Merged Processes of Petri nets Victor Khomenko Joint work with Alex Kondratyev, Maciej Koutny and Walter Vogler
2 Petri net unfoldings An acyclic net obtained through unfolding the PN by successive firings of transitions: for each new firing a fresh transition (called an event) is generated for each newly produced token a fresh place (called a condition) is generated The full unfolding can be infinite If the PN has finitely many reachable states then the unfolding eventually starts to repeat itself and can be truncated (by identifying a set of cut-off events) without loss of essential information, yielding a finite prefix
3 T1T1 P1P1 T2T2 T3T3 P2P2 P3P3 P4P4 P5P5 T4T4 P6P6 T5T5 P1P1 P7P7 P8P8 P7P7 P8P8 P9P9 T6T6 T7T7 P 10 P 11 T8T8 P 13 P 12 T9T9 P 14 T 10 P9P9 P7P7 P8P8 T1T1 P3P3 T3T3 P5P5 P2P2 T2T2 P1P1 T5T5 P6P6 T4T4 P4P4 P7P7 P8P8 P9P9 P 11 P 10 P 13 P 14 P 12 T9T9 T7T7 T 10 T6T6 T8T8 Example: Dining Philosophers
4 Alleviate the state space explosion problem for highly concurrent systems e.g. for Dining Philosophers the prefix size is linear in the number of philosophers even though the number of states is exponential Efficient model checking algorithms e.g. deadlock checking is PSPACE- complete for safe PNs but only NP- complete for prefixes Do not cope well with other than concurrency sources of state space explosion, e.g. with sequence of choices Do not cope well with non-safe PNs Characteristics of unfoldings
5 Example: sequence of choices No event is cut-off, the prefix is exponential
6 mm Example: non-safe PN Tokens in the same place are distinguished in the unfolding, the prefix is exponential
7 Wanted A data structure coping not only with concurrency but also with other sources of state space explosion
8 Occurrence-depth Merged Process: Fuse conditions with the same label and occurrence-depth Delete duplicate events
Example: a Petri net
10 Example: unfolding Step 1: Fuse conditions of the nodes with the same label and occurrence-depth
11 Example: (cont’d) Step 2: Delete event replicas
12 Examples MPs of these nets coincide with the original nets, even though unfoldings are exponential! mm
13 Properties of MPs Canonicity Finiteness Completeness Theoretical upper bounds on size Experimental results: size
14 Canonicity Easily follows from the canonicity of unfolding prefixes: Canonical MP = Merge(Canonical prefix)
15 Finiteness Proposition: Merge(Pref) is finite iff Pref is finite trivial, as Merge(Pref) is no larger than the prefix more difficult, as the Merge operation can collapse infinitely many nodes into one: …
16 Finiteness (cont’d) follows from the analog of Köning’s lemma for branching processes: an infinite branching process contains an infinite causal chain hence there are infinitely many instances of some place p along it hence the occurrence-depth of instances of p is unbounded hence there are infinitely many instances of p in the merged process
17 Completeness Preservation of firings is tricky – it’s hard to define cut-offs since an event can have multiple local configurations Hence consider only marking- completeness (good enough for model checking as the firings can be retrieved from the original PN) Proposition: if Pref is marking-complete then Merge(Pref) is marking-complete
18 Theoretical upper bounds on size Trivial bound: Merge(Pref) is never larger than Pref, hence never larger than the reachability graph too pessimistic in practice MPs of acyclic PN coincide with the original PNs with the dead nodes removed unfoldings can be exponential MPs of live and safe free-choice PNs [with minor restrictions] are polynomial in the size of the original PNs unfoldings can be exponential
19 Experimental results: size
20 Experimental results: PN/MP size
21 Experimental results: summary Corbett’s benchmarks were used MPs are often by orders of magnitude smaller than unfolding prefixes In many cases MPs are just slightly larger than the original PNs In some cases MPs are smaller than the original PNs due to removal of dead nodes
22 Model checking MPs are small, but are they of any use in practice? Can model checking algorithms developed for unfoldings be lifted to MPs? In what follows, we consider safe PNs only
23 Problem: cycles A Petri net
24 Problem: cycles Unfolding Criss-cross fusion results in a cycle!
25 MP with a cycle Problem: cycles Still worse, the marking equation (ME) used for unfolding-based verification can have spurious solutions
26 Problem: cycles Borrow a token Fire The borrowed token is returned The current marking is unreachable
27 Solution Add to the marking equation another constraint, ACYCLIC, requiring the run to be acyclic: ME & ACYCLIC
28 Example: an acyclic run
29 Example: a run with a cycle
30 SAT encoding Associate a Boolean variable v to each node v of MP indicating whether it belongs to the run View the run as a digraph induced in the MP by the variables whose value is true Sort the nodes of the merged process so that the number of feedback vertices is (heuristically) minimised
31 SAT encoding (cont’d) For each feedback vertex: ignore the vertices on its left generate the formula conveying that the sources of the feedback arcs are not reachable from this feedback vertex: Formula size: O(|V f |·|E|); can we do better? v
32 Another problem: spurious runs 1 2 Can visit this condition without first visiting the other one! not possible in the unfolding
33 Solution Add another constraint, NG (no-gap), conveying that if a condition with occurrence-depth k>1 is visited then the condition with the same label and occurrence-depth k-1 is also visited the conditions with the same label are visited in the order of increase of the occurrence depth (can be enforced by ACYCLIC by adding a few arcs)
34 Solution (cont’d)
35 Model checking ME & ACYCLIC & NG & VIOL This is enough to lift unfolding-based model checking algorithms to merged processes! Deadlock checking (and many other reachability-like problems) is NP-complete in the size of the MP – no worse than for unfoldings
36 Experimental results: MC time
37 Experimental results Corbett’s benchmarks were used Model checking is practical – running times are comparable with those of an unfolding-based algorithm Still deteriorates on a couple of benchmarks – but it’s early days of this approach and we keep improving it
38 Open problems / future work Direct characterization of MPs (cf. the characterization of unfoldings by occurrence nets) currently much is done via unfoldings Improve the efficiency of model checking the SAT encoding of ACYCLIC is the main problem A direct algorithm for building MPs currently built by fusing nodes in the unfolding prefix
39 Algorithm for building MPs Idea: reduce the problem of finding a possible extension to the following problem: Find a configuration C in the built part of the MP such that: C can be extended by a new event and C contains no cut-offs, i.e. for each event e in C there is no configuration C’ in the built part of MP such that Mark([e] C )=Mark(C’) and C’ [e] C Reducible to QBF with 1(?) alternation Reducible to SAT if the adequate order is