conditions C0 and C3 are defined w.r.t. the whole Kripke structure. Checking them explicitly makes no sense because one wants to avoid constructing the whole structure in the first place! However, notice that we can work with approximations: Treating a (possibly) invisible action as if it was visible (in C2) enlarges red but does not endanger stuttering equivalence. Therefore, in C2 we may overapproximate the set of visible actions. Similarly, we can work with an underapproximation of the set of pairs of independent actions (in C1).
347 Approximations in the sense above can often be derived from the semantics of the input language from which a Kripke structure is derived (e.g., in Promela we can deduce that two send operations on different channels are independent). Spin replaces C1 and C3 by stronger conditions that can be checked efficiently by just looking at the current state and its depthfirst history. We get the following overall picture: Stuttering equivalence ensures that the reduced structure is equivalent to the original structure (w.r.t. all formulas). Conditions C0C3 ensure stuttering equivalence. In practice, suitable approximations of indepence, visibility, and stronger conditions in place of C1 and C3 ensure that C0C3 hold.
348 Section 4: Computationtree logic Programme for the upcoming lectures Introduction of computationtree logic (CTL) syntax, semantics, comparison with LTL CTL Model Checking basic algorithms fairness Binary decision diagrams (BDDs) Tool demonstration: SMV
350 LTL and CTL LTL (lineartime logic) Describes properties of individual executions. Semantics defined as a set of executions. CTL (computation tree logic) Describes properties of a computation tree: formulas can reason about many executions at once. (CTL belongs to the family of branchingtime logics.) Semantics defined in terms of states. 351 4.1: Syntax and semantics of CTL Computation tree (Definition 4.1) Let T = S, , s0 be a transition system. Intuitively, the computation tree of T is the acyclic unfolding of T . Formally, we can define the unfolding as the least (possibly infinite) transition system U, , u 0 with a labelling l : U S such that u 0 U and l(u 0) = s0; if u U, l(u) = s, and s s for some u, s, s , then there is u U with u u and l(u ) = s ; u 0 does not have a direct predecessor, and all other states in U have exactly one direct predecessor. Note: For model checking CTL, the construction of the computation tree will not be necessary. However, this definition serves to clarify the concepts behind CTL.
353 Computation tree: Example A transition system and its computation tree (labelling l given in blue):
s0 s1 s0 s0 s1 s2 s1 s2 s1 s1 s2 ... ... ... ...
354 ... ... ... CTL: Overview CTL = ComputationTree Logic Combines temporal operators with quantification over runs Operators have the following form: Q T
there exists an execution for all executions E A X F G U next finally globally until (and possibly others) 355 CTL: Syntax (Definition 4.2) We define a minimal syntax first. Later we define additional operators with the help of the minimal syntax. Let AP be a set of atomic propositions: The set of CTL formulas over AP is as follows: if a AP, then a is a CTL formula; if 1, 2 are CTL formulas, then so are 1, 1 2, EX 1, EG 1, 1 EU 2 356 CTL: Semantics (Definition 4.3) Let K = (S, , s0, AP, ) be a Kripke structure. We define the semantic of every CTL formula over AP w.r.t. K as a set of states []K , as follows: [[a]]K = { s  a (s) } [[1]]K = S \ [[1]]K [[1 2]]K = [[1]]K [[2]]K [[EX 1]]K = { s  there is a t s.t. s t and t [[1]]K } [[EG 1]]K = { s  there is a run with (0) = s and (i) [[1]]K for all i 0 } [[1 EU 2]]K = { s  there is a run with (0) = s and k 0 s.t. (i) [[1]]K for all i < k and (k ) [[2]]K }
357 for a AP We say that K satisfies (denoted K = ) iff s0 []K . We declare two formulas equivalent (written 1 2) iff for every Kripke structure K we have [[1]]K = [[2]]K . In the following, we omit the index K from []K if K is understood. 358 CTL: Extended syntax 1 2 (1 2) AX EX AG EF AF EG 1 AW 2 (2 EU (1 2)) 1 AU 2 AF 2 (1 AW 2)) true a a false true
1 EW 2 EG 1 (1 EU 2) EF true EU Other logical and temporal operators (e.g. , ER, AR), . . . may also be defined. 359 CTL: Examples
We use the following computation tree as a running example (with varying distributions of red and black states):
{p} {p} {q} ... ... ... ... {q} ... ... ... ...
360 In the following slides, the topmost state satisfies the given formula if the black states satisfy p and the red states satisfy q. ... ... ... ... ... ... AG p ... ... 361 ... ... ... ... ... ... AF p ... ... 362 ... ... ... ... ... ... AX p ... ... 363 ... ... ... ... ... p AU q ... ... ... 364 ... ... ... ... ... ... EG p ... ... 365 ... ... ... ... ... ... EF p ... ... 366 ... ... ... ... ... ... EX p ... ... 367 ... ... ... ... ... p EU q ... ... ... 368 Solving nested formulas: Is s0 [[AF AG x]]?
s6 {z} s0 {x,y,z} s2 {y,z} s3 s4 {y} {x} s1 {x,y} s5 {x,z} s7 {} To compute the semantics of formulas with nested operators, we first compute the states satisfying the innermost formulas; then we use those results to solve progressively more complex formulas. In this example, we compute [[x]], [[AG x]], and [[AF AG x]], in that order.
369 Bottomup method (1): Compute [[x]]
s6 {z} s0 {x,y,z} s4 s2 {y,z} {y} s1 {x,y} s3 {x} s5 {x,z} s7 {} 370 Bottomup method (2): Compute [[AG x]]
s6 {z} s0 {x,y,z} s4 s2 {y,z} {y} s1 {x,y} s3 {x} s5 {x,z} s7 {} 371 Bottomup method (3): Compute [[AF AG x]]
s6 {z} s0 {x,y,z} s4 s2 {y,z} {y} s1 {x,y} s3 {x} s5 {x,z} s7 {} 372 Example: Dining Philosophers
1 5 2 4 3 Five philosophers are sitting around a table, taking turns at thinking and eating. We shall express a couple of properties in CTL. Let us assume the following atomic propositions: ei = philosopher i is currently eating
373 Properties of the Dining Philosophers
"Philosophers 1 and 4 will never eat at the same time." AG (e1 e4) "It is possible that Philosopher 3 never eats." EG e3 "From every situation on the table it is possible to reach a state where only philosopher 2 is eating." AG EF(e1 e2 e3 e4) 374 Properties of the Dining Philosophers
"Philosophers 1 and 4 will never eat at the same time." AG (e1 e4) "It is possible that Philosopher 3 never eats." EG e3 "From every situation on the table it is possible to reach a state where only philosopher 2 is eating." AG EF(e1 e2 e3 e4) 375 Properties of the Dining Philosophers
"Philosophers 1 and 4 will never eat at the same time." AG (e1 e4) "It is possible that Philosopher 3 never eats." EG e3 "From every situation on the table it is possible to reach a state where only philosopher 2 is eating." AG EF(e1 e2 e3 e4) 376 Properties of the Dining Philosophers
"Philosophers 1 and 4 will never eat at the same time." AG (e1 e4) "It is possible that Philosopher 3 never eats." EG e3 "From every situation on the table it is possible to reach a state where only philosopher 2 is eating." AG EF(e1 e2 e3 e4) 377 4.2: Expressiveness of CTL and LTL CTL and LTL have a large overlap, i.e. properties expressible in both logics. Examples: Invariants (e.g., "p never holds.") AG p or Gp Reactivity ("Whenever p happens, eventually q will happen.") AG(p AF q) or G(p F q) 379 CTL considers the whole computation tree whereas LTL only considers individual runs. Thus CTL allows to reason about the branching behaviour, considering multiple possible runs at once. Examples: The CTL property AG EF p ("reset property") is not expressible in LTL. The CTL property AF AX p distinguishes the following two systems, but the LTL property F X p does not: {p} {p} {p} {p} 380 Even though CTL considers the whole computation tree, its statebased semantics is subtly different from LTL. Thus, there are also properties expressible in LTL but not in CTL. Examples: The LTL property F G p is not expressible in CTL: {p} s0
K = F G p {} s1 {p} s2 but K = AF AG p 381 Also, fairness conditions are not directly expressible in CTL: (G F p1 G F p2) However, as we shall see later, there is another way to extend CTL with fairness conditions. Conclusion: The expressiveness of CTL and LTL is incomparable; there is an overlap, and each logic can express properties that the other cannot. Remark: There is a logic called CTL (not considered in this course) that combines the expressiveness of CTL and LTL. 382 4.3: ModelChecking CTL ModelChecking CTL We now consider the following problem: Given a Kripke structure K = S, , s0, AP, , where S is finite, and a CTL formula , compute []. In particular, this allows to answer the question K = , which is by definition equivalent to s0 []. 384 Assumption 1: No deadlocks We also assume that K does not contain deadlocks, i.e. states without successors. Note that technically speaking, the semantics of EG and EU require the existence of an (infinite) run. The assumption makes the following presentation easier, because every state is guaranteed to have a run. One can lift the 'no deadlocks' restriction by removing deadlock states from the system before starting the computations for EG and EU, so this is not a real restriction. 385 Assumption 2: Minimal syntax In the following, we assume that is given in the minimal syntax for CTL (see the slide CTL: Syntax. If contains operators from the extended syntax (e.g., AG, EF), it must first be rewritten using the equivalences from the `Extended Syntax' slide. Alternatively, one could extend the following algorithm to handle additional operators directly. 386 The `bottomup' algorithm for CTL
The algorithm reduces to a formula to a single proposition, using the following steps. Recall that for atomic propositions p we have [[p]] = { s  p (s) }. In the following, it is useful to define this set as (p) (by slight abuse of notation). 1. Check if already consists of a single atomic proposition p. If yes, output [] = [[p]] = (p) and stop. Otherwise, continue at 2. 2. Now, must contain some subformula of the form p, p q, EX p, EG p, or p EU q, where p, q AP. Compute [] using the algorithms on the following slides. 3. Let p be a `fresh' proposition not yet in AP. Add p to AP, taking (p ) := []. Replace all occurrences of in by p . 4. Go back to step 1.
387 Computation of []: The easy cases
Case 1: p, p AP By definition, [] = S \ (p). Case 2: p q, p, q AP [[p]] and [[q]] are given by (p) and (q), respectively, thus by definition [] = (p) (q). Case 3: EX p, p AP For the following, let us define pre (X ), where X S, as the set pre (X ) := { s  t X : s t }.
[[p]] is given by (p). Then, by definition [] = pre ((p)).
388 Computation of []: the EG operator
Case 4: EG p, p AP Lemma 1: [[EG p]] is the greatest solution (w.r.t. ) of the equation X = (p) pre (X ). Proof: The proof consists of two steps: 1. We show that [[EG p]] is a solution of the equation, i.e. [[EG p]] = (p) pre ([[EG p]]). Recall that [[EG p]] = { s  : (0) = s i 0 : (i) (p) }. "" Suppose s [[EG p]] because of run . Then s (p) follows immediately. Moreover 1 is a witness for showing that (1) [[EG p]], therefore s pre ([[EG p]]).
389 Continuing the proof of Lemma 1: 1. "" Suppose s (p) pre ([[EG p]]). Then s has a successor t with a run showing that t [[EG p]], and s is a run showing that s [[EG p]]. 2. We show that [[EG p]] is indeed the greatest solution, that is, for any solution M we have M [[EG p]]. Suppose that M S is a solution, i.e. M = (p) pre (M), and that s M. We show that s [[EG p]]. Since s M, we have s (p) and s pre (M). Since s pre (M), there is s1 M such that s s1. Repeating the argument, we obtain a run = ss1 of states in (p), which proves s [[EG p]].
390 Lemma 2: Consider the sequence S, (S), ((S)), . . ., i.e. i (S) where (X ) := (p) pre (X ). For every i 0, we have i (S) [[EG p]]. Before the proof, we make two observations. (1) is monotonous: if X X , then (X ) (X ). (2) The sequence is decreasing: S (S) ((S)) . . . Proof of Lemma 2: (by induction on i) Base: i = 0: obvious. Step: i i + 1: i+1(S) = (p) pre ( i (S)) i0 , (follows from (1)). (p) pre ([[EG ]]) (ind. hyp. and monotonicity) = [[EG p]]
391 Lemma 3: There is an index i such that i (S) = i+1(S), and [[EG p]] = i (S). Proof: Since S is finite, the decreasing sequence must reach a fixed point, and thus i exists. Because i (S) = ( i (S)) = (p) pre ( i (S)), the set i (S) is a solution of the equation from Lemma 1. Because of Lemma 1, we have i (S) [[EG p]]. Because of Lemma 2, we also have i (S) [[EG p]], which completes the proof. 392 Computation of [[EG]] operator: Summary Lemma 3 gives us an algorithm for computing [[EG p]]: Compute the sequence S, (S), until a fixed point is reached. In practice, this amounts to starting with X := (p) and progressively removing from X the states that do not have a successor in X . If efficiently implemented, this can be done in O(K) time. 393 Example: Computing [[EG y]] (1/4) s6 {z} s0 {x,y,z} s2 {y,z} s3 s4 {y} {x} s1 {x,y} s7 {} s5 {x,z} 0(S) = S
394 Example: Computing [[EG y]] (2/4) s6 {z} s0 {x,y,z} s2 {y,z} s3 s4 {y} {x} s1 {x,y} s7 {} s5 {x,z} 1(S) = (y ) pre (S)
395 Example: Computing [[EG y]] (3/4) s6 {z} s0 {x,y,z} s2 {y,z} s3 s4 {y} {x} s1 {x,y} s7 {} s5 {x,z} 2(S) = (y ) pre ( 1(S))
396 Example: Computing [[EG y]] (4/4) s6 {z} s0 {x,y,z} s2 {y,z} s3 s4 {y} {x} s1 {x,y} s7 {} s5 {x,z} 3(S) = (y ) pre ( 2(S)) = 2(S): [[EG y ]] = {s0, s2, s4}
397 Computation of []: the EU operator
Case 5: p EU q, p, q AP We proceed in analogy to EG, but omit the proofs this time. Lemma 4: [[p EU q]] is the smallest solution (w.r.t. ) of the equation X = (q) ((p) pre (X )). Notice that Assumption 1 is exploited here because all states in (q) are expected to have an infinite run. Assumption 1 can also be enforced by restricting the states to the result of the algorithm of Case 4 for [[EG true]]. Lemma 5: [[p EU q]] is the fixed point of the sequence , (), (()), . . .where (X ) := (q) ((p) pre (X ))
398 Computation of [[EU]] operator: Summary Lemma 5 gives us an algorithm for computing [[p EU q]]: Compute the sequence , (), until a fixed point is reached. In practice, this amounts to starting with X := (q) and progressively adding the direct predecessors of X that are in (p). If efficiently implemented, this can be done in O(K) time. 399 Example: Computing [[z EU y ]] (1/4) s6 {z} s0 {x,y,z} s2 {y,z} s3 s4 {y} {x} s1 {x,y} s7 {} s5 {x,z} 0() = 400 Example: Computing [[z EU y ]] (2/4) s6 {z} s0 {x,y,z} s2 {y,z} s3 s4 {y} {x} s1 {x,y} s7 {} s5 {x,z} 1() = (y) ((z) pre ( 0()))
401 Example: Computing [[z EU y ]] (3/4) s6 {z} s0 {x,y,z} s2 {y,z} s3 s4 {y} {x} s1 {x,y} s7 {} s5 {x,z} 2() = (y) ((z) pre ( 1()))
402 Example: Computing [[z EU y ]] (4/4)
s6 {z} s0 {x,y,z} s2 {y,z} s3 s4 {y} {x} s1 {x,y} s5 {x,z} s7 {} 3() = (y) ((z) pre ( 2())) = 2() [[z EU y ]] = {s0, s1, s2, s4, s5, s6}
403 Another example The next slides show a (highlevel) Petri net, which models a mutualexclusion protocol for two processes (red and blue), and its reachability graph. The places n1, n2 symbolise the noncritical sections of the processes, c1, c2 are the critical sections of the processes, and t1, t2 indicate a willingness to enter the critical sections. For simplicity, no arcs from the red and blue process to the variables f 1, f 2, p (in the middle) have been drawn. Assume that whenever a transition mentions a variable x, then there is an arc from the place x to the transition labelled by x, and an arc back to the place labelled by x . In the reachability graph, variables f 1 and f 2 are only mentioned when they are true in some marking.
404 Example: Petri net n1 f1 false f1'=true {true,false} f2 f1'=false and p'=2 t1 false {true,false} p (f2=false or p=1) and f2=f2' and p'=1 c1 1 {1,2} f2'=false and p'=1 n2 f2'=true t2 (f1=false or p=2) and f1=f1' and p'=2 c2 "do some work" "do some work"
405 Example: Transition system
n1, n2, p=1 m1 t1, n2, f1, p=1 m3 c1, n2, f1, p=1 m6 n1, n2, p=2 m9 t1, n2, f1, p=2 m11 t1, t2, f1, f2, p=2
406 m0 m2 n1, t2, f2, p=1 m4 t1, t2, f1, f2, p=1 m7 c1, t2, f1, f2, p=1 m10 n1, t2, f2, p=2 m5 n1, c2, f2, p=2 m8 t1, c2, f1, f2, p=2 Specification
The reachability graph shows that the mutualexclusion property is satisfied. Moreover, suppose we want to check the following property: "Whenever a process indicates its willingness to enter the critical section, it will eventually do so." We first formulate the property in CTL: AG(t1 AF c1) and AG(t2 AF c2) To check these properties, we extend the transition system into a Kripke structure with four atomic propositions: c1 with (c1) := {m3, m7}; c2 with (c2) := {m5, m8}; t1 with (t1) := {m1, m4, m8, m9, m11} t2 with (t2) := {m2, m4, m7, m10, m11}
407 Specification
The reachability graph shows that the mutualexclusion property is satisfied. Moreover, suppose we want to check the following property: "Whenever a process indicates its willingness to enter the critical section, it will eventually do so." We first formulate the property in CTL: AG(t1 AF c1) and AG(t2 AF c2) To check these properties, we extend the transition system into a Kripke structure with four atomic propositions: c1 with (c1) := {m3, m7}; c2 with (c2) := {m5, m8}; t1 with (t1) := {m1, m4, m8, m9, m11} t2 with (t2) := {m2, m4, m7, m10, m11}
408 Checking the property To make the first formula compatible with Assumption 2, we rewrite it to: true EU (t1 EG c1) (The second formula is analogous, therefore we concentrate on the first.) Checking the property using our algorithm yields that the formula is not true because the system may stay forever in states m5 and m8. The erroneous behaviour happens when the blue process stays in its critical section forever. 409 Fairness It seems as if the property is false only because of a behaviour where the blue process is "unfair" and doesn't relinquish its hold on the critical section. Can we restrict our attention to "fair" executions where processes do not stay forever in their critical sections? We have already argued that such fairness constrains cannot be expressed within the logic of CTL. The following slides on CTL with fairness show how CTL can be extended to handle such requirements. 410 CTL with Fairness Formally, we consider the problem where we are given K and as before and additionally some fairness constraints F1, . . . , Fn . Fairness constraints are sets of states. In the following, we call a run fair (w.r.t. F1, . . . , Fn ) iff it contains infinitely many states from each fairness constraint. In the example, we would create fairness constraints F1 = S \ (c1) F2 = S \ (c2) 411 The problem is to compute [] for the case where the operators EG and EU consider only fair runs (w.r.t. F1, . . . , Fn ), i.e. we introduce the following modified operators: [[EGf 1]] = { s  there is a fair run with (0) = s and (i) [[1]] for all i 0 } [[1 EUf 2]] = { s  there is a fair run with (0) = s and k 0 s.t. (i) [[1]] for all i < k and (k ) [[2]] } 412 First, observe that fair runs have the following properties: (1) is a fair run if and only if i is fair for all i 0. (2) is a fair run if and only if has a fair suffix i for some i. Using this, we can rewrite the EU operator as follows: 1 EUf 2 1 EU (2 EGf true) Thus, it is enough to provide a new algorithm for EGf . 413 Strongly connected components First, we recall the following definition (given earlier): C S is called a stronglyconnected component (SCC) of K iff for all q, q C we have q q ; C is maximal, i.e. there is no proper superset of C for which the previous condition also holds. We call an SCC C trivial iff C = {q} for some q S and q q. 414 Computing [[EGf p]]
1. Compute the restriction Kp of K to the states in (p). 2. Compute the SCCs of Kp (see the algorithm in the next lecture). 3. Identify the nontrivial SCCs containing at least one state from each fairness constraint. 4. [[EGf p]] consists of states from which one of these SCCs is reachable (in Kp ).
states satisfying p s = EG f p F Complexity: still linear in the size of the model
415 4.4: Binary decision diagrams Literature Further reading on BDDs: H.R. Andersen, An Introduction to Binary Decision Diagrams, Lecture notes, Department of Information Technology, IT University of Copenhagen Available from http://www.itu.dk/people/hra/bdd97abstract.html Tools: DDcal (a "BDD calculator", visualises BDDs) Available from http://vlsi.colorado.edu/fabio/ 417 Representing sets As we have seen, CTL is defined in terms of sets of states: meaning of atomic propositions: (p) for p AP semantics of CTL formulas: [] is a set of states semantics are computed through set operations: pre , , Thus, the question of how to represent sets of states becomes interesting: explicit enumeration: Example: S = {s1, s2, s4, . . .} symbolic representation: some compact (compressed) denotation of sets
418 Symbolic representations There are many possible ways to denote sets symbolically. Some of them are used routinely for sets of numbers: intervals: write [1, 10] instead of {1, 2, 3, 4, 5, 6, 7, 8, 9, 10} other characterisations: "odd numbers" instead of {1, 3, 5, . . .} Every symbolic representation is suitable for some sets and unsuitable for others (e.g. the interval representation is a bad choice to denote the set of odd numbers). Whether a given representation is suitable depends on expected characteristics of the types of sets that one wants to represent. 419 The representation we are going to discuss will be suitable for the case where states are naturally interpreted as vectors of boolean values, i.e. we assume that S = {0, 1}m Examples for this are: 1safe Petri nets (in every marking, a place has 0 or 1 tokens) boolean circuits (every input or output is high or low) Note: In general, the elements of every finite set can be equivalently represented as vectors of booleans (though whether that is natural is another question. . . )
420 for some m 1 Example 1: A Petri net
Consider the following 1safe Petri net:
p1 t1 p2 p3 t2 p4 p5 t3 p6 A marking (or state) of the net can be written as (p1, p2, . . . , p6), where pi , 1 i 6 is the number of tokens on place Pi . For instance, the initial marking can be written as (1, 0, 1, 0, 1, 0); some other (reachable) markings are (0, 1, 1, 0, 1, 0) or (1, 0, 0, 1, 0, 1).
421 Example 2: A circuit
Consider the following circuit (a halfadder):
x1 sum x2 carry The circuit has two inputs (x1, x2) and two outputs (carry, sum). A combination of input/output values can be written as a boolean 4tuple, e.g. (1, 0, 0, 1) (meaning x1 = 1, x2 = 0, carry = 0, sum = 1) is a valid combination of signals.
422 Characteristic functions Let C S = {0, 1}m . (Remember that we want to represent not individual vectors, but sets of them.) The set C can be equivalently represented by its unique characteristic function fC : S {0, 1}, which is defined by 1 fC (s) := if s C 0 if s C / Notice that in effect, fC is a boolean function with m inputs and therefore "equivalent" to some formula F of propositional logic with m variables. 423 E.g., the set of possible input/output combinations in Example 2 has a characteristic function that is equivalent to the following formula in propositional logic (where x1, x2, carry, sum are variables). F carry (x1 x2) sum (x1 x2) carry Thus, we can from now on speak about sets of states (i.e. sets of boolean vectors) characteristic functions boolean formulas as if they were the same thing (or at least, different representations of the same object).
424 Representations of boolean functions One basic way to represent a boolean function is a truth table: x1 0 0 0 x2 0 0 1 carry 0 0 0 Naturally, this is not a compact representation. In the following, we introduce a graphical representation.
425 sum 0 1 1 F 1 0 1 Binary decision graphs (Definition 4.4) Assume that we can impose some total ordering < on the boolean variables, e.g. x1 < x2 < carry < sum A binary decision graph (w.r.t. <) is an acyclic graph with the following properties: there is one single initial node (with no incoming edges), called the root; there are at most two terminal nodes (with no outgoing edges), labelled with 0 or 1; all nonterminal nodes are labelled by boolean variables; every nonterminal node has two outgoing edges labelled by 0 and 1; edges respect the ordering, i.e. if there is an edge from a node labelled x and a node labelled y , then x < y ;
426 Example 2: Binary decision graph (in tree form)
x1 1 x2 1 carry 1 sum 1 0 0 1 1 0 0 sum 0 0 1 0 1 sum 0 0 1 1 0 carry 0 sum 0 0 1 sum 1 0 0 0 carry 0 sum 1 1 0 0 1 0 1 sum 0 0 1 0 1 0 x2 0 carry 0 sum 0 1 Paths ending on 1 correspond to vectors that make the function true.
427 Binary decision diagrams (Definition 4.5) A binary decision diagram (BDD) is a binary decision graph with the following additional properties: No two subgraphs in the BDD are isomorphic. The BDD does not contain any redundant nodes, i.e. nodes, where both outgoing edges have the same target. Optionally, the terminal node labelled with 0 and the arrows leading to it may be omitted to obtain a smaller representation. Note: For simplicity, we shall omit the edge labels in the following slides. Edges carrying 1 are blue and edges with 0 are red. 428 Example 2: Unify isomorphic subgraphs (1/4)
x1 x2 x2 carry carry carry carry sum sum sum sum sum sum sum sum 0 1 0 0 0 0 1 0 0 0 1 0 0 0 0 1 Alle 0 und 1Knoten werden zusammengefat.
429 Example 2: Unify isomorphic subgraphs (2/4)
x1 x2 x2 carry carry carry carry sum sum sum sum sum sum sum sum 1 0 First, we unify all terminal nodes.
430 Example 2: Unify isomorphic subgraphs (3/4)
x1 x2 x2 carry carry carry carry sum sum sum 1 0 Now, equivalent sum nodes have been unified.
431 Example 2: Unify isomorphic subgraphs (4/4)
x1 x2 x2 carry carry carry sum sum sum 1 0 Now no two equivalent nodes are left, so we are done.
432 Example 2: Remove redundant nodes (1/2)
x1 x2 x2 carry carry carry sum sum sum 1 0 Notice that both edges of the rightmost sum node point to 0.
433 Example 2: Remove redundant nodes (2/2)
x1 x2 x2 carry carry carry sum sum 1 0 Now all redundant nodes have been removed, and we are done.
434 Example 2: Zero terminal node eliminated
x1 x2 x2 carry carry carry sum sum 1 Optionally, we can omit the 0 terminal (and all arrows leading to it) to obtain a smaller, more readable graph.
435 Semantics of a BDD (Definition 4.6)
Let B be a BDD (w.r.t. some ordering x1 < . . . < xn ). Let PB be the set of all paths in B leading from the root to the terminal 1. Let p PB be such a path, e.g. xi1  . . .  1. Then we can define the "semantics" of p (denoted [[p]]) as the conjunction of all xij such that bij = 1 and all xij such that bij = 0 (where j = 1, . . . , m). We then say that B represents the following boolean formula F : F =
pPB bi
1 bim [[p]] Intuitively, B represents the formula that is true for all assignments of boolean variables such that one can start at the root of B, walk down the 0 and 1edges according to the assignment, and end up at the 1 terminal.
436 Approaches to building a BDD (Definition 4.7) The previous example tells us that we can obtain a BDD by constructing the complete decision tree and then simplifying it (which is not exactly efficient...) Another approach is by constructing a socalled ifthenelse normal form. For this, we introduce a new, ternary boolean operator. Let F , G, H be boolean formulas. Then we define: ite (F , G, H) := (F G) (F H)
Moreover, let F be a boolean formula, let x be a variable, and let b be a boolean value (0 or 1). Then, F [x/b] is defined as the formula obtained by replacing all occurrences of x in F by b. 437 Ifthenelse normal form (Definition 4.8) A boolean formula F is said to be in ifthenelse normal form iff it satisfies one of the following properties: F = 0 or F = 1 (i.e., false or true); F = ite (x, G, H), where x is a variable and G, H are in ifthenelse normal form. 438 Notes about ite normal form Note: It is easy to see that the following equation holds for all F and x: F ite (x, F [x/1], F [x/0]) Theorem: Every boolean formula F is equivalent to a boolean formula in ifthenelse normal form. Proof: Either F is constantly true (a tautology) or false (unsatisfiable), then it is equivalent to 1 or 0, resp. Otherwise F depends on some variable x. Let G := F [x/1] and let H := F [x/0], and replace F by ite (x, G, H). Since G and H have less variables than F , one can recursively replace them by equivalent ifthenelse normal forms. 439 Examples for substitution
Let us consider the boolean formula from Example 2: F carry (x1 x2) sum (x1 x2) carry Then, we have, e.g.: F [x1/0] carry (sum x2) F [x1/1] (carry x2) (sum x2) F [x1/0][x2/0] carry sum F [x1/0][x2/1] F [x1/1][x2/0] carry sum F [x1/1][x2/1] carry sum
440 Building BDDs using ite normal form and substitution Ifthenelse normal form gives us a strategy for building a BDD for a formula F w.r.t. an ordering x1 < x2 < < xn . Actually, this strategy works for a set of formulas. I.e., given a set of formulas F , we construct one BDD for each formula in F . For a single formula, we might start with F := {F }. The strategy works by eliminating one variable at a time. If n = 0, i.e. there are no variables left in the ordering, then F contains only tautologies or unsatisfiable formulas, which can be represented with BDDs consisting only of the terminal 1 or 0, respectively. 441 Otherwise, let F :=
F F F [x1/1], F [x1/0] . (Treat all equivalent formulas in F as identical). Then, recursively solve the problem for F and the ordering x2 < < xn . Afterwards, for each F F : If F [x1/0] F [x1/1], represent F by the BDD for F [x1/0]. If F [x1/0] F [x1/1], represent F by a BDD with a root that has x1 as its label, the root of F [x1/0] as the target of its 0edge, and the root of F [x1/1] as the target of its 1edge. Notice that, as a result, the BDDs for F share isomorphic subgraphs.
442 Example 1 revisited Let us compute a BDD for the reachable markings of the following Petri net: p1 t1 p2 p3 t2 p4 p5 t3 p6 We note that P1 is marked if and only if P2 is not marked; P3, P4 and P5, P6 are analogous.
443 Thus, a BDD for the reachable markings is as follows:
p1 p2 p3 p4 p5 p6 p6 p4 p2 1
444 Remarks
The BDD for Example 1 exhibits the potential of BDDs: If we change the number of parallel components from 3 to some n, the growth of the BDD for the reachable markings is linear in n. Thus, a BDD of linear size can represent a set of exponentially many markings. However, the size of a BDD for a given set depends heavily on the chosen variable ordering. E.g., with the ordering p1 < p3 < p5 < p2 < p4 < p6 we would have obtained a BDD of much larger size.
445 Notice that the definition of BDDs allows variables to be bypassed on some path. In that case, the bypassed variable can be either 0 or 1. Example: The following is a BDD for the boolean formula (x1 x2) (x3 x4) (with the ordering x1 < x2 < x3 < x4).
x1 x2 x3 x4 1
Notice, that here, the ordering x1 < x3 < x2 < x4 would yield a larger BDD. What we learn from this is that functionally dependent variables should be placed close to each other in the ordering to obtain small BDDs.
446 Uniqueness of BDDs
We now establish a fundamental property of BDDs: Theorem: Let F be a boolean formula with variables x1, . . . , xn , n 0 and assume that x1 < < xn . Then there is a unique BDD that represents F . Proof: We proceed by induction on n. (I.e., induction hypothesis: the theorem is true up to a given value of n). Basis: n = 0. There are only two boolean formulas: constantly true and the constantly false. Any BDD with at least one internal node is nonconstant (there is at least one path to 0 and one path to 1, otherwise all internal nodes would have been eliminated). So there is exactly one BDD each for true and false: the terminal 0 (or the empty BDD if 0 is removed) and the terminal 1.
447 Step: n n + 1. Let F1 := F [x1/1] and recall that F ite (x, F1, F0) By induction hypothesis, there are two unique BDDs B0 and B1 (with variable ordering x2 < < xn+1) such that B0 represents F0 and B1 represents F1. First, we go through B0 and B1 and modify them in such a way that they share equivalent subgraphs. Let n0 and n1 be the roots of the resulting BDDs.
448 and F0 := F [x1/0] Then: Either n0 = n1, hence B0 = B1, and F0 F1. In that case, F F0, therefore B0 represents F . It is also the unique BDD doing so: it is (by induction hypothesis) unique for the ordering x2 < < xn+1, and, with the ordering x1 < x2 < < xn+1, a node with x1 could only appear at the root, but such a node would be redundant. Or n0 = n1, i.e. F0 F1. Then we generate a node n with n0 as its 0successor and n1 as its 1successor. The resulting BDD rooted at n represents F (in the form given on the previous slide). The BDD rooted at n is also the unique BDD node representing F : since F0 F1, F depends on the value of x1, so any BDD representing F must contain a node labelled with x1, and because of the ordering, that node must be the root. Moreover, the representation of the "rest of F " is uniquely determined by B0 and B1.
449 Operations on BDDs Which are the set operations needed for CTL model checking? set operations: complement, merge, intersect compute the predecessors of a set check if two sets are the same (for fixpoint computation) check if a certain state is contained in a set check if a set is empty We shall need corresponding operations on BDDs.
450 BDD operations (1)
Checking whether two sets S1, S2 are the same Let B1 and B2 be the BDDs for S1, S2, respectively. Because of the uniqueness theorem, the BDDs represent the same set if and only if B1 and B2 are isomorphic. (In fact, if all BDDs with the same variable ordering share equal subtrees, then we can simply check if the roots of B1 and B2 are the same nodes.) Checking whether a state/vector s is in a set S1 Let B1 be the BDD for S1; follow the path for s and check if it leads to 1. Checking whether a set S is empty Check whether the BDD representing S consists only of the node 0. Computing the complement of a set S1 In the BDD for S1, swap the terminal nodes 0 and 1.
451 BDD operations (2)
Computing the predecessors of a set S1 We have pre (S1) = { s  s : (s, s ) s S1 }. Notice that the relation is a subset of S S, i.e. is simply a set that can be represented by a BDD with 2m variables: a first set of m variables for the state before the step; a second set of m variables for the state after the step. Suppose that we have a BDD B1 for S1 that uses the second set of variables. Then, because the first set of variables does not appear in the BDD, B1 can also be interpreted as a representation of S S1! Note that we can rewrite pre (S1) as { s  s : (s, s ) (S S1)}. Thus, computing pre reduces to two operations: intersection, and existential abstraction (over the second set of variables).
452 Example: BDD for transition relation Consider the (very simple) Petri net with capacities on the lefthand side. Notice that firing the transition removes the token from p1, places a new token on p3, and leaves p2 unchanged. 1 p1 1 p2 t1 p3 1 453 The BDD Ft1 for the effect of t1 is shown below, where p1, p2, p3 represent the states before a transition and p1, p2, p3 represent the states after a transition.
p1 p1' p2 p2' p3 p3' p2' 1
454 BDD operations (3): Existential abstraction
Existential abstraction with respect to a variable x can be expressed as follows: x : F F [x/0] F [x/1] Informally, x : F is true for those assignments that can be extended with some value for x s.t. F becomes true. Example: Let F (x1 x2) x3. Then x1 : F F [x1/0] F [x1/1] (x3) (x2 x3) x2 x3 By extension, let X be a set of variables. Then we define existential abstraction over X as the stepwise abstraction over all elements of X . E.g., if F (x1, x2) x3, then {x1, x2} : F x1 : x2 : F 1
455 We have thus reduced existential abstraction to substitution and union. Implementation of substitution with BDDs: Let B be a BDD for F . Then the BDD for F [x/b] is obtained by replacing each xlabelled node with the successor reached by its blabelled edge (and then unifying equivalent nodes and removing redundant nodes). As a special case, if x labels the root of B, then the result is simply the subBDD rooted at node reached by the bedge of the root. 456 Example: Substitution and abstraction
(a) Ft1 [p2/1]; (b) Ft1 [p2/0];
p1 p1' p2 p2' p3 p3' p2' p2' p3 p3' (c) p2 : Ft1 ; (d) p1, p2, p3 : Ft1 (a) (b) p1 p1' p2 p2' (c) p1 p1' (d) p1 p3 p3' p3 1 1 1 1
457 BDD operations (4) Now all we have left to do is to design operations for intersection and union. We can actually reduce , to ite : F G F G ite (F , G, 0) ite (F , 1, G) To construct a BDD for ite , we exploit the following equivalences (where v is a variable): ite (F , G, H) ite (v , ite (F , G, H)[v /1], ite (F , G, H)[v /0]) ite (v , ite (F [v /1], G[v /1], H[v /1]), ite (F [v /0], G[v /0], H[v /0])) 458 Construction of ite
In the following, let BDD(v , F1, F0) be a BDD where the root is labelled by v , its 1successor is the root of F1, and its 0successor is the root of F0 (if F0 F1), or simply the BDD for F0 (if F0 F1). A BDD for ite is constructed recursively as follows: ite (F , G, H) = G H G if F 1 if F 0 if G H , BDD(v , ite (F [v /1], G[v /1], H[v /1]), ite (F [v /0], G[v /0], H[v /0])) otherwise where v is the smallest variable (in the ordering) labelling a root of F , G, or H. An efficient implementation of this construction takes time proportional to the product of the BDD sizes for F , G, and H.
459 ...
View
Full Document
 Winter '11
 PhanThuongCang
 Petri net, reachability graph, Petri Nets

Click to edit the document details