On model checking for Petri nets and a linear-time

OnModelCheckingforPetriNetsandaLinear-TimeTemporalLogicTomohiroYonedaTokyoInstituteofTechnologyyoneda@cs.titech.ac.jpHolgerSchlingloTechnischeUniversitatMunchenschlingl@informatik.tu-muenchen.deAbstractThispaperpresentsanecientmodelcheckingalgorithmforPetrinets.Itisbasedonthereducedstatespacegenerationwheretheresultoftheevaluationonthefullstatespaceandthereducedstatespaceisidentical.Thisreductionofthestatespacesispossible,because(1)theringsofthetransitionsareonlypartiallyorderedbycausalityandagivenformula,and(2)theorderofringsoftransitionsnotrelatedbythispartialorderisirrelevantfortheevaluationofthegivenfor-mula.Fortheconsiderablereductionofthestatespaces,alinear-timetemporallogicwithoutthenext-timeoperatorisused.Theconcretealgorithmofthereducedstatespacegenerationisshownaswellasthebriefsketchofthecorrectnessproof.Finally,someexperimentalresultsareshowntodemonstratetheeciencyoftheproposedmethod.1IntroductionPetrinetshavebeenwidelystudiedasaformalismforconcurrentanddis-tributedsystems.Especiallytheyprovedtobeappropriatefordescribingthebehaviorofasynchronouscircuits[DNS90],whichhavebecomerecentlyofincreasinginterestbecauseofcertainlimitationsinsynchronouscircuits.OncesuchsystemsaremodeledbyPetrinets,theyareopentoformalveri-cationusingautomatedtools.ReachabilityanalysiscanbeusedtocheckPresentedatIEICEFTS92workshop,Kyoto,Japan,June199212certainclassesofsafetyproperties.Modelcheckingtechniques[CES86]al-lowtocheckmoregeneralclassesofproperties(representedbytemporallogicformulas)includingbothsafetyandlivenessrequirements.Unfortunately,eventhoughthenumberofreachablestatesisinmanycasesnite,inmostpracticalsystemsitisoftenextremelylarge.Thissocalledstateexplosionproblemhasbeenoneofthebiggestbottlenecksfortheautomaticvericationofpracticalsystems.Recently,severalresearchprojectstoavoidthisproblemarereported.Oneapproachissymbolicmodelchecking,inwhichsetsofstatesarerepresentedsymbolicallyandthesetthatsatisesaformulaiscomputedasthexpointofacertainfunctional.Implementationsofthismethodwithbinarydecisiondiagrams(BDDs)suc-ceedinhandlinghugenumberofstates[BCD+90].However,whenthestatespaceisrathersparse(asitisoftenthecasewithmodelsofasynchronouscircuits),BDDbasedtechniquesdonotseemtorepresentthestatespaceef-cientlywithoutpre-analysisorvariablere-orderingbyhand.Inthissense,thisapproachisnotfullyautomatic.Anotherapproachtoconnethestateexplosionproblemistousepartialorders.Thesetechniquesarebasedonthefactthatnotallpossibleinterleavingsofconcurrenteventsarerelevantforthepropertiestobechecked.Severalmethods[God90,McM92]basedonpartialordershavebeenproposedfortheecientreachabilityanalysisofPetrinets.In[GW91],thetraceautomatonmethodof[God90]isex-tendedforcheckingpropertiesofextendedlineartemporallogiconsystemsofcommunicatingBuchiautomata.Anothermethod,usingstubbornsets,wasdevelopedin[Val90]fortheecientmodelcheckingoflinear-timetem-porallogicsonvariable/transitionsystems.Independently,in[YTK91],asimilarideaforthezero-reachabilityproblemoftimePetrinetshasbeenpresented.Inthiswork,mainlyforthevericationofasynchronouscircuits,weaimatthedevelopmentofanecientmodelcheckingalgorithmforone-safePetrinetsandlinear-timetemporallogic(LTL).Therelationbetweenourandtheabovementionedmethodsisasfollows:Ourloopconditiondiersfromtheonesfoundin[Val90]and[GW91],resultinginaninmanycasessmallerstatespace.Wefocusononlyjustrunsratherthanunrestrictedrunsorgenerallivenessconditions,becauseitissuitabletomodelasynchronouscir-cuits.Thisrestrictionbothsimpliestheproofofcorrectnessforourmethodandmakesthealgorithmecient.3Ouralgorithmworkson-line,i.e.runsarecheckedforsatisabilitywhiletheyareconstructed.Wegiveaconcretealgorithmforaspecicmodelofcomputationandaxedlogic.Wealsoshowhowtoapplyourmethodtothevericationofasynchronouscircuitsandgivesomeexperimentalresults.Therestofthispaperisorganizedasfollows.Inthenextsection,deni-tionsofPetrinetsandtheirrunsaregiven.Insection3,webrieyintroducethelogicweareusing.Thepartialordermodelcheckingalgorithmispre-sentedinsection4.Someexperimentalresultsareshowninthenextsection,andnallywesummarizeourdiscussion.2PetrinetsAPetrinetNisatupleN=(P,T,F,s0),where1.Pisanitesetofplaces,2.Tisanitesetoftransitions(P\T=;),3.F(PT)[(TP)istheowrelation,and4.s0Pistheinitialstateofthenet.Foranytransitiont,t=fpj(p;t)2Fg,t=fpj(t;p)2Fgdenotethepresetandthepostsetoft,respectively.Forsimplicity,wedisallow\idletransitionstwitht=t.AstatesofNisanysubsetofP.Ifp2s,wesaythatpisoccupied,elsepisemptyats.Atransitiontisenabledatstatesifts(allitsinputplacesareoccupiedats).Otherwise,thetransitionisdisabled.Astates0istheresultofringatransitiontatastates(st!s0),iftisenabledatsands0=(st)[t.s0isasuccessorstateofs(s!s0),ifthereexistssometsuchthatst!s0.Arun=(s0s1s2)ofNisaniteorinnitesequenceofstatessisuchthats0istheinitialstateofN,andforeveryisi!si+1.Notethatwiththisdenitionweadopttheso-calledinterleavingview:Theparallelexecutionoftwoindependenttransitionst1andt2(i.e.,(t1[t1)\(t2[t2)=;)atastatesiismodelledbythetwoseque