Merged Processes of Petri nets

Victor Khomenko

Joint work with Alex Kondratyev, Maciej Koutny and Walter Vogler

Posted on 12-Feb-2016; transcript of a PowerPoint presentation

Petri net unfoldings

• An acyclic net obtained through unfolding the PN by successive firings of transitions:
  - for each new firing a fresh transition (called an event) is generated
  - for each newly produced token a fresh place (called a condition) is generated
• The full unfolding can be infinite
• If the PN has finitely many reachable states then the unfolding eventually starts to repeat itself and can be truncated (by identifying a set of cut-off events) without loss of essential information, yielding a finite prefix

Example: Dining Philosophers

[Figure: a Dining Philosophers Petri net with places P1–P14 and transitions T1–T10, and its unfolding prefix]

Characteristics of unfoldings

• Alleviate the state space explosion problem for highly concurrent systems
  - e.g. for Dining Philosophers the prefix size is linear in the number of philosophers even though the number of states is exponential
• Efficient model checking algorithms
  - e.g. deadlock checking is PSPACE-complete for safe PNs but only NP-complete for prefixes
• Do not cope well with sources of state space explosion other than concurrency, e.g. with a sequence of choices
• Do not cope well with non-safe PNs

Example: sequence of choices

[Figure: a net consisting of a sequence of choices and its unfolding]

No event is cut-off, the prefix is exponential

Example: non-safe PN

[Figure: a non-safe net with place m holding several tokens, and its unfolding]

Tokens in the same place are distinguished in the unfolding, the prefix is exponential

Wanted

A data structure coping not only with concurrency but also with other sources of state space explosion

Occurrence-depth

[Figure: an unfolding whose conditions are annotated with their occurrence-depths]

Merged Process:
• Fuse conditions with the same label and occurrence-depth
• Delete duplicate events

Example: a Petri net

[Figure: a Petri net with four places labelled 1–4]

Example: unfolding

[Figure: the unfolding of that net; conditions labelled 1–4, with labels 3 and 4 each occurring twice]

Step 1: Fuse conditions with the same label and occurrence-depth

Example: (cont’d)

[Figure: the net after fusing conditions; the events producing the fused conditions now appear as replicas]

Step 2: Delete event replicas

Examples

MPs of these nets coincide with the original nets, even though unfoldings are exponential!

[Figure: the sequence-of-choices net and the non-safe net from the earlier examples]
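The two Merge steps above (fuse conditions with equal label and occurrence-depth, then delete event replicas) and the claim that the sequence-of-choices MP coincides with the original net, as an added example that is not code from the slides or from the authors' tool. The unfolding data is constructed, and the replica criterion assumed here is equal label plus equal pre- and postsets of mp-conditions.

```python
from functools import lru_cache

def occurrence_depths(label, pre, post):
    """Occurrence-depth of a condition c: the maximum number of
    label(c)-labelled conditions on any directed path from a minimal
    condition to c.  `label` maps every node to its place/transition
    label; `pre`/`post` map each event to its input/output conditions;
    nodes absent from `pre` are conditions."""
    producer = {c: e for e in pre for c in post[e]}  # unique in an unfolding

    @lru_cache(maxsize=None)
    def count(node, p):
        # max number of p-labelled conditions on a path ending in `node`
        if node in pre:                                 # node is an event
            return max((count(c, p) for c in pre[node]), default=0)
        here = 1 if label[node] == p else 0             # node is a condition
        e = producer.get(node)
        return here + (count(e, p) if e is not None else 0)

    return {c: count(c, label[c]) for c in label if c not in pre}

def merge(label, pre, post):
    """Step 1: fuse conditions with equal (label, occurrence-depth).
    Step 2: delete event replicas: events with the same label and the
    same pre- and postsets of mp-conditions (assumed replica criterion).
    Returns (mp_conditions, mp_events); mp_events maps the key
    (label, preset, postset) to the list of original events fused into it."""
    depth = occurrence_depths(label, pre, post)
    mpc = {c: (label[c], depth[c]) for c in depth}
    mp_events = {}
    for e in pre:
        key = (label[e], frozenset(mpc[c] for c in pre[e]),
               frozenset(mpc[c] for c in post[e]))
        mp_events.setdefault(key, []).append(e)
    return set(mpc.values()), mp_events

# Constructed unfolding of a two-level "sequence of choices" net
# p0 -t1|t2-> p1 -t3|t4-> p2: a tree with 7 conditions and 6 events.
LABEL = {"c0": "p0", "c1": "p1", "c2": "p1", "c3": "p2", "c4": "p2",
         "c5": "p2", "c6": "p2", "e1": "t1", "e2": "t2", "e3": "t3",
         "e4": "t4", "e5": "t3", "e6": "t4"}
PRE = {"e1": {"c0"}, "e2": {"c0"}, "e3": {"c1"}, "e4": {"c1"},
       "e5": {"c2"}, "e6": {"c2"}}
POST = {"e1": {"c1"}, "e2": {"c2"}, "e3": {"c3"}, "e4": {"c4"},
        "e5": {"c5"}, "e6": {"c6"}}

if __name__ == "__main__":
    conds, evs = merge(LABEL, PRE, POST)
    print(len(conds), "mp-conditions,", len(evs), "mp-events")  # 3 and 4: the original net
```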

Properties of MPs

• Canonicity
• Finiteness
• Completeness
• Theoretical upper bounds on size
• Experimental results: size

Canonicity

• Easily follows from the canonicity of unfolding prefixes:

Canonical MP = Merge(Canonical prefix)

Finiteness

Proposition: Merge(Pref) is finite iff Pref is finite

• Pref finite ⇒ Merge(Pref) finite: trivial, as Merge(Pref) is no larger than the prefix
• Merge(Pref) finite ⇒ Pref finite: more difficult, as the Merge operation can collapse infinitely many nodes into one:

[Figure: the Merge operation collapsing infinitely many nodes into one]

Finiteness (cont’d)

• Merge(Pref) finite ⇒ Pref finite follows from the analogue of König’s lemma for branching processes:
  - an infinite branching process contains an infinite causal chain
  - hence there are infinitely many instances of some place p along it
  - hence the occurrence-depth of instances of p is unbounded
  - hence there are infinitely many instances of p in the merged process

Completeness

• Preservation of firings is tricky – it’s hard to define cut-offs since an event can have multiple local configurations
• Hence consider only marking-completeness (good enough for model checking as the firings can be retrieved from the original PN)

Proposition: if Pref is marking-complete then Merge(Pref) is marking-complete

Theoretical upper bounds on size

• Trivial bound: Merge(Pref) is never larger than Pref, hence never larger than the reachability graph
  - too pessimistic in practice
• MPs of acyclic PNs coincide with the original PNs with the dead nodes removed
  - unfoldings can be exponential
• MPs of live and safe free-choice PNs [with minor restrictions] are polynomial in the size of the original PNs
  - unfoldings can be exponential

Experimental results: size

[Bar chart, horizontal axis 0 to 100000, for the benchmarks Bds, Dme(11), Dpd(7), Dpfm(11), Dph(7), Elev(4), Ftp, Furn(3), Gasnq(5), Gasq(4), Key(4), Mmgt(4), Over(5), Q, Rw(12), Speed; legend: |T|, |E|, |Ê|]

Experimental results: PN/MP size

[Bar chart, horizontal axis 0 to 6000, for the same benchmarks; legend: |T|, |Ê|]

Experimental results: summary

• Corbett’s benchmarks were used
• MPs are often by orders of magnitude smaller than unfolding prefixes
• In many cases MPs are just slightly larger than the original PNs
• In some cases MPs are smaller than the original PNs due to removal of dead nodes

Model checking

• MPs are small, but are they of any use in practice?
• Can model checking algorithms developed for unfoldings be lifted to MPs?
• In what follows, we consider safe PNs only

Problem: cycles

[Figure: a Petri net]

[Figure: its unfolding, conditions annotated with occurrence-depths 1, 1, 2 in each of the two branches]

Criss-cross fusion results in a cycle!

[Figure: the resulting MP with a cycle]

Still worse, the marking equation (ME) used for unfolding-based verification can have spurious solutions

[Figure (animation): borrow a token; fire; fire; the borrowed token is returned; the current marking is unreachable]

Solution

• Add to the marking equation another constraint, ACYCLIC, requiring the run to be acyclic:

ME & ACYCLIC

Example: an acyclic run

[Figure]

Example: a run with a cycle

[Figure]

SAT encoding

• Associate a Boolean variable v to each node v of the MP indicating whether it belongs to the run
• View the run as a digraph induced in the MP by the variables whose value is true
• Sort the nodes of the merged process so that the number of feedback vertices is (heuristically) minimised

SAT encoding (cont’d)

• For each feedback vertex:
  - ignore the vertices on its left
  - generate the formula conveying that the sources of the feedback arcs are not reachable from this feedback vertex:

[Formula omitted: garbled in the transcript]

• Formula size: O(|V_f|·|E|); can we do better?

Another problem: spurious runs

[Figure: an MP in which the condition with occurrence-depth 2 can be visited without first visiting the condition with the same label and occurrence-depth 1, which is not possible in the unfolding]

Solution

• Add another constraint, NG (no-gap), conveying that
  - if a condition with occurrence-depth k>1 is visited then the condition with the same label and occurrence-depth k-1 is also visited
  - the conditions with the same label are visited in increasing order of occurrence-depth (can be enforced by ACYCLIC by adding a few arcs)

Solution (cont’d)

[Figure]

Model checking

ME & ACYCLIC & NG & VIOL

• This is enough to lift unfolding-based model checking algorithms to merged processes!
• Deadlock checking (and many other reachability-like problems) is NP-complete in the size of the MP – no worse than for unfoldings
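The ACYCLIC and NG constraints described above, checked directly on a candidate run of an MP rather than encoded into SAT; this is an added example, not code from the slides, and both merged processes in it are constructed (the first reproduces the criss-cross cycle, the second the spurious run that skips occurrence-depth 1).

```python
from collections import defaultdict

def is_condition(node):
    return isinstance(node, tuple)        # conditions are (place, depth) pairs

def acyclic(arcs, run):
    """ACYCLIC: the digraph induced in the MP by the nodes of `run`
    (the variables set to true) contains no cycle."""
    succ, indeg = defaultdict(list), {v: 0 for v in run}
    for u, v in arcs:
        if u in run and v in run:
            succ[u].append(v)
            indeg[v] += 1
    # Kahn's algorithm: every node of a DAG can be peeled off as a source
    queue, peeled = [v for v in run if indeg[v] == 0], 0
    while queue:
        u = queue.pop()
        peeled += 1
        for v in succ[u]:
            indeg[v] -= 1
            if indeg[v] == 0:
                queue.append(v)
    return peeled == len(run)

def no_gap(run):
    """NG: if (p, k) with k > 1 is visited then (p, k-1) is visited too.
    (The ordering part of NG is left to ACYCLIC with extra arcs.)"""
    return all((p, k - 1) in run
               for (p, k) in filter(is_condition, run) if k > 1)

def valid_run(arcs, run):
    return acyclic(arcs, run) and no_gap(run)

# Constructed MP 1 (criss-cross fusion): t1: p1->p2 and t2: p2->p1 whose
# fused conditions form the cycle (p1,1) -> t1 -> (p2,1) -> t2 -> (p1,1).
MP1 = [(("p1", 1), "t1"), ("t1", ("p2", 1)),
       (("p2", 1), "t2"), ("t2", ("p1", 1))]
# Constructed MP 2: t1: a->p, t2: p->q, t3: r->q, t4: q->p.  Both t4
# instances consume the fused (q,1) but one yields (p,2), the other (p,1).
MP2 = [(("a", 1), "t1"), ("t1", ("p", 1)), (("p", 1), "t2"), ("t2", ("q", 1)),
       (("r", 1), "t3"), ("t3", ("q", 1)),
       (("q", 1), "t4a"), ("t4a", ("p", 2)), (("q", 1), "t4b"), ("t4b", ("p", 1))]

if __name__ == "__main__":
    print(valid_run(MP1, {("p1", 1), "t1", ("p2", 1)}))        # True
    print(valid_run(MP1, {("p1", 1), "t1", ("p2", 1), "t2"}))  # False: cycle
    # reaching (p,2) via r, t3, (q,1), t4a skips (p,1): rejected by NG
    print(valid_run(MP2, {("r", 1), "t3", ("q", 1), "t4a", ("p", 2)}))  # False
```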

Experimental results: MC time

[Bar chart, logarithmic horizontal axis 1 to 100000, for the benchmarks Bds, Dme(11), Dpd(7), Dpfm(11), Dph(7), Elev(4), Ftp, Furn(3), Gasnq(5), Gasq(4), Key(4), Mmgt(4), Over(5), Q, Rw(12), Speed; legend: Unf, MP]

Experimental results

• Corbett’s benchmarks were used
• Model checking is practical – running times are comparable with those of an unfolding-based algorithm
• Still deteriorates on a couple of benchmarks – but it’s early days of this approach and we keep improving it

Open problems / future work

• Direct characterization of MPs (cf. the characterization of unfoldings by occurrence nets)
  - currently much is done via unfoldings
• Improve the efficiency of model checking
  - the SAT encoding of ACYCLIC is the main problem
• A direct algorithm for building MPs
  - currently built by fusing nodes in the unfolding prefix

Algorithm for building MPs

Idea: reduce the problem of finding a possible extension to the following problem:

• Find a configuration C in the built part of the MP such that:
  - C can be extended by a new event, and
  - C contains no cut-offs, i.e. for each event e in C there is no configuration C’ in the built part of the MP such that Mark([e]_C)=Mark(C’) and C’ [e]_C
• Reducible to QBF with 1(?) alternation
• Reducible to SAT if the adequate order is