[IEEE Seventh International Conference on Application of Concurrency to System Design (ACSD 2007) -...

A more efficient time Petri net state space abstraction preserving linearproperties

Hanifa Boucheneb and Hind RakkayDepartment of Computer Engineering

Ecole Polytechnique de MontrealP.O. Box 6079, Station Centre-ville

Montreal, Quebec{hanifa.boucheneb, hind.rakkay}@polymtl.ca

Abstract

We consider here Time Petri nets (TPN model). We firstpropose an abstraction to its generally infinite state spacewhich preserves linear properties1 of the TPN model. Com-paring with TPN abstractions proposed in the literature,our abstraction produces graphs which are both smallerand faster to compute. In addition, our characterization ofabstracted states allows a significative gain in space.Afterwards, we show how to apply Yoneda’s partial orderreduction technique to construct directly reduced graphsuseful to verify LTL−X properties of the model. Usingour approach, both time and space complexities aresignificantly reduced.

Keywords. Time Petri nets, state class graph, state explo-sion problem, partial order techniques, independent transi-tions, relevant execution path.

1. Introduction

The main obstacle for enumerative verification methodssuch as model checking is the state space explosion prob-lem. Many techniques have been developed to alleviate thisproblem. Among these techniques, we consider here theabstraction [1,2,3,4,7,10,11] and partial order techniques[5,6,8,9,11,12,13,14].

Abstraction techniques aim to construct a contractionof the state space by removing some irrelevant detailswhilst preserves properties of interest. For example, intimed models, states reachable by the same firing sequenceindependently of their firing times are usually agglomerated

1Linear properties, considered here, are Linear Temporal Logic (LTL)formulae.

in the same node. The agglomerated states are then consid-ered modulo some relation of equivalence. Equivalent statesets are generally characterized by the information neededto compute their future firing sequences.

Partial order reduction constructs a smaller state space byaddressing a specific reason behind the state space explo-sion, namely the existence of many potentially equivalentfiring sequences2. The idea is to represent some equivalentfiring sequences by only one. Partial order reduction tech-niques take advantage of this by generating and exploringa graph with only a reduced set of firing sequences. Atthe same time, in order to preserve the truth value of theproperty to be verified, the reduced graph should contain,at least, one representative firing sequence from each classof equivalent firing sequences [5,6,8,9,10,11,12,13].

This paper proposes an efficient abstraction for timePetri nets which is both smaller and faster to computethan those proposed in the literature. Indeed, among theseabstractions, the State Class Graph (SCG) [1] is moreinteresting when only linear properties are of interest.SCG is in general much smaller and enjoys naturallythe finiteness property for all bounded TPNs (includingTPNs with unbounded time intervals), whereas, in otherabstractions, the finiteness is enforced using an extraoperation (over-approximation or relaxation) [1,7]. Thisoperation, applied to each computed state class, mayinvolve some overhead computation. We establish here arelation of equivalence over state classes of the SCG whichinduces more compact graph, called Contracted State ClassGraph (CSCG), preserving linear properties of the TPNmodel. This relation of equivalence allows also to reduceboth time and space computation complexities of state

2Two firing sequences are equivalent w.r.t some property if they can notbe distinguished by the property.

Seventh International Conference on Application of Concurrency to System Design (ACSD 2007)0-7695-2902-X/07 $25.00 © 2007

classes. In addition, our abstraction is more appropriateto be combined with partial order techniques of LTL−X

properties. In this sense, we show how to use Yoneda’spartial order technique to compute/explore partially ourabstraction w.r.t some LTL−X property.

We first present the TPN model and its behavior fol-lowed by the state class graph method [2]. Section 4 isdevoted to our relation of equivalence over state classes.We propose here an efficient algorithm for computingequivalence classes. Section 5 presents some experimentalresults. Section 6 shows how to apply the partial orderapproach of Yoneda to the CSCG.

2. Time Petri Nets

A Time Petri Net is a Petri Net augmented with timeintervals associated with transitions. Formally, a TPN is atuple (P, T, Pre, Post,M0, Is) where P and T are finitesets of places and transitions such that (P ∩ T = ∅), Preand Post are the backward and the forward incidencefunctions (Pre, Post: P × T −→ N, N is the set of nonneg-ative integers), M0 is the initial marking (M0 : P −→ N),and Is : T → Q+ × (Q+ ∪ {∞}), Q+ is the set ofnonnegative rational numbers. Function Is associates witheach transition t an interval [tmin(t), tmax(t)] calledthe static firing interval of t. tmin(t) and tmax(t) arerespectively the minimum and maximum firing delays of t.

Let M be a marking and t a transition. Transition t isenabled for the marking M iff all required tokens for firingt are present in M , i.e.: ∀p ∈ P,M(p) ≥ Pre(p, t).Transition t can be also multienabled in M 3. The multi-enabledness of t can be considered as different enabledtransitions which are either totaly independent or managedso as to fire the oldest one first and disable (in case of con-flict) the most recent one first. Without loss of generality,for reasons of clarity in this paper, if a transition remainsenabled after its firing, it is considered newly enabled.We denote by En(M) the set of all transitions enabled forthe marking M , i.e.:En(M) = {t ∈ T | ∀p ∈ P,Pre(p, t) ≤ M(p)}.If M results from firing transition tf from some marking,New(M, tf ) denotes the set of all transitions newlyenabled in M , i.e.: New(M, tf ) = {t ∈ En(M) | t =tf ∨ ∃p,M(p) − Post(p, tf ) < Pre(p, t)}.

There are two known characterizations of the TPNstate. The first one, based on clocks, associates a clockwith each transition to measure the time elapsed since itbecame enabled most recently. The TPN state is defined

3∀p ∈ P, M(p) ≥ 2 × Pre(p, t).

as a marking and a function which associates with eachenabled transition the value of its clock [3]. The secondcharacterization, based on intervals, defines the TPN stateas a marking and a function which associates with eachenabled transition the time interval in which the transitioncan be fired [1,2]. We focus in this paper on the latercharacterization, for its advantages over the first one whencomputing abstractions which preserve reachability andlinear properties [1].

The TPN state is a pair s = (M, I), whereM is a marking and I is an interval function,I : En(M) → Q+ × (Q+ ∪ {∞}).For a state s = (M, I) and t ∈ En(M), I(t) is called thefiring interval of t. The lower and upper bounds of theinterval I(t) are denoted ↓ I(t) and ↑ I(t). I is called thefiring domain of s. The initial state of the TPN model iss0 = (M0, I0) where I0(t) = Is(t), for all t ∈ En(M0).The TPN state evolves either by time progressions or byfiring transitions. When a transition t becomes enabled, itsfiring interval is set to its static firing interval Is(t). Thebounds of this interval decrease synchronously with time,until t is fired or disabled by another firing. t can fire, if thelower bound of its firing interval reaches 0. But it must befired, without any additional delay, if the upper bound of itsfiring interval reaches 0. The firing of a transition takes notime.

Let s = (M, I) and s′ = (M ′, I ′) be two states of the

TPN model and θ ∈ R+. We write sθ→ s′, also denoted

s + θ, iff state s′ is reachable from state s after a timeprogression of θ time units, i.e.:-∧

t∈En(M) θ ≤ ↑ I(t),- M ′ = M ,- ∀t′ ∈ En(M ′), I ′(t′) = [Max(↓ I(t′)−θ, 0), ↑ I(t′)−θ].We write s

t→ s′ iff state s′ is immediately reachable fromstate s by firing transition t, i.e.:- t ∈ En(M),- ↓ I(t) = 0,- ∀p ∈ P,M ′(p) = M(p) − Pre(p, t) + Post(p, t),

- ∀t′ ∈ En(M ′), I ′(t′) =

{Is(t′), if t′ ∈ New(M′, t),I(t′), otherwise.

The state space of a TPN model is the structure(S,→, s0), where:- s0 = (M0, I0) is the initial state of the TPN model,- S = {s|s0

∗→ s}, where∗→ is the reflexive and transitive

closure of the relation → defined above. S is the set ofreachable states of the model.

An execution path in the TPN state space (S,→, s0),starting from a state s, is a maximal sequence ρ = s1

θ1→


s1 + θ1t1→ s2 → ....., such that s1 = s. A marking M is

reachable iff ∃s ∈ S s.t. its marking is M .

3. State class graph method

We can find in the literature several state space ab-straction methods for the TPN model. The well knownare: the State Class Graph (SCG) [1, 2, 4], the GeometricRegion Graph (GRG) [11,14], the Strong State ClassGraph (SSCG) [1], the Zone Based Graph (ZBG) [7],and the Atomic State Class Graphs ASCGs [1, 3]. Theseabstractions may differ in size and the kind of propertiesthey preserve (linear or branching properties). Amongthese contractions, we consider the SCG as it preserveslinear properties and is, in general, more compact than theothers [1,2]. We first present the state class graph method.Afterwards, we propose, a contraction for the SCG whichpreserves linear properties of the model.

To finitely represent the state space of a TPN model,Berthomieu and Diaz proposed in [2] to abstract time andgroup sets of states in what is called state classes. Astate class is a symbolic representation for some infiniteset of states sharing the same marking. In the result-ing abstraction, called state class graph (SCG) [1,2],all states reachable from the initial state by firing thesame sequence of transitions are agglomerated in thesame set. These sets are considered modulo an equiva-lence relation, such that two sets are equivalent iff theyhave the same marking and their firing domains are equal.All equivalent sets are agglomerated in the same state class.

A state class is represented by the pair (M,F ), whereM is the common marking of states agglomerated in thestate class, and F is a formula which characterizes theunion of all firing domains of these states. Each transitiont which is enabled in M is a variable with the samename in F representing its firing delay. The initial stateclass is (M0, F0) where M0 is the initial marking andF0 = (

∧t∈En(M0)

tmin(t) ≤ t ≤ tmax(t)).

Let α = (M,F ) be a state class and tf a transition. Suc-cessor state classes are computed using the following firingrule:The class α = (M,F ) has a successor by tf (i.e.succ(α, tf ) �= ∅), iff tf is enabled in M and can be fired be-fore any other enabled transition (i.e.: F ∧ (

∧t∈En(M) tf ≤

t) is consistent). In this case, tf is said to be firable fromα and its firing leads to the state class α′ = (M ′, F ′) =succ(α, tf ) computed in five steps:

1. ∀p ∈ P , M ′(p) = M(p) − Pre(p, tf ) + Post(p, tf )

2. F ′ = F ∧ (∧

t∈En(M) tf ≤ t)

3. Replace in F ′ each variable t �= tf , by (t + tf ). Thissubstitution actualizes delay values of all enabled tran-sitions (old t = new t + tf ).

4. Eliminate by substitution tf and each t conflictingwith tf for M , i.e: ∃p ∈ P,M(p) < Pre(p, t) +Pre(p, tf ).

5. add the constraint: tmin(t) ≤ t ≤ tmax(t), for eachtransition t newly enabled in the marking M ′.

From this firing rule, it is easy to see that the formulaF of a state class is a conjunction of atomic constraints ofthe form (t − t′ ≺ c), (t ≺ c) or (−t ≺ c), where c ∈Q∪{∞,−∞}, ≺∈ {=,≤,≥} and t, t′ ∈ T . Constraints ofthe form (t − t′ ≺ c) are called difference constraints. Thedomain of F is therefore convex and has a unique canonicalform defined by:∧

(t,t′)∈En(M)2 t − t′ ≤ SupF (t − t′) ∧∧t∈En(M) t ≤ SupF (t) ∧ −t ≤ SupF (−t)

where SupF (t − t′), SupF (t), and SupF (−t) are respec-tively the suprema of t − t′, t, and −t in the domain of F .

For example, the canonical form of the initial state class(M0, F0) is:∧

(t,t′)∈En(M0)2t − t′ ≤ tmax(t) − tmin(t′) ∧∧

t∈En(M0)t ≤ tmax(t) ∧ −t ≤ −tmin(t)

The canonical form of a state class (M,F ) can be repre-sented by the pair (M,D), where D is a DBM of order|En(M) ∪ {o}| (o represents the value zero) defined by:∀(x, y) ∈ (En(M) ∪ {o})2, Dx y = SupF (x − y).The canonical form of a state class are usually computedusing the shortest path Floyd-Warshall’s algorithm, inO(n3), where n is the number of variables in F .

Two state classes are said to be equal iff they share thesame marking and their firing domains are equal (i.e.: theirformulae are equivalent). To compare two state classes,each one is translated into its canonical form. The twoclasses are equal, if they have the same canonical form [2].

Formally, the SCG of a TPN model is a structure(C,�, α0), where α0 = (M0, F0) is the initial state class,

αt� α′ iff (succ(α, t) �= ∅ ∧ α′ = succ(α, t)), and

C = {α | α0 �∗ α} ( �∗ is the reflexive and transitiveclosure of �).

The SCG is finite for all bounded TPN models, and alsopreserves linear properties [1,2]. A firing sequence (or anexecution path) in the SCG starting from a state class α, is


a maximal sequence ζ = α1

t1� α2

t2� α3

t3� ....., such thatα1 = α.

In [4], the authors have proposed an implementation forthe firing rule, which directly computes the canonical formof each reachable state class in O(n2). So, the complexityof testing the consistency is reduced from O(n3) to O(n)while computing complexity of the canonical form passesfrom O(n3) to O(n2). This implementation is reported inthe following proposition 1.

Proposition 1 Let α = (M,F ) be a state class, (M,D)its canonical form and tf a transition.

• tf is firable from (M,D) (i.e.: Succ(α, tf ) �= ∅) ifftf ∈ En(M) and Mint∈En(M)Dt tf

= 0.

• If tf is firable from (M,D), its firing leads to the stateclass Succ(α, tf ) = (M ′,D′) computed as follows:∀p ∈ P,M ′(p) = M(p) − Pre(p, tf ) + Post(p, tf );∀t ∈ En(M ′),

D′t o =

{tmax(t) if t ∈ New(M′, tf);Dt tf otherwise

D′o t =

{−tmin(t) if t ∈ New(M′, tf);Minu∈En(M)Du t otherwise

∀(t, t′) ∈ (En(M ′))2,

D′t t′ =

0 if t is t′

D′t o + D′

o t′ if t or t′ ∈ New(M′, tf );Min(Dt t′ , D

′t o + D′

o t′ ) otherwise

Proof: (Sketch of proof) The proof is based on the graph rep-resentation of D (i.e. F ) called constraint graph. The constraintgraph of F is a weighted directed graph, where nodes representvariables of F , with one extra node, denoted o, representing thevalue 0. An arc connecting node x to node y with weight c rep-resents the constraint: x − y ≤ c. Using classical results aboutconstraint graphs, it follows that:

• F is consistent (there is at least one tuple of values that sat-isfies, at once, all constraints in F ) iff, the constraint graphof F has no negative cycle,

• If the constraint graph of F has no negative cycle, the weightof the shortest path, in the graph, going from a node x to anode y, is equal to SupF (x− y) (i.e.: Dx y). Therefore, theweight of the arc connecting node x to node y is equal to theshortest path, in the graph, going from x to y (i.e.: Dx y).

The formula of each reachable state class is consistent. Conse-quently, its constraint graph has no negative cycle. Moreover,the weight of the shortest path, in the constraint graph of F ,from a node x to a node y is equal to Dx y . From the firingrule, we deduce that transition tf is firable from α iff, tf is en-abled for the marking M and the following formula is consistent:F ∧ (

∧t∈En(M) tf − t ≤ 0). In other words, the constraint graph

of F completed with the set of arcs {(tf , t, 0))|t ∈ En(M)} hasno negative cycle. Since before adding these arcs, the graph didnot contain any negative cycle, the completed graph will haveno negative cycle iff, all elementary cycles going through one

of the added arcs are not negative. In addition, all added arcshave tf as source node. It follows that the weight of the short-est elementary cycle going through an added arc (tf , t, 0)) isthen 0 + Dt tf . This weight must be nonnegative, i.e.: ∀t ∈En(M), Dt tf ≥ 0. Since tf ∈ En(M) and Dtf tf = 0, itcomes that: Mint∈En(M)Dt tf = 0.Suppose that tf is firable from α = (M, D). From the firing rule,we deduce that the DBM D′ of the class reachable from α by fir-ing tf , can be computed using the constraint graph of the firingcondition by adding for each transition t newly enabled in M ′, anew node t and the arcs (t, tf , tmax(t)) and (tf , t,−tmin(t)).Delays in D′ are all relative to the firing date of transition tf . So,tf is renamed o in D′. Therefore, ∀t, t′ ∈ En(M ′),- D′

o t is the weight of the shortest path from node tf to node t, inthe completed constraint graph.D′

t o is the weight of the shortest path from node t to node tf , inthe completed constraint graph.D′

t t′ is the weight of the shortest path from node t′ to node t, inthe completed constraint graph.

4. Contracting the state class graph

To achieve more contractions, we propose a relationof equivalence over state classes which induces morecompact state class graphs while preserving linear prop-erties of the model. The idea of this relation comesfrom the fact that, according with proposition 1, the lineand column o of D are not necessary to compute thesuccessor classes of (M,D). It follows that all classes,which are equal in case we do not consider the line andcolumn o, have the same firing sequences. They canbe agglomerated into one node while preserving linearproperties of the model. In addition, as the firing of atransition will disable all transitions conflicting with it,for computing firing sequences, we do not need somedistances between conflicting transitions. As an example,consider the TPN model shown in figure 1. Its state classgraph consists of 13 arcs and the following state classes:

C0 : P0 + P2 0 ≤ t1 ≤ 2 1 ≤ t2 ≤ 3

0 ≤ t3 ≤ 2 1 ≤ t4 ≤ 3

−3 ≤ t1 − t2 ≤ 1 − 2 ≤ t1 − t3 ≤ 2

−3 ≤ t1 − t4 ≤ 1 − 1 ≤ t2 − t3 ≤ 3

−2 ≤ t2 − t4 ≤ 2 − 3 ≤ t3 − t4 ≤ 1

C1 : P1 + P2 0 ≤ t3 ≤ 2 0 ≤ t4 ≤ 3

−3 ≤ t3 − t4 ≤ 1

C2 : P1 + P2 0 ≤ t3 ≤ 1 0 ≤ t4 ≤ 2

−2 ≤ t3 − t4 ≤ 1

C3 : P0 + P3 0 ≤ t1 ≤ 2 0 ≤ t2 ≤ 3

−3 ≤ t1 − t2 ≤ 1

C4 : P0 + P3 0 ≤ t1 ≤ 1 0 ≤ t2 ≤ 2

−2 ≤ t1 − t2 ≤ 1

C5 : P1 + P3 0 ≤ t0 ≤ ∞State classes C1 and C2 have the same marking and two


enabled transitions t3 and t4, which are both firable but inconflict (the firing of one of them will disable the other).In their successor state classes, all enabled transitions arenewly enabled and then their firing domains do not dependon those of their predecessors (the firing interval of eachnewly enabled transition is initialized to its static firing in-terval). Therefore, state classes C1 and C2 have the samesuccessors. They can be agglomerated into one node with-out altering linear properties of the model. For the samereasons, state classes C3 and C4 can be also agglomeratedin one node. The resulting graph is shown in figure 1.

Figure 1. A TPN model with its CSG andCSCG

We first define formally our relation of equivalence overstate classes of the SCG. Afterwards, we show that this re-lation is a bisimulation over the SCG.

Let M be a marking and conf(M) the set of pairs oftransitions enabled but in conflict for M , i.e.: conf(M) =

{(t, t′) ∈ En(M)2 | ∃p ∈ P, M(p) < Pre(p, t) + Pre(p, t′)}.

Definition 1 : Relation �Let � be a relation over state classes of the SCG, definedby: ∀α1 = (M1,D1), α2 = (M2,D2) ∈ C,(M1,D1) � (M2,D2) iff

• M1 = M2, and

• ∀t, t′ ∈ En(M1),{Min(0, D1t t′ ) = Min(0, D2t t′ ) if (t, t′) ∈ conf(M1)

D1t t′ = D2t t′ otherwise

Lemma 1 � is a bisimulation over the SCG.

Proof: Since relation � is symmetric, it suffices to show that� is a simulation over the SCG, i.e.:∀α1 = (M1, D1), α2 = (M2, D2) ∈ C,∀tf ∈ T,(α1 � α2 ∧ succ(α1, tf ) �= ∅) ⇒(succ(α2, tf ) �= ∅ ∧ succ(α1, tf ) � succ(α2, tf )).By assumption, α1 � α2 and succ(α1, tf ) �= ∅. It follows that:

• M1 = M2,

• ∀u, t′ ∈ En(M1), Min(0, D1u t′ ) = Min(0, D2u t′ );

• In addition, since ∀t′ ∈ En(M1), D1t′ t′ = D2t′ t′ = 0, itfollows that: ∀t′ ∈ En(M1),Minu∈En(M1)D1u t′ = Minu∈En(M1)Min(0, D1u t′ )andMinu∈En(M1)D2u t′ = Minu∈En(M2)Min(0, D2u t′ ).

• Above relations imply that: [1] ∀t′ ∈ En(M1),Minu∈En(M1)D1u t′ = Minu∈En(M2)D2u t′ .

Proposition 1 states that succ((M1, D1), tf ) �= ∅ iffMinu∈En(M1)D1u tf

= 0. Using relation [1], it follows that:Minu∈En(M1)D1u tf

= 0 iff Minu∈En(M2)D2u tf= 0.

Then succ(α2, tf ) �= ∅.Let us now show that succ(α1, tf ) � succ(α2, tf ).Let (M ′

1, D′1) and (M ′

2, D′2) be respectively the successor state

classes of (M1, D1) and (M2, D2) by tf . We have M ′1 = M ′

2

and proposition 1 states that: ∀t, t′ ∈ En(M ′1)

1- if t is t′, D1′t t′

= D2′t t′

= 0

2- if t and t′ are newly enabled in M ′1:

D1′t t′

= D2′t t′

= tmax(t) − tmin(t′).

3- if t and t′ are not newly enabled in M ′1:

D1′t t′

= Min(D1t t′ , D1t tf+ Minu∈En(M1)D1u t′ )

D2′t t′

= Min(D2t t′ , D2t tf+ Minu∈En(M2)D2u t′ ).

4- if t is newly enabled but t′ is not newly enabled in M ′1:

D1′t t′

= tmax(t) + Minu∈En(M1)D1u t′

D2′t t′

= tmax(t) + Minu∈En(M2)D2u t′ .

5- if t is not newly enabled but t′ is newly enabled in M ′1:

D1′t t′

= D1t tf− tmin(t′)

D2′t t′

= D2t tf− tmin(t′).

From the fact that (M1, D1) � (M2, D2), the following state-ments hold, for each t, t′ in En(M ′

1) − New(M ′1, tf ):

• M ′1 = M ′

2, since M1 = M2


• D1t tf= D2t tf

[since (t, tf ) /∈ conf(M1)].

• Minu∈En(M1)D1u t′ = Minu∈En(M2)D2u t′ [relation 1above]

• D1t t′ = D2t t′ , if (t, t′) /∈ conf(M1).

• Min(0, D1t t′ ) = Min(0, D2t t′ ), if (t, t′) ∈ conf(M1).

Note that if two transitions t and t′ are not newly enabled and inconflict (resp. not in conflict) in M1, then they are also in conflict(resp. not in conflict) in M ′

1. It follows that ∀t, t′ ∈ En(M ′1),

1- if t and t′ are not in conflict in M ′1:

D1′t t′

= D2′t t′

.

2- if t and t′ are in conflict in M ′1:

Min(0, D1′t t′

) = Min(0, D2′t t′

).

Then α′1 � α′

2

Our abstraction called the Contracted State Class Graph(CSCG) is the quotient graph of the SCG w.r.t the relation�. It preserves both markings and firing sequences while itis, in general, smaller than SCG (see table 1 in section 5).CSCG is thus more appropriate than SCG to check linearproperties of the model. Moreover, our relation of equiva-lence allows a gain in space needed to represent each stateclass, as there is no need to keep the minimum and maxi-mum firing delays of each enabled transition (i.e. line andcolumn o of D). Distances between firing delays are enoughto compute successor state classes.

Definition 2 : Equivalence class w.r.t �Let α = (M,D) be a state class. Its equivalence class w.r.tthe relation � is the state class α = (M, D) defined by:∀t, t′ ∈ En(M),{

Dt t′ = Min(0, Dt t′) if (t, t′) ∈ conf(M)

Dt t′ = Dt t′ otherwise

The firing rule given in proposition 1 can be rewrittenusing equivalence classes as follows:

Proposition 2 Let α = (M,D) be a state class,α = (M, D) its equivalence class and tf a transition.Succ(α, tf ) �= ∅ iff Minu∈En(M)Du tf

= 0.If Succ(α, tf ) �= ∅ and Succ(α, tf ) = (M ′,D′) then theequivalence class (M ′, D′) of (M ′,D′) can be computedusing D as follows:∀(t, t′) ∈ (En(M ′))2 − conf(M ′), D′

t t′ =

0 if t is t′

tmax(t) − tmin(t′) if t, t′ ∈ New(M′, tf);tmax(t) + Minu∈En(M)Du t′ if t ∈ New(M′, tf);Dt tf − tmin(t′) if t′ ∈ New(M′, tf );Min(Dt t′ , Dt tf + Minu∈En(M)Du t′ ) otherwise

∀(t, t′) ∈ conf(M ′), D′t t′ =

0 if t is t′

Min(0, tmax(t) − tmin(t′)) if t, t′ ∈ New(M′, tf);Min(0, tmax(t) + Minu∈En(M)Du t′ ) if t ∈ New(M′, tf);Min(0, Dt tf − tmin(t′)) if t′ ∈ New(M′, tf);Min(0, Dt t′ , Dt tf + Minu∈En(M)Du t′ ) otherwise

Proof: (Sketch of proof) From the definition of D and thefact that ∀t′ ∈ En(M), Dt′t′ = Dt′t′ = 0, it follows that: [1]∀t′ ∈ En(M), Minu∈En(M)Du t′ = Minu∈En(M)Du t′ .Using proposition 1, it follows that: succ(α, tf ) �= ∅ iffMinu∈En(M)Du tf = 0.If succ(α, tf ) �= ∅ and succ(α, tf ) = (M ′, D′) then the com-putation of its equivalence class is immediate from relation [1],proposition 1 and the fact that ∀t ∈ En(M ′) − New(M ′, tf ),((t, tf ) /∈ conf(M)) and then Dt tf = Dt tf .

For example, consider the TPN model shown in figure 1and its SCG. Its CSCG is the quotient graph of the SCGw.r.t the relation �. State classes C1 and C2 satisfy re-lation � as they have the same marking and their two en-abled transitions t3 and t4 are in conflict and satisfy bothrelations Min(0,D1t3 t4) = Min(0,D2t3 t4) = 0 andMin(0,D1t4 t3) = Min(0,D2t4 t3) = 0. Their class ofequivalence is the state class (P1 + P2, t3 − t4 = 0). Inthe same way, we establish that state classes C3 and C4 ofthe SCG satisfy relation �. State classes of the CSCG areequivalence classes of � over state classes of the SCG:

C0 : P0 + P2 0 ≤ t1 − t2 ≤ 0 − 2 ≤ t1 − t3 ≤ 2

−3 ≤ t1 − t4 ≤ 1 − 1 ≤ t2 − t3 ≤ 3

−2 ≤ t2 − t4 ≤ 2 0 ≤ t3 − t4 ≤ 0

C1 : P1 + P2 0 ≤ t3 − t4 ≤ 0

C3 : P0 + P3 0 ≤ t1 − t2 ≤ 0

C5 : P1 + P3

5. Experimental results

We have implemented and tested the construction of theZBG [7], SCG [2] and CSCG using the models shown infigures 2, 3 and 4. The figure 2 shows the TPN modelcomponents of the classical level crossing example [1]:the train, the controller and the barrier models. Thelevel crossing model is obtained by putting in parallelone copy of the controller model, m copies of the trainmodel, and one copy of the barrier model. The modelcomponents are synchronized on transitions with thesame names. Models in figure 3 are put in parallel (ncopies of the model in figure 3.b with one copy of themodel in figure 3.a) while merging all places namedP1 in one single place. The figure 4 is the model of fourtasks that are launched periodically and executed in parallel.

Table 1 reports sizes (nodes/arcs) of the zone basedgraphs (column 2), the state class graphs (column 3) andthe contracted state class graphs (column 4) obtained for


TPN ZBG SCG CSCG Ratio1 Ratio2Fig.2(m=2) 147 123 113 1.09 2.19Arcs 266 218 198 1.10CPU(s) 0 0 0 -Fig.2(m=3) 6299 3101 2816 1.10 1.96Arcs 16565 7754 6941 1.12CPU(s) 0.22 0.04 0.02 2Fig.2(m=4) ? 134501 122289 1.10 2.02Arcs 436896 391240 1.11CPU(s) 4.47 2.41 1.85

Fig.3(n=2) 2941 748 519 1.44 2.04Arcs 9952 2460 1678 1.47CPU(s) 0.02 0.01 0 -Fig.3(n=3) 100060 4604 2834 1.62 1.99Arcs 485732 21891 13208 1.66CPU(s) 20.57 0.09 0.04 2.25Fig.3(n=4) ? 14086 8159 1.73 1.90Arcs 83375 47592 1.75CPU(s) 1.41 0.59 2.39Fig.3(n=5) ? 31657 17643 1.79 1.83Arcs 217423 120804 1.80CPU(s) 8.77 3.22 2.72Fig.3(n=6) ? 77208 37876 2.04 1.80Arcs 624158 294363 2.12CPU(s) 53.47 16.37 3.27

Fig.4 24015 18543 12910 1.44 1.89Arcs 86621 65403 45970 1.42CPU(s) 5.75 3.27 1.62 2.02

Table 1. Comparison of ZBG, SCG and CSCG

the tested models. Column 5 gives the ratios of the CSCGsizes and times to those of the SCG. Column 6 gives theratio of the space needed to represent classes of the CSCGto those of the SCG. Question mark indicates a situationwhere the computation has aborted due to a lack of memory.

These results confirm that CSCG is very appropriate toverify linear properties of the TPN model. Our abstractionproduces graphs which are, at once, smaller, faster to com-pute and need less resources (the space needed to memorizeclasses is reduced). In addition for all tested models, thegain in time and size are more significative and grows withthe size of the model (columns 5 and 6).

6. Partial order reductions

Several approaches have been developed that applypartial order reduction to model checking systems: thepersistent set method [8], the ample set method [9], thestubborn set method [13], and the ready set method [11,12].The common characteristic of all these methods is thatthey explore only a certain subset of execution paths fromeach state (state class). This subset is sufficient to verifyproperties of interest. For linear properties, partial orderreduction techniques are, in general, based on the conceptof stuttering equivalent sequences. Let φ be an LTL

open

m

m

[0,0]

coming

leaving

app

app

app

exit

exit

in far m

m-1

m-1

down

up

down L lowering

raising

R

closed

up

down

close_i

in_i

on_i

ex_i

left_i

exit

far_i

Controller Train

Barrier

[0,0]

[0,0]

[1,2]

[1,2]

[3,5] [2,4]

2 2

Figure 2. The level crossing models

P0 P2 P3

P1

P4 P5 P6

P1

t0 t1 t2 t3

[2 , 4] [1 , ∞] [1 , ∞] [1, 3]

a) ProdCons1 b) ProdCons2

Figure 3. Producer consumer model

Figure 4. A TPN model of some periodicaltasks


formula whose atomic propositions are interpreted onmarkings. Let L be a labelling function which associateswith each state class α the set of atomic propositions of φsatisfied for the marking of the state class. L(α) is calledthe label set of α w.r.t. φ. Let ρ be an execution path. Thelabel set sequence of ρ w.r.t. φ is obtained by replacingeach state class of ρ with its label set, and collapsing toa single set any maximal sequence of identical label sets.Two execution paths are stuttering equivalent (figure 5) ifthey have identical label set sequences. It has been shownin [9, 11, 13] that in case φ does not contain the nextoperator X , the truth values of φ for stuttering equivalentexecution paths are the same. Therefore, to verify φ forall execution paths of a state class, it suffices to consideronly execution paths which are not stuttering equivalent(representative execution paths).

For example, consider the TPN model and its contractedstate class graph shown in figure 6. Suppose that we haveto check the formula F (P0 + P1 = 0) which meansthat from the initial state, we will reach eventually a stateclass where the marking of both places P0 and P1 areequal to 0. For this formula, all execution paths of theinitial state class have exactly the same label set sequence(∅, {P0 + P1 = 0}). Therefore, to verify this formula, itsuffices to explore only one execution path.

However, in the context of partial order reduction, theselection of representative execution paths must be madeby selecting, from each state class α, a subset of firabletransitions, without exploring beforehand all executionpaths. In addition, the resulting subset should be as smallas possible while the overhead for their computing shouldnot offset the benefits of the reduction.

To compute an over-approximation of the subset oftransitions to be considered from each class, we use theapproach proposed in [11,13] by Yoneda and al.. Thisapproach considers one-safe time Petri nets4 with nounbounded firing intervals and an abstraction, calledGeometric Region Graph (GRG), which produces graphslarger than SCGs [1].

We first present Yoneda’s partial order technique andthen show how to adapt it to our abstraction and timePetri nets with unbounded firing intervals. The use of ourabstraction allow a gain in both time and space. Indeed, ourabstraction is more coarser than GRG and needs less spaceto represent each state class. Moreover, as we will see, thetime complexity of computing each state class is reducedfrom O(n3) to O(n2), n being the number of transitionsenabled in the state class.

4A time Petri net is one-safe iff the bound of each place is 1.

Figure 5. stuttering equivalent executionpaths

Figure 6. A TPN model with no conflictingtransitions

A state class in Yoneda’s approach is a tripleβ = (M,F, η), where M is the marking obtained byfiring from the initial marking M0 the sequence of transi-tions η, and F is a set of time constraints on firing dates oftransitions in M and their parents (transitions of η whichmade transitions of En(M) enabled). A transition ofEn(M) is firable from a state class iff it can be fired beforeall other enabled transitions. Two classes are equivalent iftheir markings are equal, the enabled transitions have thesame parents, and these parents could be fired at the sameabsolute times (dates).

The Yoneda’s partial order technique is mainly basedon the concept of independence. Let β = (M,F, η) be astate class, t1, t2 two transitions of Fr(β) (the set of firabletransitions from β), and φ an LTL−X formula. t1 is saidto be independent of t2 w.r.t. β and φ, if for any executionpath ρ2 of β starting with t2, there exists an executionpath ρ1 of β starting with t1 s.t. ρ1 and ρ2 are stutteringequivalent w.r.t. φ. Otherwise, t1 is said to be dependent oft2 w.r.t. β and φ. In the case that t1 is independent of t2,there is no need to consider the firing of t2 when generatingsuccessors of β.

The construction of an over-approximation of the subsetof firable transitions to consider, w.r.t. β and φ, is based onthe following definitions:

1 Let t1 and t2 be two transitions of T . t1 and t2 are


structurally in conflict iff they share at least one inputplace, i.e.: ◦t1 ∩ ◦t2 �= ∅. Such transitions are consid-ered dependent as the firing of one of them may disablethe other.

2 Let t be a transition of T and Places(φ) the set ofplaces which appear in φ. t is invisible w.r.t. φ if itsinput and output places do not appear in Places(φ),i.e.: (◦t ∪ t◦)∩Places(φ) = ∅. A transition is visibleif it is not invisible. A visible transition is considered tobe dependent of all other visible transitions as the firingorder of visible transitions is relevant for the evaluationof φ.

3 Let t be a transition of T . conflict+(t) is the setdefined by:{{t′ ∈ T | ◦t ∩ ◦t′ �= ∅} if t is not visible{t′ ∈ T | ◦t ∩◦ t′ �= ∅ ∨ t′ is visible} otherwise

4 Let t be a transition of T . necessary(t, β) is the setdefined by:{t′ ∈ En(M)|∃p, Pre(p, t) > M(p) ∧ Post(p, t′) > 0}Intuitively, if t is disabled in β, necessary(t, β)is the set of all transitions of En(M) such thattheir firing may enable t. necessary∗(t, β) is thesmallest set such that: t ∈ necessary∗(t, β) andif t′ ∈ necessary∗(t, β) then necessary(t′, β) ⊆necessary∗(t, β).

5 Let tf be a firable transition from β. The de-pendent set of tf w.r.t. β and φ, denoteddependent(tf , β, φ), is a set of transitions suchthat for every t ∈ conflict+(tf ) there ex-ists a set necessary∗(t, β) which is included independent(t, β, φ). dependent∗(tf , β, φ) is a set oftransitions such that: tf ∈ dependent∗(tf , β, φ) and ift ∈ dependent∗(tf , β, φ) then dependent(t, β, φ) ⊆dependent∗(tf , β, φ).

6 The set of firable transitions to be considered is calledthe ready set of β for φ. This set is computed as fol-lows:

6.1 Initialize the ready set ready with some transi-tion firable from β.

6.2 Iterate ready := ready ∪ (dependent(t, β, φ) ∩Fr(β)) for some t in ready until a fixed point isreached.

6.3 If there exist t ∈ ready and t′ ∈dependent(t, β, φ) such that t’ can fire before alltransitions in ready but t′ is not in ready, thenadd some firable t′′ to ready for which F impliest′′ < t′ and go to step 6.2.

The size of the ready set is however dependent on thetransition selected first. For efficiency purposes, one cancompute all possible ready sets and choose the smallestone. Another feature of Yoneda’s approach is that it relatesthe firing of a ready transition to transitions in the readyset (i.e.: the computation of successor classes is done byignoring transitions which do not belong to ready).The computation of the ready set of Yoneda’s class, whichis mainly based on the current marking, the structureof the model and some firing tests, can be also appliedto our classes. Let (M ′, F ) be a state class, (M,D)its canonical form and (M, D) its equivalence class.Using our abstraction, the test whether a transition t′

of a ready set can fire before all other transitions in theready set (step 6.3) is done in O(n), n being the cardinalof the ready set, as follows: Minu∈readyDu t′ = 0.The test of condition (F implies t′′ < t′) (step 6.3)is done in O(1) as follows Dt′′ t′ < 0. Recall that:

Dt′′ t′ =

{Min(0,Dt′′ t′) if (t′′, t′) ∈ conf(M)Dt′′ t′ otherwise

It follows that Dt′′ t′ < 0 iff Dt′′ t′ < 0. The definition ofD states that Dt′′ t′ = SupF (t′′ − t′). Then, Dt′′ t′ < 0 iffall tuples of delays which satisfy F , satisfy also t′′ < t′.Let (M, D) be a class and tf a transition of ready. Thesuccessor (M ′, D′) of (M, D) by tf in the reduced graphis computed, in O(n2), as follows:∀p ∈ P,M ′(p) = M(p) − Pre(p, tf ) + Post(p, tf );∀(t, t′) ∈ (En(M ′))2 − conf(M ′), D′

t t′ =0 if t is t′

tmax(t) − tmin(t′) if t t′ ∈ New(M′, tf )tmax(t) + Minu∈readyDu t′ if t ∈ New(M′, tf)Dt tf − tmin(t′) if t′ ∈ New(M′, tf)Min(Dt t′ , Dt tf + Minu∈readyDu t′ ) otherwise

∀(t, t′) ∈ conf(M ′), D′tt′ =

0 if t is t′

Min(0, tmax(t) − tmin(t′)) if t t′ ∈ New(M′, tf )Min(0, tmax(t) + Minu∈readyDu t′ ) if t ∈ New(M′, tf)Min(0, Dt tf − tmin(t′)) if t′ ∈ New(M′, tf)Min(0, Dt t′ , Dt tf + Minu∈readyDu t) otherwise

The correctness and the completeness of this partialorder are shown in [12,14] for one-safe and non zeno timePetri nets with no unbounded intervals. The non zenonessassumption guarantees that each enabled transition willeventually become firable unless it is disabled by anotherfiring. For nets with no unbounded intervals, this as-sumption guarantees also that each enabled transition willeventually fire in the future unless it is disabled by anotherfiring. On the other hand, the firing of an unboundedtransition may be delayed indefinitely to lead in the reducedgraph to some cycle such that a transition is firable fromeach state class of the cycle but does not belong to its readyset (unfair sequence). Note that such a transition is invisible


as by construction, all firable transitions that are visiblebelong to the ready set but the fairness criterion (we mustnot indefinitely neglect some transition) is not guaranteed.To deal with the fairness criterion, the ready set has tosatisfy also the Cycle closing condition, i.e.: for every cyclein the reduced state class graph there is at least one nodes.t. its ready set is equal to its set of firable transitions(fully expanded node) considered in [9] to address the sameproblem.

We have implemented and tested the partial order tech-nique of Yoneda on the SCG and the CSCG. Table 2 re-ports the sizes (nodes/arcs) of the reduced graphs w.r.t.G(Controller.far <= m), G(P1 <= 5) and F (P11 =1) for respectively the models shown in figures 2, 3 and 4,using the Yoneda’s approach and the SCG (column 2) orthe CSCG (column 3). These results confirm that CSCGand RCSCG are very appropriate to verify linear propertiesof the TPN model. Our abstraction produces graphs whichare, altogether, smaller, faster to compute and need fewer re-sources (the space needed to memorize classes is reduced).

7. Conclusion

In this paper, we considered time Petri nets for enu-merative analysis. We first proposed an abstraction for itsgenerally infinite state space. Experimental results haveshown that our abstraction is very appropriate to modelcheck linear properties as it produces more compact graphsin shorter times than those proposed in the literature.Afterwards, we adapted and applied the partial orderapproach of Yonada to our abstraction and time Petri netswith unbounded transitions.

In the near future, we will investigate further theconstruction of abstractions for other timed Petri nets.

References

[1] B. Berthomieu, F. Vernadat, State class constructions for branchinganalysis of time Petri nets, volume 2619 of LNCS, 2003.

[2] B. Berthomieu, M. Diaz, Modeling and verification of time depen-dent systems using time Petri nets, IEEE Transactions on SoftwareEngineering, vol 17, no 3, 1991.

[3] H. Boucheneb, R. Hadjidj, CTL* model checking for time Petri nets,Journal of Theoretical Computer Science TCS, vol. 353/1-3, pages208-227, 2005.

[4] H. Boucheneb, J. Mullins Analyse des reseaux de Petri temporels:Calcul des classes en O(n2) et des temps de chemin en O(m × n),Technique et Science Informatiques, vol. 22, no. 4, 2003.

[5] C. Daws, R. Gerth, B. Knaack, and R. Kuiper, Partial-order re-duction techniques for real-time model checking, Formal Aspects ofComputing, (10), pages 469-482, Springer, 1998.

TPN RSCG RCSCG RatioFig.2(m=2) 89 82 1.09Arcs 136 124 1.10CPU(s) 0.01 0.01 1Fig.2(m=3) 427 394 1.08Arcs 723 667 1.08CPU(s) 0.07 0.06 1.17Fig.2(m=4) 1439 1333 1.08Arcs 2530 2337 1.08CPU(s) 0.59 0.51 1.16

Fig.3(n=2) 33 28 1.18Arcs 50 43 1.16CPU(s) 0 0 -Fig.3(n=4) 307 250 1.23Arcs 742 604 1.23CPU(s) 0.03 0.02 1.5Fig.3(n=6) 844 681 1.24Arcs 2476 1961 1.26CPU(s) 0.17 0.15 1.14

Fig.4 348 254 1.37Arcs 307 229 1.34CPU(s) 0.02 0.01 2

Table 2. Comparison of RSCG and RCSCG

[6] S. Edelkamp, S. Leue, A. Lluch-Lafuente Partial-order reductionand trail improvement in directed model checking,International Jour-nal of Software Tools Technology Transfer (2004)6, pages 277301,Springer-Verlag, November 2004.

[7] G. Gardey, O. H. Roux, and O. F. Roux. Using zone graph method forcomputing the state space of a time Petri net. In Proc. of FORMATS2003, volume 2791 of LNCS, Springer-Verlag, 2004.

[8] P. Godefroid. Partial-Order Methods for the Verification of Concur-rent Systems, volume 1032 of LNCS, Springer-Verlag, 1996.

[9] D. Peled and T. Wilke. Stutter invariant temporal properties are ex-pressible without the next-time operator. Information Processing Let-ters, 63(5), 1997.

[10] W. Penczek and A. Polrola, Specification and Model Checking ofTemporal Properties in Time Petri Nets and Timed Automata, In Proc.of ICATPN, volume 3099 of LNCS, pages 37-76, Springer–Verlag,2004.

[11] W. Penczek, A. Polrola, Abstraction and partial order reductionsfor checking branching properties of time Petri nets, In Proc. ofICATPN, volume 2075 of LNCS , pages 323-342, 2001.

[12] D. Pradubsuwun, T.Yoneda, C. Myers, Partial order reduction fordetecting safety and timing failures of timed circuits, IEICE Trans.Inf. & Syst., vol. E88-D, no. 7, July 2005.

[13] A. Valmari, A stubborn attack on state explosion, volume 531 ofLNCS, Springer-Verlag, 1990.

[14] T.Yoneda, B.H.Schlingloff, Efficient Verification of Parallel Real-Time Systems, Formal Methods in System Design, Kluwer AcademicPublishers, vol. 11, no. 2, pp.187-215, August 1997.


[IEEE Seventh International Conference on Application of Concurrency to System Design (ACSD 2007) -...

Documents

Transcript of [IEEE Seventh International Conference on Application of Concurrency to System Design (ACSD 2007) -...