user.it.uu.se/~aletta/papers/thesis.pdf

ACTA UNIVERSITATIS UPSALIENSIS
Uppsala Dissertations from the Faculty of Science and Technology 51
Aletta Nylen

Compact Constraints for Verification of Well Quasi-Ordered Programs

Dissertation for the Degree of Doctor of Philosophy in Computer Science presented at Uppsala University in 2003.

Abstract

Nylen, A. 2003: Compact Constraints for Verification of Well Quasi-Ordered Programs, Acta Universitatis Upsaliensis. Uppsala dissertations from the Faculty of Science and Technology 51. 119 pp. Uppsala. ISBN 91–554–5788–6.

In this thesis we present algorithms and constraint systems for efficient verification of infinite-state transition systems that are monotonic with respect to a well quasi-ordering.

A major problem in verification of infinite-state systems is constraint explosion, that is, the number of constraints generated during analysis is too large. The problem can be reduced either by reducing the number of constraints that need to be analysed (partial order methods) or by producing constraint systems that are more compact in the sense that the number of states represented by a single constraint is increased. The main contributions of this thesis are:

• An unfolding algorithm for symbolic verification of unbounded Petri nets. Unfolding is a partial order method which has previously only been used in verification of finite-state systems.

• A framework for developing compact constraint systems. The framework is based on the theory of better quasi-ordering and allows construction of constraint systems that are much more compact than those developed in previous frameworks based on well quasi-ordering.

• A framework for developing constraint systems that are suitable for forward analysis. In forward analysis, the constraints give a characterization of the set of reachable states. Although this is not computable in general, it turns out that for some applications forward analysis is more efficient than backward analysis.

Aletta Nylen, Department of Information Technology, Uppsala University, Box 337, SE–751 05 Uppsala, Sweden.

© Aletta Nylen 2003

ISSN 1104–2516

ISBN 91–554–5788–6

Printed in Sweden by Elanders Gotab, Stockholm 2003.

To Christer and David

Acknowledgments

First of all, I would like to thank my supervisor Parosh Abdulla. Without his support and guidance this thesis would never have been written.

I have found great and inspiring role models in Bengt Jonsson, who I had the pleasure of working with in the beginning of my graduate studies, and Purush Iyer, who was my coauthor on the unfolding papers. I am also grateful to my collaborators and fellow Ph. D. students Julien d’Orso, Pritha Mahata and Johann Deneux. I have enjoyed our long and rewarding discussions. Thanks also to Theres Wiklund who worked with me on the implementation of existential zones and to Jesper Møller for helping me understand how to let time pass.

I would like to thank Parosh Abdulla, Christer Jonsson, Thiemo Voight and Johann Deneux for valuable comments on this thesis, David Webber for linguistic support and Erik Stenman for helping me get the LaTeX formatting right.

Everybody at DoCS, the Algorithmic Program Verification group, Bjorn Victor, Gustaf Naeser and Jan Nystrom, have taken part in making my days as a student enjoyable.

Finally, I would like to thank my family, Christer, who has had to read this thesis almost as many times as I have, and our son David, who has put up with my writing-instead-of-playing far too many times. I love you.

Contents

1 Introduction 1
1.1 Outline 3
1.2 Publications by the Author 4

2 Background 5
2.1 Partial Order Methods 5
2.2 Symbolic Verification 6
2.3 Infinite-State Systems 7
2.4 Well-Structured Transition Systems 7
2.5 Constraint Explosion 9
2.6 Examples 9
2.7 Contribution 12

3 Fundamentals 15
3.1 Notation 15
3.2 Quasi-Orderings 15
3.3 Transition Systems 16
3.4 Reachability 16
3.5 Well Quasi-Ordered Constraint Systems 17
3.6 Backward Reachability Algorithm 18

4 Petri Nets 21
4.1 Multisets 21
4.2 Petri Nets 22
4.3 Coverability 22
4.4 Parameterized Systems 23
4.5 A Constraint System 24

5 Unfoldings 25
5.1 Coverability 26
5.2 Reverse Occurrence Nets 27
5.3 An Unfolding Algorithm 29
5.4 Termination 31
5.5 Checking Coverability using SAT-solvers 34
5.6 Prover 36
5.7 Implementation 36
5.8 Experimental Results 37
5.9 Related work 40

6 Timed Petri Nets 43
6.1 Existential Regions 46
6.2 Fischer’s Protocol 47

7 Better-Structured Systems 51
7.1 Well Quasi-Ordered Constraint Systems 52
7.2 Better-Structured Transition Systems 55
7.3 Existential Zones 58
7.4 Experimental Results 65
7.5 Broadcast Protocols 67
7.6 Lossy Channel Systems 67
7.7 Integral Relational Automata 69
7.8 Related Work 70

8 Forward Analysis 71
8.1 Downward Closed Language Generators 73
8.2 Intersection 75
8.3 Entailment 78
8.4 Multisets 80
8.5 Sets 86
8.6 Vectors 86
8.7 Hierarchical DLGs 87
8.8 Region Generators 88
8.9 Computing post-images 89
8.10 Other Models 94
8.11 Experimental Results 95
8.12 Related Work 95

9 Undecidability 97
9.1 Undecidability of LTL 98
9.2 The Recurrent Place Problem 98
9.3 Lossy Counter Machines 98
9.4 Undecidability Proof 99

10 Conclusions and Future Work 105

Index 107

References 109


List of Figures

1.1 A small transition system 2

4.1 A small Petri net. 23
4.2 A system consisting of three processes and a Petri net model of the system. 24

5.1 An unfolding of the net in Figure 4.1 28
5.2 A finite postfix of the unfolding in Figure 5.1. 34
5.3 A Simple Token Ring Network 38
5.4 A more complicated token ring network 39
5.5 A buffer process 40

6.1 A small timed Petri net. 44
6.2 Graphical illustration of M1 ⪯ M2. 45
6.3 Fischer’s Protocol for Mutual Exclusion 48
6.4 Timed Petri net model of Fischer’s Protocol for Mutual Exclusion 49

7.1 A graphic illustration of [[φ2,5]] and [[ψ5]]. Filled circles represent points satisfying the corresponding constraint. 54
7.2 Example of restrictions on ages of tokens. 59
7.3 Two constraints in L2 68

8.1 An invariant of Fischer’s protocol. 96

9.1 (a) Simulating the operation of increasing a counter. (b) Simulating the operation of decreasing a counter. 100
9.2 Simulating the operation of testing the value of a counter. 101
9.3 Simulating losses. 102

Chapter 1

Introduction

An important issue in computer science is to ensure that programs do what they are intended to do. This is commonly accomplished by testing software more or less thoroughly. However, testing of software can never guarantee the absence of errors in non-trivial programs. An alternative approach is to use mathematics as a tool to verify that programs behave correctly. This thesis investigates the use of logic for automatic program verification.

Model checking is one of the most widely used techniques for automatic verification of programs [34]. It is used to verify that programs satisfy certain properties. The properties are usually expressed in some logic formalism such as temporal logic [71], and the programs are modelled in some formalism, e.g. λ-calculus or Petri nets. It is then checked if the model satisfies the properties.

The notion of states is fundamental to program modelling. A program state is an abstract representation of the information needed to describe the program’s possible future actions. Usually the state can be defined by the values of the variables used in the program. With the addition of transitions between states we get a complete formal description of the program, a transition system. Figure 1.1 shows a small transition system where a, b, c and d are the states and the arrows represent transitions between the states.

In this thesis we focus on verifying safety properties. A safety property states that something bad cannot happen. The goal is then to prove that this is actually true. A typical safety property can be that a program does not halt unexpectedly, i.e., deadlock, or that a shared resource can only be accessed by one process at a time, i.e., mutual exclusion.

One method to verify safety properties is to describe states where something bad has happened and then analyse whether these states can be reached during execution of the system [55]. This method is called reachability analysis. In the transition system in Figure 1.1, we see that

Figure 1.1: A small transition system

if we start execution in state a, we can never reach state d. We say that the set of reachable states is {a, b, c}.

Reachability analysis can be performed in two directions. Forward reachability analysis starts from the initial system state and computes the set of reachable states. Backward reachability analysis starts from a set of final states, usually bad states which we do not want to occur during execution, and computes the set of states from which the final states can be reached.
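The two directions of reachability analysis just described, as an added example (not code from the thesis): both are computed as fixpoints over sets of states, using a one-step successor function for forward analysis and a one-step predecessor function for backward analysis. The figure's arrows are not given in the text, so the transition relation below is a constructed assumption chosen to agree with the stated fact that {a, b, c} is reachable from a and d is not.

```python
"""Forward and backward reachability on a finite transition system, computed
as fixpoints over sets of states rather than state by state. Added
illustration; not code from the thesis.
"""

# Constructed transition relation in the spirit of Figure 1.1. The text only
# states that from a the reachable states are {a, b, c} and that d cannot be
# reached, so the arrows chosen here are an assumption consistent with that.
TRANSITIONS = {("a", "b"), ("b", "c"), ("c", "a"), ("d", "b")}


def post(states, transitions):
    """One step forward: all successors of the given set of states."""
    return {t for s, t in transitions if s in states}


def pre(states, transitions):
    """One step backward: all states with a successor in the given set."""
    return {s for s, t in transitions if t in states}


def closure(start, step):
    """Least fixpoint of step above start: extend the set until a step adds
    nothing new. Terminates here because the state space is finite."""
    reached = set(start)
    frontier = set(start)
    while frontier:
        frontier = step(frontier) - reached
        reached |= frontier
    return reached


def forward_reachable(initial, transitions):
    """States reachable from the initial states."""
    return closure(initial, lambda s: post(s, transitions))


def backward_reachable(final, transitions):
    """States from which some final state can be reached."""
    return closure(final, lambda s: pre(s, transitions))


def safety_holds(initial, bad, transitions):
    """Bad states are unreachable. Both directions decide the same question:
    forward analysis asks whether the reachable set meets bad, backward
    analysis asks whether the predecessors of bad meet the initial states."""
    forward = forward_reachable(initial, transitions).isdisjoint(bad)
    backward = backward_reachable(bad, transitions).isdisjoint(initial)
    assert forward == backward  # the two directions always agree
    return forward


if __name__ == "__main__":
    print("forward from a:", sorted(forward_reachable({"a"}, TRANSITIONS)))
    print("backward from d:", sorted(backward_reachable({"d"}, TRANSITIONS)))
    print("d unreachable from a:", safety_holds({"a"}, {"d"}, TRANSITIONS))
```

On a finite system the choice of direction only affects cost; the symbolic methods discussed next keep this set-based formulation but replace the explicit sets with constraints so that the same iteration can run over infinite state spaces.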

The transition system in the figure has a finite number of states. This is not always the case. In fact, most programs have an infinite number of states. An example of an infinite-state program is a counter where the states represent the value of the counter. The counter is an infinite-state system because the set of possible values for the counter, i.e., the set of natural numbers, is infinite. We say that the counter operates on data with an infinite domain. A system may also be infinite-state because the system consists of an unbounded number of processes. We may e.g. consider networks of computers where we want to verify that a network satisfies a given property regardless of the size of the network. Such systems are called parameterized systems since they are parameterized by the number of processes in the system.

Techniques developed for the analysis of finite-state systems can be adapted to work in the analysis of infinite-state systems by use of symbolic methods. That means that the analysis is performed on (potentially infinite) sets of states rather than on individual states. Furthermore, we want states belonging to the same set to have similar behavioural properties. We use constraints to represent such sets of states. Some systems allow a finite set of constraints to represent the entire state space. An example is timed automata, where a finite-state machine operates on a finite set of real-valued clocks. In timed automata the set of reachable states can be partitioned into a finite set of regions [19].

Not all systems allow such a finite partitioning. An example is Petri nets, which are widely used to model concurrent systems. They allow an unbounded number of tokens to reside in the places of the net. There are algorithms for analysing classes of systems that do not allow finite partitioning. One such class is that of well-structured systems [7, 11, 51], which are systems where the set of states is equipped with a well quasi-ordering. The aim of the work behind this thesis is to increase efficiency in the analysis of well-structured infinite-state systems by developing new algorithms and constraint systems. In particular, this work concentrates on the analysis of Petri nets and their extensions.

1.1 OUTLINE

Chapter 2 contains an introduction to the field of formal verification. In particular, we focus on methods and constraint systems used to combat state explosion.

In Chapter 3, we give a technical background to the work in the rest of the thesis by introducing basic concepts such as quasi-orderings and transition systems. We also present an algorithm for symbolic reachability analysis.

In Chapter 4, Petri nets are introduced.

In Chapter 5 we present an unfolding algorithm for unbounded Petri nets. We also report on some experimental work which compares the unfolding algorithm to the backward reachability algorithm from Chapter 3.

In Chapter 6 we introduce timed Petri nets and describe existential regions, a constraint system for verifying timed systems.

In Chapter 7 we present a method for developing compact constraint systems which can be used together with the backwards reachability algorithm that was described in Chapter 3. Existential zones, a constraint system for timed systems with an unbounded number of clocks, is presented and used in an implementation of coverability analysis for timed Petri nets.

In Chapter 8 we consider forward reachability analysis. A framework is presented within which constraint systems well suited for forward analysis can be developed. Furthermore, region generators, a constraint system for timed Petri nets, is presented and used in an implementation.

In Chapter 9 we show that action-based linear-time temporal logic (LTL) is undecidable for timed Petri nets.

In Chapter 10 we give some conclusions and directions for future work.

1.2 PUBLICATIONS BY THE AUTHOR

This thesis is based on the following articles.

1. P. A. Abdulla and A. Nylen. BQOs and timed Petri nets. Technical Report 2000-021, Dept. of Information Technology, Uppsala University, Sweden, 2000.

2. P. A. Abdulla and A. Nylen. Better is better than well: On efficient verification of infinite-state systems. In Proc. 16th IEEE Int. Symp. on Logic in Computer Science, 2000.

3. P. A. Abdulla, P. Iyer and A. Nylen. Unfoldings of unbounded Petri nets. In Proc. 12th Int. Conf. on Computer Aided Verification, volume 1855 of Lecture Notes in Computer Science, 2000.

4. P. A. Abdulla and A. Nylen. Timed Petri nets and BQOs. In Proc. 22nd Int. Conf. on Application and Theory of Petri Nets, volume 2075 of Lecture Notes in Computer Science, 2001.

5. P. A. Abdulla and A. Nylen. Undecidability of LTL for timed Petri nets. In Proc. 4th Int. Workshop on Verification of Infinite-State Systems, 2002.

6. P. A. Abdulla, P. Iyer and A. Nylen. SAT-solving the coverability problem for unbounded Petri net. Accepted for publication in Formal Methods in System Design, 2003.

7. P. A. Abdulla, J. Deneux, P. Mahata and A. Nylen. Downward-closed language generators. Technical Report 2003-001, Dept. of Information Technology, Uppsala University, Sweden, 2003.


Chapter 2

Background

Formal verification consists of three components: a formalism in which an appropriate abstraction, or model, of the system can be expressed, a formalism in which correctness properties of the system can be specified and, finally, an analysis procedure which can decide whether models meet their specifications. A common approach to automated verification is to perform an enumerative search of the state space. For most systems, even if they are finite-state systems, the state space is very large. In fact, the size of the state space is often exponential in the size of the system that is being modelled. This state explosion problem [95] is a limiting factor in automated verification, and therefore tools developed for exhaustive state space exploration can only be used to analyse small systems. Two techniques that have been developed to reduce state explosion are partial order methods [94, 55, 85, 41, 75, 13, 15] and symbolic methods [32, 75].

2.1 PARTIAL ORDER METHODS

Partial order methods are a family of techniques used to reduce the number of states that need to be explored during analysis. They are based on the observation that concurrent actions are often independent and thus their different interleavings are equivalent in the sense that they lead to the same state regardless of the order in which they are applied. In fact, the different interleavings are only different representations of one “truly concurrent” execution, but they go through many different intermediate states and the reachability graph contains them all.

This observation has motivated research along at least two different lines. One approach is to define equivalences between interleavings. The reachability graph can then be reduced by letting one interleaving represent a whole class of equivalent interleavings. Stubborn sets [94], persistent sets [55] and ample sets [85] are based on this approach. Partial order reductions have also been used in the context of symbolic verification [13, 15]. In symbolic verification a preorder, rather than an equivalence relation, is defined on the set of interleavings. The method has been applied to lossy channel systems and to (unbounded) Petri nets and is applicable to the verification of both finite-state and infinite-state systems.

Another approach is to replace the reachability graph by a structure which represents the “truly concurrent” executions directly and does not explicitly show any individual interleavings. Following this direction, McMillan introduced the unfolding technique [41, 75]. Unfoldings are occurrence nets [84]: unrollings of Petri nets (see Chapter 4) that preserve their semantics. Although unfoldings are usually infinite, it is observed in [76] that for n-safe Petri nets, we can always construct a finite initial prefix of the unfolding which captures its entire behaviour, and which in many cases is much smaller than the state space of the system. The prefix algorithm was improved in [49]. An n-safe Petri net is a Petri net where the number of tokens in a place never exceeds n. Hence an n-safe Petri net is a finite-state system since the number of markings is bounded by (n + 1)^|P|, where |P| is the number of places in the net. In addition to n-safe Petri nets, unfoldings have also been applied to other classes of finite-state systems such as synchronous products of finite transition systems [46, 68].

Several different algorithms have been used to perform deadlock detection on prefixes, e.g. a branch-and-bound algorithm [76], an algorithm based on linear programming [78] and an algorithm based on SAT-solvers with stable semantics [58]. There are also several algorithms for performing reachability analysis on prefixes of 1-safe Petri nets including an on-the-fly solution [76], a linear programming approach [77], reduction to a logic program [58] and a graph theoretic approach [48].

In this thesis we combine unfoldings with symbolic methods and show how unfoldings can be used in the verification of infinite-state systems. We also show how to use a SAT-solver to perform coverability analysis on our unfoldings.

2.2 SYMBOLIC VERIFICATION

The other technique used to reduce the state explosion problem is symbolic verification. In symbolic verification, the analysis is performed on sets of states rather than on individual states. Since infinite-state systems cannot be analysed by state space traversal, using symbolic methods is a way to enable verification of such systems.

A key ingredient in symbolic verification is data structures that allow representing and manipulating (infinite) sets of states. One of the most widely used symbolic representations is Binary Decision Diagrams (BDDs) [31]. BDDs are canonical representations of propositional logic formulae which can be used to represent sets of states when the states are encoded as words of a fixed length. This representation has been efficiently implemented and has been successfully applied in for example hardware verification [30, 32, 75]. Although BDDs offer a compact representation of sets of states, they suffer from one important drawback. They only allow representation of finite sets. Consequently, they cannot be used in the analysis of infinite-state systems.

2.3 INFINITE-STATE SYSTEMS

Infinite-state systems arise naturally in at least two ways. First, a program may be infinite-state since it operates on unbounded data structures, e.g., integers, stacks, queues, etc. This is the case with timed automata, pushdown automata, communicating finite-state machines and counter machines. A program may also be infinite-state because it has an unbounded control structure. This is the case with Petri nets and parameterized systems, programs intended to run on a network with an arbitrary number of nodes. Examples of such programs are mutual exclusion protocols, cache coherence protocols and broadcast protocols.

Several highly nontrivial algorithms for verification of different classes of infinite-state systems such as timed automata [19, 20], hybrid automata [59], relational automata [33], Petri nets [66], parameterized systems [35, 86] and lossy channel systems [10, 14] have been developed. An observation is that many of these methods are based on finite partitioning [19, 33, 59]. The state space of the original system is divided into a finite set of partitions such that states belonging to the same partition are equivalent in the sense that transitions from them lead to equivalent states. In other words, states belonging to a partition are bisimulation equivalent. A typical approach is to represent sets of states using predicates which we will call constraints. An example of a constraint system which offers a finite partitioning of the state space is regions [19], which is used to represent clock values in verification of timed automata.

2.4 WELL-STRUCTURED TRANSITION SYSTEMS

Well-structured transition systems [7, 11, 51] are a generalization of finite partitioning where the set of states is equipped with a preorder instead of an equivalence relation. Furthermore, the preorder satisfies the following conditions:

(i) the transition system is monotonic with respect to the preorder, i.e., a transition from a larger state leads to a larger state. This means that we work with a simulation rather than a bisimulation (larger states simulate smaller states). If the preorder is taken to be an equivalence relation, then the simulation reduces to a bisimulation.

(ii) the preorder is a well quasi-ordering, which means that each infinite sequence contains an element which is larger than or equivalent to an earlier element in the sequence. If the preorder is taken to be an equivalence relation, then this condition amounts to finiteness of the number of equivalence classes.

This method has been used to explain several existing algorithms for verification of computation models such as real-time automata, Petri nets, relational automata, lossy channel systems etc. It has also been used to derive new verification algorithms and to show that a number of properties, including the following, are decidable for well-structured systems.

• Reachability: The question of whether a certain set of states is reachable. Several properties, e.g. safety properties and invariant properties, can be reduced to the reachability problem.

• Termination: The question of whether there is an infinite execution.

• Eventuality/Inevitability: The question of whether all executions will eventually reach a given set of states. Eventuality corresponds to the formula AFp in CTL.

• Simulation: The question of whether there is a simulation between a finite automaton and a well-structured system. The simulation problem is decidable in both directions.

A central part in the verification of well-structured systems is developing well quasi-ordered constraint systems, i.e., constraint systems where the constraints are well quasi-ordered under entailment. In [7, 11, 51], a method for constructing well quasi-ordered constraint systems is defined. The method is based on the fact that all finite domains are well quasi-ordered under equality, and that well quasi-orderings are closed under a basic set of operations including building finite trees, strings, vectors, multisets, sets, etc [61]. This means that well quasi-ordered constraint systems can be developed by starting from a set of constraints over finite domains, and then repeatedly generating new constraints by building more compound data structures.
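The two conditions on well-structured systems (monotonicity and the well quasi-ordering) and the well quasi-ordered constraint systems just described come together in the standard backward reachability procedure for such systems. The following is an added example, not code from the thesis, showing that procedure for unbounded Petri nets: markings are vectors of token counts ordered pointwise (a well quasi-ordering on N^k by Dickson's lemma), an upward-closed set of markings is the constraint represented by its finite antichain of minimal elements, entailment between two such constraints is pointwise ≤ on minimal elements, and the predecessor set of a constraint under one transition is again upward-closed with a single minimal element. The mutual exclusion net, its lock-free variant and the `initial_covers` predicate are all constructed here for illustration and quantify over the number of processes, so the result holds for every instance of the parameterized system.

```python
"""Backward reachability (coverability) for an unbounded Petri net, written as
an added illustration of the well-structured-systems method described above;
not code from the thesis.

A marking is a tuple of token counts, one per place. The ordering is
pointwise <=, which is a well quasi-ordering on N^k (Dickson's lemma), and
Petri nets are monotonic with respect to it: adding tokens never disables a
transition. An upward-closed set of markings (a "constraint") is represented
by the finite antichain of its minimal elements; one constraint is entailed by
another exactly when each of its minimal elements lies above some minimal
element of the other.
"""


def leq(a, b):
    """Pointwise ordering on markings: a <= b means b is in the upward closure of a."""
    return all(x <= y for x, y in zip(a, b))


def pre(transition, m):
    """Minimal marking of the predecessor set of up(m) under one transition.

    A transition is a pair (consumed, produced) of vectors. M can fire it and
    land on a marking >= m iff M >= consumed and M - consumed + produced >= m,
    i.e. M >= consumed + max(0, m - produced) pointwise. The pre-image of an
    upward-closed set is therefore upward-closed with a single minimal element.
    """
    consumed, produced = transition
    return tuple(c + max(0, x - p) for c, x, p in zip(consumed, m, produced))


def add_minimal(antichain, m):
    """Insert m unless it is already entailed; drop elements that m subsumes.

    Returns True iff m was new. Keeping only minimal elements keeps the
    constraint set small and, with the well quasi-ordering, guarantees that
    the iteration below terminates.
    """
    if any(leq(old, m) for old in antichain):
        return False
    antichain[:] = [old for old in antichain if not leq(m, old)]
    antichain.append(m)
    return True


def backward_reach(transitions, bad):
    """Minimal elements of the set of markings from which up(bad) is reachable.

    Worklist iteration: start from the bad constraints and keep adding
    pre-images until no new minimal marking appears.
    """
    antichain = [tuple(b) for b in bad]
    work = list(antichain)
    while work:
        m = work.pop()
        for t in transitions:
            n = pre(t, m)
            if add_minimal(antichain, n):
                work.append(n)
    return sorted(antichain)


def coverable(transitions, bad, initial_covers):
    """True iff some initial marking can reach up(bad).

    initial_covers(m) decides whether an initial marking >= m exists; for a
    parameterized system it quantifies over the parameter.
    """
    return any(initial_covers(m) for m in backward_reach(transitions, bad))


# Constructed example: a mutual exclusion protocol for an arbitrary number of
# processes. Places are (idle, crit, lock); initial markings are (n, 0, 1).
MUTEX = [
    ((1, 0, 1), (0, 1, 0)),  # enter: an idle process takes the lock
    ((0, 1, 0), (1, 0, 1)),  # exit: it returns the lock and becomes idle
]
# The same protocol with the lock removed (constructed, deliberately broken).
NO_LOCK = [
    ((1, 0, 0), (0, 1, 0)),
    ((0, 1, 0), (1, 0, 0)),
]
BAD = [(0, 2, 0)]  # two processes in the critical section at once


def initial_covers(m):
    """Is there an n with (n, 0, 1) >= m pointwise?"""
    return m[1] == 0 and m[2] <= 1


if __name__ == "__main__":
    print("mutex minimal predecessors:", backward_reach(MUTEX, BAD))
    print("mutex violates mutual exclusion:", coverable(MUTEX, BAD, initial_covers))
    print("no-lock violates mutual exclusion:", coverable(NO_LOCK, BAD, initial_covers))
```

For the locked net the fixpoint is the three minimal markings (0, 2, 0), (1, 1, 1) and (2, 0, 2), none of which lies below an initial marking (each needs either a token in crit or two lock tokens), so mutual exclusion holds for every number of processes. Without the lock the minimal marking (2, 0, 0) appears, which any initial marking with at least two idle processes covers, and the violation is reported. The constraint explosion discussed next is what happens when the antichain grows too large for such a fixpoint to be practical.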


2.5 CONSTRAINT EXPLOSIONMany constraint systems derived according to the above method, sufferfrom a constraint explosion problem, as the number of constraints gen-erated during analysis grows exponentially with the size of the problem.This problem is similar to the state explosion encountered in verificationof finite-state systems. In this thesis we contribute to combating con-straint explosion by developing constraint systems that are more com-pact than existing ones. We also combine symbolic methods with partialorder methods and present an unfolding algorithm for infinite-state Petrinets.

2.6 EXAMPLESIn the following we will give some examples of well-structured, infinite-state systems. The problems listed in Section 2.2 are decidable for all ofthese systems. Furthermore, they allow using the method from [7, 11, 51]to generate well quasi-ordered constraint systems although in many casesanalysis using these constraint systems is infeasible due to constraintexplosion.

Lossy Channel Systems

Lossy channel systems [10] consist of finite-state processes communicating over a set of unbounded FIFO buffers, or channels, which are unreliable in the sense that they can non-deterministically lose messages. A state of a lossy channel system defines the local state of the processes and the contents of the channels, which are described as words over a finite alphabet. The state space of a lossy channel system is infinite due to the unboundedness of the channels.

Lossy channel systems can model many interesting systems, e.g. link layer protocols such as the Alternating Bit Protocol and HDLC. These protocols and others are designed to operate correctly even in the case that the FIFO channels are faulty and may lose messages. An interesting fact is that all non-trivial verification problems are undecidable for systems with unbounded perfect FIFO channels.

Decidability of reachability for lossy channel systems was shown by Abdulla and Jonsson in [8]. The result was one of the first examples of decidability of reachability for a class of systems that do not allow finite partitioning of the state space. The general model checking problem for propositional temporal logics such as PTL and CTL (when interpreted over lossy channel systems), as well as eventuality properties under different types of fairness conditions on the channels, are undecidable [9].

For lossy channel systems, backward analysis is feasible while forward analysis is not [10, 73]. Nevertheless, forward analysis is still practically very attractive from the point of view of model checking [1, 2, 52]. It turns out that it is possible to design semi-algorithms for forward analysis which terminate on almost all interesting examples [4, 21, 22]. In [3, 4] simple regular expressions (SREs) representing downward closed sets of words are used for characterizing sets of states of lossy channel systems in forward analysis.

A constraint system for symbolic verification of lossy channel systems was presented in [10]. The constraint system is well quasi-ordered and can be constructed using the methodology described above. The constraints represent upward closed sets of states and can for example be used for verifying safety properties. In practice, reachability analysis with this constraint system is not feasible due to constraint explosion. In [13, 15], partial order reductions were used to reduce this problem.

Timed Automata

One of the most successful formalisms for describing time-constrained systems is that of timed automata [18, 19, 60]. Timed automata are an extension of finite-state automata where each automaton operates on a finite set of real-valued clocks which proceed synchronously, i.e., at the same rate. The arcs of a timed automaton may be labelled with clock constraints testing the values of the clocks and reset sets, i.e., sets of clocks whose values will be set to zero. A state of a timed automaton is of the form (s, v) where s is a control state and v is a mapping from clocks to non-negative real numbers, i.e., clock values.

Timed automata are infinite-state systems because of the real-valued clocks, but it is possible to partition the state space into a finite set of regions [19]. States belonging to the same region are bisimulation equivalent, that is, transitions from them lead to (new) equivalent states. The finite partitioning, usually called region construction, is based on the following observations: (i) The actual value of clocks whose values are greater than the maximum integer occurring in the clock constraints is irrelevant. (ii) The fractional part of the clock values is irrelevant (if they are not equal to 0). (iii) The ordering of the fractional parts is relevant since it determines the order in which the integral part of the clock values will increase when time passes.

Even though regions offer a finite partitioning of the state space, they are not feasible in practice for most systems since the number of regions grows exponentially with the number of clocks in the system. A constraint system which has been more successful is that of zones. Each zone corresponds to the disjunction of a (sometimes large) number of regions. Zones are used in tools such as Uppaal [69] and Kronos [98] which have been used to verify actual real-time systems such as Philips Audio Protocol [25] and Bang & Olufsen Audio/Video Protocol [57].

In the literature, constraint systems that are even more compact than zones have been presented. Clock Difference Diagrams (CDDs) [24] and Difference Decision Diagrams (DDDs) [82] are such systems where each CDD/DDD corresponds to the disjunction of a number of zones.

Parameterized Systems

Parameterized systems [53] arise in the verification of systems consisting of an arbitrary number of identical components, sometimes together with a global controller. Examples of such systems are mutual exclusion protocols, cache coherence protocols, broadcast protocols, etc. For instance, a property that should be satisfied by a mutual exclusion protocol is that no two processes should be at their critical sections simultaneously. This property should hold regardless of the number of processes inside the system. Parameterized systems are infinite-state due to an infinite control structure, as opposed to systems that are infinite-state because they operate on data with infinite domains. Several constraint systems have been applied for verification of parameterized systems. The constraint systems fall into two classes, minimal condition constraints and regular expressions (regular model checking).

Minimal condition constraints state a minimal number of conditions to be satisfied by a system state. A typical example of such a constraint is: "at least two processes of the system are in their critical sections". Minimal condition constraints arise naturally when modelling parameterized systems, and are amenable to analysis using the methods described in [7, 11, 51]. This framework has also been applied to design verification algorithms for systems with an unbounded number of real-valued clocks such as networks of timed processes [12] and timed Petri nets [16]. These systems are infinite-state both due to the unbounded control structure and due to the fact that they operate on data with infinite domains.

Regular model checking [5, 28, 65] is a unifying framework for algorithmic verification of infinite-state systems with, e.g., queues, stacks, integers, or a parameterized topology. States are represented by strings over a finite alphabet and the transitions are represented by a regular length-preserving relation on strings.

Petri Nets

Petri nets are a modelling formalism widely used to model communication in concurrent systems. A Petri net is a directed graph consisting of two types of nodes, places and transitions. Each arc in the net connects a place and a transition. A state of a net is called a marking and it assigns a number of tokens to each place in the net. Petri nets are also well suited for modelling and analysing parameterized systems.

In 1968, Karp and Miller published what is probably the most well-known algorithm for verifying Petri nets [66]. The algorithm consists of constructing a KM-tree, which is a representation of the set of reachable markings. Petri nets can also be analysed in the framework of [7, 11, 51], but both of these representations suffer from constraint explosion.

Partial order methods have been successfully applied to reduce constraint explosion in the analysis of Petri nets, both partial order reductions using different independency criteria [55, 85, 94] and, for n-safe Petri nets, unfolding techniques [76, 49]. Unfoldings have been used for deadlock detection [58, 76, 78], checking submarking reachability [58] and LTL model checking [45], but only for n-safe Petri nets.

2.7 CONTRIBUTION

The aim of the work behind this thesis is to decrease the impact of constraint explosion in the analysis of well-structured systems (Section 3.3). This is done either by reducing the number of constraints that need to be analysed (partial order methods) or by producing constraint systems that are more compact in the sense that the number of states represented by a single constraint is increased.

The unfolding technique is a partial order method which has previously been applied only to finite-state systems (Section 2.1). In this thesis we show how the unfolding technique can be combined with symbolic methods and then be used in the context of infinite-state systems. More precisely, we present an unfolding algorithm for symbolic verification of unbounded Petri nets. To our knowledge, this is the first time that the unfolding technique has been applied to infinite-state systems. We have implemented a prototype based on our unfolding technique and compared it to an implementation which does not use partial order methods. Our comparison shows that the unfolding technique offers savings in both time and space.

We also present a new framework for developing well quasi-ordered constraint systems which allows development of constraint systems that are more compact than the ones developed in the framework of [7, 11, 51]. We suggest ordering state spaces by a stronger relation than well quasi-ordering, namely that of better quasi-ordering [80, 88]. We also present a methodology to develop better quasi-ordered constraint systems which can be used together with existing algorithms designed for well quasi-ordered constraints. We consider timed Petri nets (Chapter 6) and introduce a new constraint system called existential zones for verification of systems with an unbounded number of clocks. To demonstrate practical feasibility of existential zones, we have implemented a prototype for verifying safety properties for timed Petri nets. We have used our prototype to verify a parameterized version of a mutual exclusion protocol, Fischer's protocol. Using existing, less compact well quasi-ordered constraint systems, verifying this version of the protocol is not possible.

We also describe a formalism for performing forward analysis. We use downward closed languages as symbolic representation for sets of states. We introduce downward closed language generators (dlgs), which characterize downward closed sets of words over a (potentially) infinite alphabet. Furthermore, we generalize our theory in two directions. We consider other data structures than words and study languages which are sets of multisets, sets, vectors, etc. Such languages arise in the analysis of infinite-state systems (see [37, 44, 7, 17] for some examples). We also present a methodology for defining downward closed languages over complex data structures in a hierarchical manner. We use the hierarchical definition to derive a novel formalism for representing downward closed sets of markings in timed Petri nets. We have implemented a prototype based on our representation for timed Petri nets and used it to verify an invariant of Fischer's protocol.


Chapter 3

Fundamentals

In this chapter, we will introduce basic concepts such as transition systems, well quasi-ordering and reachability, which will be used throughout the rest of this work.

3.1 NOTATION

We let N, Z and R≥0 denote the set of natural numbers, integers and non-negative reals respectively. Given a set A, we let P(A) be the powerset of A.

3.2 QUASI-ORDERINGS

A quasi-ordering is a pair (A, ⪯) where ⪯ is a reflexive and transitive binary relation on a set A. A quasi-ordering is said to be a well quasi-ordering if for any infinite sequence a0, a1, a2, . . . of elements of A, there are i and j with i < j and ai ⪯ aj. The definition implies that there is no infinite strictly decreasing sequence of elements of A.

Example 3.1. Examples of well quasi-orderings are ({a, b}, =), i.e., a finite set {a, b} where the order is taken to be equality, and (N, ≤), i.e., the set of natural numbers ordered by the relation ≤.

Given a quasi-ordering (A, ⪯), we say that a set B ⊆ A is upward closed if a ∈ B and a ⪯ b imply b ∈ B. We let min(B) be the set of minimal elements in B, i.e., the set {a | a ∈ B and ∄a′ ∈ B . a′ ⪯ a}. If (A, ⪯) is a well quasi-ordering we know that min(B) is finite. Notice that if B is upward closed, then B is completely characterized by its minimal elements. The upward closure a↑ of an element a ∈ A is the set {b | a ⪯ b}. Downward closed sets and the downward closure a↓ are defined in a similar manner.

We use A* (A^ω) to denote the set of finite (infinite) strings over A. For a string w we let w(i) be the ith element of w. Given a quasi-ordering (A, ⪯) we define a new quasi-ordering (A*, ⪯*) such that a1 • ··· • am ⪯* b1 • ··· • bn if and only if there is an injection h : {1, . . . , m} → {1, . . . , n} such that ai ⪯ bh(i) for each i ∈ {1, . . . , m} and h is strictly monotone, meaning that h(i) < h(j) if and only if i < j.

Example 3.2. For example, given the quasi-ordering ({a, b, c}, =) we have that a • b • a =* a • c • b • b • a but a • b • a ≠* a • a • b • b • c.

A quasi-ordering (A^M, ⪯^M) on the set of multisets over A can be defined in a similar manner. Note that for multisets, the injection h is not necessarily monotone. For infinite strings we define the quasi-ordering (A^ω, ⪯^ω) where w1 ⪯^ω w2 if and only if there is a strictly monotone injection h : N → N where w1(i) ⪯ w2(h(i)) for each i ∈ N.
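The two embeddings just defined, as an added Python example (not code from the thesis): string_embeds decides w1 ⪯* w2 by finding the strictly monotone injection h greedily, and multiset_embeds decides M1 ⪯^M M2, where h need not be monotone, by a small backtracking search. The base quasi-ordering ⪯ is passed in as a function; the inputs are Example 3.2 over ({a, b, c}, =) and constructed instances over (N, ≤).

```python
from typing import Callable, Hashable, Iterable

# A quasi-ordering on the base set A, given as a function deciding a ⪯ b.
Rel = Callable[[Hashable, Hashable], bool]


def string_embeds(w1: Iterable[Hashable], w2: Iterable[Hashable], leq: Rel) -> bool:
    """Decide w1 ⪯* w2 (Section 3.2): is there a strictly monotone injection h
    with w1(i) ⪯ w2(h(i)) for every position i of w1?
    Greedy leftmost matching is complete: if any embedding exists, matching each
    symbol of w1 to the earliest still-unused compatible symbol of w2 also succeeds."""
    w2 = list(w2)
    j = 0
    for a in w1:
        while j < len(w2) and not leq(a, w2[j]):
            j += 1
        if j == len(w2):
            return False          # a cannot be placed after the previous match
        j += 1                    # h is strictly monotone: move past the match
    return True


def multiset_embeds(m1: Iterable[Hashable], m2: Iterable[Hashable], leq: Rel) -> bool:
    """Decide M1 ⪯^M M2 (Section 3.2): an injection h from the elements of M1 to the
    elements of M2 with a ⪯ h(a), where h need not be monotone. Without the order
    constraint this is a bipartite matching problem; a backtracking search is enough
    for the small multisets used here (a greedy choice can fail, see the last case)."""
    left = list(m1)
    right = list(m2)
    used = [False] * len(right)

    def place(i: int) -> bool:
        if i == len(left):
            return True
        for k, b in enumerate(right):
            if not used[k] and leq(left[i], b):
                used[k] = True
                if place(i + 1):
                    return True
                used[k] = False   # undo this choice and try the next candidate
        return False

    return place(0)


# Constructed base orderings: equality (Example 3.2) and the usual ≤ on N.
EQ: Rel = lambda x, y: x == y
LE: Rel = lambda x, y: x <= y

if __name__ == "__main__":
    print(string_embeds("aba", "acbba", EQ))      # True
    print(string_embeds("aba", "aabbc", EQ))      # False
    print(multiset_embeds("aba", "aabbc", EQ))    # True: no monotonicity for multisets
    print(multiset_embeds([2, 3], [3, 2], LE))    # True, although greedy would match 2 to 3 first
```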

3.3 TRANSITION SYSTEMS

A transition system is a tuple (S, −→) where S is a potentially infinite set of states and −→ is a transition relation. We use −→* to denote the transitive closure of −→. A state s2 is said to be reachable from a state s1 if s1 −→* s2. Assume that the set S of states is equipped with a quasi-ordering ⪯. We say that the transition system is monotonic with respect to ⪯ if for each s1, s′1, s2 ∈ S such that s1 ⪯ s′1 and s1 −→ s2 there is a state s′2 such that s2 ⪯ s′2 and s′1 −→ s′2.

A transition system is said to be a well-structured transition system [7, 11, 51] if the set S of states is equipped with a well quasi-ordering ⪯ and the transition system is monotonic with respect to ⪯. The well quasi-ordering can be used to ensure termination of several algorithmic analysis methods, and it has been shown that a number of properties, e.g. reachability, termination, eventuality and simulation, are decidable for well-structured systems (see Section 2.4). Examples of well-structured transition systems are Petri nets, timed Petri nets, lossy channel systems, broadcast protocols and integral relational automata.

3.4 REACHABILITY

The state reachability problem, i.e., the question of whether a state s2 is reachable from a state s1, is not decidable for well-structured systems in general. It is e.g. not decidable for timed Petri nets [91]. However, it is decidable whether an upward closed set of states is reachable. More precisely, it is decidable whether an upward closed set of states contains a reachable state.

In this work we will consider the reachability problem defined asfollows.

Instance: A transition system (S, −→), an initial state sinit ∈ S and an upward closed set of final states Sfin ⊆ S.

Question: Is there a state sfin ∈ Sfin which is reachable from sinit, i.e., where sinit −→* sfin?

The states in Sfin are usually bad states that we do not want to occur during an execution. Using standard techniques [55, 96], we can reduce several classes of safety properties to the reachability problem.

3.5 WELL QUASI-ORDERED CONSTRAINT SYSTEMS

When performing reachability analysis, we will use symbolic analysis methods. This means that the analysis will be performed on sets of states rather than on individual states. Recall that we are working with well-structured systems, i.e., that the set S of states is equipped with a well quasi-ordering ⪯. We will use constraints to represent sets of states that are upward closed with respect to ⪯. Each constraint φ characterizes a potentially infinite set [[φ]] of states. From the upward closedness of [[φ]] and the well quasi-ordering ⪯, it follows that [[φ]] can be completely characterized by a finite set of states, min([[φ]]).

Let Φ = {φ1, . . . , φn} be a finite set of constraints. We sometimes write the disjunction φ1 ∨ ··· ∨ φn as ∨Φ. The denotation [[∨Φ]] of a disjunction of a set of constraints is the union of the denotations of its elements. In other words, [[∨Φ]] = [[φ1]] ∪ ··· ∪ [[φn]]. We usually write [[Φ]] instead of [[∨Φ]] to increase readability.

We define an entailment relation ⊑ on constraints such that φ1 ⊑ φ2 if and only if [[φ2]] ⊆ [[φ1]]. Intuitively, φ1 ⊑ φ2 means that φ2 is a stronger constraint than φ1, or that φ1 subsumes φ2. We also define a relation ⊑ on sets of constraints such that Φ1 ⊑ Φ2 if and only if ∀φ2 ∈ Φ2 : ∃φ1 ∈ Φ1 : φ1 ⊑ φ2. Note that Φ1 ⊑ Φ2 implies that [[Φ2]] ⊆ [[Φ1]].

Since constraints represent sets of states that are upward closed with respect to a well quasi-ordering ⪯, it follows that the entailment relation ⊑ is also a well quasi-ordering. We say that the constraint system is a well quasi-ordered constraint system. A method for generating well quasi-ordered constraint systems is described in [7, 11, 51]. It is based on the following two properties of well quasi-orderings.

1. If A is a finite set, then (A, =) is a well quasi-ordering.

2. If (A, ⪯) is a well quasi-ordering, then (A*, ⪯*) and (A^M, ⪯^M) are also well quasi-orderings [61].

New well quasi-ordered constraint systems can be developed by starting from a set of constraints over finite domains. These are well quasi-ordered by the first property. The second property states that well quasi-orderings are closed under building finite strings and multisets. This means that new constraints can be generated by repeatedly applying these operations to build more compound data structures. In fact, it follows that well quasi-orderings are also closed under building finite trees, vectors, sets, etc.

3.6 BACKWARD REACHABILITY ALGORITHM

For reachability analysis, we sometimes use a general algorithm for symbolic reachability analysis from [7, 11]. The algorithm performs a backward reachability analysis where a key ingredient is computing the pre-image of a constraint. That is, given a constraint φ, we compute a finite set of constraints Pre(φ) characterizing the set {s | ∃s′ ∈ [[φ]] . s −→ s′} of states from which a state in [[φ]] is reachable through a single transition. Note that upward closedness of [[φ]] implies that the set of states from which [[φ]] is reachable is also upward closed, since the transition system is monotonic.

Given a constraint φfin characterizing the set Sfin of bad states, the reachability algorithm computes a set of constraints characterizing the states from which [[φfin]] can be reached in at most i steps, for successively larger i. More precisely, we compute the sequence Φ0, Φ1, Φ2, . . . where Φi characterizes the states from which [[φfin]] can be reached in i steps or less. This means that Φ0 = {φfin} and Φi+1 = Φi ∪ Pre(Φi). Note that the sequence is increasing, i.e., Φ0 ⊆ Φ1 ⊆ ···. This also means that [[Φ0]] ⊆ [[Φ1]] ⊆ ···. If we reach a point j where Φj ⊑ Φj+1, and hence [[Φj]] ⊇ [[Φj+1]], we have reached a fixpoint and the procedure can be terminated. In such a case Φj characterizes the set of all states from which Sfin is reachable. Consequently, the reachability of Sfin from sinit is equivalent to whether sinit ∈ [[Φj]].

We observe that we need the following four properties of the constraint system in order to be able to implement the backward reachability algorithm.

1. Computability of the membership relation. We need this property to check whether the initial state satisfies the fixpoint.

2. Computability of the entailment relation between constraints.This property is needed to check the termination condition.

3. Computability of the function Pre on constraints. We need this property to derive each element of the sequence from the previous one.

4. Termination. We need to be able to guarantee that the algorithmwill always terminate.


Recall that the set of states characterized by a constraint can also be characterized by a finite set of states. This means that checking membership and entailment can be reduced to the problem of checking the relation ⪯ on states. The fourth property is the least obvious one. However, the following lemma shows that the algorithm is guaranteed to terminate exactly in the case where the set of constraints is well quasi-ordered (see Section 3.2) under the entailment relation, i.e., when the constraint system is well quasi-ordered.

Lemma 3.1 ([7]). A constraint system is well quasi-ordered if and only if for each infinite (⊆-increasing) sequence Φ0 ⊆ Φ1 ⊆ Φ2 ⊆ ··· of sets of constraints, there is an i where Φj ⊑ Φj+1 for all j ≥ i.

Proof. Assume that we have a well quasi-ordered constraint system and an infinite sequence Φ0 ⊂ Φ1 ⊂ Φ2 ⊂ ··· of sets of constraints where there is no i such that Φi ⊑ Φi+1. It follows that there is a sequence φ0, φ1, φ2, . . . such that for all j ≥ 0 we have that φj ∈ Φj and there is no constraint φi ∈ Φi with i < j and φi ⊑ φj. In other words, we have an infinite sequence of constraints where there are no i and j with i < j and φi ⊑ φj. This is a contradiction since it violates the well quasi-ordering assumption.


Chapter 4

Petri Nets

Petri nets are graphical and mathematical modelling tools. They are based on a theory of communication between asynchronous components of a computer system. The theory was part of the seminal work of Carl Adam Petri [87].

A net is a directed graph with two types of nodes, places and transitions. Each arc of a net connects a place and a transition. Input arcs start in places and end in transitions, and output arcs go from transitions to places. Tokens reside in the places of the net. The state of the modelled system is called a marking and is given by the number of tokens in each place. The state can be changed by firing transitions. When a transition is fired, tokens are removed from input places and added to output places. Addition and removal of tokens is guided by the flow relation, which is a description of the arcs of the Petri net.

Petri nets are used to model systems that are concurrent, asynchronous, distributed, parallel, nondeterministic, etc. The graphical representation of Petri nets can be used as a visual communication aid similar to flow charts and block diagrams. Tokens can be used to simulate the dynamic and concurrent behaviour of systems. At the same time, it is possible to set up mathematical models describing the behaviour of systems which can be formally analysed.

4.1 MULTISETS

Our Petri net formalism is based on multisets, an extension of sets. A multiset M over a set A is a mapping from A to N such that for an element a ∈ A, M(a) is the number of occurrences of a in M. We sometimes write multisets as lists, so e.g. M = (a, a, b) means that M(a) = 2, M(b) = 1 and M(x) = 0 for x ∉ {a, b}. We also sometimes write M as (a^2, b).

A^M is used to denote the set of multisets over A. We define an ordering on multisets such that given two multisets M1 and M2 we have that M1 ≤ M2 if M1(a) ≤ M2(a) for each a ∈ A. We also define the addition M1 + M2 to be the multiset M where M(a) = M1(a) + M2(a) and, assuming M2 ≤ M1, the subtraction M1 − M2 is the multiset M where M(a) = M1(a) − M2(a) for each a ∈ A. Otherwise, M1 − M2 is undefined. We use ∅ to denote the empty multiset, i.e., ∅(a) = 0 for each a ∈ A.

4.2 PETRI NETS

Formally, a Petri net is a triple (P, T, F) where P is a finite set of places, T is a finite set of transitions and F ⊆ (P × T) ∪ (T × P) is the flow relation. By a node we mean a place or a transition. The preset •x of a node x is the set of nodes that are connected to x by an arc directed towards x. More precisely, •x is the set {y | (y, x) ∈ F}. Similarly we define the postset x• to be the set {y | (x, y) ∈ F}. Note that the preset (postset) of a transition is a set of places and vice versa.

A state of a net is a multiset over P called a marking. Intuitively, a marking assigns a number of tokens to each place in the net. We say that a transition t is enabled, i.e., it may be fired, in a marking M if •t ≤ M, which means that the tokens needed as input when firing the transition are present in the marking. When the transition is fired, input tokens are removed from the places in •t and output tokens are added to the places in t•. A Petri net induces a transition system (M, −→) where M is the set of markings and −→ is a transition relation on M that captures the behaviour of the net. We say that M1 −→ M2 if there is a transition t ∈ T that is enabled in M1 and M2 = M1 − •t + t•. We let −→* denote the reflexive transitive closure of −→.

Example 4.1. Figure 4.1 shows a Petri net consisting of three places, p1, p2 and p3, and three transitions, t1, t2 and t3. The preset of the node p1, •p1, is the set {t2, t3} of transitions and the postset t1• is the set {p2, p3}. Consider the marking M = (p1) with one token in p1 and no token in the other places. We see that transition t1 is enabled in M. If we fire transition t1 we get a new marking M′ = (p2, p3) where the token in p1 has been removed and a new token has been added to each of the places p2 and p3.

The set of markings is well quasi-ordered under the relation ≤. Furthermore, the transition relation is monotonic with respect to ≤. Consequently (M, −→, ≤) is a well-structured transition system.

4.3 COVERABILITY

Applying the definition of reachability of upward closed sets of states from Section 3.4 to Petri nets, we get that an upward closed set M′ of markings is reachable from a marking M1 if there is a state M′2 ∈ M′ such that M′2 is reachable from M1. If the upward closed set M′ is taken to be the upward closure of a marking M2, we get that it is decidable whether there is a marking M′2 such that M2 ≤ M′2 and M′2 is reachable from M1, that is M1 −→* M′2. In the analysis of Petri nets this problem is usually called the coverability problem. We say that the marking M2 is coverable from the marking M1.

Figure 4.1: A small Petri net (places p1, p2, p3; transitions t1, t2, t3).

A net system is a tuple N = (P, T, F, Minit, Mfin), where (P, T, F) is a net and Minit, Mfin are markings, called the initial and the final marking of N respectively. We define the coverability problem as follows.

Instance: A net system (P, T, F, Minit, Mfin).

Question: Is Mfin coverable from Minit?

Example 4.2. Consider the Petri net in Figure 4.1. Let Minit = (p1) and Mfin = (p2). We find that Mfin is coverable from Minit since Minit −→* (p1, p2) (see Example 4.1) and (p1, p2) ≥ Mfin.

4.4 PARAMETERIZED SYSTEMS

Parameterized systems (see Section 2.6) are systems consisting of an arbitrary number of identical components. Petri nets allow for easy modelling of such systems by constructing a net representing the control structure of one component and then placing a token per component in this net. This means that the net does not grow as the number of components in the system increases. It is only the number of tokens in the net that is affected. Figure 4.2 shows a system consisting of 3 components and a Petri net of the system where 3 tokens correspond to the 3 components.


Figure 4.2: A system consisting of three processes and a Petri net model of the system.

4.5 A CONSTRAINT SYSTEM

We will present a constraint system for verification of Petri nets and use the framework described in Section 3.5 to show that the constraint system is well quasi-ordered. We want constraints that characterize sets of markings that are upward closed with respect to ≤; such sets can be represented by their minimal elements. As markings are well quasi-ordered under ≤, we know that the set of minimal elements is finite. We take our constraints to be minimal elements, or markings. More precisely, a constraint is a marking M and characterizes the set M↑, i.e., the upward closure of M.

Recall that a marking is a multiset over a finite set P of places. Following the method from Section 3.5 we can construct our constraints in two steps. We start with constraints over P ordered by =. This is a well quasi-ordering since P is a finite set. The next step is to build multisets over P. Since well quasi-orderings are closed under building multisets, the resulting constraint system is well quasi-ordered.
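The backward reachability algorithm of Section 3.6 instantiated with the constraint system of this section (constraints are minimal markings, Pre is computed per transition, termination is the entailment check Φj ⊑ Φj+1), written here as an added Python example; it is not the thesis's prototype. The arcs of t1 follow Example 4.1, while the arcs of t2 and t3 (each consuming one token from p2 respectively p3 and producing one in p1) are an assumption chosen to be consistent with •p1 = {t2, t3}.

```python
from collections import Counter
from typing import Dict, Iterable, List

# A marking is a multiset over the places (Section 4.1); a Counter maps place -> tokens.
Marking = Counter

# Net structure for Figure 4.1. Only the arcs of t1 are stated on the page
# (•t1 = {p1}, t1• = {p2, p3}, •p1 = {t2, t3}); the arcs of t2 and t3 are a
# constructed assumption consistent with those facts.
PRE: Dict[str, Marking] = {   # •t : input places of each transition
    "t1": Counter({"p1": 1}),
    "t2": Counter({"p2": 1}),
    "t3": Counter({"p3": 1}),
}
POST: Dict[str, Marking] = {  # t• : output places of each transition
    "t1": Counter({"p2": 1, "p3": 1}),
    "t2": Counter({"p1": 1}),
    "t3": Counter({"p1": 1}),
}


def marking(places: Iterable[str]) -> Marking:
    """Build a marking from the list notation of Section 4.1, e.g. ["p1", "p2"] for (p1, p2)."""
    return Counter(places)


def leq(m1: Marking, m2: Marking) -> bool:
    """Multiset ordering of Section 4.1: M1 <= M2 iff M1(p) <= M2(p) for every place p."""
    return all(m1[p] <= m2[p] for p in m1)


def fire(m: Marking, t: str) -> Marking:
    """Firing rule of Section 4.2: t is enabled iff •t <= M, and then M' = M - •t + t•."""
    if not leq(PRE[t], m):
        raise ValueError(f"{t} is not enabled")
    return m - PRE[t] + POST[t]


def pre_transition(phi: Marking, t: str) -> Marking:
    """Minimal marking M' such that t is enabled in M' and M' - •t + t• >= phi, i.e. the
    minimal element of the t-predecessors of the upward closed set phi↑. Tokens produced
    by t• are credited against phi; the rest must already be present, plus •t itself."""
    m: Marking = Counter()
    for p in set(phi) | set(PRE[t]):
        m[p] = max(0, phi[p] - POST[t][p]) + PRE[t][p]
    return +m                           # drop places with zero tokens


def pre(phi: Marking) -> List[Marking]:
    """Pre(phi) of Section 3.6: one minimal marking per transition of the net."""
    return [pre_transition(phi, t) for t in PRE]


def entailed(phis: List[Marking], c: Marking) -> bool:
    """Φ ⊑ {c}: some constraint in Φ subsumes c, i.e. its minimal marking is <= c."""
    return any(leq(psi, c) for psi in phis)


def backward_basis(m_fin: Iterable[str]) -> List[Marking]:
    """Fixpoint Φj of Section 3.6 as a set of minimal markings. A new constraint is kept
    only if nothing already present subsumes it, and constraints it subsumes are dropped.
    Every kept constraint is incomparable-or-smaller than all earlier ones, so the well
    quasi-ordering of markings guarantees that the loop terminates."""
    phis = [marking(m_fin)]
    changed = True
    while changed:
        changed = False
        for phi in list(phis):
            for c in pre(phi):
                if not entailed(phis, c):
                    phis = [psi for psi in phis if not leq(c, psi)] + [c]
                    changed = True
    return phis


def coverable(m_init: Iterable[str], m_fin: Iterable[str]) -> bool:
    """Coverability problem of Section 4.3. Membership test of Section 3.6:
    M_init ∈ [[Φj]] iff some minimal marking of the fixpoint is <= M_init."""
    init = marking(m_init)
    return any(leq(phi, init) for phi in backward_basis(m_fin))


if __name__ == "__main__":
    print(dict(fire(marking(["p1"]), "t1")))   # Example 4.1: {'p2': 1, 'p3': 1}
    print(coverable(["p1"], ["p2"]))           # Example 4.2: True
    print(coverable([], ["p1"]))               # nothing is enabled in the empty marking: False
```

The fixpoint for Mfin = (p2) under the assumed arcs is the basis {(p2), (p1), (p3)}: a single token anywhere suffices to cover (p2), which is the compact answer the constraint system gives without enumerating the unbounded set of reachable markings.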


Chapter 5

Unfoldings

A limiting factor in model checking is the state explosion problem, which occurs as the number of states grows exponentially with the number of components in a system. One approach to solving this problem is based on the observation that not all interleavings of concurrent actions need to be explored during model checking. In fact, considering all interleavings greatly contributes to the state explosion problem. Methods based on this observation are called partial order methods. Several partial order methods have been proposed, e.g. stubborn sets [94], persistent sets [55] or ample sets [85].

A method that has drawn considerable attention recently is that ofunfoldings [84]. Unfoldings are occurrence nets, unrollings of Petri netsthat preserve their semantics. Although unfoldings are usually infinite,it is observed in [76] that we can always construct a finite initial prefixof the unfolding that captures its entire behaviour, and which in manycases is much smaller than the state space of the system. In [49] theprefix algorithm was improved by a new termination condition whichreduces the size of prefixes. Unfoldings have been applied to n-safe(i.e., finite-state) Petri nets, and more recently to other classes of finite-state systems such as synchronous products of finite transition systems[68, 46].

In this chapter we will show how the unfolding technique can be made to work in the context of infinite-state systems. More precisely, we present an unfolding algorithm for symbolic verification of unbounded Petri nets. We adapt the algorithm described in Section 3.6 for backward reachability analysis, which can be used to verify general classes of safety properties. Instead of working on individual markings (as is the case with the previous approaches [76, 47, 46, 68]) we let our unfolding algorithm operate on constraints each of which may represent an (infinite) upward closed set of markings. We start from a constraint describing a set of “final” markings, typically undesirable configurations which we do not wish to occur during the execution of the net. From the set of final markings we unroll the net backwards, generating a Reverse Occurrence Net (RON). In order to achieve termination we present an algorithm to compute a postfix of the RON, which gives a complete characterization of the set of markings from which we can reach a final marking. Using concepts from the theory of well quasi-orderings we show that the postfix is always finite. In fact, our method offers the same advantages over the algorithm in Section 3.6 as those offered by the algorithms of [47, 76] in the context of finite-state systems.

Given that net unfoldings represent the state space in a distributed, implicit manner, the verification process is a two step process: generation of the unfolding and reasoning about the unfolding. This contrasts with traditional approaches where the verification problem is solved in a single step. In his seminal work McMillan [75] showed that deadlock detection on a complete prefix of a 1-safe Petri net is NP-complete. Since the deadlock problem on Petri nets is PSPACE-hard it is generally expected that the two step process will yield savings (in time and space) provided the unfoldings are small.

We show how to reason with unfoldings of unbounded Petri nets by reducing the problem of deciding whether a final marking is coverable from some initial marking to satisfiability of a propositional formula. We have implemented the two step process, that is, the generation of a postfix and the use of Prover, a satisfiability checker based on the Stålmarck Method [93], to verify safety properties for a number of examples. We offer an end-to-end comparison of the time and space required for the coverability problem. The comparison pits on one hand a combination of the unfolding construction and the use of Prover for reasoning and on the other a backward reachability algorithm, which considers all interleavings. Our experiments lead us to conclude that the space and time required for reasoning based on unfoldings is significantly less than the space and time required for reasoning based on consideration of all interleavings.

5.1 COVERABILITY

Let N be the set of natural numbers. For a, b ∈ N, we define a ⊖ b to be equal to a − b if a ≥ b and equal to 0 otherwise. For multisets, we define M1 ⊖ M2 to be M1 − M2 if M1 ≥ M2 and ∅ otherwise.

We are interested in solving the coverability problem as defined in Chapter 4. To do so, we perform a backward reachability analysis. We define a backward transition relation [6] such that for markings M1 and M2 and a transition t, we have M2 ⇝t M1 if M1 = (M2 ⊖ t•) + •t. We let ⇝ be the union ⋃_{t∈T} ⇝t and let M ⇝^k M′ denote that M′ can be reached from M by k steps of ⇝, that is, M = M0 ⇝ M1 ⇝ · · · ⇝ Mk = M′ for markings M0, . . . , Mk. We define ⇝^* to be the reflexive transitive closure of ⇝. Observe that for each marking M2 and transition t there is a marking M1 with M2 ⇝t M1. In other words, transitions are always enabled with respect to ⇝.

Example 5.1. Consider the Petri net in Figure 4.1 and the marking Mfin = (p2). We have that Mfin ⇝t1 (p1) and Mfin ⇝t2 (p2, p2).

The following lemma relates the forward and backward transitionrelations.

Lemma 5.1.

1. If M1 −→ M2 and M′2 ≤ M2 then there is M′1 ≤ M1 such that M′2 ⇝ M′1.

2. If M2 ⇝ M1 and M′1 ≥ M1 then there is M′2 such that M′2 ≥ M2 and M′1 −→ M′2.

5.2 REVERSE OCCURRENCE NETS

A Reverse Occurrence Net (RON) corresponds to “unrolling” a Petri net backwards. In fact, a RON is also a Petri net where the places are called conditions and the transitions are called events. Formally, a RON R is a net (C, E, F) where C is the set of conditions, E is the set of events and F is the flow relation. Furthermore, R satisfies the following three conditions:

(i) |c•| ≤ 1 for each c ∈ C.

(ii) there is no infinite sequence of the form c1Fe1Fc2F · · · . This con-dition implies that there are no cycles in the RON, and that thereis a set max(F) of nodes that are maximal with respect to F.

(iii) max(F) ⊆ C.

A set E of events of the RON is considered to be a configuration if e ∈ E and e F* e′ implies e′ ∈ E.

Remark. In [76, 47], a configuration E is upward closed in the sensethat if an event e belongs to E then all events above e (with respect toF) also belong to E. In our case, configurations are downward closed.Furthermore, in [76, 47], configurations are required to be conflict free,that is, for all events e1, e2 ∈ E we have •e1 ∩ •e2 = ∅. Notice that thisproperty is always satisfied by our configurations, since we demand that|c•| ≤ 1 for each condition.

Figure 5.1: An unfolding of the net in Figure 4.1 (figure not reproduced; its events e1, e2, e3, e4 carry labels from t1, t2, t3 and its conditions carry labels from p1, p2, p3)

Consider a net system N = (P, T, F,Minit ,Mfin) and a RON(C,E,F). We let each node in the RON be labelled by a node in the netsystem. More precisely, we define a labelling function µ : C ∪ E → P ∪ Tsuch that µ(c) ∈ P if c ∈ C and µ(e) ∈ T if e ∈ E. For a set C ⊆ Cof conditions, we define #C to be a marking such that, for each placep, the value of #C(p) is equal to the size of the set {c ∈ C | µ(c) = p}.In other words #C(p) is the number of conditions in C labelled with p.We say that (C, E, F, µ) is a (backward) unfolding of N if the followingtwo conditions are satisfied:

(i) # max(F) = Mfin , i.e., the set of conditions that are maximal withrespect to F correspond to the final marking; and

(ii) µ preserves F, in other words, if (x, y) ∈ F then (µ(x), µ(y)) ∈ F .

For a configuration E, we define Cut(E) = ({•e | e ∈ E} ∪ max(F)) − {e• | e ∈ E}. We define the marking mark(E) = #(Cut(E)).

Example 5.2. Figure 5.1 shows an unfolding of the net in Figure 4.1 assuming a final marking Mfin = (p2). To increase readability, we show both names and labels of events in the figure while we omit names of conditions. Examples of configurations in the unfolding are E1 = {e1, e2, e3} with mark(E1) = (p2, p3) and E2 = {e1, e2, e3, e4} with mark(E2) = (p1).

5.3 AN UNFOLDING ALGORITHM

We present an algorithm (Algorithm 1) which, for a given net system N = (P, T, F, Minit, Mfin) generates an unfolding of N in an incremental manner. Similar to [47], an unfolding U = (C, E, F, µ) is represented as a list of objects corresponding to conditions and events in the underlying RON. An event e is represented as an object (C, t) where t is the label µ(e) of e and C is its set e• of post-conditions. A condition c is represented by an object (e, p) where p is the label µ(c) of c and e is its (single) post-event c•. We observe that the flow relation F and the labelling function µ are included in the encoding.

A non-empty set C of conditions is said to be t-enabled if there isa configuration E such that C ⊆ Cut(E) and all the conditions in Care in the postset of t, i.e., ∅ < #C ≤ t•. Furthermore, C is consideredto be maximally t-enabled provided there is no other set C ′ such thatC ⊂ C ′ ⊆ Cut(E) and C ′ is t-enabled. We will write MEt(C) to denotethat C is maximally t-enabled. The set of events by which U can beextended is denoted by Xtnd(U) and is formally defined as follows:

Xtnd(U) = {(C, t) | MEt(C) and (C, t) ∉ U}

Observe that the definition implies that there are no redundancies in the unfolding. In other words we will not have two different events both having the same label and the same postcondition.

The unfolding algorithm is shown as Algorithm 1. It maintains twovariables, namely the current unfolding U (initialized to the final mark-ing Mfin), and a set X of events by which the unfolding can be extended.The algorithm proceeds by considering the events in X in turn (this pro-cedure is fair in the sense that each event added to X will eventuallybe considered). At each iteration an event in X is picked and movedto U . Furthermore, the possible extensions of the new unfolding arecomputed, using the function Xtnd , and added to X. Notice that thealgorithm does not necessarily terminate.

The unfolding algorithm gives a symbolic representation of the upward closed sets from which Mfin is coverable. More precisely (Theorem 5.4), the upward closure of the markings appearing in U gives exactly the set of markings from which Mfin is coverable. Notice that each event in the unfolding corresponds to a step in the backward unrolling of the net. The efficiency we gain through applying unfoldings on upward closed sets, as compared to the standard symbolic algorithm based on the backward transition relation ⇝, can be explained in a manner similar to the finite-state case [47, 76]; namely the addition of a set of concurrent events to the unfolding corresponds to an exponential number of applications of the ⇝ relation.

Algorithm 1 Unfolding Algorithm
Input: net system N = (P, T, F, Minit, Mfin), where Mfin = (p1, . . . , pn)
var U: unfolding of N, X: set of events
U := (p1, ∅), . . . , (pn, ∅)
X := Xtnd(U)
while X ≠ ∅ do
  Pick and delete e = (C, t) from X
  Add (C, t) to U and also add, for all p ∈ •t, a new condition (p, e) to U
  X := X ∪ Xtnd(U)
end while

In the sequel we let U^i denote the value of the variable U after i iterations of the loop. The following lemmas relate unfoldings with the backward transition relation ⇝.

Lemma 5.2. If Mfin ⇝^k M then there is an ℓ and a configuration E in U^ℓ such that mark(E) ≤ M.

Proof. By induction on k.

Base case: Follows from the first step of the algorithm (initializing the value of U).

Induction case: Suppose that Mfin ⇝^k M′ ⇝t M. By the induction hypothesis there is an ℓ′ and a configuration E′ in U^ℓ′ such that mark(E′) ≤ M′. Let C1 be a maximal subset of Cut(E′) such that #C1 ≤ t•. There are two cases.

1. If C1 is empty. We define E = E′. We show that mark(E)(p) ≤ M(p) for each place p. We have two subcases.

(a) If p ∉ t•, then mark(E)(p) = mark(E′)(p) ≤ mark(E′)(p) + •t(p) ≤ M′(p) + •t(p) = M(p).

(b) If p ∈ t• we know by maximality of C1 that mark(E′)(p) = 0, and hence mark(E)(p) = mark(E′)(p) ≤ M(p).

2. If C1 is not empty. Notice that MEt(C1) holds. Given that our algorithm is fair in selecting transitions that are backward firable, an event e = (C1, t) will be chosen and added at some point ℓ. We define E = E′ ∪ {e}. Clearly, E is a configuration in U^ℓ. Observe that mark(E) = (mark(E′) ⊖ t•) + •t. This means that mark(E) = (mark(E′) ⊖ t•) + •t ≤ (M′ ⊖ t•) + •t = M.


We now present the lemma in the other direction which shows thatthe marking associated with every configuration in an unfolding is back-wards reachable.

Lemma 5.3. For each ℓ and configuration E in U^ℓ, there is a marking M such that M ≤ mark(E) and Mfin ⇝^* M.

Proof. By induction on ℓ.

Base case: Follows from the first step of the algorithm (initializing the value of U).

Induction case: Suppose that in step ℓ + 1 we add an event e = (C, t) (together with its preset) to U^ℓ. Take any configuration E in U^(ℓ+1). If e ∉ E then we know that E is also a configuration in U^ℓ implying the result by induction hypothesis. Hence, we can assume that E = E′ ∪ {e} where E′ is a configuration in U^ℓ. By the induction hypothesis we know that there is a marking M′ such that M′ ≤ mark(E′) and Mfin ⇝^* M′. We define M = (M′ ⊖ t•) + •t. Clearly M′ ⇝ M and hence Mfin ⇝^* M. Observe that mark(E) = (mark(E′) ⊖ t•) + •t. This means that mark(E) = (mark(E′) ⊖ t•) + •t ≥ (M′ ⊖ t•) + •t = M.

From Lemma 5.1, Lemma 5.2, and Lemma 5.3 we get the followingtheorem.

Theorem 5.4. Mfin is coverable from a marking M if and only if there is an ℓ and a configuration E in U^ℓ such that mark(E) ≤ M.

Notice that as a special case we can take M in Theorem 5.4 to beequal to Minit .

Example 5.3. Recall that in Example 4.2, we concluded that Mfin =(p2) is coverable from Minit = (p1) in the net in Figure 4.1. Accordingto the theorem above, there is a configuration E in the unfolding inFigure 5.1 such that mark(E) ≤ Minit . The configuration {e1} withmark({e1}) = (p1) is such a configuration.

5.4 TERMINATION

In this section we show how to compute finite postfixes of unfoldings. We define special types of events which we call cut-off points. In Theorem 5.6 we show that cut-off points do not add any markings to the upward closed sets characterized by the unfolding. This means that in the unfolding algorithm (Algorithm 1) we can safely discard all cut-off points, without ever adding them to the unfolding U. Furthermore, we use concepts from the theory of well quasi-orderings (Theorem 5.6) to show that if all cut-off points are discarded then the variable X in the unfolding algorithm eventually becomes empty implying termination of the algorithm. We start with some definitions and auxiliary lemmas.

We assume a net system N and an unfolding U of N. For an event e, we use e↓ to denote the configuration {e′ | e F* e′}. For configurations E1 and E2, we use E1 ≺ E2 to denote that |E1| < |E2| and mark(E1) ≤ mark(E2). For an event e, we say that e is a cutoff point in U if there is a configuration E in U such that E ≺ e↓.

Example 5.4. Consider the event e2 in the unfolding in Figure 5.1. We have that e2↓ = {e1, e2} and mark(e2↓) = (p2). Now look at the configuration E = ∅ with mark(E) = (p2). We have that E ≺ e2↓ and hence e2 is a cutoff point.

We recall from the previous section that U^i denotes the value of the variable U after i iterations of the loop in the unfolding algorithm. In order to prove the cutoff theorem we need the following lemma:

Lemma 5.5. Consider configurations E1, E2, and E′2 in U^k where E1 ≺ E2 and E2 ⊆ E′2. There is an ℓ and a configuration E′1 in U^ℓ such that E′1 ≺ E′2.

Proof. We show the claim for a configuration E′2 = E2 ∪ {e2} where e2 ∉ E2. The result follows using induction on |E′2| − |E2|. Let e2 be of the form (C2, t). We know that mark(E′2) = (mark(E2) ⊖ t•) + •t. We define C1 to be a maximal subset of Cut(E1) such that #C1 ≤ t•. There are two cases:

1. If C1 is empty we define E′1 = E1. We have |E′1| = |E1| < |E2| < |E′2|. We show that mark(E′1)(p) ≤ mark(E′2)(p) for each place p. There are two subcases.

(a) If p ∉ t• we have mark(E′2)(p) = mark(E2)(p) + •t(p) ≥ mark(E1)(p) + •t(p) ≥ mark(E1)(p) = mark(E′1)(p).

(b) If p ∈ t• we know, by maximality of C1, that mark(E1)(p) = 0. This means that mark(E′2)(p) = (mark(E2)(p) ⊖ t•(p)) + •t(p) ≥ •t(p) ≥ mark(E1)(p) = mark(E′1)(p).

2. If C1 is not empty then, by fairness of the algorithm in selecting transitions that are backward firable, an event e1 = (C1, t) will be chosen and added at some point ℓ. We define E′1 = E1 ∪ {e1}. It is clear that E′1 is a configuration in U^ℓ. We have |E′1| = |E1| + 1 < |E2| + 1 ≤ |E′2|. We know that mark(E′1) = (mark(E1) ⊖ t•) + •t. This means that mark(E′2) = (mark(E2) ⊖ t•) + •t ≥ (mark(E1) ⊖ t•) + •t = mark(E′1).

Now we are ready to show in the following theorem that cutoff pointscan be discarded safely.

Theorem 5.6. For each k and configuration E2 in U^k, there is an ℓ and configuration E1 in U^ℓ where mark(E1) ≤ mark(E2) and E1 does not contain any cutoff points.

Proof. We use induction on |E2|. The base case is trivial. If E2 does not contain any cutoff points, then the proof is trivial. Otherwise let e2 be a cutoff point in E2. Clearly, e2↓ ⊆ E2. Since e2 is a cut-off point, we know that there is a configuration E in U^k such that E ≺ e2↓. By Lemma 5.5 there is an ℓ and a configuration E1 in U^ℓ such that E1 ≺ E2, that is, |E1| < |E2| and mark(E1) ≤ mark(E2). The claim follows by induction hypothesis.

To prove termination of the unfolding algorithm, we use the fact thatmarkings are well quasi-ordered (consequence of Dickson’s lemma [39]),that is, for any infinite sequence M0,M1, . . . of markings, there are i andj with i < j and Mi ≤ Mj .

Theorem 5.7. The unfolding algorithm terminates if all cut-off pointsare discarded.

Proof. Suppose that the algorithm does not terminate. Since all nodes are finitely branching we have an infinite sequence e0, e1, e2, . . . of events where ei+1 F ci F ei, for some condition ci. Notice that |ej↓| > |ei↓| whenever j > i. By Dickson’s lemma, it follows that there are i and j with i < j and mark(ei↓) ≤ mark(ej↓). This implies that ej is a cut-off point, which is a contradiction.

Remark. Theorem 5.4, Theorem 5.6, and Theorem 5.7 give a completeterminating procedure for checking coverability in unbounded Petri nets:use the unfolding algorithm discarding all cutoff points. The final mark-ing Mfin is coverable from the initial marking Minit if and only if aconfiguration E appears in the unfolding with mark(E) ≤ Minit .

Example 5.5. Figure 5.2 shows a finite postfix of the unfolding inFigure 5.1. The postfix does not contain any cutoff points and for eachconfiguration E in the unfolding, there is a configuration E′ in the post-fix such that mark(E′) ≤ mark(E). For example, let E = {e1, e2, e3}and E′ = {e′1, e′2}. We see that mark(E′) = (p3) ≤ (p2, p3) = mark(E).
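The following is an added example, not the thesis' implementation, of Algorithm 1 with cut-off points discarded as Theorems 5.6 and 5.7 allow. Since the net of Figure 4.1 is not reproduced on this page, it runs on a constructed net chosen to agree with Examples 5.1 to 5.6 (t1: p1 → p2, p3; t2: p2 → p1; t3: p3 → p1); Cut, mark, Xtnd and the cut-off test follow the definitions of Sections 5.2 to 5.4, with configurations enumerated by brute force, and from Mfin = (p2) the result is the postfix of Figure 5.2.

```python
from collections import Counter
from itertools import combinations, product

# Constructed net, assumed for this example (Figure 4.1 is not reproduced on
# this page). It is chosen so that Examples 5.1-5.6 come out as stated:
#   t1: p1 -> p2, p3      t2: p2 -> p1      t3: p3 -> p1
# NET[t] = (preset *t, postset t*) as multisets.
NET = {
    "t1": (Counter({"p1": 1}), Counter({"p2": 1, "p3": 1})),
    "t2": (Counter({"p2": 1}), Counter({"p1": 1})),
    "t3": (Counter({"p3": 1}), Counter({"p1": 1})),
}

def leq(m1, m2):
    """Multiset inclusion M1 <= M2."""
    return all(m1[p] <= m2[p] for p in m1)

class Unfolding:
    """A RON built backwards from Mfin, encoded as in Section 5.3: a condition
    is (label, post-event c*) and an event e is (C, t) with C = e*."""

    def __init__(self, m_fin):
        self.conds = [(p, None) for p in m_fin.elements()]  # max(F) = Mfin
        self.events = {}   # event id -> (frozenset of condition ids, label t)
        self.down = {}     # event id -> e↓ = {e' | e F* e'}

    def configurations(self):
        """Downward-closed event sets are exactly the unions of down-sets e↓."""
        configs = {frozenset()}
        for e in self.events:
            configs |= {cfg | self.down[e] for cfg in configs}
        return configs

    def cut(self, cfg):
        """Cut(E): conditions whose post-event is in E (or absent) that no event of E consumes."""
        consumed = set().union(*(self.events[e][0] for e in cfg))
        return {c for c, (_, post) in enumerate(self.conds)
                if (post is None or post in cfg) and c not in consumed}

    def mark(self, cfg):
        """mark(E) = #Cut(E), the marking read off the labels of the cut."""
        return Counter(self.conds[c][0] for c in self.cut(cfg))

    def xtnd(self):
        """Xtnd(U): (C, t) with C maximally t-enabled in some Cut(E), not yet in U."""
        out = set()
        for cfg in self.configurations():
            by_label = {}
            for c in self.cut(cfg):
                by_label.setdefault(self.conds[c][0], []).append(c)
            for t, (_, post) in NET.items():
                # maximal: take min(t*(p), available) cut conditions of every label p in t*
                choices = []
                for p, k in post.items():
                    avail = by_label.get(p, [])
                    choices.append(combinations(avail, min(k, len(avail))))
                for pick in product(*choices):
                    C = frozenset(c for group in pick for c in group)
                    if C:                      # t-enabled sets are non-empty
                        out.add((C, t))
        return out - set(self.events.values())

    def add_event(self, C, t):
        """Add e = (C, t) and one fresh condition (p, e) per token of *t."""
        e = len(self.events)
        self.events[e] = (C, t)
        self.down[e] = frozenset({e}).union(
            *(self.down[self.conds[c][1]] for c in C if self.conds[c][1] is not None))
        for p in NET[t][0].elements():
            self.conds.append((p, e))
        return e

    def is_cutoff(self, e):
        """Section 5.4: e is a cut-off point if some configuration E has E ≺ e↓."""
        m, n = self.mark(self.down[e]), len(self.down[e])
        return any(len(cfg) < n and leq(self.mark(cfg), m)
                   for cfg in self.configurations())

def unfold(m_fin):
    """Algorithm 1 with cut-off points discarded (Theorems 5.6/5.7), so it terminates."""
    u = Unfolding(m_fin)
    seen = set()                 # extensions already tried, including discarded cut-offs
    X = u.xtnd()
    while X:
        C, t = X.pop()           # any fair choice will do
        seen.add((C, t))
        e = u.add_event(C, t)
        if u.is_cutoff(e):       # roll back e and the conditions it created
            del u.events[e], u.down[e]
            del u.conds[len(u.conds) - sum(NET[t][0].values()):]
        X |= u.xtnd() - seen
    return u

def coverable(u, m_init):
    """Theorem 5.4: Mfin is coverable from m_init iff some configuration E has mark(E) <= m_init."""
    return any(leq(u.mark(cfg), m_init) for cfg in u.configurations())
```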

Figure 5.2: A finite postfix of the unfolding in Figure 5.1 (figure not reproduced; it has events e′1 and e′2, labelled t1 and t3, and conditions c1, c2, c3, labelled p2, p1 and p3).

5.5 CHECKING COVERABILITY USING SAT-SOLVERS

The problem of checking coverability from a marking M once an unfolding U has been generated is, as stated above, the problem of finding a configuration E such that mark(E) ≤ M. Since the number of configurations of U could be very large (up to the number of subsets of the event set, |P(E)|, in the worst case) a brute force method based on computing the set of all configurations is not practical. Consequently, we propose to use a SAT-solver, in our case Prover, to carry out the task. This depends upon encoding the coverability problem as the problem of checking satisfiability of a propositional formula.

By the definition of configurations we know that for each configura-tion E the following holds:

(i) if an event e ∈ E then for all events e′ s.t. eFcFe′ we have e′ ∈ E.

(ii) a condition c ∈ Cut(E) if and only if c• ⊆ E and for all eventse ∈ •c, e 6∈ E.

Finally, a configuration E satisfies mark(E) ≤ M for a marking M ,provided that for each place p we have

#Cut(E)(p) ≤ M(p)

Given a net system N = (P, T, F, Minit, Mfin) and an unfolding U = (C, E, F, µ) of N we can construct a formula F, where each node x in U is represented by a variable vx, according to the following:

1. For each event e ∈ E, add a conjunct ve ⇒ ve1 ∧ · · · ∧ ven where{e1, . . . , en} is the set {ei | ∃c ∈ C : eFcFei}

2. For each condition c ∈ C, add a conjunct vc ⇔ vep ∧ ¬ve1 ∧ · · · ∧¬ven where {ep} = c• and {e1, . . . , en} is the set {ei | eiFc}

3. For each place p ∈ P, add a conjunct LTEk(k, [vc1, . . . , vcn]) where k = Minit(p), and {c1, . . . , cn} is the set {ci | µ(ci) = p}. Furthermore, the predicate LTEk(k, [v1, . . . , vn]) is true exactly when the number of propositions in the set {v1, . . . , vn} that are assigned true is less than or equal to k.

Now a model of F is an assignment of variables corresponding to aconfiguration E in the following way

• For each event e, e ∈ E iff ve

• For each condition c, c ∈ Cut(E) iff vc

• mark(E) ≤ Minit

The problem of checking coverability has now been reduced to the satis-fiability of the propositional formula F , i.e., F is satisfiable if and onlyif Mfin is coverable from Minit .

Example 5.6. Following the description above, we can construct thefollowing formula from the unfolding in Figure 5.2 assuming that Minit =(p1).

F = (ve′1 ⇒ ⊤) ∧ (ve′2 ⇒ ve′1)
    ∧ (vc1 ⇔ ¬ve′1) ∧ (vc2 ⇔ ve′1 ∧ ¬ve′2) ∧ (vc3 ⇔ ve′2)
    ∧ LTEk(1, [vc2]) ∧ LTEk(0, [vc1]) ∧ LTEk(0, [vc3])

The third line of the formula ensures that the cut of the configuration described by the true variables corresponds to a marking that is smaller than Minit = (p1), i.e., that the marking has at most one token in the place p1, which is the label of condition c2, and no token in the other places.

F is satisfied if ve′1 and vc2 are true while the rest of the vari-ables are false. This corresponds to the configuration {e′1} satisfyingmark({e′1}) = (p1) ≤ (p1) = Minit .

The formula F is, of course, a simple propositional formula exceptfor the third set of conjuncts, those containing LTEk. These formulaecan be encoded in propositional logic; however, the naive translationwould involve an exponential blow up. The SAT-solver used in thiswork, Prover, has support for such predicates, which comes to our aid.
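As an added example that is not part of the thesis, here is the encoding of this section applied to the unfolding of Figure 5.2 as Example 5.6 describes it; satisfiability is checked by brute-force enumeration of assignments in place of Prover, and LTEk is implemented directly as a counting test rather than translated into connectives.

```python
from collections import Counter
from itertools import product

# The unfolding of Figure 5.2 as Example 5.6 describes it (primes dropped):
# event e1 (label t1) consumes c1 (label p2) and creates c2 (label p1);
# event e2 (label t3) consumes c2 and creates c3 (label p3).
EVENTS = {"e1": ({"c1"}, "t1"), "e2": ({"c2"}, "t3")}     # e -> (e*, mu(e))
CONDS = {"c1": ("p2", None), "c2": ("p1", "e1"), "c3": ("p3", "e2")}  # c -> (mu(c), c*)

def lte_k(k, values):
    """LTEk(k, [v1, ..., vn]): at most k of the propositions are true."""
    return sum(bool(v) for v in values) <= k

def build_formula(m_init):
    """The conjuncts of F (Section 5.5) as predicates over an assignment dict."""
    conjuncts = []
    for e, (C, _) in EVENTS.items():
        # (1) v_e => v_e1 ^ ... ^ v_en, the events reached via e's post-conditions
        below = [CONDS[c][1] for c in C if CONDS[c][1] is not None]
        conjuncts.append(lambda a, e=e, below=below:
                         not a[e] or all(a[x] for x in below))
    for c, (_, post_event) in CONDS.items():
        # (2) v_c <=> v_{c*} ^ ¬v_e1 ^ ... ^ ¬v_en over the events e with c in e*
        consumers = [e for e, (C, _) in EVENTS.items() if c in C]
        conjuncts.append(lambda a, c=c, post_event=post_event, consumers=consumers:
                         a[c] == ((post_event is None or a[post_event])
                                  and not any(a[e] for e in consumers)))
    for p in {label for label, _ in CONDS.values()}:
        # (3) LTEk(M_init(p), [v_c | mu(c) = p]): at most M_init(p) cut conditions in p
        labelled = [c for c, (label, _) in CONDS.items() if label == p]
        conjuncts.append(lambda a, k=m_init[p], labelled=labelled:
                         lte_k(k, [a[c] for c in labelled]))
    return conjuncts

def models(conjuncts):
    """Brute-force satisfiability over all 2^n assignments (Prover's job in the thesis)."""
    names = sorted(EVENTS) + sorted(CONDS)
    for bits in product([False, True], repeat=len(names)):
        a = dict(zip(names, bits))
        if all(f(a) for f in conjuncts):
            yield a

def covering_configurations(m_init):
    """Each model of F is a configuration E with mark(E) <= M_init; F is satisfiable
    iff Mfin is coverable from M_init (Section 5.5)."""
    return [sorted(e for e in EVENTS if a[e]) for a in models(build_formula(m_init))]
```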


5.6 PROVER

To determine satisfiability we use a commercial tool called Prover. Though Prover is not part of our work, we will describe the tool briefly to show why it is suitable to use for analysing unfoldings.

Prover is a proof procedure for propositional logic that has been augmented with finite domain integer arithmetic and enumerated types. The theorem prover underlying Prover is an implementation of the Stålmarck Method [93] that is based on a system for natural deduction. The proof procedure has been known to be versatile and has been used with propositional formulae containing as many as 350,000 connectives. Prover deals with formulae involving all the usual logical connectives: conjunction, disjunction, implication, equivalence and negation. In addition, it also provides a number of predicates of the form LTEk(k, [f1, . . . , fn]) which are statements about how many of the n formulae f1, . . . , fn are true, in this case that the number of true formulae is less than or equal to k. These predicates can be defined using the basic connectives, but the naive way to do so results in a number of connectives that grows as a polynomial of degree k in n, whereas the calls in Prover use approximately 2 ∗ k ∗ (n − k) connectives. Finally, Prover also deals with the arithmetic connectives: addition, subtraction, multiplication, division, remainder and negation.

5.7 IMPLEMENTATION

In our experimentation, we have compared two implementations of the unfolding algorithm and an implementation of a backward reachability algorithm.

The implementation of the backward reachability algorithm is astraightforward rendition of the abstract algorithm in Section 3.6 andis as given in Algorithm 2. Note that this algorithm does not makeuse of partial-order techniques and therefore considers all possible in-terleavings. We also wish to point out that if a marking that is smallerthan Minit is generated then the algorithm terminates immediately with-out generating the entire backward reachable set. This contrasts withour unfolding algorithm where we have to build the whole prefix beforechecking whether Minit is represented in the unfolding.

Issues in the unfolding algorithm: The implementation of the unfolding algorithm is a straightforward rendition of the abstract algorithm given in Section 5.2. There are, however, two issues that need explanation: computation of Xtnd and checking of termination. In the computation of Xtnd we maintain a queue of sets of conditions where each set denotes a set of conditions that could hold concurrently and can, consequently, be the postset of an event. As new conditions are generated we check whether a new condition can be added to a set of conditions that is already under consideration. In this way, a seemingly combinatorial problem is converted to one of carrying out depth-first searches.

Algorithm 2 Backward Reachability Algorithm
Input: net system N = (P, T, F, Minit, Mfin).
var Min: set of minimal markings, Q: queue of markings to be considered
Min := ∅
Q := {Mfin}
while Q ≠ ∅ do
  Pick and delete a marking M from Q
  if M ≤ Minit then
    return “yes”
  else if there is no M′ ∈ Min such that M′ ≤ M then
    Add M to Min while removing any M′ ∈ Min such that M ≤ M′
    Add to Q all M′ such that M ⇝ M′
  end if
end while
return “no”
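As an added example, not taken from the thesis, here is Algorithm 2 together with the ⊖ and ⇝ definitions of Section 5.1 in Python. Because the net of Figure 4.1 is not reproduced on this page, the example uses a constructed three-place net chosen to agree with Examples 5.1 and 5.2 (t1: p1 → p2, p3; t2: p2 → p1; t3: p3 → p1), and it applies ⊖ place by place (the natural-number ⊖ lifted to multisets), which is what the backward step needs.

```python
from collections import Counter

# Constructed net, assumed for this example (Figure 4.1 is not reproduced on
# this page). It is chosen so that Examples 5.1 and 5.2 come out as stated:
#   t1: p1 -> p2, p3      t2: p2 -> p1      t3: p3 -> p1
# NET[t] = (preset *t, postset t*); markings are multisets (Counter).
NET = {
    "t1": (Counter({"p1": 1}), Counter({"p2": 1, "p3": 1})),
    "t2": (Counter({"p2": 1}), Counter({"p1": 1})),
    "t3": (Counter({"p3": 1}), Counter({"p1": 1})),
}

def leq(m1, m2):
    """Multiset inclusion M1 <= M2: no place holds more tokens in M1 than in M2."""
    return all(m1[p] <= m2[p] for p in m1)

def monus(m1, m2):
    """M1 (-) M2: the natural-number a (-) b of Section 5.1 applied place by place
    (Counter subtraction already drops places that would fall to zero or below)."""
    return Counter(m1) - Counter(m2)

def backward_step(m2, t):
    """M2 ~>t M1 with M1 = (M2 (-) t*) + *t; always defined, so every t is
    enabled backwards, as the section observes."""
    pre, post = NET[t]
    return monus(m2, post) + pre

def backward_successors(m):
    """All M1 with M ~> M1, i.e. the union of ~>t over every transition t."""
    return [backward_step(m, t) for t in NET]

def coverable(m_fin, m_init):
    """Algorithm 2. Returns (answer, Min): Min is the basis of minimal markings
    computed so far; on 'no' it is a basis of the whole backward reachable set."""
    minimal = []                       # Min: minimal markings, pairwise incomparable
    queue = [Counter(m_fin)]           # Q
    while queue:
        m = queue.pop(0)
        if leq(m, m_init):
            return True, minimal       # m_fin is coverable from m_init
        if any(leq(old, m) for old in minimal):
            continue                   # m already lies in the upward closure of Min
        minimal = [old for old in minimal if not leq(m, old)] + [m]
        queue.extend(backward_successors(m))   # all M' with m ~> M'
    return False, minimal
```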

The two implementations that we will report upon, Unfolding 1 andUnfolding 2, use the same abstract program and the same strategy forcalculating Xtnd . However they differ on how the termination conditionsare checked. In Unfolding 1 when a new event e is generated we computemark(e′ ↓) and |e′ ↓ | for all events e′ in the current unfolding. Clearly,there is a lot of wasted time with this design choice but it does save onspace. With Unfolding 2 with each event e′ we maintain both mark(e′ ↓)and |e′ ↓ |.

5.8 EXPERIMENTAL RESULTS

The thesis of our experimental work is that although analysis with unfoldings is done in two steps, constructing the unfolding and reasoning about it, the time and space required is less than for an interleaving based backward analysis for the coverability problem of unbounded Petri nets.

We will now show three examples that illustrate convincingly that unfoldings provide significant savings in space and time. In each case, we give the size of the Petri net in terms of the number of places, |P|, and the number of transitions, |T|. We compute (a) the maximum number of markings that need to be maintained for the traditional backward analysis [11] and (b) the total number of nodes generated by the unfolding algorithm. Given that the storage requirements of a node are bounded by the storage required for a marking, comparing the number of markings from backwards analysis against the total number of nodes in an unfolding is appropriate. Furthermore, we report on the time taken for both generating the unfolding and using Prover to analyse it.

[Figure panels not reproduced: “A process”; “A token ring of processes”]

                       Time (×10^−2 s)          Space
# proc.  |P|  |T|     U1     U2       B      U1    U2      B
     2     4    6      3      1       1      14    20     37
     4     8   12     14      7      10      30    44    147
     8    16   24     79     26     284      62    92    550
    16    32   48    596    134   12124     126   188   2006

Note: U1 and U2 are Unfolding 1 and Unfolding 2 respectively and B is the backward algorithm. Space is the number of markings (or nodes) that need to be stored.

Figure 5.3: A Simple Token Ring Network

Example 1: The first example we consider, presented in Figure 5.3, is that of a simple token ring consisting of a number of processes. As we increase the number of processes the number of places and transitions increase too. Note, however, that Minit and Mfin were so chosen that they have the same total number of tokens in each case and furthermore, that Mfin is not coverable from Minit. Consequently, the backwards analysis algorithm would have to compute the basis for the entire backward reachability set.


[Figure panels not reproduced: “A token ring of processes”; “A process”]

                                Time (×10^−2 s)             Space
# tokens & proc.  |P|  |T|     U1     U2        B     U1    U2       B
           2        8    8     18      7       20     30    42     197
           4       16   16     56     18     3053     54    78    1700
           8       32   32    313     70   553324    102   150   14637
          16       64   64   2611    409        ∗    198   294       ∗

Note: ∗ implies non-termination after a reasonable amount of time.

Figure 5.4: A more complicated token ring network

Example 2: This is a slightly more complicated version of Example 1 designed with the aim of introducing more branching (see Figure 5.4). In this case, though the number of processes was changed (and thus the size of the Petri net changed), Mfin was kept the same. However, the initial marking was changed with every instance. Finally, in all of these cases too Mfin was not coverable from Minit.

Example 3: In this example of a buffer process, from Figure 5.5, the original Petri net was kept the same while the number of tokens in Mfin was changed with each instance while Minit was kept the same. Furthermore, in all of the instances Mfin is coverable from Minit.

There are several conclusions that can be drawn from these experi-ments:

• Unfolding 2 is a better algorithm than Unfolding 1. While it usesapproximately 1.5 times the memory that Unfolding 1 uses, thesavings in time is indeed significant. The time falls by much morethan a factor of 1.5.

             Time (×10^−2 s)            Space
# tokens     U1     U2        B     U1    U2      B
     2        4      3        2     20    30     36
     4       18      9       14     40    60    130
     8      105     26      526     80   120    723
    16      708     95    78733    160   240   6068

Figure 5.5: A buffer process

• Both Unfolding 1 and Unfolding 2 are better than a traditional backward analysis that uses interleaving semantics.

• The cost of using Prover to reason about the unfolding is insignificant compared to the time and space needed to compute the unfolding.

• Unfoldings do offer great savings in time and space.

5.9 RELATED WORK

The most well-known algorithm for analysing unbounded Petri nets is due to Karp and Miller [66]. The tree constructed by the algorithm (called the KM-tree) is a pseudo-reachability tree where token values are replaced by limit points when execution sequences that lead from one state to a strictly larger state are discovered. The resulting tree can be used to answer the coverability problem. Furthermore, boundedness can also be checked with KM-trees. While the construction of KM-trees can be very useful, its worst-case complexity has been shown to be non-primitive recursive [89] (its complexity is not bounded by any tower of 2's of fixed height, 2^{2^{2^{···}}}). However, the coverability problem is shown to be in EXPSPACE [89]. Given that the coverability problem can be used to answer safety properties, the goals of this work, we believe, are reasonable.

Previous unfolding algorithms [46, 47, 68, 76] have been limited to the analysis of finite-state systems. Assuming a finite prefix has been constructed for a 1-safe Petri net, there have been several attempts to check for deadlock based on the prefix. These include the use of mixed integer programming [78] and the use of logic programming [58]. To our knowledge, this is the first time that the unfolding technique has been applied to infinite-state systems.


Chapter 6

Timed Petri Nets

Over the years, several extensions of Petri nets have been proposed. One such extension is timed Petri nets, which allow modelling of real-time systems. Timed Petri nets cannot be modelled as timed automata [19] since timed automata operate on a finite number of clocks while a timed Petri net may generate an unbounded number of clocks. In fact, a timed Petri net has an infinite control part, as does an untimed Petri net, and it also operates on infinite data structures, namely clocks.

A timed Petri net is a generalization of a Petri net where each token is equipped with a real-valued clock. The value of the clock is usually called the age of the token. To model the passing of time, the ages of the tokens are increased continuously and at the same rate. Each arc of the net is labelled by an interval defined by two natural numbers. When firing transitions, the only tokens allowed to travel the arcs are those whose ages are in the intervals labelling the corresponding arcs.

Let Intrv be the set of intervals of the form [a : b] where a ∈ N and b ∈ N ∪ {∞}. For a real number x we say that x ∈ [a : b] if a ≤ x ≤ b. A timed Petri net N is a tuple (P, T, In, Out) where P is a finite set of places and T is a finite set of transitions. The flow relation consists of two mappings, In and Out, that map each element of P × T to a multiset over Intrv. More precisely, for a place p and a transition t, In(p, t) is a multiset of intervals where each interval labels an arc from p to t. The interval is a restriction on the ages of tokens travelling the arc. In the same manner, Out(p, t) is a multiset of intervals labelling arcs leading from t to p. If In(p, t) ≠ ∅ (Out(p, t) ≠ ∅) we say that p is an input (output) place of t.

A marking of a timed Petri net defines the number and ages of the tokens in each place. More precisely, a marking M is a multiset over P × R≥0 where M(p, x) is the number of tokens with age x in place p. We define M(p) to be the multiset over R≥0 satisfying (M(p))(x) = M(p, x).

A transition t is enabled in a marking M if, for each input arc, there is a token in the corresponding input place whose age is in the interval labelling the arc. When the transition is fired, tokens satisfying the age restrictions imposed by the intervals labelling the input arcs are removed from the input places and new tokens are added to the output places of the transition, one for each output arc. The ages of the new tokens are in the intervals of the corresponding arcs.

Figure 6.1: A small timed Petri net (places A, B, C; transitions a, b, c; arc labels [1:3], [3:5], [5:7] and [0:0]).

Example 6.1. Figure 6.1 shows an example of a timed Petri net where P = {A, B, C} and T = {a, b, c}. For instance, In(a) = ((B, [5 : 7])) and Out(b) = ((B, [0 : 0]), (C, [0 : 0])). The initial marking of this net is the marking Minit = ((A, 0.0)), with only one token, of age 0, in place A. None of the transitions is enabled since the age of the only token is not in the interval labelling the input arc to transition b, namely [3 : 5]. However, if we let time pass for 3 time units, transition b will be enabled.

Recall that a region [19] defines the integral parts of clock values up to max (the exact age of a token is irrelevant if it is greater than max), and also the ordering of the fractional parts among clock values. For timed Petri nets, we need to use a variant that also defines the place in which each token (clock) resides. We define an ordering ⪯ on markings such that M1 ⪯ M2 if there is a marking M3 such that we can derive M3 from M2 by deleting tokens and such that M1 and M3 belong to the same region. More precisely, M1 ⪯ M2 if there is an injection h : M1 → M2 such that for each token t ∈ M1 there is a token h(t) ∈ M2 such that

• t and h(t) reside in the same place

• if the age of t is greater than max, then so is the age of h(t); otherwise

• the integral part of the age of t is equal to the integral part of the age of h(t)

• if the fractional part of the age of t is 0, then so is the fractional part of the age of h(t)

Furthermore, the order of the fractional parts of the ages of tokens is preserved by h.

Figure 6.2: Graphical illustration of M1 ⪯ M2 (the markings M1 and M2 of Example 6.2 drawn on the net of Figure 6.1).

Example 6.2. Figure 6.2 shows two different markings of a timed Petri net, the marking M1 = ((A, 3.2), (A, 8.2), (C, 0.5)) and the marking M2 = ((A, 3.1), (A, 9.0), (B, 0.5), (C, 0.9), (C, 0.3)). M1 ⪯ M2 since we can define the injection h as follows: h((A, 3.2)) = (A, 3.1), h((A, 8.2)) = (A, 9.0) (both ages are greater than max = 7) and h((C, 0.5)) = (C, 0.9). In M2 both of the tokens in C have ages whose fractional parts are greater than that of the token (A, 3.1). This means that we could just as well have chosen h((C, 0.5)) = (C, 0.3).

We define two types of transition relations on markings: the set of discrete transitions −→D, which is the union ⋃_{t∈T} −→t where −→t corresponds to firing transition t, and timed transitions −→δ that correspond to letting time pass. More precisely, we define M1 −→t M2 if, for each place p with In(p, t) = (I1, . . . , Im) and Out(p, t) = (J1, . . . , Jn), there are multisets MIn = (x1, . . . , xm) and MOut = (y1, . . . , yn) over R≥0 such that

• MIn ≤ M1(p)

• xi ∈ Ii for i ∈ {1, . . . , m}

• yi ∈ Ji for i ∈ {1, . . . , n}

• M2(p) = M1(p) − MIn + MOut


A timed transition increases the ages of all tokens by the same real number. Formally, M1 −→δ M2 if M1 = ((p1, x1), . . . , (pn, xn)) and there is δ ∈ R≥0 such that M2 = ((p1, x1 + δ), . . . , (pn, xn + δ)).
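To make the enabling, firing and delay rules concrete, here is an added Python example (not code from the thesis) that encodes the net of Figure 6.1 and replays Example 6.1. The arcs In(a), Out(b) and the [3:5] arc into b come from the text; Out(a), In(c) and Out(c) are assumed from the figure's labels, and the net dictionary, the function names and the backtracking matcher are mine.

```python
from fractions import Fraction
from math import inf

# Constructed example: the net of Figure 6.1.  In(a), Out(b) and A -[3:5]-> b
# are given in the text; Out(a), In(c) and Out(c) are assumed from the
# figure's labels.  An interval [a:b] is the pair (a, b); [a:∞] is (a, inf).
NET = {
    "a": {"in": [("B", (5, 7))], "out": [("A", (1, 3))]},
    "b": {"in": [("A", (3, 5))], "out": [("B", (0, 0)), ("C", (0, 0))]},
    "c": {"in": [("C", (5, 7))], "out": [("A", (1, 3))]},
}


def age(x):
    """Exact age from an int, float or decimal string (no 0.1 + 0.2 surprises)."""
    return Fraction(str(x))


def in_interval(x, iv):
    """x ∈ [lo : hi], closed on both ends; hi may be inf."""
    lo, hi = iv
    return lo <= x <= hi


def _assign(intervals, tokens, used=frozenset()):
    """Injectively assign each input-arc interval to a distinct token (by index)
    whose age lies in it.  Returns the chosen indices or None (backtracking)."""
    if not intervals:
        return []
    iv, rest = intervals[0], intervals[1:]
    for i, (_, x) in enumerate(tokens):
        if i not in used and in_interval(x, iv):
            tail = _assign(rest, tokens, used | {i})
            if tail is not None:
                return [i] + tail
    return None


def consumed_tokens(net, marking, t):
    """Indices into `marking` of one choice of tokens satisfying In(p,t) for
    every input place p (the multiset MIn of the text), or None if t is not
    enabled in `marking`."""
    chosen = []
    for p in {p for p, _ in net[t]["in"]}:
        intervals = [iv for q, iv in net[t]["in"] if q == p]
        idx = [i for i, (q, _) in enumerate(marking) if q == p]
        pick = _assign(intervals, [marking[i] for i in idx])
        if pick is None:
            return None
        chosen += [idx[i] for i in pick]
    return chosen


def enabled(net, marking, t):
    return consumed_tokens(net, marking, t) is not None


def delay(marking, d):
    """Timed transition −→δ: every token ages by the same amount d."""
    d = age(d)
    return [(p, x + d) for p, x in marking]


def fire(net, marking, t, new_ages):
    """Discrete transition −→t: remove the matched input tokens and add one
    token per output arc, with the given new ages (each checked against the
    interval of its arc, i.e. yi ∈ Ji)."""
    chosen = consumed_tokens(net, marking, t)
    if chosen is None:
        raise ValueError(f"{t} is not enabled")
    outs = net[t]["out"]
    if len(new_ages) != len(outs):
        raise ValueError("one new age per output arc is required")
    for (p, iv), y in zip(outs, new_ages):
        if not in_interval(age(y), iv):
            raise ValueError(f"new age {y} not in Out({p},{t}) interval {iv}")
    drop = set(chosen)
    kept = [tok for i, tok in enumerate(marking) if i not in drop]
    return kept + [(p, age(y)) for (p, _), y in zip(outs, new_ages)]
```

Replaying Example 6.1: in Minit = ((A, 0.0)) nothing is enabled, after a delay of 3 transition b fires and leaves one token of age 0 in each of B and C.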

We define the relation −→ to be the union −→D ∪ −→δ and define ∗−→ to be the reflexive transitive closure of −→. We define the coverability problem for timed Petri nets as follows.

Instance: A timed Petri net (P, T, In, Out), an initial marking Minit and an upward closed set of final markings Mfin.

Question: Is there a state Mfin ∈ Mfin with Minit ∗−→ Mfin?

Notice that we assume that timed Petri nets are lazy, or non-urgent. In other words, we may choose to let time pass instead of firing an enabled transition, even though the transition may become disabled due to tokens becoming too old. In an urgent timed Petri net, timed transitions that disable discrete transitions are not allowed. This means that the set of transitions of an urgent timed Petri net is a subset of the set of transitions of the corresponding lazy net. Therefore, if a set of markings is not reachable in the lazy net, it is not reachable in the urgent net either. In other words, safety properties that hold for the lazy net also hold for the corresponding urgent net; the lazy net is an over-approximation of the urgent net. It can be shown [64] that even simple classes of timed Petri nets with urgent behaviour can simulate two-counter machines, and thus almost all verification problems are undecidable for them.

6.1 EXISTENTIAL REGIONS

Existential regions form a constraint system that was developed for the analysis of timed networks [12], and it also lends itself to the analysis of other formalisms for timed systems such as Timed CCS [97] and timed Petri nets [27, 54, 79]. Existential regions are a generalization of regions, a constraint system used in the analysis of timed automata [19]. Regions can only be used in the analysis of systems with a finite number of clocks, while existential regions can be used when analysing systems with an unbounded number of clocks.

Existential regions are minimal condition constraints. They define a set of minimal conditions that should be satisfied by a marking satisfying the constraint. More precisely, an existential region defines a minimum number of tokens that should be present, the places in which they should reside and some conditions on their ages.

The representation of existential regions used here is similar to that used by Godskesen [56]. We let max be the largest number occurring in the intervals labelling the arcs of the net. Formally, an existential region is a list of multisets over pairs (p, n) where p is a place and n is a natural number less than or equal to max. Each pair (p, n) represents a token residing in p where n is the integral part of the age of the token. A multiset represents a set of tokens whose ages have equal fractional parts, and the list orders the multisets according to increasing fractional parts. The region contains two special multisets, the first and the last. The first multiset represents tokens whose ages have fractional part 0 and the last multiset represents tokens whose ages are greater than max, regardless of fractional parts.

A marking satisfies an existential region if, for each pair (p, n) occurring in the existential region, there is a token in the marking such that the token resides in p and the integral part of the age of the token is n. Furthermore, the fractional parts of the ages of the tokens are ordered as defined by the existential region.

Existential regions can be generated according to the methodology described in Section 3.5. We start from a finite set, namely P × {0, . . . , max}, and take equality to be the ordering. This is a well quasi-order by the first property. The next step is to build multisets over P × {1, . . . , max}. By the second property, these multisets ordered by ⪯M form a well quasi-order. Finally, we get existential regions by making lists or strings of multisets, and the ordering, which is also the entailment relation, is the relation ⪯∗. By the second property, existential regions are well quasi-ordered under the entailment relation.
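The following added Python example (not the thesis's code) serves both Example 6.2 and the existential-region definition above: it computes the existential region of a marking as a list of multisets, decides whether a marking satisfies a region by the injection described, and derives M1 ⪯ M2 as "M2 satisfies the region of M1". Representing markings as lists of (place, age) pairs, using Counter for multisets, and recording tokens older than max as (p, max) in the last multiset are my assumptions.

```python
from collections import Counter
from fractions import Fraction
from math import floor


def age(x):
    """Exact age from an int, float or decimal string."""
    return Fraction(str(x))


def region_of(marking, max_):
    """Existential region of a marking: a list of multisets (Counters) of
    (place, integral part).  Index 0 holds the tokens with fractional part 0,
    the middle entries are ordered by strictly increasing fractional part, and
    the last entry holds the tokens older than max (their integral part is
    irrelevant; by assumption it is recorded as max)."""
    max_ = age(max_)
    first, last, by_frac = Counter(), Counter(), {}
    for p, x in marking:
        x = age(x)
        if x > max_:
            last[(p, int(max_))] += 1
        else:
            n, f = floor(x), x - floor(x)
            if f == 0:
                first[(p, n)] += 1
            else:
                by_frac.setdefault(f, Counter())[(p, n)] += 1
    middle = [by_frac[f] for f in sorted(by_frac)]
    return [first] + middle + [last]


def _contains(big, small):
    """Multiset inclusion: small ≤ big."""
    return all(big[k] >= c for k, c in small.items())


def satisfies(marking, region, max_):
    """Does `marking` satisfy `region`?  Every (p, n) in the region must be
    matched injectively to a token of the marking in place p with integral
    part n; the first/last multisets go to fractional-part-0 / older-than-max
    tokens, and the middle multisets to fractional-part classes of the marking
    in strictly increasing order.  Greedy leftmost matching of the middle list
    is complete for this string embedding: matching a region multiset to the
    earliest class that contains it never blocks a later match."""
    m_first, *m_middle, m_last = region_of(marking, max_)
    r_first, *r_middle, r_last = region
    if not (_contains(m_first, r_first) and _contains(m_last, r_last)):
        return False
    j = 0
    for r in r_middle:
        while j < len(m_middle) and not _contains(m_middle[j], r):
            j += 1
        if j == len(m_middle):
            return False
        j += 1
    return True


def preceq(m1, m2, max_):
    """M1 ⪯ M2 as defined in the text: some sub-marking of M2 lies in the same
    region as M1, i.e. M2 satisfies the existential region of M1."""
    return satisfies(m2, region_of(m1, max_), max_)
```

With max = 7 the markings of Example 6.2 give preceq(M1, M2) true and preceq(M2, M1) false; swapping the order of the fractional parts (e.g. ages 3.7 and 0.4 in place of 3.2 and 0.5) breaks the relation.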

6.2 FISCHER'S PROTOCOL

We will now describe a timed Petri net model of a parameterized version of Fischer's protocol [92]. The model will be used to demonstrate the feasibility of some of the algorithms that are presented later in the thesis. The purpose of Fischer's protocol is to guarantee mutual exclusion in a concurrent system consisting of an arbitrary number of processes. The example was suggested by Schneider et al. [92]. The protocol analysed here is in fact a weakened version of Fischer's protocol, but since the set of reachable states of the weakened version is a superset of the reachable states of the original protocol, the results of our analysis are still valid.

The protocol consists of each process running the code that is graphically described in Figure 6.3. Each process i has a local clock, xi, and a control state that assumes values in the set {A, B, C, CS} where A is the initial state and CS is the critical section. The processes read from and write to a shared variable v, whose value is either ⊥ or the index of one of the processes.

All processes start in state A. If the value of the shared variable is ⊥, a process wishing to enter the critical section can proceed to state B and reset its local clock. From state B, the process can proceed to state C within one time unit or get stuck in B forever. When making the transition from B to C, the process resets its local clock and sets the value of the shared variable to its own index. The process now has to wait in state C for more than one time unit, a period of time that is strictly greater than the one used in the timeout of state B. If the value of the shared variable is still the index of the process, the process may enter the critical section; otherwise it may return to state A and start over again. When exiting the critical section, the process resets the shared variable to ⊥.

Figure 6.3: Fischer's Protocol for Mutual Exclusion (states A, B, C, CS; transitions guarded by v = ⊥, xi ≤ 1, xi > 1 and v = i, and v ≠ i, with clock resets xi := 0 and the assignments v := i and v := ⊥).

We will now make a model of the protocol in our timed Petri net formalism. The processes running the protocol are modelled by tokens in the places A, B, C, CS, A†, B†, C† and CS†. The places marked with † represent that the value of the shared variable is the index of the process modelled by the token in that place. We use a place udf to represent that the value of the shared variable is ⊥. A straightforward translation of the description in Figure 6.3 yields the Petri net model in Figure 6.4, where q is used to denote an arbitrary process state. The critical section is modelled by the places CS and CS†, so mutual exclusion is satisfied when the number of tokens in those places is less than two.

Figure 6.4: Timed Petri net model of Fischer's Protocol for Mutual Exclusion (places A, B, C, CS, udf and the corresponding † places; transitions initiate, choose1, choose2, choose3, enter, fail, exit1, exit2 and exit3; arc intervals [0:0], [0:1] and [2:inf]).


Chapter 7

Better-Structured Systems

In this chapter we present a framework for developing compact well quasi-ordered constraint systems. We use the general algorithm described in Section 3.6 to solve the reachability problem. Recall that the algorithm works on constraints representing sets of states and that the algorithm is guaranteed to terminate exactly when the constraints are well quasi-ordered under the entailment relation. Thus, an important part of using the algorithm is to develop methods for generating new well quasi-ordered constraint systems. One such methodology, based on Higman's theorem [61], is described in [7, 11, 51]. The main idea is to start from a set of basic constraints and repeatedly derive new ones using the fact that well quasi-ordering is closed under certain operations on constraints such as building finite strings, vectors, sets, multisets, trees, etc.

Many constraint systems based on the theory of well quasi-ordering suffer from a constraint explosion problem, as the number of constraints generated during the analysis grows exponentially with the size of the problem. In order to make the analysis feasible in practice we need to develop more compact constraint systems, systems that increase the number of states represented by a single constraint. We suggest ordering state spaces by a stronger relation than well quasi-ordering, namely that of better quasi-ordering [80, 88]. We call such systems better-structured transition systems. We also present a methodology to develop better quasi-ordered constraint systems that can be used together with existing algorithms designed for well quasi-ordered constraints.

There are two properties of better quasi-orderings that make them appropriate for symbolic model checking. (i) Better quasi-ordering implies well quasi-ordering, and (ii) in addition to the operations mentioned above, better quasi-ordering is closed under disjunction (in contrast to well quasi-ordering). The first property implies that all verification algorithms designed for well quasi-ordered constraint systems are also applicable to better quasi-ordered ones. The second property allows us to derive new constraint systems where each constraint is a finite disjunction of constraints in an existing constraint system, thus making the new system more compact than the old one.

We introduce a new constraint system called existential zones for verification of systems with unboundedly many clocks. Existential zones are related to existential regions, which were used in [12] for verification of timed networks. Using our methodology we can show better quasi-ordering of existential regions, since they are constructed by repeatedly building finite strings and multisets. Each existential zone is equal to the disjunction of a set of existential regions. Since better quasi-ordering is closed under disjunction, it follows that existential zones are better quasi-ordered (and hence well quasi-ordered).

To demonstrate the practical feasibility of existential zones, we have implemented a prototype for verifying safety properties of timed Petri nets. The tool allows us to verify a parameterized version of Fischer's protocol (see Section 6.2) within a few seconds.

We also consider broadcast protocols, which consist of an arbitrary number of finite-state processes communicating through rendezvous or broadcast. In [44], constraints that characterize upward closed sets of vectors of natural numbers are used to check safety properties for broadcast protocols. In [37] several new constraint systems are proposed. Constraints in these systems are represented by different forms of linear inequalities over natural numbers. Since these constraint systems cannot be constructed using the previously mentioned constraint operations, these classes require an explicit termination proof for the underlying reachability algorithm. Applying our methodology we are able to prove well quasi-ordering of these constraint systems in a uniform manner. More precisely, we show that the constraints characterizing upward closed sets of vectors of natural numbers are better quasi-ordered. Using the fact that each inequality in the new constraint systems is a finite union (disjunction) of such upward closed sets, we conclude that they are also better quasi-ordered and hence well quasi-ordered.

Finally, we provide new better quasi-ordered constraint systems for verification of lossy channel systems [10] and integral relational automata [33]. The new constraint systems are exponentially more succinct than existing ones.

7.1 WELL QUASI-ORDERED CONSTRAINT SYSTEMS

We will perform reachability analysis for well-structured transition systems using the general algorithm presented in Section 3.6. Assume a well-structured transition system (S, −→, ⪯). We will use a symbolic analysis method, that is, the analysis will be performed on constraints representing sets of states that are upward closed with respect to ⪯. Recall that, in order to be able to implement the reachability algorithm, we need four properties of the constraint system.

1. Computability of the membership relation.

2. Computability of the entailment relation between constraints.

3. Computability of the function Pre on constraints.

4. Guaranteed termination.

An interesting characterization of the fourth property is that the algorithm will terminate exactly in the case where the set of constraints is well quasi-ordered (see Section 3.2) under the entailment relation.

In [7, 11, 51] a methodology for deriving new well quasi-ordered constraint systems from existing ones is described. The methodology is based on the fact that all finite domains are well quasi-ordered under equality and that well quasi-orderings are closed under a set of basic operations including building finite trees, strings, vectors, sets, multisets, etc. This means that we can start from a set of constraints over finite domains and then repeatedly generate new constraints by building more and more compound data structures. A typical application of this approach is a constraint system called existential regions (see Section 6.1), which is used for verification of systems with unboundedly many clocks. Existential regions were introduced in [12].

There are three properties of a given constraint system that decide how efficient the reachability analysis will be in practice. The properties are the size of the set Pre(φ), the cost of checking entailment and the number of iterations needed before termination. Constraint systems developed according to the above methodology are often infeasible for practical use due to a constraint explosion problem caused by the set Pre(φ) being too large. This problem can often be reduced by considering new, more compact constraint systems that are disjunctions of the ones derived using the operations above. In Section 7.3 we present a constraint system called existential zones where each zone corresponds to the disjunction of a (sometimes exponential) number of existential regions.

Using disjunctions of constraints allows us to develop much more compact constraint systems. Existential zones are compact enough to allow us to verify a parameterized version of Fischer's protocol in a few seconds, but as we show in Example 7.1, well quasi-ordered constraint systems are not closed under disjunction. In fact, we cannot prove well quasi-ordering of existential zones within the framework of [7, 11, 51].

Figure 7.1: A graphic illustration of [[φ2,5]] and [[ψ5]] (two plots over the grid 1..10 × 1..11). Filled circles represent points satisfying the corresponding constraint.

Example 7.1 (Rado's Example). Let R be the set {(a, b) ∈ N | a < b} and let ≤rado be a relation on R defined by (a1, b1) ≤rado (a2, b2) if and only if b1 < a2, or a1 = a2 and b1 ≤ b2. We define a set C1 = {φa,b | (a, b) ∈ R} of constraints such that the denotation [[φa,b]] is the upward closure of (a, b) with respect to ≤rado, i.e., [[φa,b]] is the set {(a′, b′) ∈ R | (a, b) ≤rado (a′, b′)}. Recall that we define an entailment relation ⊑ on constraints where φa1,b1 ⊑ φa2,b2 if [[φa2,b2]] ⊆ [[φa1,b1]]. In fact, it follows that φa1,b1 ⊑ φa2,b2 if and only if (a1, b1) ≤rado (a2, b2).

We will show that (C1, ⊑) is a well quasi-order and define a new constraint system C2 where each constraint is a disjunction of constraints in C1. We will then show that (C2, ⊑) is not a well quasi-order and hence that well quasi-ordering is not closed under disjunction.

We start by showing that (C1, ⊑) is a well quasi-order. Suppose that we have an infinite sequence φa1,b1, φa2,b2, . . . where φai,bi ⋢ φaj,bj if i < j. Consider the sequence (a1, b1), (a2, b2), . . .. We know that aj ≤ b1 for all j > 1. This means that we have an infinite subsequence of the form (a, bi1), (a, bi2), . . . and hence there are k < l such that bik < bil, but then φa,bik ⊑ φa,bil, which is a contradiction.

Now, we define a set C2 = {ψj | ψj = φ0,j ∨ · · · ∨ φj−1,j} of constraints. The sequence ψ1, ψ2, . . . violates the well quasi-ordering property since for each k, l with k < l we have (k, l) ∈ [[ψl]] but (k, l) ∉ [[ψk]] and hence [[ψl]] ⊈ [[ψk]], i.e., there are no k < l with ψk ⊑ ψl.


We have shown that (C2, ⊑) is not a well quasi-order and that well quasi-ordering is not closed under disjunction. In Figure 7.1, we give graphic illustrations of [[φ2,5]] and [[ψ5]].
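As an added illustration of Rado's example (not from the thesis), the Python below encodes ≤rado, membership in [[φa,b]] and [[ψj]], and entailment between finite disjunctions, and checks that ψ1, . . . , ψn are pairwise incomparable using the witness (k, l) from the argument above. The function names are mine; the entailment test for disjunctions relies on a union of upward closed sets being upward closed, so [[ψ]] ⊆ [[φ]] holds exactly when every generator of ψ lies above some generator of φ.

```python
def rado_le(p, q):
    """(a1, b1) ≤rado (a2, b2) iff b1 < a2, or a1 = a2 and b1 ≤ b2."""
    (a1, b1), (a2, b2) = p, q
    return b1 < a2 or (a1 == a2 and b1 <= b2)


def in_R(p):
    """R: pairs (a, b) of natural numbers with a < b."""
    a, b = p
    return 0 <= a < b


def in_phi(gen, p):
    """p ∈ [[φ_{a,b}]]: p lies in R and above the generator gen = (a, b)."""
    return in_R(p) and rado_le(gen, p)


def psi_generators(j):
    """ψ_j = φ_{0,j} ∨ ... ∨ φ_{j-1,j}, represented by its j generators."""
    return [(i, j) for i in range(j)]


def in_psi(j, p):
    """p ∈ [[ψ_j]] iff p lies in some disjunct of ψ_j."""
    return any(in_phi(g, p) for g in psi_generators(j))


def entails(gens1, gens2):
    """Entailment ⊑ between finite disjunctions given by their generators:
    [[ψ2]] ⊆ [[ψ1]] iff every generator of ψ2 is above some generator of ψ1
    (a union of upward closed sets is upward closed, so it suffices to test
    the generators)."""
    return all(any(rado_le(g1, g2) for g1 in gens1) for g2 in gens2)


def phi_entails(g1, g2):
    """φ_{a1,b1} ⊑ φ_{a2,b2}; as the text notes, this is (a1,b1) ≤rado (a2,b2)."""
    return entails([g1], [g2])


def good_pair(seq):
    """First (i, j) with i < j and seq[i] ≤rado seq[j] in a finite sequence of
    generators, or None.  Well quasi-ordering of C1 says every infinite
    sequence contains such a pair; a finite prefix may still lack one."""
    for i in range(len(seq)):
        for j in range(i + 1, len(seq)):
            if rado_le(seq[i], seq[j]):
                return (i, j)
    return None


def incomparable_prefix(n):
    """True iff ψ_1, ..., ψ_n are pairwise incomparable under ⊑, checked both
    by the generator test and by the text's witness: for k < l the point
    (k, l) lies in [[ψ_l]] but not in [[ψ_k]]."""
    for k in range(1, n + 1):
        for l in range(k + 1, n + 1):
            if entails(psi_generators(k), psi_generators(l)):
                return False
            if entails(psi_generators(l), psi_generators(k)):
                return False
            if not (in_psi(l, (k, l)) and not in_psi(k, (k, l))):
                return False
    return True
```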

It seems that in order to perform the analysis on disjunctions of constraints we need an ordering that is stronger than well quasi-ordering. In the 1960s, Nash-Williams addressed this problem by introducing better quasi-ordering [80, 83].

7.2 BETTER-STRUCTURED TRANSITION SYSTEMS

We let N∗ (Nω) be the set of finite (infinite) strictly increasing sequences over N. For a finite sequence s ∈ N∗ we let λ(s) denote the set of natural numbers occurring in s and, if s is not empty, we let tail(s) be the result of deleting the first element of s. For s1 ∈ N∗ and s2 ∈ N∗ ∪ Nω we write s1 ◁ s2 to denote that s1 is a proper prefix of s2 and, if s1 is not empty, we write s1 ◁∗ s2 to denote that tail(s1) ◁ s2.

An infinite set β ⊆ N∗ is said to be a barrier if the following conditions are satisfied.

• there are no s1, s2 ∈ β such that λ(s1) ⊂ λ(s2)

• for each s2 ∈ Nω there is s1 ∈ β with s1 ◁ s2

Let (A, ⪯) be a quasi-order. An A-pattern is a mapping f : β → A where β is a barrier. We say that f is a good A-pattern if there are s1, s2 ∈ β such that s1 ◁∗ s2 and f(s1) ⪯ f(s2). If each A-pattern is good, we say that (A, ⪯) is a better quasi-ordering [83, 80].

A better-structured transition system is a triple (S, −→, ⪯) where (S, ⪯) is a better quasi-ordering and (S, −→) is a transition system that is monotonic with respect to ⪯. In verification of better-structured constraint systems, we need to be able to construct better quasi-ordered constraint systems. We will now state two properties of better quasi-orderings from [80] which are essential for the construction of constraint systems.

Lemma 7.1 ([80]).

• If β is a barrier and β = β1 ∪ β2, then there is a barrier α such that α ⊆ β1 or α ⊆ β2. (Using induction on n we can generalize this property to β = β1 ∪ · · · ∪ βn.)

• If (A, ⪯) is a better quasi-ordering, then (Aω, ⪯ω) is a better quasi-ordering.


Using the properties above, we will derive some properties that allow using better quasi-ordered constraint systems in verification and which we will use to form a methodology for developing new constraint systems.

Theorem 7.2.

1. Each better quasi-ordering is a well quasi-ordering.

2. If A is finite, then (A, =) is a better quasi-ordering.

3. If (A, ⪯) is a better quasi-ordering, then (A∗, ⪯∗) is a better quasi-ordering.

4. If (A, ⪯) is a better quasi-ordering, then (AM, ⪯M) is a better quasi-ordering.

5. If (A, ⪯) is a better quasi-ordering, then (P(A), ≺) is a better quasi-ordering.

Proof.

1. Define an order ⊏ on sequences such that s1 ⊏ s2 if

• hd(s1) < hd(s2), or

• hd(s1) = hd(s2) and tail(s1) ⊏ tail(s2)

Note that si ◁∗ sj implies si ⊏ sj. Assume a better quasi-ordering (A, ⪯) and a barrier β. Let β = s1, s2, . . . be such that si ⊏ si+1 for all i. Now, look at the sequence a1, a2, . . . where ai = f(si) and f is an A-pattern. Since (A, ⪯) is a better quasi-ordering, there are i and j such that si ◁∗ sj and f(si) ⪯ f(sj) for each A-pattern f. That is, for each sequence a1, a2, . . . there are i and j such that i < j and ai ⪯ aj. In other words, (A, ⪯) is a well quasi-ordering.

2. Consider (A, =) where A = {a1, . . . , an} is finite. Let f : β → A be an A-pattern. Define βi = f−1(ai) for i ∈ {1, . . . , n}. By Lemma 7.1 there is a barrier α ⊆ βi for some i : 1 ≤ i ≤ n. Take any s1 ∈ α and any s2 ∈ Nω where s1 ◁∗ s2. Since α is a barrier, we know that there is s3 ∈ α such that s3 ◁ s2 and that s3 ⊈ s1. It follows that s1 ◁∗ s3 and hence f is good and (A, =) is a better quasi-ordering.


3. Assume that (A, ⪯) is a better quasi-ordering. We will show that (A∗, ⪯∗) is also a better quasi-ordering. Take any b ∉ A. For w ∈ A∗, we let w′ denote w • bω (we add infinitely many bs to the end of w). It is clear that w1 ⪯∗ w2 if and only if w′1 ⪯ω w′2. Let f : β → A∗ be an A∗-pattern. We know that f′ : β → Aω, where f′(s) = w′ if and only if f(s) = w, is an Aω-pattern. By Lemma 7.1 it follows that there are s1, s2 ∈ β such that s1 ◁∗ s2 and f′(s1) ⪯ω f′(s2), and hence f(s1) ⪯∗ f(s2). This means that f is good and that (A∗, ⪯∗) is a better quasi-ordering.

4. Follows from 3.

5. This property was proved by Marcone in [72]. In [63], Jancar proved a weaker version of the theorem, namely that better quasi-ordering of (A, ⪯) is sufficient for well quasi-ordering of (P(A), ≺).

Since better quasi-ordering is a stronger relation than well quasi-ordering, it is sufficient to prove better quasi-ordering of a constraint system under entailment to prove termination of the reachability algorithm of Section 3.6. All constraint systems derived earlier in the literature based on the approach of [7, 11, 51] use properties 2, 3 and 4. This implies that all these constraint systems are also better quasi-ordered. A direct consequence of property 5 is that better quasi-ordering of a set of constraints implies better quasi-ordering of disjunctions of these constraints.

In the following sections we shall introduce several constraint systems that have been derived by applying the following two steps.

1. We show better quasi-ordering of a constraint system C1 using properties 2, 3 and 4 in Theorem 7.2 (following a methodology similar to that described in [7, 11, 51]).

2. We use property 5 to derive better quasi-ordering of a new, more compact constraint system C2 where the constraints are defined as disjunctions of constraints in C1.

We notice that, although C2 is more compact, the computational complexity for checking membership and entailment may be higher for C2 than for C1. Furthermore, the reachability algorithm of Section 3.6 in general needs more iterations in case C2 is employed. However, in almost all cases the compactness offered by C2 is the dominating factor in the efficiency of the algorithm.

As mentioned earlier, an important difference compared to the approach of [7, 11, 51] is that the second step of our methodology cannot be performed within that framework since well quasi-orderings in general are not closed under disjunction (see Example 7.1).

7.3 EXISTENTIAL ZONES

Existential zones are constraints developed for verification of systems with an unbounded number of clocks, which we will use to verify timed Petri nets. An existential zone characterizes an upward closed set of markings by specifying a minimum number of tokens that should be in a marking satisfying the zone and then imposing conditions on these tokens. The conditions specify the places in which the tokens should reside and restrict their ages. The age restrictions are stated as bounds on values of clocks and bounds on differences between pairs of clock values. A marking M satisfying a zone Z should have at least the number of tokens specified by Z. Furthermore, the places and ages of these tokens should satisfy the conditions imposed by Z. In such a case M may have any number of additional tokens whose places and ages are irrelevant for the satisfiability of the zone.

An existential zone Z is a triple (m, P, D) where m is a natural number, the placing P is a mapping P : {1, . . . , m} → P from token indices to the set P of places of the net, and the difference bound matrix D is a mapping D : {0, . . . , m} × {0, . . . , m} → N ∪ {∞}. Intuitively, m denotes the minimum number of tokens in a marking satisfying Z, P maps each token to a place and D defines restrictions on ages of the tokens and on differences between the ages of the tokens. Difference bound matrices, or DBMs, are widely used in verification of timed automata, e.g. [40, 70].

Example 7.2. Consider again the timed Petri net in Figure 6.1. Assume that we are interested in checking the coverability of markings with at least two tokens, one in place B and one in place C, such that the ages of the tokens are at most 8 and the token in B is at most 4 time units older than the one in C. The markings satisfying these constraints can be described by the existential zone Z = (2, P, D) where P(1) = B, P(2) = C and D is described by the following table where, for example, D(0, i) = 0 and D(2, 1) = 4.

D:     0    1    2
  0    -    0    0
  1    8    -    8
  2    8    4    -

Figure 7.2 shows a graphical illustration of the age restrictions of Z.

Figure 7.2: Example of restrictions on ages of tokens (a plot over the token ages x1 and x2; the figure itself is not reproduced here).

Consider a marking M = ((p1, x1), . . . , (pn, xn)), a zone Z = (m, P, D) and an injection h : {1, . . . , m} → {1, . . . , n} which we call a witness. We say that M satisfies Z with respect to h, written M, h |= Z, if the following conditions are satisfied.

• P(i) = p_{h(i)}, for each i : 1 ≤ i ≤ m.

• x_{h(j)} − x_{h(i)} ≤ D(j, i), for each i, j ∈ {1, . . . , m} with i ≠ j.

• x_{h(i)} ≤ D(i, 0) and −D(0, i) ≤ x_{h(i)}, for each i ∈ {1, . . . , m}.

We say that M satisfies Z, written M |= Z, if there is a witness h such that M, h |= Z. Notice that if M satisfies Z then m ≤ n (since h is an injection), that is, M has at least the number of tokens required by Z, and furthermore, the places and ages of the tokens satisfy the requirements of Z. We define [[Z]] = {M | M |= Z}. Note also that the value of D(i, i) is irrelevant for the satisfiability of Z.

From the above definitions the following lemma is straightforward.

Lemma 7.3. For an existential zone Z and a marking M, it is decidable whether M |= Z.

We observe that Z defines a number of minimal requirements on M, in the sense that M should contain at least m tokens whose places and ages are constrained by the functions P and D respectively. This means that the set [[Z]] is upward closed, since M |= Z and M ≤ M′ implies M′ |= Z.

An existential zone Z = (m, P, D) is said to be consistent if [[Z]] ≠ ∅. We say that Z is normal if for each i, j, k ∈ {0, . . . , m}, we have D(i, j) ≤ D(i, k) + D(k, j). It is easy to show the following.

Lemma 7.4. For each existential zone Z there is a unique (up to renaming of the index set) normal existential zone, written Z, such that [[Z]] = [[Z]].

This means that we can assume without loss of generality that all existential zones we work with are normal.

Entailment

By the definitions in Section 3.5 we get that entailment between existential zones is defined by Z1 ⊑ Z2 if [[Z2]] ⊆ [[Z1]]. We reduce checking entailment between zones to validity of formulae in a logic that we call Difference Bound Logic (DBL). Atomic DBL-formulae are of one of the forms v ≤ c or v − u ≤ c, where v and u are variables interpreted over R≥0 and c ∈ N. Furthermore, the set of formulae is closed under the propositional connectives. It is easy to see that validity of DBL-formulae is NP-complete.

For two existential zones, Z1 = (m1, P1, D1) and Z2 = (m2, P2, D2), we translate the relation Z1 ⊑ Z2 into validity of a DBL-formula F. Intuitively, each token specified by Z2 is represented by a free variable in F. The values of the variables represent the ages of the tokens. The idea is that the formula F is valid if and only if whenever the variables have values satisfying the age restrictions imposed by Z2, there is a mapping h from indices of Z1 to indices of Z2 such that token i in Z1 resides in the same place as token h(i) in Z2, and the value of variable v_{h(i)} satisfies the age restrictions that Z1 imposes on token i.

We construct the formula F according to the following. We let the set of free variables in F be the set {v_i | i ∈ {1, . . . , m2}}. We define a set H of witnesses, injections from {1, . . . , m1} to {1, . . . , m2}, where a witness h ∈ H if and only if P1(i) = P2(h(i)) for each i ∈ {1, . . . , m1}. We define

\[
F = \Big( F_1 \Longrightarrow \bigvee_{h \in H} F_2 \Big)
\]

where F1 = F11 ∧ F12 ∧ F13 and F2 = F21 ∧ F22 ∧ F23 and

• $F_{11} = \bigwedge_{i,j \in \{1,\dots,m_2\},\, i \neq j} \big( v_i - v_j \le D_2(i, j) \big)$.

• $F_{12} = \bigwedge_{i \in \{1,\dots,m_2\}} \big( v_i \le D_2(i, 0) \big)$.

• $F_{13} = \bigwedge_{i \in \{1,\dots,m_2\}} \big( -D_2(0, i) \le v_i \big)$.

• $F_{21} = \bigwedge_{i,j \in \{1,\dots,m_1\},\, i \neq j} \big( v_{h(i)} - v_{h(j)} \le D_1(i, j) \big)$.

• $F_{22} = \bigwedge_{i \in \{1,\dots,m_1\}} \big( v_{h(i)} \le D_1(i, 0) \big)$.

• $F_{23} = \bigwedge_{i \in \{1,\dots,m_1\}} \big( -D_1(0, i) \le v_{h(i)} \big)$.

Example 7.3. Consider the zones Z1 = (1, P1, D1) and Z2 = (2, P2, D2) where P1(1) = P2(1) = P2(2) = C and D1 and D2 are described by the tables below.

D1:    0    1
  0    -    0
  1    8    -

D2:    0    1    2
  0    -    0   -2
  1    5    -    3
  2    8    4    -

The relation Z1 ⊑ Z2 is equivalent to validity of the following formula

\[
\begin{aligned}
F = \Big( \big( & v_1 - v_2 \le 3 \;\wedge\; v_2 - v_1 \le 4 \;\wedge\; v_1 \le 5 \;\wedge\; v_2 \le 8 \;\wedge\; 0 \le v_1 \;\wedge\; 2 \le v_2 \big) \\
\Longrightarrow\; & \big( (v_1 \le 8 \wedge 0 \le v_1) \;\vee\; (v_2 \le 8 \wedge 0 \le v_2) \big) \Big)
\end{aligned}
\]

We now have the following.

Lemma 7.5. The entailment relation is decidable for existential zones.

Notice that in contrast to zones, for which entailment can be checked in polynomial time, the entailment relation for existential zones can be checked only in nondeterministic polynomial time (as we have to consider exponentially many witnesses). This is the price we pay for working with an unbounded number of clocks. On the other hand, when using zones, the size of the problem grows exponentially with the number of clocks inside the system.

Computing Predecessors

We define a function Pre such that for a zone Z, Pre(Z) characterizes the set of markings from which we can reach a marking satisfying Z through the performance of a single discrete or timed transition. The value of Pre(Z) is a finite set {Z1, . . . , Zm} of zones. In other words [[Pre(Z)]] = [[Z1]] ∪ · · · ∪ [[Zm]]. We define Pre = Pre_D ∪ Pre_δ, where Pre_D corresponds to firing transitions backwards and Pre_δ corresponds to running time backwards.

We define Pre_D = ⋃_{t∈T} Pre_t, where Pre_t characterizes the effect of running the transition t backwards. To define Pre_t, we need the following operations on zones. In the rest of the section we assume a normal existential zone Z = (m, P, D), and a timed Petri net N = (P, T, In, Out). From Lemma 7.4 we know that assuming Z to be normal does not affect the generality of our results.

For an interval I = [a : b], and i ∈ {1, . . . , m}, we define the conjunction Z ⊗ (I, i) of Z with I at i to be the existential zone Z′ = (m, P, D′), where

• D′(i, 0) = min(b, D(i, 0)).

• D′(0, i) = min(−a, D(0, i)).

• D′(k, j) = D(k, j), for each j, k ∈ {1, . . . , m} with k ≠ j, (k, j) ≠ (i, 0), and (k, j) ≠ (0, i).

Intuitively, the operation adds an additional constraint on the age of token i, namely that its age should be in the interval I. For example, for a zone Z = (2, P, D) where D is

       0    1    2
  0    -    0    0
  1    8    -    8
  2    8    4    -

the conjunction Z ⊗ ([1 : 6], 1) is the zone (2, P, D′) where D′ is

       0    1    2
  0    -   -1    0
  1    6    -    8
  2    8    4    -

while the conjunction Z ⊗ ([0 : 10], 1) = Z.

For a place p and an interval I = [a : b], we define the addition Z ⊕ (p, I) of (p, I) to Z to be the existential zone Z′ = (m + 1, P′, D′), where

• D′(m + 1, 0) = b, and D′(0, m + 1) = −a.

• D′(m + 1, j) = ∞, and D′(j, m + 1) = ∞, for each j ∈ {1, . . . , m}.

• P′(m + 1) = p.

• D′(k, j) = D(k, j), for each j, k ∈ {0, . . . , m}, and P′(j) = P(j), for each j ∈ {1, . . . , m}.

Intuitively, the new existential zone Z′ requires one additional token to be present in place p such that the age of the token is in the interval I. For example, for a zone Z = (2, P, D) where P(1) = B, P(2) = C and D is

       0    1    2
  0    -    0    0
  1    8    -    8
  2    8    4    -

the addition Z ⊕ (A, [1 : 2]) is the zone (3, P′, D′) where P′(1) = B, P′(2) = C, P′(3) = A and D′ is

       0    1    2    3
  0    -    0    0   -1
  1    8    -    8    ∞
  2    8    4    -    ∞
  3    2    ∞    ∞    -

For i ∈ {1, . . . , m}, we define the abstraction Z\i of i in Z to be the zone Z′ = (m − 1, P′, D′), where

• D′(j, k) = D(j, k), for each j, k ∈ {0, . . . , i − 1}.

• D′(j, k) = D(j, k + 1) and D′(k, j) = D(k + 1, j), for each j ∈ {0, . . . , i − 1} and k ∈ {i, . . . , m − 1}.

• D′(j, k) = D(j + 1, k + 1), for each j, k ∈ {i, . . . , m − 1}.

• P′(j) = P(j), for each j ∈ {0, . . . , i − 1}, and P′(j) = P(j + 1), for j ∈ {i, . . . , m − 1}.

Intuitively, the operation removes all constraints related to token i from Z, so the number of required tokens is reduced by 1 and the restrictions related to the age and place of the token disappear. For example, for a zone Z = (3, P, D) where P(1) = B, P(2) = C, P(3) = A and D is

       0    1    2    3
  0    -    0    0   -1
  1    8    -    6    7
  2    8    4    -    7
  3    2    2    2    -

the abstraction Z\2 is the zone (2, P′, D′) where P′(1) = B, P′(2) = A and D′ is

       0    1    2
  0    -    0   -1
  1    8    -    7
  2    2    2    -

Notice that the existential zones we obtain as a result of performing the three operations above need not be normal.
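The satisfaction check of Lemma 7.3, the normal form of Lemma 7.4 and the three operations ⊗, ⊕ and \ above, run on the zones of Example 7.2 and of the worked examples in this section. This is an added example and not code from the thesis or its prototype; the tuple representation (m, P, D) with a nested list for D, the normalisation by Floyd-Warshall closure and the negative-cycle test for consistency are my own assumptions (the thesis only states that these facts are easy to show).

```python
"""Existential zones (m, P, D) of Section 7.3: satisfaction, normal form and
the operations (x), (+) and \\ (conjunction, addition, abstraction).

Representation (my own choice, not the thesis's): a zone is a tuple
(m, P, D) where P is a dict {1..m -> place name} and D is an (m+1)x(m+1)
nested list with D[j][i] bounding x_j - x_i; index 0 is the constant clock
x_0 = 0, INF means "no bound" and the diagonal is kept as 0 (it is
irrelevant for satisfiability).  A marking is a list of (place, age) pairs.
"""
from itertools import permutations

INF = float("inf")

# Constructed from Example 7.2: two tokens, one in B and one in C, ages <= 8,
# and D(2, 1) = 4 as in the thesis's table.
Z72 = (2, {1: "B", 2: "C"}, [[0, 0, 0], [8, 0, 8], [8, 4, 0]])


def satisfies(marking, zone):
    """Return a witness h (h[i-1] is h(i), 1-based token indices) such that
    M, h |= Z, or None if M does not satisfy Z.  Every injection
    {1..m} -> {1..n} is tried, which is the decision procedure behind
    Lemma 7.3 (exponential in m, fine for small zones)."""
    m, P, D = zone
    places = [p for p, _ in marking]
    ages = [x for _, x in marking]
    for h in permutations(range(1, len(marking) + 1), m):
        x = {i: ages[h[i - 1] - 1] for i in range(1, m + 1)}      # x_{h(i)}
        if any(P[i] != places[h[i - 1] - 1] for i in range(1, m + 1)):
            continue                                               # places
        if any(x[i] > D[i][0] or -D[0][i] > x[i] for i in range(1, m + 1)):
            continue                                               # bounds
        if any(x[j] - x[i] > D[j][i]
               for i in range(1, m + 1) for j in range(1, m + 1) if i != j):
            continue                                               # differences
        return h
    return None


def normalize(zone):
    """The normal zone with the same denotation: tighten D until
    D(i, j) <= D(i, k) + D(k, j) for all i, j, k (Floyd-Warshall closure).
    Assumption: this is the standard DBM canonicalisation."""
    m, P, D = zone
    n = m + 1
    N = [[0 if i == j else D[i][j] for j in range(n)] for i in range(n)]
    for k in range(n):
        for i in range(n):
            for j in range(n):
                if N[i][k] + N[k][j] < N[i][j]:
                    N[i][j] = N[i][k] + N[k][j]
    return (m, dict(P), N)


def consistent(zone):
    """[[Z]] != {} iff the closed DBM has no negative cycle (a negative
    diagonal entry after closure); assumption: standard DBM criterion."""
    _, _, N = normalize(zone)
    return all(N[i][i] >= 0 for i in range(len(N)))


def conj(zone, interval, i):
    """Z (x) (I, i): additionally require the age of token i to lie in
    I = [a : b].  Only D(i, 0) and D(0, i) change."""
    m, P, D = zone
    a, b = interval
    D2 = [row[:] for row in D]
    D2[i][0] = min(b, D[i][0])
    D2[0][i] = min(-a, D[0][i])
    return (m, dict(P), D2)


def add(zone, place, interval):
    """Z (+) (p, I): one more token, in place p with age in I = [a : b], and
    no bound between the new token and the old ones."""
    m, P, D = zone
    a, b = interval
    D2 = [row[:] + [INF] for row in D] + [[INF] * (m + 2)]
    D2[m + 1][0], D2[0][m + 1], D2[m + 1][m + 1] = b, -a, 0
    P2 = dict(P)
    P2[m + 1] = place
    return (m + 1, P2, D2)


def abstract(zone, i):
    """Z \\ i: drop token i and every constraint mentioning it; tokens
    i+1..m are renumbered to i..m-1."""
    m, P, D = zone
    keep = [k for k in range(m + 1) if k != i]
    D2 = [[D[r][c] for c in keep] for r in keep]
    P2 = {j: P[j] for j in range(1, i)}
    P2.update({j: P[j + 1] for j in range(i, m)})
    return (m - 1, P2, D2)
```

Normalising the result of the addition example tightens the ∞ entries of the new row and column through the constant clock (for instance D′(1, 3) becomes 8 + (−1) = 7), which is why the thesis notes that the operations need not return normal zones.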

We are now ready to define Pre.

Lemma 7.6. Consider a timed Petri net N = (P, T, In, Out), a transition t ∈ T, and an existential zone Z = (m, P, D). Let In(t) = ((p1, I1), . . . , (pk, Ik)), and Out(t) = ((q1, J1), . . . , (qℓ, Jℓ)). Pre_t(Z) is the smallest set containing each existential zone Z′ such that there is a partial injection h : {1, . . . , m} → {1, . . . , ℓ} with a domain {i1, . . . , in}, and an existential zone Z1 satisfying the following conditions.

• P(i_j) = q_{h(i_j)}, for each j ∈ {1, . . . , n}.

• Z ⊗ (J_{h(i1)}, i1) ⊗ · · · ⊗ (J_{h(in)}, in) is consistent.

• Z1 = Z\i1\ · · · \in.

• Z′ = Z1 ⊕ (p1, I1) ⊕ · · · ⊕ (pk, Ik).

Lemma 7.7. For an existential zone Z = (m, P, D), the set Pre_δ(Z) is the existential zone Z′ = (m, P, D′), where D′(0, i) = 0 and D′(j, i) = D(j, i) if j ≠ 0, for each i, j ∈ {0, . . . , m} with i ≠ j.

From Lemma 7.6 and Lemma 7.7 we get the following.

Lemma 7.8. For an existential zone Z, the set Pre(Z) is computable.

Termination

As stated in Section 3.6, the reachability algorithm is guaranteed to terminate if the constraint system, existential zones, is well quasi-ordered under entailment. To prove well quasi-ordering of zones we prove better quasi-ordering using the methodology presented in Section 7.2. Since each better quasi-ordering is a well quasi-ordering (Theorem 7.2, Property 1), it follows that zones are well quasi-ordered and the algorithm terminates.

In order to prove that existential zones are better quasi-ordered we recall a constraint system related to existential zones, namely that of existential regions introduced in [12] (see Section 6.1). An existential region is a list of multisets (M0, M1, . . . , Mn, Mn+1) where n ≥ 0 and Mi is a multiset over P × N. In a similar manner to existential zones, an existential region R defines a set of conditions that should be satisfied by a marking M in order for M to satisfy R. Intuitively M0 represents tokens with ages that have fractional parts equal to 0. The multisets M1, . . . , Mn represent tokens whose ages have increasing fractional parts. The ages of tokens belonging to the same multiset have the same fractional part and the ages of tokens belonging to Mi have a fractional part that is strictly less than the fractional part of the ages of those in Mi+1. Finally the multiset Mn+1 represents tokens with ages greater than the maximum natural number occurring in the enabling conditions of a given timed Petri net (regardless of their fractional parts).

We show better quasi-ordering of existential zones by showing better quasi-ordering of existential regions and then showing that each zone is equal to the disjunction of a finite number of existential regions. By Theorem 7.2 (Property 5) we have that better quasi-ordering is closed under disjunction, hence existential zones are better quasi-ordered.

Lemma 7.9. Existential zones are better quasi-ordered (and hence well quasi-ordered).

1. Existential regions are built starting from finite domains, and repeatedly building finite strings, bags, and sets. From the properties mentioned above, it follows that existential regions are better quasi-ordered.

2. For each existential zone Z, there is a finite set 𝓡 of existential regions such that Z ≡ ⋁_{R∈𝓡} R. Since better quasi-ordering is closed under disjunction, it follows that existential zones are better quasi-ordered.

7.4 EXPERIMENTAL RESULTS

We have implemented a prototype to perform coverability analysis for timed Petri nets. In our experimentation we use a constraint system called existential DDDs, which is described below. The implementation is based on a DDD package developed at Technical University of Denmark [81]. We have used the tool to verify Fischer's protocol (Section 6.2).

Existential CDDs and DDDs

Clock Difference Diagrams (CDDs) [24] and Difference Decision Diagrams (DDDs) [82] are constraint systems that have been invented to give representations of real-time systems that are more compact than zones. In the same manner as zones were modified into existential zones, we modify the definitions of CDDs (DDDs) into existential CDDs (DDDs) to make them suitable for verifying systems with an unbounded number of clocks. Below we give the definition of existential DDDs. The definition of existential CDDs can be stated in a similar manner.

An existential DDD Y is a tuple (m, P, V, E), where m is a natural number denoting the minimum number of tokens in a marking satisfying Y and the placing P maps each token to a place in the same manner as in an existential zone (Section 7.3). (V, E) is a finite directed acyclic graph where V is the set of vertices and E is the set of edges. The set V contains two special elements v0 and v1. The outdegrees of v0 and v1 are zero while the outdegrees of the rest of the vertices are two. Each vertex v ∈ V \ {v0, v1} has the following attributes: pos(v), neg(v) ∈ {0, . . . , m}, op(v) ∈ {<, ≤}, const(v) ∈ Z, and high(v), low(v) ∈ V. The set E contains the edges (v, low(v)) and (v, high(v)), where v ∈ V − {v0, v1}.

In a similar manner to BDDs, the internal nodes of Y correspond to the if-then-else operator φ → φ1, φ2, defined as (φ ∧ φ1) ∨ (¬φ ∧ φ2). Intuitively, the attributes of the node represent the DBL-formula φ = x_{pos(v)} − x_{neg(v)} op(v) const(v), and high(v) and low(v) are children of v corresponding to φ1 and φ2 respectively. The special vertices v0 and v1 correspond to false and true.

Consider an existential DDD Y = (m, P, V, E), a vertex v ∈ V, a marking M = ((p1, x1), . . . , (pn, xn)) and an injection h : {1, . . . , m} → {1, . . . , n}. We say that M satisfies Y at v with respect to h, written M, h |= (Y, v), if P(i) = p_{h(i)}, for each i ∈ {1, . . . , m}, and either

• v = v1; or

• \[
\big( x_{h(\mathit{pos}(v))} - x_{h(\mathit{neg}(v))} \sim \mathit{const}(v) \big) \;\to\; M, h \models (Y, \mathit{high}(v)),\; M, h \models (Y, \mathit{low}(v))
\]

where ∼ = op(v).

As with existential zones, we can modify the operations defined in [82] to compute predecessors of existential DDDs with respect to transitions of a timed Petri net. To check entailment we must, as we did for existential zones, take into consideration all variable permutations.

For each existential DDD Y there is a finite set 𝓩 of existential zones such that [[Y]] = [[⋁𝓩]]. Intuitively this means that an existential DDD can replace several existential zones, and hence existential DDDs give a more compact (efficient) representation of sets of states. Note that each existential DDD is a disjunction of existential zones. This together with Lemma 7.9 and Theorem 7.2 (Property 5) gives us the following result.

Lemma 7.10. Existential DDDs are better quasi-ordered (and hence also well quasi-ordered).

Results

We have used our prototype to analyse the parameterized version of Fischer's protocol that is presented in Section 6.2. In order to prove mutual exclusion we examine the reachability of the existential zones stating that at least two processes are in the critical section, i.e., the following zones:

• Z1 = (2, P1, D) where P1(1) = P1(2) = CS

• Z2 = (2, P2, D) where P2(1) = CS and P2(2) = CS†

• Z3 = (2, P3, D) where P3(1) = P3(2) = CS†

For all three zones D(0, i) = 0 and D(i, j) = ∞ for i ≠ j.

The reachable state space, represented by 45 existential DDDs, takes 3.5 seconds to compute on a Sun Ultra 60 with 512 MB memory and a 360 MHz UltraSPARC-II processor. In the process, pre was computed for 51 existential DDDs.

7.5 BROADCAST PROTOCOLS

A broadcast protocol consists of an arbitrary number of identical finite-state processes communicating through rendezvous or through broadcast. We assume a finite set {s1, . . . , sn} of states and a set {x1, . . . , xm} of variables ranging over the natural numbers. A global state of a protocol is called a configuration. A configuration γ is a tuple (a1, . . . , an) of natural numbers where ai represents the number of processes that are in the state si. [44] defines a constraint system, which we here refer to as B, where each constraint is a tuple (b1, . . . , bn). The denotation [[(b1, . . . , bn)]] of a constraint (b1, . . . , bn) is the upward closed set {(a1, . . . , an) | (b1, . . . , bn) ≤ (a1, . . . , an)}. In [37] several new constraint systems for broadcast protocols are proposed and compared with regard to the efficiency parameters mentioned in Section 7.1. The most general of these constraint systems is called AD in [37] and consists of conjunctions of constraints each of the form x_{i1} + · · · + x_{ik} ≥ b, where x_{i1}, . . . , x_{ik} are distinct variables of {x1, . . . , xn}. Two special cases are considered: NA where k is always equal to 1 and DV where the sets of variables occurring in the different conjuncts are assumed to be disjoint. Since these new constraint systems are not constructed by applying the basic set of constraint operations (described in Section 7.1), a separate proof of termination is required for them.

Applying the method of Section 7.2 we can show better quasi-ordering of AD, NA, and DV uniformly as follows. From properties 2 and 3 in Theorem 7.2 it follows that B is better quasi-ordered. Furthermore, it is straightforward to show that each constraint in AD, NA, and DV is equivalent to the disjunction of a finite set of constraints in B. From property 5 of Theorem 7.2 we get

Theorem 7.11. AD, NA, and DV are better quasi-ordered.

In fact we can derive the better quasi-ordering property for a more general constraint system than AD, namely that consisting of basic constraints of the form a1x1 + · · · + akxk ≥ b combined through conjunction and disjunction.

7.6 LOSSY CHANNEL SYSTEMS

A lossy channel system is a finite state machine communicating over unbounded and unreliable FIFO buffers. In [10] we present a constraint system, here denoted L1, for verification of such systems. The constraints in L1 represent upward closed sets of strings over a finite alphabet Σ. For strings w1, w2 ∈ Σ* we let w1 ⪯ w2 denote that w1 is a (not necessarily continuous) substring of w2. A constraint in L1 is represented by a string w ∈ Σ* where [[w]] = {w′ | w ⪯ w′}.

Figure 7.3: Two constraints in L2, drawn as syntax trees: φ1 = (a & b) • (b + c) and φ2 = a1 & a2 & · · · & an (the figure itself is not reproduced here).

Here, we introduce a new constraint system L2 defined as the smallest set such that L2 contains:

• a, for each a ∈ Σ, where [[a]] = {w | a ⪯ w}

and L2 is closed under:

• concatenation: [[φ1 • φ2]] = {w1w2 | w1 ∈ [[φ1]] and w2 ∈ [[φ2]]}

• conjunction: [[φ1 & φ2]] = {w | w ∈ [[φ1]] and w ∈ [[φ2]]}

• disjunction: [[φ1 + φ2]] = {w | w ∈ [[φ1]] or w ∈ [[φ2]]}

Example 7.4. φ1 in Figure 7.3 is the constraint (a & b) • (b + c). The denotation [[φ1]] is the set {w1w2 | (a ⪯ w1) and (b ⪯ w1) and ((b ⪯ w2) or (c ⪯ w2))}. The constraint φ1 is equivalent to the disjunction of the following set of constraints in L1: {abb, abc, bab, bac}.

The constraint system L2 is exponentially more succinct than L1. More precisely, each constraint in L1 has a linear-size translation into an equivalent constraint in L2 through the concatenation operator. On the other hand a constraint of the form a1 & · · · & an (φ2 in Figure 7.3) can only be represented in L1 by the disjunction of a set of constraints of size n!, namely {b1 • · · · • bn | (b1, . . . , bn) is a permutation of (a1, . . . , an)}.
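The translation of an L2 constraint into the finite set of L1 constraints whose disjunction has the same denotation, as used in Example 7.4 and in the succinctness argument above. This is an added example, not code from the thesis; the representation of L2 constraints as nested tuples and the function names (to_L1, merges, in_denotation, conj_all) are my own choices, and the conjunction case computes the ⪯-minimal common superwords of the two operands' L1 translations.

```python
"""The constraint system L2 of Section 7.6 over a finite alphabet, with its
translation into a finite set of L1 constraints (strings under the subword
order).  Representation (my choice): a constraint is either a letter (a
one-character str) or a triple (op, phi1, phi2) with op "." for
concatenation, "&" for conjunction and "+" for disjunction.
"""


def subword(u, w):
    """u ⪯ w: u is a (not necessarily contiguous) substring of w."""
    it = iter(w)
    return all(c in it for c in u)


def minimal(words):
    """Keep only the ⪯-minimal strings: an antichain with the same upward
    closure, i.e. the smallest set of L1 constraints with that denotation."""
    ws = set(words)
    return frozenset(w for w in ws
                     if not any(v != w and subword(v, w) for v in ws))


def merges(u, v):
    """All strings in which every position is used by an embedding of u or of
    v (a position may serve both when their next letters coincide).  Every
    ⪯-minimal common superword of u and v is among them."""
    if not u or not v:
        return {u + v}
    out = ({u[0] + r for r in merges(u[1:], v)}
           | {v[0] + r for r in merges(u, v[1:])})
    if u[0] == v[0]:
        out |= {u[0] + r for r in merges(u[1:], v[1:])}
    return out


def to_L1(phi):
    """The finite set of L1 constraints whose disjunction equals [[phi]]."""
    if isinstance(phi, str):
        return frozenset({phi})                      # [[a]] = {w | a ⪯ w}
    op, f, g = phi
    F, G = to_L1(f), to_L1(g)
    if op == ".":       # {w1 w2 | w1 in [[f]], w2 in [[g]]}: up-closure of F.G
        return minimal(x + y for x in F for y in G)
    if op == "+":       # [[f]] or [[g]]
        return minimal(F | G)
    if op == "&":       # [[f]] and [[g]]: minimal common superwords, pairwise
        return minimal(w for x in F for y in G for w in merges(x, y))
    raise ValueError(f"unknown L2 operator {op!r}")


def in_denotation(phi, w):
    """w ∈ [[phi]], decided through the L1 translation."""
    return any(subword(u, w) for u in to_L1(phi))


def conj_all(letters):
    """a1 & a2 & ... & an, the constraint phi2 of Figure 7.3."""
    phi = letters[0]
    for a in letters[1:]:
        phi = ("&", phi, a)
    return phi


# Constructed from Example 7.4: phi1 = (a & b) . (b + c)
PHI1 = (".", ("&", "a", "b"), ("+", "b", "c"))
```

For conj_all of n distinct letters the translation has n! elements, the blow-up the paragraph above describes.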

As in Section 7.3 and Section 7.5, we can use properties of L1 and L2 to conclude the following.

Theorem 7.12. L2 is better quasi-ordered.

7.7 INTEGRAL RELATIONAL AUTOMATA

An Integral Relational Automaton (IRA) operates on a set X of variables assuming values from the set Z of integers. The transitions of the automaton are labelled by guarded commands of the form g → stmt in which the guard g is a boolean combination of inequalities of the form x < y, c < x or x < c for x, y ∈ X and c ∈ Z and where the body stmt contains, for each x ∈ X, an assignment of one of the forms x := y, x := c or x := {?} for y ∈ X and c ∈ Z. The assignment x := {?} is a "read" operation putting an arbitrary integer into the variable x. A state s of an IRA is a mapping from X to Z. Sometimes, we write s as a tuple (s(x1), . . . , s(xn)) where X = {x1, . . . , xn}. For c ∈ Z we use the convention that s(c) = c.

A constraint system, called the sparser than system S1, is defined in [33] for verification of IRAs as follows. Let c_min (c_max) be the smallest (largest) constant occurring syntactically in the IRA. Define C = {c_min, . . . , c_max} to be the set of integers between c_min and c_max. A constraint φ in S1 is a mapping from X to Z. As we did with states, we assume φ(c) = c for c ∈ Z. A state s satisfies φ if and only if for each x, y ∈ X ∪ C, we have (i) s(x) ≤ s(y) if and only if φ(x) ≤ φ(y) and (ii) if φ(x) ≤ φ(y) then φ(y) − φ(x) ≤ s(y) − s(x).

Example 7.5. Assume X = {x1, x2, x3} and C = {5}. Consider a constraint φ = (10, 5, 12), then s1 = (12, 5, 17) ∈ [[φ]] while s2 = (8, 5, 16) ∉ [[φ]] (since φ(x1) − φ(x2) = 5 ≰ s2(x1) − s2(x2) = 3) and s3 = (12, 4, 17) ∉ [[φ]] (since φ(5) = 5 ≤ φ(x2) = 5 while s3(5) = 5 ≰ s3(x2) = 4).

We introduce a new constraint system S2 such that a constraint φ in S2 is a conjunction of conditions of the forms c ≤ x, x ≤ c and c ≤ y − x where x, y ∈ X and c ∈ Z. The satisfiability of φ by a state s is defined in the obvious way.

Example 7.6. Assume X = {x1, x2} and C = {5}. The constraint 5 < x2 in S2 is equivalent to the disjunction of the following set of constraints in S1: {(4, 7), (5, 7), (6, 7), (7, 7), (8, 7)}. Notice that the constraints correspond to the different relative values that x1 may have with respect to the constant 5 and the variable x2.

In the same way as in the previous sections, we can show that S2 is exponentially more succinct than S1 and that the following theorem holds.

Theorem 7.13. S2 is better quasi-ordered.

7.8 RELATED WORK

To our knowledge this work is the first application of the theory of better quasi-orderings in the context of symbolic model checking.

Existential zones are variants of zones, a symbolic representation used in several tools for verification of timed automata, for example Kronos [98] and Uppaal [69]. However, zones characterize finite sets of clocks and therefore cannot be used to analyse timed Petri nets.

A model close to timed Petri nets, timed networks, was considered in [12]. A timed network consists of an arbitrary number of timed processes and hence contains an unbounded number of clocks. The constraint system used in that work was that of existential regions, a constraint system that is far less efficient than existential zones; the number of existential regions generated during analysis explodes even on small applications.

Most earlier work on decidability issues for timed Petri nets, e.g. [90, 27, 54, 91], either reports undecidability results or decidability under the assumption that the net is bounded. A work closely related to ours is [36]. The authors consider the coverability problem for a class of timed Petri nets similar to our model. The main difference is that in [36], it is assumed that the ages of the tokens are natural numbers. Furthermore, it is not evident how efficient the constraint system is in practical applications.

Chapter 8

Forward Analysis

In the previous chapters we have considered backward analysis and used constraints representing upward closed sets of states. We will now turn our attention to forward reachability analysis. In forward analysis, we compute the set of reachable states by computing post-images of a set of initial states. While forward and backward analysis seem to be symmetric, they exhibit surprisingly different behaviours in many applications. For instance, for several classes of infinite-state systems, it turns out that backward analysis is feasible while forward analysis is not [10, 73].

Nevertheless, forward analysis is still practically very attractive from the model checking point of view [1, 2, 52]. It often turns out [4, 21, 22] that it is possible to design semi-algorithms for forward analysis that terminate on almost all interesting examples. For some systems modelled by Petri nets, it is more efficient to do forward analysis than backward analysis [52]. Moreover, forward analysis gives much more understanding of the system. This is due to the fact that forward analysis gives a characterization of the set of states that may arise during execution of the system whereas backward analysis gives only those states from which a system can fail. More interestingly, forward analysis can often be used for constructing symbolic graphs that constitute finite abstractions of the systems, and on which standard techniques for finite-state model checking can be applied [1, 22, 26, 67].

In the context of infinite-state systems, both methods can obviously only be implemented using a symbolic approach. The basic ingredient in any symbolic approach is to devise a symbolic representation of the state space. The representation should be "adequate" in the sense that it allows computability of a number of basic operations present in implementations of all symbolic algorithms, such as union, intersection, checking entailment, post-images (or pre-images). Once algorithms have been designed for computing post-images, they can be used both to generate and verify invariants.

In Chapter 7 we presented a theory for designing symbolic representations when performing backward reachability analysis, for a wide class of infinite-state systems. The symbolic representation relies on languages that are upward closed with respect to some given ordering on the state space.

The work of this chapter complements that work and describes a formalism for performing forward analysis of infinite-state systems. We use downward closed languages as symbolic representation for sets of states. There are at least two reasons why downward closed languages are useful in forward reachability analysis. First, some systems, e.g. lossy channel systems [10], have state spaces that are downward closed. More significantly, it is often the case that bad states are represented by upward closed sets (see e.g. [7, 10, 16, 38, 44]). Therefore, if an invariant has an empty intersection with the set of bad states, then the downward closure of the invariant also has an empty intersection. This means that, in order to analyse safety properties formulated as upward closed sets, it is sufficient to consider downward closed invariants. The downward closure of an invariant usually has a much simpler structure and is therefore much easier to analyse.

While an upward closed language can simply be represented by the set of its minimal elements [7, 16, 38], the situation is more complicated in the case of downward closed languages. In this chapter, we introduce downward closed language generators (dlgs), which characterize downward closed sets of words over a (potentially) infinite alphabet. We show that dlgs satisfy the general adequacy criteria mentioned above, that is, they allow computability of union, intersection, and checking entailment, and describe how to compute post-images of dlgs for several computation models such as Petri nets, lossy channel systems, and timed Petri nets. A timed Petri net operates on a potentially unbounded number of real-valued clocks, and is therefore more powerful than classical timed automata.

Furthermore, we generalize our theory in two directions. We consider other data structures than words, and study languages that are sets of multisets, sets, vectors, etc. Such languages arise in the analysis of infinite-state systems (see [7, 17, 37, 44] for some examples). Also, in a similar manner to the case with upward closed languages [7, 16], we present a methodology for defining downward closed languages over complicated data structures in a hierarchical manner. We use the hierarchical definition to derive a novel formalism for representing downward closed sets of markings in timed Petri nets.

We have implemented a prototype based on our representation for timed Petri nets. We use the prototype for proving an invariant for Fischer's protocol (Section 6.2). The invariant is sufficiently strong for showing that the protocol satisfies mutual exclusion regardless of the number of processes inside the protocol.

8.1 DOWNWARD CLOSED LANGUAGE GENERATORS

Assume a quasi-ordering $(A, \preceq)$, that is, a reflexive and transitive binary relation $\preceq$ on a set $A$. For $B \subseteq A$, we use $A^{\not\succeq B}$ to denote the set $\{a \in A \mid \forall b \in B.\ b \not\preceq a\}$. For $a, b \in A$ we use $a \sqcup b$ to denote the set of least upper bounds of $a$ and $b$, i.e., the set of all elements $c$ such that $a, b \preceq c$, and there is no $c' \in A$ with $a, b \preceq c' \prec c$. For $B_1, B_2 \subseteq A$, we use $B_1 \sqcup B_2$ to denote the set $\bigcup_{a_1 \in B_1,\, a_2 \in B_2} (a_1 \sqcup a_2)$. For $B_1, B_2 \subseteq A$, we use $B_1 \preccurlyeq B_2$ to denote that for each $b_2 \in B_2$ there is a $b_1 \in B_1$ with $b_1 \preceq b_2$.

We assume that $\preceq$ is computable. In other words, for each $a, b \in A$, we can decide whether $a \preceq b$. We also assume that the set $a \sqcup b$ is finite and computable for each $a, b \in A$. The above implies that $B_1 \preccurlyeq B_2$ is computable and that $B_1 \sqcup B_2$ is finite and computable for finite sets $B_1$ and $B_2$.

A language $L$ over $A$ is a set of words over $A$, i.e., $L \subseteq A^*$. We use $\overline{L} = A^* - L$ to denote the complement of $L$. For a word $w \in A^*$ we use $|w|$ to denote the length of $w$, and $w(i)$ to denote the $i$th element of $w$, where $1 \le i \le |w|$. We use $w_1 \bullet w_2$ to denote the concatenation of the words $w_1$ and $w_2$.

We define the ordering $\preceq^*$ on $A^*$ such that $w_1 \preceq^* w_2$ if there is a monotonic injection $h : \{1, \ldots, |w_1|\} \to \{1, \ldots, |w_2|\}$ where $w_1(i) \preceq w_2(h(i))$ for $i : 1 \le i \le |w_1|$.

In the remainder of this section we consider the case where $L$ is downward closed with respect to $\preceq^*$, that is, $w_1 \in L$ and $w_2 \preceq^* w_1$ imply $w_2 \in L$.

We define downward closed language generators (dlgs) (over $A$) as follows. An expression $e$ is either an atomic expression $\sim B$ or a star expression ${\ast\sim} B$, where $B$ is a finite subset of $A$. A product $p$ is of the form $e_1 \bullet \cdots \bullet e_m$ where $e_1, \ldots, e_m$ are expressions. A dlg $\varphi$ is a sum $p_1 \mid \cdots \mid p_n$, where $p_1, \ldots, p_n$ are products. The dlg $\varphi$ defines a downward closed language $L(\varphi)$ in the following manner:

$L(\sim B) = A^{\not\succeq B} \cup \{\varepsilon\}$ (8.1)

$L({\ast\sim} B) = \{w_1 \bullet \cdots \bullet w_k \mid w_1, \ldots, w_k \in L(\sim B)\}$ (8.2)

$L(e_1 \bullet \cdots \bullet e_m) = \{w_1 \bullet \cdots \bullet w_m \mid w_1 \in L(e_1), \ldots, w_m \in L(e_m)\}$ (8.3)

$L(p_1 \mid \cdots \mid p_n) = L(p_1) \cup \cdots \cup L(p_n)$ (8.4)


There are a number of special cases in the above definition. More precisely, if $B = \emptyset$ then $L(\sim B) = L(\sim \emptyset) = A \cup \{\varepsilon\}$, and $L({\ast\sim} B) = L({\ast\sim} \emptyset) = A^*$. Furthermore, if $m = 0$ then $L(e_1 \bullet \cdots \bullet e_m) = \{\varepsilon\}$, and if $n = 0$ then $L(p_1 \mid \cdots \mid p_n) = \emptyset$.

For dlgs $\varphi_1$ and $\varphi_2$ we use $\varphi_1 \bullet \varphi_2$ to denote the dlg $\varphi$ with $L(\varphi) = \{w_1 \bullet w_2 \mid w_1 \in L(\varphi_1) \text{ and } w_2 \in L(\varphi_2)\}$. Observe that $\varphi$ always exists and is computable (by distributing $\bullet$ over $\mid$).

In the sequel, if the set $A$ is known from the context, we only say a language (dlg) rather than a language (dlg) over $A$. Often, we identify dlgs with the languages they represent, so for example, we write $\varphi_1 \cap \varphi_2$ instead of $L(\varphi_1) \cap L(\varphi_2)$. We observe that from the above definition it follows that it is trivial to compute the union of dlgs. For singleton sets we often omit the set notation, so for example, we write $\sim a$ instead of $\sim \{a\}$.

There are a number of simplification rules which we will always apply to dlgs. For instance, we can assume that the set $B$ in the definition of atomic and star expressions is canonical, that is, there are no $a, b \in B$ with $a \ne b$ and $a \preceq b$. For each product $p$, there is another product $p' = e_1 \bullet \cdots \bullet e_m$ such that $L(p') = L(p)$ and for each $i : 1 \le i < m$ it is the case that $L(e_i \bullet e_{i+1}) \not\subseteq L(e_i)$ and $L(e_i \bullet e_{i+1}) \not\subseteq L(e_{i+1})$. In fact, we can derive $p'$ from $p$ by deleting redundant expressions according to the above, using the entailment algorithm described in Section 8.3. For each dlg $\varphi$, there is another dlg $\varphi' = p_1 \mid \cdots \mid p_n$ such that $L(\varphi') = L(\varphi)$ and there are no $i, j : 1 \le i \ne j \le n$ with $L(p_i) \subseteq L(p_j)$. Again, we can derive $\varphi'$ from $\varphi$ using the entailment algorithm.

Notice that when we write dlgs or languages we implicitly mean word dlgs or languages. In the later sections we will introduce dlgs and languages for multisets, sets, etc.

Example 8.1. We consider dlgs over the finite set $\{a, b, c, d\}$ with the ordering being equality. Consider the dlgs $\varphi_1 = {\sim a} \bullet {\ast\sim}\{b, c\}$ and $\varphi_2 = {\ast\sim}\{b, d\} \bullet (\sim c)$. Then, for example, $bdddd \in \varphi_1$ and $acaac \in \varphi_2$ while $bb \notin \varphi_1$ and $aabcc \notin \varphi_2$.

The downward closed language consisting of all words that contain at most one $a$ and at most one $b$ is characterized by the dlg

$({\ast\sim}\{a, b\} \bullet {\sim a} \bullet {\ast\sim}\{a, b\} \bullet {\sim b} \bullet {\ast\sim}\{a, b\}) \mid ({\ast\sim}\{a, b\} \bullet {\sim b} \bullet {\ast\sim}\{a, b\} \bullet {\sim a} \bullet {\ast\sim}\{a, b\})$


Example 8.2. We now consider dlgs over $\mathbb{N}$ with the ordering being $\le$. Consider the dlgs $\varphi_1 = {\ast\sim 2} \bullet {\sim 5}$ and $\varphi_2 = {\ast\sim 3} \bullet {\sim 4}$. Then, for example, $101014 \in \varphi_1$ and $20123 \in \varphi_2$ while $010135 \notin \varphi_1$ and $2034 \notin \varphi_2$.

The downward closed language consisting of all words $w$, such that the total number of elements greater than 3 is at most two and the total number of elements greater than 5 is at most one, is characterized by the dlg

$({\ast\sim 3} \bullet {\sim \emptyset} \bullet {\ast\sim 3} \bullet {\sim 5} \bullet {\ast\sim 3}) \mid ({\ast\sim 3} \bullet {\sim 5} \bullet {\ast\sim 3} \bullet {\sim \emptyset} \bullet {\ast\sim 3})$

8.2 INTERSECTION

In this section, we give an algorithm for computing the intersection $\varphi = \varphi_1 \cap \varphi_2$ of two dlgs $\varphi_1$ and $\varphi_2$.

In case $\varphi_1$ and $\varphi_2$ are atomic expressions or star expressions, we can compute $\varphi$ using the following equalities.

$\sim B_1 \cap \sim B_2 = \sim (B_1 \cup B_2)$

${\ast\sim} B_1 \cap \sim B_2 = \sim (B_1 \cup B_2)$

${\ast\sim} B_1 \cap {\ast\sim} B_2 = {\ast\sim} (B_1 \cup B_2)$

If $\varphi_1$ and $\varphi_2$ are products, then if either of them is empty, $\varphi$ will also be empty. Otherwise, let $\varphi_1 = e_1 \bullet p_1$ and $\varphi_2 = e_2 \bullet p_2$. We have four cases depending on the form of $e_1$ and $e_2$.

1. $e_1$ and $e_2$ are atomic expressions.

$\varphi = (e_1 \cap e_2) \bullet (p_1 \cap p_2) \mid (\varphi_1 \cap p_2) \mid (p_1 \cap \varphi_2)$

2. $e_1$ is an atomic expression and $e_2$ is a star expression.

$\varphi = (e_1 \cap e_2) \bullet (p_1 \cap \varphi_2) \mid (\varphi_1 \cap p_2)$

3. $e_1$ is a star expression and $e_2$ is an atomic expression.

$\varphi = (e_1 \cap e_2) \bullet (\varphi_1 \cap p_2) \mid (p_1 \cap \varphi_2)$

4. $e_1$ and $e_2$ are star expressions.

$\varphi = (e_1 \cap e_2) \bullet (\varphi_1 \cap p_2) \mid (e_1 \cap e_2) \bullet (p_1 \cap \varphi_2)$

Finally, if $\varphi_1 = p_1 \mid \cdots \mid p_{n_1}$ and $\varphi_2 = q_1 \mid \cdots \mid q_{n_2}$ are sums, then $\varphi = \varphi_{11} \mid \cdots \mid \varphi_{n_1 n_2}$, where $\varphi_{ij} = p_i \cap q_j$ for $i : 1 \le i \le n_1$ and $j : 1 \le j \le n_2$.

We prove that the algorithm is correct.

Proof. The case when φ1 and φ2 are expressions is obvious.


For products $\varphi_1$ and $\varphi_2$, we let $Alg(\varphi_1, \varphi_2)$ be the dlg computed by the algorithm (when given $\varphi_1$ and $\varphi_2$ as input). We show that $w \in Alg(\varphi_1, \varphi_2)$ if and only if $w \in \varphi_1 \cap \varphi_2$ for each word $w$.

Assume $w \in \varphi_1 \cap \varphi_2$. We show that $w \in Alg(\varphi_1, \varphi_2)$. We use induction on the number of expressions in $p_1$ and $p_2$. If either $\varphi_1$ or $\varphi_2$ is empty then the result follows trivially. Otherwise let $\varphi_1 = e_1 \bullet p_1$ and $\varphi_2 = e_2 \bullet p_2$ (as described by the algorithm). If $w \in p_1$ then $w \in p_1 \cap \varphi_2$. By the induction hypothesis it follows that $w \in Alg(p_1, \varphi_2)$. From the definition of the algorithm and downward closedness it follows that $w \in Alg(\varphi_1, \varphi_2)$. The case when $w \in p_2$ is similar. If $w \notin p_1$ and $w \notin p_2$, there are $w_1, w_2, w_3, w_4$ such that $w_1$ and $w_3$ are not empty, and $w = w_1 \bullet w_2 = w_3 \bullet w_4$, $w_1 \in e_1$, $w_2 \in p_1$, $w_3 \in e_2$, and $w_4 \in p_2$.

We consider four cases corresponding to those in the definition of the algorithm.

1. If $e_1$ and $e_2$ are atomic expressions. This means that $w_1 = w_3 = a$ for some $a$ in the alphabet, and that $w_2 = w_4$. By the induction hypothesis, it follows that $a \in Alg(e_1, e_2)$ and that $w_2 \in Alg(p_1, p_2)$. By definition of case 1 of the algorithm it follows that $w \in Alg(\varphi_1, \varphi_2)$.

2. If $e_1$ is an atomic expression and $e_2$ is a star expression. This means that $w_1 = a$, and that $w_3$ is of the form $a \bullet w_3'$. By downward closedness we know that $a \in e_2$ and that $w_3' \bullet w_4 = w_2 \in \varphi_2$. By the induction hypothesis, it follows that $a \in Alg(e_1, e_2)$ and that $w_2 \in Alg(p_1, \varphi_2)$. By definition of case 2 of the algorithm it follows that $w \in Alg(\varphi_1, \varphi_2)$.

3. Similar to case 2 above.

4. If $e_1$ and $e_2$ are star expressions. There are two symmetric cases: If $w_1$ is a prefix of $w_3$, that is, there is a $w_3'$ with $w_3 = w_1 \bullet w_3'$ (and therefore $w_2 = w_3' \bullet w_4$). By downward closedness we know that $w_1 \in e_2$ and that $w_3' \bullet w_4 = w_2 \in \varphi_2$. By the induction hypothesis, it follows that $w_1 \in Alg(e_1, e_2)$ and that $w_2 \in Alg(p_1, \varphi_2)$. By definition of case 4 of the algorithm it follows that $w \in Alg(\varphi_1, \varphi_2)$. If $w_3$ is a prefix of $w_1$, then the proof is similar.

Now, we consider the other direction. Suppose that $w \in Alg(\varphi_1, \varphi_2)$. Again, we use induction on the number of expressions in $p_1$ and $p_2$. The base case is similar to above. For the induction step, we have to prove the following:

1. $w \in \varphi_1 \cap p_2 \Rightarrow w \in \varphi_1 \cap \varphi_2$.

2. $w \in p_1 \cap \varphi_2 \Rightarrow w \in \varphi_1 \cap \varphi_2$.

3. $w \in (e_1 \cap e_2) \bullet (p_1 \cap p_2) \Rightarrow w \in \varphi_1 \cap \varphi_2$.

4. $w \in (e_1 \cap e_2) \bullet (\varphi_1 \cap p_2) \Rightarrow w \in \varphi_1 \cap \varphi_2$ when $e_1$ is a star expression.

5. $w \in (e_1 \cap e_2) \bullet (p_1 \cap \varphi_2) \Rightarrow w \in \varphi_1 \cap \varphi_2$ when $e_2$ is a star expression.

We show the proof for case 4. The other cases can be analysed in a similar manner.

Assume $w \in (e_1 \cap e_2) \bullet (\varphi_1 \cap p_2)$. Let $w_1, w_2$ be words such that $w = w_1 \bullet w_2$, $w_1 \in e_1 \cap e_2$ and $w_2 \in \varphi_1 \cap p_2$. Since $w_1 \in e_1$ and $w_2 \in \varphi_1$, we have $w \in e_1 \bullet \varphi_1$. Since $e_1$ is a star expression, we have $e_1 \bullet \varphi_1 = \varphi_1$. Also, $w_1 \in e_2$ and $w_2 \in p_2$ imply that $w \in \varphi_2$. Therefore, $w \in \varphi_1 \cap \varphi_2$.

Correctness of the case for sums follows immediately from correctnessfor products.

From this we conclude that

Theorem 8.1. Given dlgs φ1 and φ2, we can compute φ = φ1 ∩ φ2.
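The intersection procedure of this section, as an added worked example in Python (not the thesis's prototype code): word dlgs over the finite alphabet of Example 8.1 with the equality ordering, membership following (8.1)-(8.4), the three expression equalities and the four product cases, and a brute-force cross-check of the computed intersection against membership. The tuple/frozenset encoding and all function names are assumptions of this example.

```python
"""Added example (not the thesis's prototype): word dlgs over a finite alphabet
with the equality ordering, as in Example 8.1, plus the intersection algorithm
of Section 8.2.  With equality as the ordering, A^{not-succeq B} is just A - B.
Encoding assumed here: an expression is ('atom', B) or ('star', B) with B a
frozenset of letters; a product is a tuple of expressions (() denotes
{epsilon}); a dlg (sum) is a frozenset of products.
"""
from functools import lru_cache
from itertools import product as cartesian

ALPHABET = "abcd"  # the finite set of Example 8.1


def atom(*letters):
    return ("atom", frozenset(letters))


def star(*letters):
    return ("star", frozenset(letters))


def in_expr(e, w):
    """(8.1)/(8.2): an atomic expression yields one letter outside B or the
    empty word; a star expression yields any word over A - B."""
    kind, b = e
    if kind == "atom":
        return w == "" or (len(w) == 1 and w not in b)
    return all(c not in b for c in w)


@lru_cache(maxsize=None)
def in_product(p, w):
    """(8.3): w splits as w_1 ... w_m with each w_i in L(e_i)."""
    if not p:
        return w == ""
    return any(in_expr(p[0], w[:i]) and in_product(p[1:], w[i:])
               for i in range(len(w) + 1))


def in_dlg(phi, w):
    """(8.4): union over the products of the sum."""
    return any(in_product(p, w) for p in phi)


def expr_meet(e1, e2):
    """Section 8.2, expressions: the intersection is a star expression only
    when both inputs are star expressions; B is the union either way."""
    kind = "star" if e1[0] == "star" == e2[0] else "atom"
    return (kind, e1[1] | e2[1])


def prepend(e, phi):
    """e . phi, distributing the product over the sum."""
    return frozenset((e,) + p for p in phi)


@lru_cache(maxsize=None)
def product_meet(p1, p2):
    """Section 8.2, products phi1 = e1 . r1 and phi2 = e2 . r2: cases 1-4."""
    if not p1 or not p2:  # an empty product: its language is {epsilon}
        return frozenset({()})
    e1, r1, e2, r2 = p1[0], p1[1:], p2[0], p2[1:]
    head = expr_meet(e1, e2)
    if e1[0] == "atom" and e2[0] == "atom":  # case 1
        return (prepend(head, product_meet(r1, r2))
                | product_meet(p1, r2) | product_meet(r1, p2))
    if e1[0] == "atom":  # case 2
        return prepend(head, product_meet(r1, p2)) | product_meet(p1, r2)
    if e2[0] == "atom":  # case 3
        return prepend(head, product_meet(p1, r2)) | product_meet(r1, p2)
    return (prepend(head, product_meet(p1, r2))  # case 4
            | prepend(head, product_meet(r1, p2)))


def dlg_meet(phi1, phi2):
    """Section 8.2, sums: the union of the pairwise product intersections."""
    return frozenset().union(*(product_meet(p, q) for p in phi1 for q in phi2))


def words_up_to(n):
    for k in range(n + 1):
        for t in cartesian(ALPHABET, repeat=k):
            yield "".join(t)


def meet_agrees_with_membership(phi1, phi2, n=4):
    """Cross-check: the computed dlg accepts exactly the words of length
    <= n that lie in both input languages."""
    phi = dlg_meet(phi1, phi2)
    return all(in_dlg(phi, w) == (in_dlg(phi1, w) and in_dlg(phi2, w))
               for w in words_up_to(n))


# The dlgs of Example 8.1.
PHI1 = frozenset({(atom("a"), star("b", "c"))})
PHI2 = frozenset({(star("b", "d"), atom("c"))})
AT_MOST_ONE_A_AND_B = frozenset({
    (star("a", "b"), atom("a"), star("a", "b"), atom("b"), star("a", "b")),
    (star("a", "b"), atom("b"), star("a", "b"), atom("a"), star("a", "b")),
})


def example_81_holds(n=4):
    """The second dlg of Example 8.1 accepts exactly the words with at most
    one a and at most one b (checked up to length n)."""
    return all(in_dlg(AT_MOST_ONE_A_AND_B, w)
               == (w.count("a") <= 1 and w.count("b") <= 1)
               for w in words_up_to(n))
```

Because `product_meet` follows the four cases literally, the result is not simplified; the redundant products it may contain are exactly what the entailment-based simplification rules of Section 8.1 remove.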

A side effect of Theorem 8.1 is the following. Recall that $\preceq$ is a well quasi-ordering if for any infinite sequence $a_0, a_1, a_2, \ldots$ of elements in $A$ there are $i$ and $j$ with $i < j$ and $a_i \preceq a_j$. Then, we have

Theorem 8.2. For a well quasi-ordering $\preceq$ and a language $L$ that is downward closed with respect to $\preceq^*$, there is a dlg $\varphi$ such that $L = L(\varphi)$.

Proof. For a word $w$, we let $w\!\uparrow$ denote the set $\{w' \mid w \not\preceq^* w'\}$. Consider a word $w = a_1 a_2 \cdots a_k$. It is clear that $w\!\uparrow$ is equal to

$(A^{\not\succeq a_1})^* \bullet (A \cup \{\varepsilon\}) \bullet (A^{\not\succeq a_2})^* \bullet (A \cup \{\varepsilon\}) \bullet \cdots \bullet (A \cup \{\varepsilon\}) \bullet (A^{\not\succeq a_k})^*$

which, in turn, is characterized by the dlg

$({\ast\sim a_1}) \bullet (\sim \emptyset) \bullet ({\ast\sim a_2}) \bullet (\sim \emptyset) \bullet \cdots \bullet (\sim \emptyset) \bullet ({\ast\sim a_k})$

This gives the following

Lemma 8.3. For a word $w$ over $A$, there is a dlg $\varphi$ such that $L(\varphi) = w\!\uparrow$.

Now, assume a downward closed language $L$. The complement $\overline{L}$ is upward closed and can be characterized by its minimal elements, i.e., $\overline{L} = \min(\overline{L})\!\uparrow$. Let $\min(\overline{L})$ be the set $\{w_1, \ldots, w_n\}$. This set is finite by well quasi-ordering. It follows that $L = w_1\!\uparrow \cap \cdots \cap w_n\!\uparrow$.

By Lemma 8.3 we know that there are dlgs $\varphi_1, \ldots, \varphi_n$ such that $w_i\!\uparrow = \varphi_i$, and by Theorem 8.1 there is a dlg $\varphi = \varphi_1 \cap \cdots \cap \varphi_n$.


8.3 ENTAILMENT

In this section, we show how to check entailment between dlgs. Recall that we define the entailment relation $\sqsupseteq$ such that $\varphi_1 \sqsupseteq \varphi_2$ if and only if $L(\varphi_1) \subseteq L(\varphi_2)$. For dlgs $\varphi = p_1 \mid \cdots \mid p_n$ and $\varphi'$, it is clear that $\varphi \sqsupseteq \varphi'$ if and only if $p_i \sqsupseteq \varphi'$ for each $i : 1 \le i \le n$. Therefore, in the rest of this section, we concentrate on the problem of checking entailments of the form $p \sqsupseteq p_1 \mid \cdots \mid p_n$.

First, we consider the special case where all the products are expressions. We have

$e \sqsupseteq ({\ast\sim} B_1) \mid \cdots \mid ({\ast\sim} B_m) \mid (\sim B_{m+1}) \mid \cdots \mid (\sim B_n)$

if and only if either

• $e$ is an atomic expression $\sim B$, and $B \preccurlyeq (B_1 \sqcup \cdots \sqcup B_n)$; or

• $e$ is a star expression ${\ast\sim} B$, and there is an $i : 1 \le i \le m$ with $B \preccurlyeq B_i$.

From the above and the assumption on computability of $\preccurlyeq$ and $\sqcup$ (Section 8.1), we get the following lemma.

Lemma 8.4. For expressions $e, e_1, \ldots, e_n$, we can check whether $e \sqsupseteq e_1 \mid \cdots \mid e_n$.

Next, we consider the general case. For a product $p = e_1 \bullet \cdots \bullet e_n$, we define $\#p$ to be $\bigcup_{1 \le i \le n} L(e_i)$.

Consider a dlg $\varphi = p_1 \mid \cdots \mid p_n$. A factorization of $\varphi$ with respect to $e$ is a set $\{q_1, \ldots, q_m\}$ of (possibly empty) products, such that there is a partitioning $Q_1, Q_2$ of the set $\{p_1, \ldots, p_n\}$, where $Q_1$ is not empty. Furthermore, the set $Q_1$ is of the form $\{p_1' \bullet e_1 \bullet p_1'', \ldots, p_m' \bullet e_m \bullet p_m''\}$, and one of the following conditions is satisfied

• $e$ is an atomic expression and

$\#e_1 \cap \cdots \cap \#e_m \cap \#e \not\subseteq \#p_1' \cup \cdots \cup \#p_m' \cup \#Q_2$

Furthermore, either $e_i$ is an atomic expression and $q_i = p_i''$, or $e_i$ is a star expression and $q_i = e_i \bullet p_i''$, for each $i : 1 \le i \le m$.

• $e$ is a star expression, $e \sqsupseteq e_i$ for each $i : 1 \le i \le m$, and there is no expression $e'$ in any of the products in the set $\{p_1', \ldots, p_m'\} \cup Q_2$ with $e \sqsupseteq e'$. Furthermore, we have $q_i = e_i \bullet p_i''$ for each $i : 1 \le i \le m$.


Now we are ready to present the entailment algorithm. For products $p, p_1, \ldots, p_n$, where $p = e \bullet p'$, we have $p \sqsupseteq p_1 \mid \cdots \mid p_n$ if and only if either $p$ is empty or the following two conditions are satisfied:

1. $\#e \subseteq \#p_1 \cup \cdots \cup \#p_n$

2. For each factorization $\{q_1, \ldots, q_m\}$ of $\{p_1, \ldots, p_n\}$ with respect to $e$, it is the case that $p' \sqsupseteq q_1 \mid \cdots \mid q_m$.

In fact the above characterization gives us an algorithm for checking entailment. This follows from Lemma 8.4, computability of intersection (Section 8.2), and the fact that there are finitely many possible factorizations (limited by the number of products and the number of expressions in each product).

We give a proof of correctness of the algorithm.

Proof. For a product $p$ and a dlg $\varphi$, we use $Alg(p, \varphi)$ to indicate that the algorithm answers "yes" to the question whether $p \sqsupseteq \varphi$, and use $\neg Alg(p, \varphi)$ to indicate that the algorithm answers "no".

Suppose that $Alg(p, \varphi)$ holds. We show that $p \sqsupseteq \varphi$. We use induction on the number of atomic expressions in $p$.

Base Case. If $p$ is empty, the result is trivial.

Induction step. Let $\varphi$ be of the form $p_1 \mid \cdots \mid p_n$. Suppose that $p$ is of the form $e \bullet p'$. There are two cases:

1. $e$ is an atomic expression. Let $w \in p$. We show that $w \in \varphi$.

If $w \in p'$ then by definition of the algorithm, it follows that $Alg(p', \varphi)$, so by the induction hypothesis, we have $w \in \varphi$.

Otherwise, let $w$ be of the form $a \bullet w_1$ where $a \in e$ and $w_1 \in p'$. By definition of the algorithm, we know that there is a factorization of $\varphi$ with respect to $e$ of the form shown in the algorithm such that $a \in e_i$ for each $i : 1 \le i \le m$, and such that $p' \sqsupseteq q_1 \mid \cdots \mid q_m$. This means that $w_1 \in q_i$ for some $i : 1 \le i \le m$, and hence $w = a \bullet w_1 \in e_i \bullet q_i$. This implies $w \in \varphi$.

2. $e$ is a star expression. Let $w \in p$.

If $w \in p'$ then the same argument as in case 1 applies.

Otherwise, we know that $w = w_1 \bullet w_2$, where $w_1$ is not empty, $w_1 \in e$, and $w_2 \in p'$. By definition of the algorithm, we know that there is a factorization of $\varphi$ with respect to $e$ of the form shown in the algorithm such that $w_1 \in e_i$ for each $i : 1 \le i \le m$, and such that $p' \sqsupseteq q_1 \mid \cdots \mid q_m$. This means that $w_2 \in q_i$ for some $i : 1 \le i \le m$, and hence $w = w_1 \bullet w_2 \in e_i \bullet q_i$. This implies $w \in \varphi$.


Now, we show the other direction. Suppose $\neg Alg(p, \varphi)$. We show that there is a $w \in p$ such that $w \notin \varphi$. We use induction on the length of $p$.

Base Case. If $p$ is empty, then the result is trivial.

Induction Step. Let $p$ be of the form $e \bullet p'$. We distinguish between two cases.

1. $e$ is an atomic expression. We consider two subcases.

(a) If $\#e \not\subseteq \#p_1 \cup \cdots \cup \#p_n$ then there is an $a \in \#e$ with $a \notin \#p_1 \cup \cdots \cup \#p_n$. Take $w = a$.

(b) There is a factorization of $\varphi$ with respect to $e$ of the form shown in the algorithm, with $\neg Alg(p', q_1 \mid \cdots \mid q_m)$. By definition we know that there is $a \in e$ with $a \notin \#p_1' \cup \cdots \cup \#p_m' \cup \#Q_2$. Also, by the induction hypothesis we know that $p' \not\sqsupseteq q_1 \mid \cdots \mid q_m$, so there is $w_1 \in p'$ with $w_1 \notin q_1 \mid \cdots \mid q_m$. This implies that $a \bullet w_1 \notin p_i$ for each $i : 1 \le i \le n$. Take $w = a \bullet w_1$.

2. $e$ is a star expression. We consider two subcases.

(a) $\#e \not\subseteq \#p_1 \cup \cdots \cup \#p_n$. There is a $w_1 \in \#e$ with $w_1 \notin \#p_1 \cup \cdots \cup \#p_n$. Take $w = w_1^k$ ($w$ is the concatenation of $k$ copies of $w_1$), where $k$ is the largest number of expressions present in any $p_i$ with $i : 1 \le i \le n$. It is clear that $w \in e$ and hence $w \in p$, and that $w \notin p_i$ for each $i : 1 \le i \le n$.

(b) There is a factorization of $\varphi$ with respect to $e$ of the form shown in the algorithm, with $\neg Alg(p', q_1 \mid \cdots \mid q_m)$. It follows that there is a $w_1 \in e$ with $w_1 \notin \#p_1' \cup \cdots \cup \#p_m' \cup \#Q_2$. Define $k$ as in the previous case. Also, by the induction hypothesis, there is a $w_2 \in p'$ with $w_2 \notin q_1 \mid \cdots \mid q_m$. Take $w = w_1^k \bullet w_2$.

From this we conclude that

Theorem 8.5. For dlgs $\varphi_1$ and $\varphi_2$, we can check whether $\varphi_1 \sqsupseteq \varphi_2$.

8.4 MULTISETS

In the following sections, we show how to extend the theory presented in Sections 8.1 to 8.3 to data structures other than words, such as multisets, sets and vectors.

Assume a quasi-ordering $(A, \preceq)$. A multiset $\mathcal{M}$ over $A$ of size $n$ is a mapping from $\{1, \ldots, n\}$ to $A$. For $a \in A$, we write $\mathcal{M}(a)$ to denote the size of the set $\{i \mid \mathcal{M}(i) = a\}$. In other words, $\mathcal{M}(a)$ is the number of occurrences of $a$ in $\mathcal{M}$. We use $a \in \mathcal{M}$ to denote that $\mathcal{M}(a) \ge 1$. We define the ordering $\preceq^{\mathcal{M}}$ on the set $A^{\mathcal{M}}$ of multisets over $A$ as follows. For multisets $\mathcal{M}_1$ with size $n_1$ and $\mathcal{M}_2$ with size $n_2$, we have $\mathcal{M}_1 \preceq^{\mathcal{M}} \mathcal{M}_2$ if there is a (not necessarily monotonic) injection $h$ from $\{1, \ldots, n_1\}$ to $\{1, \ldots, n_2\}$ with $\mathcal{M}_1(i) \preceq \mathcal{M}_2(h(i))$ for every $i : 1 \le i \le n_1$. Notice that $\mathcal{M}_1 \preceq^{\mathcal{M}} \mathcal{M}_2$ means that for each element in $\mathcal{M}_1$ there is a corresponding larger element (with respect to $\preceq$) in $\mathcal{M}_2$.

A multiset language (over $A$) is a subset of $A^{\mathcal{M}}$. The notions of downward and upward closedness (with respect to $\preceq^{\mathcal{M}}$), complement, etc., are defined in a similar manner to words.

Now, we show how to use dlgs for characterizing downward closed multiset languages. We do that by introducing multiset dlgs, which are modifications of dlgs. The idea is to change the interpretation of the product operator, taking into consideration that it is commutative (in addition to being associative) in the case of multisets. More precisely, we take the new product operator, which we denote by $\odot$, to be multiset addition (rather than concatenation in the case of words). We also use $\circledast$ for multiset star expressions. This means that we change (8.2) and (8.3) in the definition of dlgs (Section 8.1), obtaining

$L(\sim B) = A^{\not\succeq B} \cup \{\varepsilon\}$ (8.5)

$L({\circledast\sim} B) = \{\mathcal{M}_1 + \mathcal{M}_2 + \cdots + \mathcal{M}_k \mid \mathcal{M}_1, \ldots, \mathcal{M}_k \in L(\sim B)\}$ (8.6)

$L(e_1 \odot \cdots \odot e_m) = \{\mathcal{M}_1 + \cdots + \mathcal{M}_m \mid \mathcal{M}_1 \in L(e_1), \ldots, \mathcal{M}_m \in L(e_m)\}$ (8.7)

$L(p_1 \mid \cdots \mid p_n) = L(p_1) \cup \cdots \cup L(p_n)$ (8.8)

Each multiset product $p$ can be simplified into a product $p'$ of the form

$({\circledast\sim} B) \odot (\sim B_1) \odot \cdots \odot (\sim B_m)$

such that $L(p) = L(p')$. This follows from the fact that all star expressions in $p$ can be merged into one, using the relation

$({\circledast\sim} B) \odot ({\circledast\sim} B') = {\circledast\sim} (B \sqcup B')$

In the sequel we will assume that all multiset dlgs are of this form.

Intersection

Computing intersection for multiset expressions and sums is done in the same manner as in the word case. Using the fact that multiset addition is commutative, we can derive the following algorithm for intersection of multiset dlg products. Suppose that we are given two products $p_1 = e_{11} \odot \cdots \odot e_{1k}$ and $p_2 = e_{21} \odot \cdots \odot e_{2m}$. Define $p_{1i}$ to be the result of deleting the expression $e_{1i}$ from $p_1$. Define $p_{2j}$ in a similar manner. Then, $p_1 \cap p_2$ is the union of all multiset dlgs $\varphi_{ij}$, for $i : 1 \le i \le k$ and $j : 1 \le j \le m$, computed according to one of the following four cases.

1. If $e_{1i}$ and $e_{2j}$ are atomic expressions:

$\varphi_{ij} = (e_{1i} \cap e_{2j}) \odot (p_{1i} \cap p_{2j})$.

2. If $e_{1i}$ is an atomic expression and $e_{2j}$ is a star expression:

$\varphi_{ij} = (e_{1i} \cap e_{2j}) \odot (p_{1i} \cap p_2)$.

3. If $e_{1i}$ is a star expression and $e_{2j}$ is an atomic expression:

$\varphi_{ij} = (e_{1i} \cap e_{2j}) \odot (p_1 \cap p_{2j})$.

4. If $e_{1i}$ and $e_{2j}$ are star expressions:

$\varphi_{ij} = (e_{1i} \cap e_{2j}) \odot (p_{1i} \cap p_2) \mid (e_{1i} \cap e_{2j}) \odot (p_1 \cap p_{2j})$

We give a proof of correctness of the algorithm.

Proof. For products $p_1$ and $p_2$, we let $Alg(p_1, p_2)$ be the dlg computed by the algorithm (when given $p_1$ and $p_2$ as input). We show that $\mathcal{M} \in Alg(p_1, p_2)$ if and only if $\mathcal{M} \in p_1 \cap p_2$ for each multiset $\mathcal{M}$.

Assume $\mathcal{M} \in p_1 \cap p_2$. We show that $\mathcal{M} \in Alg(p_1, p_2)$. We use induction on the number of expressions in $p_1$ and $p_2$. If either $p_1$ or $p_2$ is empty then the result follows trivially. Otherwise let $p_1 = e_{11} \odot \cdots \odot e_{1k}$ and $p_2 = e_{21} \odot \cdots \odot e_{2m}$ (as described by the algorithm). Let $\mathcal{M}$ be of the form $\mathcal{M}_1 + \mathcal{M}_2$ where $\mathcal{M}_1 \in e_{1i}$ and $\mathcal{M}_2 \in p_{1i}$ for some $i : 1 \le i \le k$. There are two cases.

1. $e_{1i}$ is an atomic expression. Since $\mathcal{M} \in p_2$ we know that there is $j$ such that $\mathcal{M}_1 \in e_{2j}$ and either $e_{2j}$ is atomic and $\mathcal{M}_2 \in p_{2j}$, or $e_{2j}$ is a star expression and $\mathcal{M}_2 \in p_2$.

(a) If $e_{2j}$ is atomic, then it follows that $\mathcal{M}_1 \in e_{1i} \cap e_{2j}$ and $\mathcal{M}_2 \in p_{1i} \cap p_{2j}$. By the induction hypothesis, we have that $\mathcal{M}_2 \in Alg(p_{1i}, p_{2j})$. It follows that $\mathcal{M} \in \varphi_{ij} = (e_{1i} \cap e_{2j}) \odot Alg(p_{1i}, p_{2j})$, i.e., $\mathcal{M} \in Alg(p_1, p_2)$.

(b) If $e_{2j}$ is a star expression we obtain the result by following the same reasoning as in the above case.


2. $e_{1i}$ is a star expression. Let $\mathcal{M} = \mathcal{M}_3 + \mathcal{M}_4$ such that there is $j$ with $\mathcal{M}_3 \in e_{2j}$ and either $e_{2j}$ is atomic and $\mathcal{M}_4 \in p_{2j}$, or $e_{2j}$ is a star expression and $\mathcal{M}_4 \in p_2$. Furthermore, either $\mathcal{M}_1 \le \mathcal{M}_3$ (see footnote 1) or $\mathcal{M}_3 \le \mathcal{M}_1$.

(a) If $e_{2j}$ is atomic, then $\mathcal{M}_1 = \mathcal{M}_3 + \mathcal{M}_1'$ and by downward closure we know that $\mathcal{M}_3 \in e_{1i}$ and $\mathcal{M}_1' + \mathcal{M}_2 = \mathcal{M}_4 \in p_1$. By the induction hypothesis, we have that $\mathcal{M}_4 \in Alg(p_1, p_{2j})$. It follows that $\mathcal{M} \in Alg(p_1, p_2)$.

(b) If $e_{2j}$ is a star expression then either $\mathcal{M}_3 \le \mathcal{M}_1$, in which case the reasoning in the previous case applies, or $\mathcal{M}_1 \le \mathcal{M}_3$, which is symmetric.

Now, we consider the other direction. Suppose that $\mathcal{M} \in Alg(p_1, p_2)$. Again, we use induction on the number of expressions in $p_1$ and $p_2$. The base case is similar to above. For the induction step, we have to prove the following:

1. $\mathcal{M} \in (e_{1i} \cap e_{2j}) \odot (p_{1i} \cap p_{2j}) \Rightarrow \mathcal{M} \in p_1 \cap p_2$.

2. $\mathcal{M} \in (e_{1i} \cap e_{2j}) \odot (p_1 \cap p_{2j}) \Rightarrow \mathcal{M} \in p_1 \cap p_2$ when $e_{1i}$ is a star expression.

3. $\mathcal{M} \in (e_{1i} \cap e_{2j}) \odot (p_{1i} \cap p_2) \Rightarrow \mathcal{M} \in p_1 \cap p_2$ when $e_{2j}$ is a star expression.

We show the proof for case 2. The other cases can be analysed in a similar manner.

Assume $\mathcal{M} \in (e_{1i} \cap e_{2j}) \odot (p_1 \cap p_{2j})$. Let $\mathcal{M}_1, \mathcal{M}_2$ be multisets such that $\mathcal{M} = \mathcal{M}_1 + \mathcal{M}_2$, $\mathcal{M}_1 \in e_{1i} \cap e_{2j}$ and $\mathcal{M}_2 \in p_1 \cap p_{2j}$. Since $\mathcal{M}_1 \in e_{1i}$ and $\mathcal{M}_2 \in p_1$, we have $\mathcal{M} \in e_{1i} \odot p_1$. Since $e_{1i}$ is a star expression, we have $e_{1i} \odot p_1 = p_1$. Also, $\mathcal{M}_1 \in e_{2j}$ and $\mathcal{M}_2 \in p_{2j}$ imply that $\mathcal{M} \in p_2$. Therefore, $\mathcal{M} \in p_1 \cap p_2$.

In a corresponding manner to words, we can show that each downward closed multiset language $L$ over a well quasi-ordered set can be characterized by a multiset dlg.

Entailment

We derive the multiset entailment algorithm from the algorithm for words (Section 8.3), using the fact that multiset addition is commutative. Entailment for sums where all products are expressions is the same as for words. We consider the general case.

Footnote 1: The relation $\le$ is defined by $\mathcal{M}_1 \le \mathcal{M}_2$ iff $\mathcal{M}_1(a) \le \mathcal{M}_2(a)$ for all $a$.


Consider a dlg $\varphi = p_1 \mid \cdots \mid p_n$. A factorization of $\varphi$ with respect to $e$ is a set $\{q_1, \ldots, q_m\}$ of (possibly empty) products, such that there is a partitioning $Q_1, Q_2$ of the set $\{p_1, \ldots, p_n\}$, where $Q_1$ is not empty. Furthermore, the set $Q_1$ is of the form $\{p_1' \odot e_1 \odot p_1'', \ldots, p_m' \odot e_m \odot p_m''\}$, and one of the following conditions is satisfied

• $e$ is an atomic expression and

$\#e_1 \cap \cdots \cap \#e_m \cap \#e \not\subseteq \#Q_2$

Furthermore, either $e_i$ is an atomic expression and $q_i = p_i' \odot p_i''$, or $e_i$ is a star expression and $q_i = p_i' \odot e_i \odot p_i''$, for each $i : 1 \le i \le m$.

• $e$ is a star expression, $e \sqsupseteq e_i$ for each $i : 1 \le i \le m$, and there is no expression $e'$ in any of the products in the set $Q_2$ with $e \sqsupseteq e'$. Furthermore, we have $q_i = p_i' \odot e_i \odot p_i''$ for each $i : 1 \le i \le m$.

Since the products are commutative, we can drop the requirement on prefixes, which was used in the algorithm for words, and we use the whole product (not only the postfix) in the next step of the analysis. When the requirement on prefixes is dropped, a subset of $L(e)$ may cause more than one factorization. Given a set $F = \{f_1, \ldots, f_k\}$ of factorizations, we let the union $f_1 \cup \cdots \cup f_k$ be the set $\{q_1, \ldots, q_M\}$. The number of such sets is finite due to the fact that it is limited by the number of possible factorizations, which is in turn limited by the number and sizes of the products.

For a factorization $f$, we will use $cause(f)$ to denote the subset of $L(e)$ that causes the factorization, that is, the set $\#e_1 \cap \cdots \cap \#e_m \cap \#e$. We say that a set $F = \{f_1, \ldots, f_k\}$ of factorizations is caused by the set $cause(f_1) \cap \cdots \cap cause(f_k)$, denoted by $cause(F)$.

Now we are ready to present the entailment algorithm. For products $p, p_1, \ldots, p_n$, where $p = e \odot p'$, we have $p \sqsupseteq p_1 \mid \cdots \mid p_n$ iff either $p$ is empty or the following two conditions are satisfied:

1. $\#e \subseteq \#p_1 \cup \cdots \cup \#p_n$

2. For each set $F$ of factorizations such that $cause(F)$ is nonempty and there is no factorization $f'$ with $cause(f') \subseteq cause(F)$, it is the case that $p' \sqsupseteq q_1 \mid \cdots \mid q_M$.

In fact the above characterization gives us an algorithm for checking entailment. This follows from Lemma 8.4, computability of intersection (Section 8.2), and the fact that there are finitely many possible factorizations (limited by the number of products and the number of expressions in each product).

We give a proof of correctness of the algorithm.


Proof. For a product $p$ and a dlg $\varphi$, we use $Alg(p, \varphi)$ to indicate that the algorithm answers "yes" to the question whether $p \sqsupseteq \varphi$, and use $\neg Alg(p, \varphi)$ to indicate that the algorithm answers "no".

Suppose that $Alg(p, \varphi)$ holds. We show that $p \sqsupseteq \varphi$. We use induction on the number of atomic expressions in $p$.

Base Case. If $p$ is empty, the result is trivial.

Induction step. Let $\varphi$ be of the form $p_1 \mid \cdots \mid p_n$. Suppose that $p$ is of the form $e \odot p'$. There are two cases:

1. $e$ is an atomic expression. Let $\mathcal{M} \in p$. We show that $\mathcal{M} \in \varphi$.

If $\mathcal{M} \in p'$ then by definition of the algorithm, it follows that $Alg(p', \varphi)$, so by the induction hypothesis, we have $\mathcal{M} \in \varphi$.

Otherwise, let $\mathcal{M}$ be of the form $a + \mathcal{M}_1$ where $a \in e$ and $\mathcal{M}_1 \in p'$. By definition of the algorithm, we know that there is a set $F$ of factorizations of $\varphi$ with respect to $e$ of the form shown in the algorithm such that $a \in cause(F)$. Let the union $\bigcup F$ be the set $\{q_1, \ldots, q_M\}$. We have that $a \in e_i$ for each $i : 1 \le i \le M$. We also know that $p' \sqsupseteq q_1 \mid \cdots \mid q_M$. This means that $\mathcal{M}_1 \in q_i$ for some $i : 1 \le i \le M$, and hence $\mathcal{M} = a + \mathcal{M}_1 \in e_i \odot q_i$. This implies $\mathcal{M} \in \varphi$.

2. $e$ is a star expression. Let $\mathcal{M} \in p$.

If $\mathcal{M} \in p'$ then the same argument as in case 1 applies.

Otherwise, we know that $\mathcal{M} = \mathcal{M}_1 + \mathcal{M}_2$, where $\mathcal{M}_1$ is not empty, $\mathcal{M}_1 \in e$ and $\mathcal{M}_2 \in p'$. By definition of the algorithm, we know that there is a factorization of $\varphi$ with respect to $e$ of the form shown in the algorithm such that $\mathcal{M}_1 \in e_i$ for each $i : 1 \le i \le m$, and such that $p' \sqsupseteq q_1 \mid \cdots \mid q_m$. Since we assume that there is at most one star expression in each product, we know that there is only one such factorization. This means that $\mathcal{M}_2 \in q_i$ for some $i : 1 \le i \le m$, and hence $\mathcal{M} = \mathcal{M}_1 + \mathcal{M}_2 \in e_i \odot q_i$. This implies $\mathcal{M} \in \varphi$.

We will now show the other direction. Suppose $\neg Alg(p, \varphi)$. We show that there is an $\mathcal{M} \in p$ such that $\mathcal{M} \notin \varphi$. We use induction on the length of $p$.

Base Case. If $p$ is empty, then the result is trivial.

Induction Step. Let $p$ be of the form $e \odot p'$. We distinguish between two cases.

1. $e$ is an atomic expression. We consider two subcases.


(a) If $\#e \not\subseteq \#p_1 \cup \cdots \cup \#p_n$ then there is an $a \in \#e$ with $a \notin \#p_1 \cup \cdots \cup \#p_n$. Take $\mathcal{M} = (a)$.

(b) There is a set $F$ of factorizations of $\varphi$ with respect to $e$ of the form shown in the algorithm such that $\neg Alg(p', q_1 \mid \cdots \mid q_M)$ where $\bigcup F = \{q_1, \ldots, q_M\}$. By definition we know that there is $a \in e$ with $a \notin \#Q_2$. Also, by the induction hypothesis we know that $p' \not\sqsupseteq q_1 \mid \cdots \mid q_M$, so there is $\mathcal{M}_1 \in p'$ with $\mathcal{M}_1 \notin q_1 \mid \cdots \mid q_M$. This implies that $a + \mathcal{M}_1 \notin p_i$ for each $i : 1 \le i \le n$. Take $\mathcal{M} = a + \mathcal{M}_1$.

2. $e$ is a star expression. We consider two subcases.

(a) $\#e \not\subseteq \#p_1 \cup \cdots \cup \#p_n$. There is an $\mathcal{M}_1 \in \#e$ with $\mathcal{M}_1 \notin \#p_1 \cup \cdots \cup \#p_n$. Take $\mathcal{M} = \mathcal{M}_1^k$ ($\mathcal{M}$ is the multiset sum of $k$ copies of $\mathcal{M}_1$), where $k$ is the largest number of expressions present in any $p_i$ with $i : 1 \le i \le n$. It is clear that $\mathcal{M} \in e$ and hence $\mathcal{M} \in p$, and that $\mathcal{M} \notin p_i$ for each $i : 1 \le i \le n$.

(b) There is a factorization of $\varphi$ with respect to $e$ of the form shown in the algorithm, with $\neg Alg(p', q_1 \mid \cdots \mid q_M)$. It follows that there is an $\mathcal{M}_1 \in e$ with $\mathcal{M}_1 \notin \#Q_2$. Define $k$ as in the previous case. Also, by the induction hypothesis, there is an $\mathcal{M}_2 \in p'$ with $\mathcal{M}_2 \notin q_1 \mid \cdots \mid q_M$. Take $\mathcal{M} = \mathcal{M}_1^k + \mathcal{M}_2$.

From this we conclude that

Theorem 8.6. For multiset dlgs φ1 and φ2, we can check whether φ1 ⊒ φ2.

8.5 SETS

A set is a special case of a multiset where each element occurs at most once. We let AS denote the set of sets over A. We define the ordering ≼S in the same manner as we did for ≼M. We define set dlgs in a similar manner to multisets by taking the product operator to be set union. Notice that this operator is now also idempotent. We can compute the intersection and entailment of two set dlgs using algorithms similar to those for multisets.

8.6 VECTORS

For a natural number k, we let Ak denote the set of vectors of size k over A. As usual, we write members of Ak as tuples (a1, . . . , ak), where a1, . . . , ak ∈ A. We define the ordering ≼k such that (a1, . . . , ak) ≼k (a′1, . . . , a′k) iff ai ≼ a′i for i : 1 ≤ i ≤ k. We define vector dlgs in a similar fashion to above. In fact, vector dlgs can be viewed as special cases of word dlgs where each product is of the form e1 ⊙ · · · ⊙ ek, where ei is an atomic expression. This enables us to allow vector dlgs where the atomic expressions are dlgs of different types. An example is (e1, e2) where e1 is a set dlg over a set A and e2 is a word dlg over B.

8.7 HIERARCHICAL DLGS

In this section, we present a methodology that enables us to derive dlgs in a hierarchical manner. Such dlgs are needed for example in the analysis of timed Petri nets (Section 6).

At the lowest level of the hierarchy, we consider dlgs of the form de-fined in Section 8.1 (possibly interpreted over multisets, sets, or vectors,rather than over words). Higher levels of the hierarchy are built by usingdlgs at a certain level as atomic expressions at the next level.

Formally, we define hierarchical dlgs as follows:

• A first-order dlg over an ordered set A is of the same form asdefined in Section 8.1. A dlg may be interpreted as a set of words,multisets, sets, vectors, etc.

• We build (k + 1)-order dlgs by taking the set of atomic expressions to be the set of k-order dlgs. We allow mixing different kinds of dlgs (word, multiset, set, and vector dlgs) at the different levels. For instance, a (k + 1)-order multiset dlg over the set A∗ is built by using atomic expressions that are (word) dlgs over the set A.

If dlgs at a certain level allow computability of intersection and entailment, then the same operations can be computed also at the next level. This is due to the fact that the algorithms presented in Section 8.1, Section 8.2, and Section 8.3 depend only on the fact that the corresponding operations are computable for atomic expressions. This gives the following theorem:

Theorem 8.7. Intersection and entailment are computable for hierar-chical dlgs.

In [4], simple regular expressions, which are first-order dlgs, were introduced (Section 8.10). In Section 8.8 we introduce a class of third-order dlgs and use them for verification of timed Petri nets.

Example 8.3. We show how to hierarchically build dlgs that generatewords over multisets over a finite alphabet.

We start with a finite set A = {a, b, c, d} and take the ordering to be equality. Examples of first-order multiset dlgs over A are φ1 = (∗∼ a) ⊙ (∼ {b, c}) and φ2 = (∗∼ {a, b, c}) ⊙ (∼ d). Multisets in the corresponding languages are (b², d³) ∈ φ1, (b⁴, a) ∈ φ1, (d⁴, b) ∈ φ2 and (d⁶, c) ∈ φ2. An example of a (word) dlg over AM is ψ = φ1∗ • φ2. The elements of L(ψ) are words over multisets over A, for example (b², d³) • (b⁴, a) • (d⁴, b) ∈ ψ.

8.8 REGION GENERATORS

In this section we introduce region generators, third-order dlgs which we use for verification of timed Petri nets.

Regions are predicates commonly used in verification of timed au-tomata [19]. We propose a formalism, called region generators, for defin-ing downward closed sets of markings in timed Petri nets. Regions can-not be used for characterizing such sets since they can only deal witha finite number of clocks. Intuitively, a region generator g correspondsto an infinite set of regions, and thus characterizes an infinite set ofmarkings, namely all markings belonging to regions generated by g.

We recall some basic concepts of regions. A region [19] defines theintegral parts of clock values up to max (the exact age of a token is ir-relevant if it is greater than max ), and also the ordering of the fractionalparts among clock values. For verification of timed Petri nets, we needto use a variant that also defines the place in which each token (clock)resides. Following Godskesen [56] we represent a region in the followingmanner. Each token in a marking satisfying a region is represented bya pair (p, n) (for simplicity of notation, we write such a pair as p(n)),where p is the place in which the token resides and n is the integral partof the age of the token. The region is defined by a triple (M0, w,Mmax )where

• M0 is a multiset of pairs (of the form p(n)) representing tokenswhose ages have fractional parts equal to 0.

• w is a word over multisets of pairs of the above form where pairsin the same multiset represent tokens whose ages have equal frac-tional parts. The order of the multisets in w corresponds to theorder of the fractional parts.

• Mmax is a multiset over P representing tokens with ages strictlygreater than max . Since the actual ages of these tokens are ir-relevant, the integer representing the integral part of their ages isomitted.


In Section 6, we defined an ordering on markings such that M1 ≼ M2 if there is a marking M3 such that we can derive M3 from M2 by deleting tokens and such that M1 and M3 belong to the same region.

A region generator is a third-order dlg constructed as follows.

• We start from the set of pairs of the form p(n). Notice that the set of such pairs is finite. At the first level, we build multiset dlgs over the set of pairs where the ordering is taken to be equality. Each such multiset is used to characterize a number of tokens whose ages have equal fractional parts. Using such dlgs we can express conditions of the form “there may exist an unbounded number of tokens in places p1 and p2 with equal fractional parts”.

• At the second level we build word dlgs over the dlgs in the firstlevel. These words are used to capture the ordering of fractionalparts in the same manner as in regions. We use these dlgs toexpress conditions of the form “there is an unbounded number oftokens with increasing fractional parts in places p1 and p2”.

• And finally, at the third level we build vector dlgs of the form(ψ0, φ, ψmax ) where

– ψ0 is a multiset dlg over P × {0, . . . ,max} and correspondsto M0 in a region.

– φ is a second-order dlg of the form described above.

– ψmax is a multiset dlg over P and corresponds to Mmax, where the ages of the tokens have been omitted.

Notice that a region generator characterizes a (potentially) infinite setL(g) of regions. Therefore, a region generator g characterizes also aninfinite set [[g]] of markings, namely all markings belonging to regions inthe language L(g). It is straightforward to show that [[g]] is downwardclosed with respect to ¹.

8.9 COMPUTING POST-IMAGES

We define a function Post such that for a region generator g, Post(g) is a set of region generators. Post(g) characterizes the downward closure of the set of markings that can be reached from a marking in [[g]] by a single transition. We define Post(g) to be the union of Postδ(g), which corresponds to performing timed transitions, and PostD(g), which corresponds to performing discrete transitions. Notice that, from each marking, an infinite number of timed transitions are possible (namely a timed transition corresponding to time progress by any nonnegative real number). Our algorithm computes the post-image of an input dlg with respect to all such transitions, i.e., it gives a dlg characterizing all markings that are reachable through progress of time from the original dlg.

We use the notation introduced in Section 8.4 for multisets. Also, we use ε to denote the word (multiset) dlg ψ such that L(ψ) only contains the empty word (multiset). We recall that, in a region generator, each first-order dlg is a multiset dlg defined over a finite set A, namely the set A = P × {0, . . . , max}, with the ordering being equality. Since we are dealing with a finite alphabet, we know that an atomic expression will have the form ∼ (A \ S) and that a star expression will have the form ~∼ (A \ S). In this section, we denote such expressions simply by S and S~, respectively. Furthermore, without loss of generality, we assume that all multiset products are of the form S~ ⊙ S1 ⊙ · · · ⊙ Sk such that S ∩ Si = ε and such that Si is a singleton for all i : 1 ≤ i ≤ k. It is straightforward to show that, for each multiset dlg, we can construct an equivalent multiset dlg of the above form.

Postδ

Postδ(g) is computed through an iterative procedure that simulates suc-cessively increasing the age of the tokens in the markings in [[g]]. Eachtime the aging makes the markings enter new regions, a set of regiongenerators characterizing these new regions is added to Postδ. After afinite number of steps, the procedure will terminate. More precisely,the procedure terminates when we reach a point where the newly addedregion generators characterize markings where token ages are all strictlygreater than max .

For an input region generator ginp, we compute Postδ(ginp), which characterizes the set of all markings reachable from ginp through progress of time. We compute Postδ(ginp) as a set of region generators as follows. We maintain two sets O and W of region generators. Intuitively, the set O contains those region generators that will be part of the set Postδ(ginp), while W is a waiting list of region generators that are yet to be analysed. We start with W = {ginp} and O = ∅. We perform a number of iterations. During each iteration we pick a region generator g ∈ W, move it to O, and add a number of new region generators to W and O as follows:

1. If g is of the form (ψ0, φ, ψmax), where ψ0 ≠ ε. In other words, the set of tokens with zero fractional parts is not empty. Let us consider the tokens in ψ0. The next thing that occurs when time advances is that the fractional parts of these tokens become positive, but smaller than the fractional parts of all other tokens. Furthermore, those tokens with integral parts equal to max will now have ages strictly greater than max. Each product p in ψ0 will add a new region generator (ε, young • φ, ψmax ⊙ old) to W. Intuitively, young and old are dlgs that correspond to “splitting” the set of tokens corresponding to ψ0 into two sets: those with integral parts strictly less than max (young), and those with integral parts equal to max (old). Since the fractional parts of the tokens in young are smaller than those of all other tokens, we put young first in the second component of the region generator. Also, the ages of the tokens in old are now strictly greater than max, so they are added to the third component of the region generator.

Formally, let p be of the form S~ ⊙ S1 ⊙ · · · ⊙ Sk. We define young to be of the form T~ ⊙ T1 ⊙ · · · ⊙ Tk, and define old to be of the form R~ ⊙ R1 ⊙ · · · ⊙ Rk, where

• p(n) ∈ T if and only if p(n) ∈ S and n < max .

• Ti = Si if Si is of the form {p(n)} and n < max . Otherwise,Ti = ε.

• p ∈ R if and only if p(max ) ∈ S.

• Ri = {p} if Si is of the form {p(max )}. Otherwise, Ri = ε.

2. If g is of the form (ε, w • ψ, ψmax ). In other words, there are notokens with zero fractional parts. Furthermore, the second com-ponent of the region generator is of the form w • ψ. That is, thelast expression ψ is an atomic expression (which is a multiset dlg).The tokens in ψ are those with highest fractional parts (amongthose tokens whose ages are not strictly greater than max ). Whentime increases the tokens corresponding to ψ will change age, suchthat their integral parts will be increased by one and their frac-tional parts will become equal to zero. This means that we addthe region generator (ψ′, w, ψmax ) to W , where ψ′ is derived fromψ by replacing each pair p(n) in ψ by the pair p(n + 1).

3. If g is of the form (ε, w • ψ∗, ψmax). In other words, there are no tokens with zero fractional parts. Furthermore, the second component of the region generator is of the form w • ψ∗. That is, the last expression ψ∗ is a star expression. This case is similar to the previous one. However, the tokens corresponding to ψ∗ now form an unbounded sequence with strictly increasing fractional parts. When time is increased, the elements of the sequence will successively reach a point where their integral part is increased by one and their fractional parts become equal to zero (in a similar manner to case 2), and then they are split (in a similar manner to case 1). We add a region generator

(ψ′, young∗ • w • ψ∗, ψmax ⊙ old~)

to O, and a region generator

(ψ′, young∗ • w, ψmax ⊙ old~)

to W, where

• ψ′ is derived from ψ in a similar manner to case 2. Let ψ′ beof the form c1| · · · |cm.

• young is of the form young1 | · · · | youngm, where youngi is derived from ci in a similar manner to case 1.

• p ∈ old if and only if p(max ) occurs in some of the productsc1, . . . , cm of ψ′.

Notice that we add one of the newly generated region generatorsdirectly to O (and its “successor” to W ). This is done in order toguarantee reaching the termination condition.

4. If g is of the form (ε, ε, ψmax ), i.e., all tokens have ages that arestrictly greater than max , then we do not add any elements to W .

The algorithm terminates when the set W becomes empty. In such acase, the set O will contain Postδ(ginp). Termination is guaranteed sincewe will eventually reach a point where all added region generators willonly characterize tokens with ages greater than max (i.e. will be of theform of case 4).
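As an added illustration (example code written for this edition, not part of the thesis or its prototype), the following Python program carries out the Postδ iteration above for region generators in the restricted form used in this section, where each component is a single product in the normal form S~ ⊙ S1 ⊙ · · · ⊙ Sk. The constant max is assumed to be 1, places are represented by strings, the data layout (a product as a pair of a frozen set and a tuple, word items tagged 'atom' or 'star') is the example's own, input is assumed well-formed (pairs in φ have integral part below max), and an empty young expression is dropped rather than kept as an ε atom.

```python
# Added example, not the thesis's own code: the Post_delta iteration of Section 8.9 for
# region generators whose components are single products S~ ⊙ S1 ⊙ ... ⊙ Sk.
# Assumptions: max = 1, place names are strings, an empty "young" expression is dropped.

MAX = 1  # the constant "max" of the timed Petri net (assumption for this example)

# A multiset product S~ ⊙ S1 ⊙ ... ⊙ Sk is the pair (S, (s1, ..., sk)): S is a frozenset of
# pairs p(n) written as tuples (p, n); the singletons are a tuple of such pairs.
EMPTY = (frozenset(), ())


def product(star, singles=()):
    """Normal form S ∩ Si = ∅: a singleton already covered by the star part is dropped."""
    star = frozenset(star)
    return (star, tuple(s for s in singles if s not in star))


def is_empty(c):
    return not c[0] and not c[1]


def mult(c1, c2):
    """c1 ⊙ c2 for two multiset products (used for psi_max ⊙ old)."""
    return product(c1[0] | c2[0], c1[1] + c2[1])


def age(c):
    """psi' of cases 2 and 3: every pair p(n) becomes p(n+1)."""
    return product({(p, n + 1) for p, n in c[0]}, tuple((p, n + 1) for p, n in c[1]))


def split(c):
    """Case 1: 'young' keeps the pairs with n < max; 'old' collects the places of pairs with n = max."""
    young = product({(p, n) for p, n in c[0] if n < MAX},
                    tuple((p, n) for p, n in c[1] if n < MAX))
    old = product({p for p, n in c[0] if n == MAX},
                  tuple(p for p, n in c[1] if n == MAX))
    return young, old


def post_delta(g_inp):
    """The set O of region generators reachable from g_inp by progress of time.

    A region generator is (psi0, phi, psimax): psi0 a multiset product over P x {0..max},
    phi a tuple of word items ('atom', c) or ('star', c), psimax a multiset product over P.
    """
    O, W = [], [g_inp]
    while W:
        g = W.pop()
        O.append(g)
        psi0, phi, psimax = g
        if not is_empty(psi0):                   # case 1: tokens with zero fractional part move first
            young, old = split(psi0)
            head = (('atom', young),) if not is_empty(young) else ()
            W.append((EMPTY, head + phi, mult(psimax, old)))
        elif phi:                                # cases 2 and 3: the last item of phi reaches the next integer
            kind, psi = phi[-1]
            w, psi2 = phi[:-1], age(psi)
            if kind == 'atom':                   # case 2
                W.append((psi2, w, psimax))
            else:                                # case 3: an unbounded sequence crosses the integer one by one
                young, _ = split(psi2)
                old_star = product({p for p, n in psi2[0] | frozenset(psi2[1]) if n == MAX})
                head = (('star', young),) if not is_empty(young) else ()
                newmax = mult(psimax, old_star)
                O.append((psi2, head + w + (('star', psi),), newmax))  # goes to O only: ensures termination
                W.append((psi2, head + w, newmax))
        # case 4: psi0 = ε and phi = ε, every token is older than max; nothing is added
    return O


if __name__ == "__main__":
    # constructed input: unboundedly many tokens of age exactly 0 in place A, nothing else
    g = (product({('A', 0)}), (), EMPTY)
    for psi0, phi, psimax in post_delta(g):
        print(psi0, phi, psimax)
```

Run on the constructed input, the iteration produces four generators: the input, the one where the A tokens have positive fractional parts (case 1), the one where they have reached age 1 (case 2), and finally (ε, ε, {A}~) where all of them are older than max (case 1 again, then case 4). Replacing the input by a star expression in the second component exercises case 3, and the extra generator placed directly in O is what keeps the loop finite.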

Postt

We define Postt(g) to be the post-image of g with respect to a transition t. PostD(g) is computed as the union of Postt(g) for all transitions t in the timed Petri net. We compute Postt(g) by defining two operations on region generators, namely addition and subtraction of tokens: an addition (subtraction) corresponds to adding (removing) a token in a certain age interval. The main challenge in defining these operations is posed by the hierarchical nature of region generators: an operation on one level of the hierarchy is defined in terms of the operation on the level below.

We start by defining addition and subtraction for multiset dlgs, de-fined over a finite set P ×{0, . . . ,max}, with the ordering being equality.


Given a multiset product c = S~ ⊙ S1 ⊙ · · · ⊙ Sk and a pair p(n), where p is a place and n is a natural number (the value of the integral part of the age of a token in p), we define the addition c ⊕ p(n) to be the multiset product c ⊙ p(n).

The subtraction c ⊖ p(n) is defined by the following three cases.

• If S contains the token we want to remove, that is p(n) ∈ S, then c ⊖ p(n) = c. Intuitively, the region generator in which c appears describes markings with an unbounded number of tokens each with an integral part equal to n, and each residing in place p. Therefore, after removing one such token, we will still be left with an unbounded number of them.

• If p(n) ∉ S and Si is of the form {p(n)} for some i : 1 ≤ i ≤ k, then c ⊖ p(n) = S~ ⊙ S1 ⊙ · · · ⊙ Si−1 ⊙ Si+1 ⊙ · · · ⊙ Sk.

• Otherwise, the operation is undefined.

For a multiset dlg ψ we define ψ ⊖ p(n) to be the set of all products c′ such that c′ = c ⊖ p(n) for some product c in ψ.

Now, we extend the operations to second-order word dlgs defined over multiset dlgs of the above form. The addition w ⊕ p(n) is a set of word products corresponding to the union of the following three sets.

• For each w1, w2, and ψ with w = w1 • ψ • w2, we have

w1 • (ψ ⊕ p(n)) • w2 ∈ (w ⊕ p(n)).

• For each w1, w2, and ψ with w = w1 • ψ∗ • w2, we have

w1 • ψ∗ • (ψ ⊕ p(n)) • ψ∗ • w2 ∈ (w ⊕ p(n)).

• For each w1 and w2 with w = w1 • w2, we have

w1 • p(n) • w2 ∈ (w ⊕ p(n)).

Intuitively, elements added according to the first two cases correspondto adding a token with a fractional part equal to that of some othertoken. In the third case the fractional part differs from all other tokens.

We define the subtraction w ⊖ p(n), where w is a word product, to be a set of word products, according to the following two cases.

• If there is a star expression containing the token we want to remove, that is if w is of the form w1 • ψ∗ • w2 and ψ ⊖ p(n) is defined, then w ⊖ p(n) = {w}.

• Otherwise, the set w ⊖ p(n) contains all word dlgs of the form w1 • ψ′ • w2 such that w is of the form w1 • ψ • w2 and ψ′ ∈ (ψ ⊖ p(n)). Notice that this set may be empty.

For a word sum, the result of addition and subtraction is the unionof the sets obtained by performing the same operations on the productsof the sum (in a similar manner to multisets above).

Now we describe how to use the addition and subtraction operations for computing Postt. Addition and subtraction of pairs of the form p(n) can easily be extended to pairs of the form p(N), N ⊆ {0, . . . , max}, where g ⊖ p(N) characterizes all markings that belong to g ⊖ p(n) for some n ∈ N. g ⊕ p(N) is defined in a similar manner.

We recall that, in a timed Petri net, the effect of firing a transition is to remove tokens from the input places and add tokens to the output places. Furthermore, the tokens that are added or removed should have ages in the corresponding intervals. The effect of firing transitions from the set of markings characterized by a region generator g = (ψ0, φ, ψmax) can therefore be defined by the following operation. We assume an (open or closed) interval I of the form [a : b]. The subtraction g ⊖ (p, I) consists of the following region generators.

• (ψ0 ⊖ p(N), φ, ψmax) where N is the subset of {0, . . . , max} that lies in the interval I. Intuitively, if the age of the token that is removed has a zero fractional part, then N contains the valid choices of integral part.

• (ψ0, φ ⊖ p(N), ψmax) where N is the subset of {0, . . . , max} whose elements n satisfy a ≤ n < b, i.e., each n is a valid choice of integral part for the age of the token if it has a non-zero fractional part.

• (ψ0, φ, ψmax ⊖ p) if I is of the form [a : ∞], i.e., the age of the token may be greater than max.

Addition is defined in a similar manner.
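As an added illustration of the operations just defined (example code written for this edition, not the thesis's own code or prototype), the following Python program implements addition and subtraction of a token on multiset products and on word products, and the subtraction g ⊖ (p, I) of a token with age in an interval from a region generator. The assumptions are the same as in the Postδ example: max = 1, places are strings, each component of a region generator is a single product in normal form, the data layout is the example's own, and an interval [a : b] is passed as its bounds together with two flags saying whether each end is closed, with b allowed to be infinite.

```python
# Added example, not the thesis's own code: token addition/subtraction on multiset products,
# on word products, and the operation g ⊖ (p, I) used for Post_t in Section 8.9.
# Assumptions: max = 1, place names are strings, single-product components, intervals
# given as (lo, hi, lo_closed, hi_closed) with hi possibly math.inf.
import math

MAX = 1  # the constant "max" of the timed Petri net (assumption for this example)
EMPTY = (frozenset(), ())


def product(star, singles=()):
    """Multiset product S~ ⊙ S1 ⊙ ... ⊙ Sk as (S, (s1, ..., sk)) in normal form S ∩ Si = ∅."""
    star = frozenset(star)
    return (star, tuple(s for s in singles if s not in star))


def m_add(c, tok):
    """c ⊕ p(n) = c ⊙ p(n)."""
    return product(c[0], c[1] + (tok,))


def m_sub(c, tok):
    """c ⊖ p(n): unchanged if the star part covers the token, drop one singleton, else undefined (None)."""
    star, singles = c
    if tok in star:
        return c
    if tok in singles:
        i = singles.index(tok)
        return (star, singles[:i] + singles[i + 1:])
    return None


def w_add(w, tok):
    """w ⊕ p(n) for a word product w (tuple of ('atom', c) / ('star', c)): the three cases of the text."""
    out = set()
    for i, (kind, psi) in enumerate(w):
        if kind == 'atom':                     # same fractional part as the tokens of an atomic expression
            out.add(w[:i] + (('atom', m_add(psi, tok)),) + w[i + 1:])
        else:                                  # same fractional part as one element of a star sequence
            out.add(w[:i] + (('star', psi), ('atom', m_add(psi, tok)), ('star', psi)) + w[i + 1:])
    for i in range(len(w) + 1):                # a fractional part different from every other token
        out.add(w[:i] + (('atom', product((), (tok,))),) + w[i:])
    return out


def w_sub(w, tok):
    """w ⊖ p(n): {w} if some star expression can supply the token, otherwise subtract inside one atom."""
    if any(kind == 'star' and m_sub(psi, tok) is not None for kind, psi in w):
        return {w}
    out = set()
    for i, (kind, psi) in enumerate(w):
        if kind == 'atom':
            r = m_sub(psi, tok)
            if r is not None:
                out.add(w[:i] + (('atom', r),) + w[i + 1:])
    return out                                 # may be empty: the token cannot be removed


def rg_sub(g, place, lo, hi, lo_closed=True, hi_closed=True):
    """g ⊖ (p, I): remove one token of place p whose age lies in I from the region generator g."""
    psi0, phi, psimax = g
    out = set()
    for n in range(MAX + 1):
        # zero fractional part: the age is exactly n, so n itself must lie in I
        if (lo < n or (lo == n and lo_closed)) and (n < hi or (n == hi and hi_closed)):
            r = m_sub(psi0, (place, n))
            if r is not None:
                out.add((r, phi, psimax))
        # non-zero fractional part: the age is n + f with 0 < f < 1, which lies in I iff lo <= n < hi
        if lo <= n < hi:
            for w2 in w_sub(phi, (place, n)):
                out.add((psi0, w2, psimax))
    if hi == math.inf:                         # the token may be older than max: take it from psi_max
        r = m_sub(psimax, place)
        if r is not None:
            out.add((psi0, phi, r))
    return out


if __name__ == "__main__":
    # constructed region generator in the style of Figure 8.1: unboundedly many A tokens of age 0,
    # one U token of age 0, an unbounded increasing sequence of A tokens, and A tokens past max
    g = (product({('A', 0)}, (('U', 0),)), (('star', product({('A', 0)})),), product({'A'}))
    print(rg_sub(g, 'U', 0, 0))                 # the U token is removed from psi0
    print(rg_sub(g, 'U', 1, math.inf))          # empty: no U token is old enough
    print(rg_sub(g, 'A', 0, 1, True, False))    # {g}: one A token fewer is still unboundedly many
```

The three calls at the end show the behaviour a practitioner should expect: removing the only U token with age [0 : 0] yields a generator without it, asking for a U token of age at least 1 yields the empty set (the transition is not enabled from any marking in [[g]]), and removing an A token of age in [0 : 1) returns g itself, since the star expressions describe an unbounded supply and the represented set is downward closed.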

8.10 OTHER MODELS

In this section we will show how dlgs can be used to explain existing representations used in forward reachability analysis of classes of infinite-state systems other than timed Petri nets.

Lossy Channel Systems

A lossy channel system [10] consists of a finite-state process that operates on a set of unbounded FIFO buffers, which are unreliable in the sense that they can nondeterministically lose messages. A state of a lossy channel system defines the local state of the process, and the contents of the channels, which are described as words over a finite alphabet. In [4, 3], Simple Regular Expressions (SREs) are considered and used to characterize sets of reachable states in lossy channel systems. Algorithms for computing post-images of SREs are also presented. SREs are first-order word dlgs, where the underlying alphabet is finite and where the ordering on the alphabet is equality.

Petri Nets

Recall that a Petri net is a special case of a timed Petri net where the ages of the tokens are irrelevant. Sets of markings of a Petri net can be represented by multiset dlgs over a finite set (of places). This implies that the algorithms of Section 8.8 can also be applied to Petri nets. Dedicated and efficient symbolic representations for forward analysis of Petri nets are presented in [52].

8.11 EXPERIMENTAL RESULTS

We have implemented a prototype that can be used to prove invariants of timed Petri nets. The tool is based on region generators and contains implementations of intersection, entailment checking, membership checking and Post. We have used our prototype to verify Fischer's protocol (Section 6.2).

We prove that mutual exclusion is guaranteed by providing a set ofregion generators and then verifying that the set is an invariant. The mu-tual exclusion property is specified as an upward closed set U , where Uis characterized by its set of minimal elements. Therefore, the emptinessof intersection of U with the invariant is equivalent to the membershipof the set of minimal elements in the invariant.

Figure 8.1 shows the invariant used in our analysis. The post-imageof the invariant, computed by our tool, consists of a set of region gener-ators all of which are subsumed by region generators in the invariant.

The implementation takes 1.01 s and 2 MB of memory to compute the 21 region generators in the post-image of the invariant due to discrete transitions and the 9 region generators due to timed transitions, on an Intel Pentium III 1 GHz processor with 256 MB RAM.

8.12 RELATED WORK

The work presented here is a generalization of that in [4, 3], where simple regular expressions (SRE) are presented as representations for downward closed languages over a finite alphabet. The main difference is that in this work, we allow infinite alphabets and we also work with other data structures than words. This is crucial for several classes of infinite-state systems such as timed Petri nets, which are beyond the capabilities of the theory of SREs.

g1 = ({A(0), A(1), B(0), B(1), C(0), C(1)}~ ⊙ {U(0), U(1)}, ({A(0), B(0), C(0)}~)∗, {A, B, C}~)

g2 = ({A(0), A(1), B(0), B(1), C(0), C(1)}~, ({A(0), B(0), C(0)}~)∗ • ({A(0), B(0), C(0)}~ ⊙ U(0)) • ({A(0), B(0), C(0)}~)∗, {A, B, C}~)

g3 = ({A(0), A(1), B(0), B(1), C(0), C(1)}~, ({A(0), B(0), C(0)}~)∗, {A, B, C}~ ⊙ U)

g4 = ({A(0), A(1), B(0), B(1), C(0), C(1)}~ ⊙ C!(0), ({A(0), B(0), C(0)}~)∗, {A, B, C}~)

g5 = ({A(0), A(1), B(1), C(0), C(1)}~, ({A(0), C(0)}~)∗ • ({A(0), B(0), C(0)}~ ⊙ C!(0)) • ({A(0), B(0), C(0)}~)∗, {A, B, C}~)

g6 = ({A(0), A(1), B(1), C(0), C(1)}~ ⊙ C!(1), ({A(0), C(0)}~)∗, {A, B, C}~)

g7 = ({A(0), A(1), C(0), C(1)}~, ({A(0), C(0)}~)∗, {A, B, C}~ ⊙ C!)

g8 = ({A(0), A(1), C(0), C(1)}~ ⊙ {CS!(0), CS!(1)}, ({A(0), C(0)}~)∗, {A, B, C}~)

g9 = ({A(0), A(1), C(0), C(1)}~, ({A(0), C(0)}~)∗ • ({A(0), C(0)}~ ⊙ CS!(0)) • ({A(0), C(0)}~)∗, {A, B, C}~)

g10 = ({A(0), A(1), C(0), C(1)}~, ({A(0), C(0)}~)∗, {A, B, C}~ ⊙ CS!)

Figure 8.1: An invariant of Fischer's protocol.

Both [38] and [52] consider Petri nets and give symbolic representations for upward closed and downward closed sets of markings, respectively. [50] gives a symbolic representation for FIFO automata. Since these representations are designed for weaker models (Petri nets and FIFO automata), they are not sufficiently powerful for capturing the behaviour of timed Petri nets.

[12] also considers timed Petri nets and represents upward closed sets of markings by existential regions, i.e., existentially quantified constraints. Each existential region corresponds to a region as defined in the classical theory of timed automata [19]. A region generator, as presented here, corresponds to the union of an infinite number of regions and represents a downward closed set of markings. Both existential regions and region generators can model markings with unbounded numbers of clocks and are therefore strictly more powerful than regions.


Chapter 9

Undecidability

In the literature, a number of logics have been used to specify properties of systems. In model checking concurrent programs, different temporal logics have proven useful. There are two types of temporal logics: linear-time and branching-time. Linear-time temporal logics consider only one possible future, while branching-time logics consider several alternative futures and have quantifiers over the set of futures. We will now give a brief overview of the decidability of different types of temporal logic formulae for Petri nets and timed Petri nets.

First, we note that the reachability problem, that is the question of whether a specific marking is reachable from the initial marking, is decidable for Petri nets. For timed Petri nets, on the other hand, the reachability problem is undecidable [91]. The coverability problem, i.e., the question of whether an upward closed set of markings is reachable, is decidable, however. Since the sets of bad markings in safety properties are usually upward closed, coverability is sufficient to check safety properties. In Chapter 7 we show how to characterize the set of markings from which a set of markings is reachable.

All branching-time logics are undecidable for Petri nets [43]. So, for example, CTL model checking is undecidable for Petri nets. It is even undecidable to model check fragments of CTL, such as the logics EF [74], where you can express formulae of the form “in some future, eventually φ”, and EG, where you have formulae of the form “there is a future in which φ always holds”. Since (standard) Petri nets are a subclass of timed Petri nets, it follows that branching-time logics are undecidable for timed Petri nets.

Model checking action-based linear-time temporal logic, e.g. LTL,formulae for Petri nets is decidable [42]. In [29], Bouajjani and Mayrshowed that the set of markings that satisfies such a formula can beconstructed effectively.


If state-based predicates, e.g. “at least 5 tokens in place p” or “at most 3 tokens in place q”, are added to a temporal logic, the result is a generalized logic that is undecidable for Petri nets [43] and hence also for timed Petri nets. State-based predicates do not affect decidability in finite-state model checking and are indeed used in some checkers, for example SPIN [62].

We will now show that action based linear-time temporal logics, suchas LTL, are undecidable for timed Petri nets. Recall that LTL is decid-able for untimed Petri nets.

9.1 UNDECIDABILITY OF LTL

In the following we show that action-based linear-time temporal logic (LTL) is undecidable for timed Petri nets. In fact, we show that it is already undecidable to check a certain fixed property expressible in LTL. More precisely, we show undecidability of whether there is a computation of the timed Petri net along which a given transition is fired infinitely often. The undecidability result is shown through a reduction from a similar problem for lossy counter machines [73]. The reduction is a modification of a reduction of a problem for (non-lossy) 2-counter machines, which was used to prove undecidability of reachability for a model similar to timed Petri nets in [91].

9.2 THE RECURRENT PLACE PROBLEM

For a marking M0 of a timed Petri net N, an M0-computation c of N is of the form M0, M1, M2, . . ., where Mi −→ Mi+1, for i ≥ 0. We say that c visits a place p infinitely often if there are infinitely many i such that Mi(p) ≠ ∅. The recurrent place problem for timed Petri nets (RPP-TPN) is defined as follows.

Instance A timed Petri net N , a marking M of N and a place p of N .

Question Is there an M -computation of N visiting p infinitely often?

In Theorem 9.2, we will show that RPP-TPN is undecidable.

9.3 LOSSY COUNTER MACHINES

A lossy counter machine (LCM) is a tuple L = (Q, C, δ), where Q is a finite set of states, C is a finite set of counters and δ is a finite set of transitions. A transition is a triple of the form (q1, instr, q2), where q1, q2 ∈ Q and instr is an instruction. An instruction is of one of the following three forms:

• c+ which increases the value of counter c by 1.


• c− which decreases the value of counter c by 1.

• c? which tests whether the value of counter c is equal to 0.

A configuration γ of L is of the form (q,Val), where q ∈ Q and Val isa mapping from the set C of counters to the set N of natural numbers.We define a transition relation −→ on the set of configurations such that(q1,Val1) −→ (q2,Val2) if and only if one of the following conditions issatisfied:

1. (q1, c+, q2) ∈ δ, Val2(c) = Val1(c) + 1 and Val2(c′) = Val1(c′) ifc′ 6= c.

2. (q1, c−, q2) ∈ δ, Val1(c) > 0, Val2(c) = Val1(c)− 1 and Val2(c′) =Val1(c′) if c′ 6= c.

3. (q1, c?, q2) ∈ δ, Val1(c) = 0 and Val2 = Val1.

4. q2 = q1, Val2(c) = Val1(c) − 1 for some c ∈ C, and Val2(c′) =Val1(c′) if c′ 6= c.

Let γ0 be a configuration. A γ0-computation π of L is of the formγ0, γ1, γ2, . . ., where γi −→ γi+1, for i ≥ 0. For a state q ∈ Q, we saythat π visits q infinitely often if there are infinitely many i such that γi isof the form (q,Val i). The recurrent state problem for LCMs (RSP-LCM)is defined as follows.

Instance A LCM L, a configuration γ of L and a state q of L.

Question Is there a γ-computation of L visiting q infinitely often?
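As an added illustration (example code written for this edition, not part of the thesis), the following Python program implements the transition relation of a lossy counter machine as defined above, including the spontaneous loss rule (4), and a search for a γ-computation that visits a given state infinitely often. Because RSP-LCM is undecidable, the search is necessarily bounded: counter values are capped at an assumed bound, so it can only find a recurring state (a reachable configuration in the target state that lies on a cycle), never refute one. The machine, the instruction encoding ("c+", "c-", "c?") and the configuration layout are this example's own constructions.

```python
# Added example, not the thesis's own code: the LCM transition relation of Section 9.3
# (rules 1-4) and a bounded search for a computation visiting a state infinitely often.
# Assumption: counter values are capped at `bound` during the search, since RSP-LCM is
# undecidable (Theorem 9.1); every explored step is a real transition, so a cycle found is real.
from collections import deque

# An LCM is (Q, C, delta); delta holds triples (q1, instr, q2) with instr one of "c+", "c-", "c?".
# A configuration is (q, val) with val a tuple of counter values in the order of C.


def successors(lcm, config, lossy=True, bound=None):
    Q, C, delta = lcm
    q, val = config

    def update(c, d):
        i = C.index(c)
        return val[:i] + (val[i] + d,) + val[i + 1:]

    out = set()
    for q1, instr, q2 in delta:
        if q1 != q:
            continue
        c, op = instr[:-1], instr[-1]
        v = val[C.index(c)]
        if op == '+' and (bound is None or v < bound):  # rule 1 (capped at bound, see above)
            out.add((q2, update(c, +1)))
        elif op == '-' and v > 0:                        # rule 2
            out.add((q2, update(c, -1)))
        elif op == '?' and v == 0:                       # rule 3
            out.add((q2, val))
    if lossy:                                            # rule 4: any counter may lose one unit
        for c in C:
            if val[C.index(c)] > 0:
                out.add((q, update(c, -1)))
    return out


def reachable(lcm, start, **kw):
    """All configurations reachable from start (finite thanks to the bound)."""
    seen, todo = {start}, deque([start])
    while todo:
        for s in successors(lcm, todo.popleft(), **kw):
            if s not in seen:
                seen.add(s)
                todo.append(s)
    return seen


def recurs(lcm, start, target, lossy=True, bound=3):
    """True iff, within the bounded state space, a configuration in state `target` that is reachable
    from `start` lies on a cycle, i.e. some start-computation visits `target` infinitely often."""
    for s in reachable(lcm, start, lossy=lossy, bound=bound):
        if s[0] != target:
            continue
        frontier = set()
        for t in successors(lcm, s, lossy=lossy, bound=bound):
            frontier |= reachable(lcm, t, lossy=lossy, bound=bound)
        if s in frontier:
            return True
    return False


# constructed machine: q0 --c+--> q1 --c?--> q0.  Without losses it is stuck in q1 after one
# step (c = 1, so the zero test never fires); with losses the counter can drop to 0, so q0 recurs.
LCM = (('q0', 'q1'), ('c',), (('q0', 'c+', 'q1'), ('q1', 'c?', 'q0')))

if __name__ == "__main__":
    print(recurs(LCM, ('q0', (0,)), 'q0', lossy=True))
    print(recurs(LCM, ('q0', (0,)), 'q0', lossy=False))
```

The two-state machine makes the role of rule (4) visible: with the loss rule switched off the search reports that q0 cannot recur, with it switched on the configuration (q0, 0) is found on a cycle. This is the same lossiness that the reduction in Section 9.4 simulates by letting the age of a counter token pass 1 or by firing a loss transition.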

Theorem 9.1 (Mayr [73]). RSP-LCM is undecidable.

9.4 UNDECIDABILITY PROOF

We show that RPP-TPN (see Section 9.2) is undecidable through a reduction from RSP-LCM (Section 9.3). It is straightforward to show that RPP-TPN is reducible to the problem of checking whether there is a computation of the timed Petri net along which a given transition is fired infinitely often. It follows that (action-based) LTL is also undecidable.

Theorem 9.2. RPP-TPN is undecidable.

We show this through a reduction from RSP-LCM.

Theorem 9.3. RSP-LCM can be reduced to RPP-TPN.

Figure 9.1: (a) Simulating the operation of increasing a counter. (b) Simulating the operation of decreasing a counter. (Figure not reproduced; it shows places q1, q2 and c with arc intervals [0:0] and [0:1).)

Proof. We say that an instance of RSP-LCM or RPP-TPN is a positive instance if there is a computation such that the state or place is visited infinitely often, that is, if the answer to the question in the definition of the problem is yes. Given an instance of RSP-LCM we construct an instance of RPP-TPN such that one of them is a positive instance if and only if the other one is a positive instance. Suppose that we are given an instance of RSP-LCM, that is, an LCM L, a configuration γ of L and a state q of L. We construct an equivalent instance of RPP-TPN; in other words we derive a timed Petri net N, a marking M of N and a place p of N, such that RPP-TPN has a positive answer if and only if RSP-LCM has a positive answer.

Suppose that LCM L = (Q, C, δ). We construct a corresponding timed Petri net N = (P, T, In, Out) as follows. For each state q ∈ Q there is a place in P which we call place q. We use PQ to denote the set of places of N corresponding to states. Also, for each counter c ∈ C there is a place in P which we call place c. We use PC to denote the set of places corresponding to counters. Intuitively, the state of L is defined in N by the element of PQ that contains a token. (The timed Petri net N satisfies the invariant that there is at most one place in PQ that contains a token.) The value of counter c in L is defined in N by the number of tokens in place c which have ages less than 1 (tokens that have ages more than 1 are considered to have been lost and do not affect the value of the counter). Losses in L are simulated either by making the age of the token at least 1, or by firing a special loss transition that can always remove tokens from the places in PC. The flow relation corresponding to In and Out reflects these properties and is defined as follows.

• A transition (q1, c+, q2) in δ is simulated by a transition in T whichis of the form in Figure 9.1(a). The transition moves a token fromplace q1 to place q2 and adds a token to place c.

Figure 9.2: Simulating the operation of testing the value of a counter. (Figure not reproduced; it shows places q1, q2, r1, r2, c1, . . . , cn, transitions t, t′, t1, . . . , tn, and arc intervals [0:0], [1:1] and [0:1).)

• A transition (q1, c−, q2) in δ is simulated by a transition in T whichis of the form in Figure 9.1(b). The transition moves a token fromplace q1 to place q2 and removes a token from place c.

• Transitions of the form (q1, c?, q2) have the most complicated simulations. The construction is shown in Figure 9.2. We use two intermediate places r1 and r2. The transition t is first fired, adding a token to each of the places r1 and r2. The token in r2 will either stay in r2 for exactly one time unit, or it will stay in place r2 forever, after which no tokens will ever reside in any place in PQ. The idea is that we reset the value of counter c to 0 by making the ages of all tokens in place c at least 1. Observe that we simulate testing for 0 in L by resetting the counter in N. This is possible since L is lossy and therefore may choose to decrease the counter c to 0 each time c is tested for 0. Furthermore, in order to avoid resetting the values of the rest of the counters, we add, for each c′ ∈ C − {c}, a new transition. In Figure 9.2, we assume that C − {c} = {c1, . . . , cn}, and thus we add the transitions t1, . . . , tn. These transitions are used to refresh the ages of the tokens in the places in PC − {c}. For instance, if a token in place c1 is about to reach age 1 and thus become too old, the transition t1 can be fired, replacing the token by a fresh token with age 0. When the transition t′ is fired, the new control state will be q2, and each token in place c will have an age that is at least 1. The resulting marking will therefore correspond to the counter c having the value 0. We also observe that the refreshing process for the rest of the counters will be stopped after firing t′, since the token in r1 will now be removed.

Figure 9.3: Simulating losses. (Figure not reproduced; it shows the transitions loss1, . . . , lossn.)

• For each place c in PC there is a transition that we call lossc (Figure 9.3).

Consider a marking M of N and a configuration γ = (q,Val) of L.We say that M is an encoding of γ if M contains one token in place qand the number of tokens with ages less than 1 in place c is equal toVal(c). Furthermore, all other places in M are empty.

We derive N from L as described above. We define M to be theencoding of γ and define p to be q.
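The LCM semantics of Section 9.3 and the encoding relation just defined, as an added worked example that is not part of the thesis: a small Python model that enumerates the successors of an LCM configuration (the three instructions plus the lossy step, rule 4), checks whether a timed Petri net marking (a multiset of tokens with ages) is an encoding of a configuration, and searches a counter-bounded fragment of the configuration graph for a computation visiting a given state infinitely often. The function names, the tuple representations and the example machine are assumptions of this illustration. Since Theorem 9.1 says RSP-LCM is undecidable, the bounded search is only a semi-decision: a positive answer is sound, while a negative answer only means nothing was found within the bound.

```python
from typing import Dict, Iterable, Set, Tuple

# Added illustration, not the thesis' code. A configuration (q, Val) is a pair of a
# state name and a sorted tuple of (counter, value) pairs so that it is hashable.
Config = Tuple[str, Tuple[Tuple[str, int], ...]]
# A transition (q1, instr, q2); instr is "c+", "c-" or "c?" for a counter named c.
Transition = Tuple[str, str, str]


def config(q: str, val: Dict[str, int]) -> Config:
    return (q, tuple(sorted(val.items())))


def successors(counters: Iterable[str], delta: Iterable[Transition], gamma: Config) -> Set[Config]:
    """All gamma' with gamma -> gamma' under the four rules of Section 9.3."""
    q1, items = gamma
    val = dict(items)
    out: Set[Config] = set()
    for (s1, instr, s2) in delta:
        if s1 != q1:
            continue
        c, op = instr[:-1], instr[-1]
        new = dict(val)
        if op == "+":                      # rule 1: increment
            new[c] = val[c] + 1
        elif op == "-":                    # rule 2: decrement, enabled only if c > 0
            if val[c] == 0:
                continue
            new[c] = val[c] - 1
        elif op == "?":                    # rule 3: zero test, enabled only if c == 0
            if val[c] != 0:
                continue
        else:
            raise ValueError(f"unknown instruction {instr!r}")
        out.add(config(s2, new))
    for c in counters:                     # rule 4: lossy step, state unchanged
        if val[c] > 0:
            new = dict(val)
            new[c] -= 1
            out.add(config(q1, new))
    return out


def is_encoding(PQ: Set[str], PC: Set[str], marking: Iterable[Tuple[str, float]], gamma: Config) -> bool:
    """Does the marking (tokens given as (place, age) pairs) encode configuration gamma?"""
    q, items = gamma
    val = dict(items)
    tokens = list(marking)
    if [p for p, _ in tokens if p in PQ] != [q]:          # exactly one state token, in place q
        return False
    if any(p not in PQ and p not in PC for p, _ in tokens):  # r1, r2 and the like must be empty
        return False
    # only tokens younger than 1 count towards the counter value; older ones are lost
    return all(sum(1 for p, age in tokens if p == c and age < 1) == val.get(c, 0) for c in PC)


def reachable_graph(counters, delta, gamma0: Config, bound: int) -> Dict[Config, Set[Config]]:
    """Successor graph of the configurations reachable from gamma0 with every counter <= bound."""
    graph: Dict[Config, Set[Config]] = {}
    stack = [gamma0]
    while stack:
        g = stack.pop()
        if g in graph:
            continue
        succ = {s for s in successors(counters, delta, g) if all(v <= bound for _, v in s[1])}
        graph[g] = succ
        stack.extend(succ)
    return graph


def can_reach(graph: Dict[Config, Set[Config]], src: Config, dst: Config) -> bool:
    """Is dst reachable from src in one or more steps?"""
    seen: Set[Config] = set()
    stack = list(graph[src])
    while stack:
        g = stack.pop()
        if g == dst:
            return True
        if g in seen:
            continue
        seen.add(g)
        stack.extend(graph[g])
    return False


def recurrent_state_bounded(counters, delta, gamma0: Config, q: str, bound: int) -> bool:
    """Semi-decision for RSP-LCM: True iff a reachable configuration with state q lies on a
    cycle of the bound-restricted graph, which yields an infinite gamma0-computation visiting
    q infinitely often. False only means no such cycle exists within the bound."""
    graph = reachable_graph(counters, delta, gamma0, bound)
    return any(g[0] == q and can_reach(graph, g, g) for g in graph)


# Constructed example machine (an assumption of this illustration): q0 increments c and
# moves to q1; q1 counts c down and returns to q0 once c is 0 (or has been lost down to 0).
COUNTERS = ("c",)
DELTA = (("q0", "c+", "q1"), ("q1", "c-", "q1"), ("q1", "c?", "q0"))
GAMMA0 = config("q0", {"c": 0})

if __name__ == "__main__":
    for state in ("q0", "q1", "q2"):
        print(state, recurrent_state_bounded(COUNTERS, DELTA, GAMMA0, state, bound=3))
```

With the example machine, q0 and q1 are both visited infinitely often along the cycle (q0, 0) −→ (q1, 1) −→ (q1, 0) −→ (q0, 0), while a state q2 that has no transitions is never reached. Note how the lossy rule and the c− instruction produce the same successor from (q1, 1): this is exactly the freedom the reduction exploits when it simulates a zero test by ageing the tokens in place c.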

Consider a γ-computation π = γ0, γ1, γ2, . . . of L. We show that there is an M-computation π′ = M0, M1, M2, . . . of N, such that for each i there is a j ≥ i where Mj is an encoding of γi. This implies that if π visits q infinitely often then π′ visits p infinitely often. We use induction on i. The base case is trivial. We know that γi −→ γi+1. This means that we can derive γi+1 from γi, using one of the four possible types of transitions described above. We explain only the least obvious case, namely when γi+1 is derived from γi by testing the value of a counter c for 0. The other cases can be explained in a similar manner. Let γi = (qi, Vali). We know that Vali(c) = 0. By the induction hypothesis we know that there is a j such that Mj is an encoding of γi. This means that place qi in Mj contains a token. From the construction described above (Figure 9.2) we know that we can fire a sequence of transitions which results in moving the token from place qi to place qi+1, making the ages of all tokens in place c at least 1 and keeping the number of tokens in PC − {c} that have ages less than one. This means that the new marking will be an encoding of γi+1.

Suppose that there is an M-computation π of N visiting place q infinitely often. Let π be of the form M0, M1, M2, . . .. Consider the maximal subsequence π′ = M′0, M′1, M′2, . . . of π, where each M′i is an encoding of some configuration of L. The sequence π′ exists and is infinite since q is visited infinitely often. Let γi = (qi, Vali) be the configuration that is encoded by M′i. We show that γi −→∗ γi+1, i.e., that γi+1 can be derived from γi by a sequence of transitions. It follows immediately that there is a computation π′′ of L visiting q infinitely often.

Since M′i −→∗ M′i+1 we know that there are M0, M1, . . . , Mm such that M0 = M′i, Mm = M′i+1 and M0 −→ M1 −→ · · · −→ Mm. There are two cases. If m = 1, i.e., M′i −→ M′i+1, we know that M′i+1 can be derived from M′i by firing a transition corresponding to one of those in Figure 9.1 or Figure 9.3. In this case the proof is straightforward. If m > 1, then M′i+1 is obtained from M′i by firing transitions corresponding to those in Figure 9.2 (these are the only transitions in N that can make all places in PQ empty and thus prevent the markings M1, . . . , Mm−1 from being encodings of configurations of L). This means that (qi, c?, qi+1) is a transition in L, for some counter c. From the construction of Figure 9.2, we know that all tokens in place c will eventually have ages that are at least 1. Furthermore, the ages of some of the tokens in PC − {c} may also exceed 1, since not all tokens need to be refreshed. We can derive γi+1 from γi by first performing loss transitions corresponding to tokens that become too old, followed by the transition (qi, c?, qi+1).

Chapter 10

Conclusions and Future Work

We have investigated different techniques to increase efficiency in theanalysis of infinite-state systems. In particular, we have aimed at reduc-ing the effect of constraint explosion in symbolic verification.

In Chapter 5, we applied the unfolding technique to unbounded Petrinets. In contrast to earlier unfolding algorithms, our algorithm is sym-bolic and works in the analysis of infinite-state systems. We have shownthat our approach is significantly better than techniques that considerall possible interleavings of concurrent transitions in a Petri net.

There are several problems that need to be explored. First, theapproach would benefit from a new notion of cut-off that would allowconstruction of the smallest possible postfix for a net system. Anotherinteresting problem is that of generalizing the technique to other systemssuch as lossy channel systems, timed Petri nets, broadcast systems, etc.

In Chapter 7, we proposed better quasi-orderings, a refinement ofthe theory of well quasi-ordering, as a framework for symbolic modelchecking since they allow us to build constraint systems that are morecompact than previous ones. For instance, we show that complex ex-pressions for upward closed sets of strings, which are used for verificationof lossy channel systems, are better quasi-ordered. We also show bet-ter quasi-ordering of arbitrary boolean combinations of linear equalities,used for verification of broadcast protocols. Similar results are achievedfor binary constraints that can be applied for model checking of real-timesystems and relational automata.

We have introduced a new constraint system, existential zones, for verification of real-time systems with an unbounded number of clocks. Each existential zone corresponds to a large number of existential regions [12], thus offering a more compact representation of the state space. Using and modifying efficient data structures for verification of real-time automata, we have obtained some encouraging experimental results. One direction for future work is to design efficient data structures for manipulating the new constraint systems. It would also be interesting to investigate the feasibility of defining a general framework for implementation of better quasi-ordered constraint systems.

Furthermore, in addition to disjunction, better quasi-orderings areclosed under several other operations that do not preserve well quasi-ordering. An example is that better quasi-orderings are closed undertaking infinite sets and infinite strings. This means that we can considermuch richer structures for building constraints. Therefore, this approachmay eventually also lead to decidability results for new classes of infinite-state systems.

In Chapter 8 we proposed a formalism, called downward closed lan-guage generators (dlgs), for representing infinite sets of states, whicharise during forward reachability analysis of infinite-state systems. Wehave used dlgs to derive a representation for downward closed sets ofmarkings of timed Petri nets, which we call region generators. We havealso built a prototype based on region generators and used the prototypefor verifying a parameterized description of Fischer’s protocol.

There are two interesting directions for future research. In this work, we show how to compute post-images for dlgs with respect to single transitions in timed Petri nets. A remaining challenge is to define general acceleration techniques based on computing meta-transitions, which correspond to iterating a given sequence of transitions an arbitrary number of times (see for example [21, 4]). These techniques will allow us to automatically compute the downward closure of the set of markings that are reachable from a given initial marking.

It would also be interesting to investigate designing data structuresfor efficient application of our methodology to concrete models. A firststep is to investigate using zone generators for analysing behaviours oftimed Petri nets. Zones are constraints widely used in existing tools forverification of timed automata [69, 23, 98]. Each zone generator willcorrespond to a large number of region generators and therefore givesa much more compact representation (in a similar manner to the wayexistential zones are superior to existential regions [17, 16]).

Index

A-pattern, 55
In, 43
Out, 43
Post, 89
Pre, 18, 61
Prover, 26, 36

age, 43

barrier, 55
BDD, 6
better quasi-ordering, 51, 55, 64
broadcast protocol, 67

CDD, 11, 65
condition, 27
configuration, 27
constraint, 7, 17
  minimal condition, 11, 46
constraint explosion, 9, 53
constraint system, 24
  better quasi-ordered, 56
  well quasi-ordered, 8, 17, 52
coverability, 23, 26, 29, 34
cut-off point, 31

DDD, 11, 65
Dickson’s lemma, 33
difference bound logic, 60
difference bound matrix, 58
discrete transition, 45
dlg, 73
  hierarchical, 87
  multiset, 80
  set, 86
  vector, 87
downward closed, 15
downward closure, 15

enabled, 22, 43
entailment, 17, 60, 78, 83, 87
event, 27
eventuality, 8
existential CDD, 65
existential DDD, 65
existential region, 46, 64, 70
existential zone, 52, 58
  consistent, 59
  normal, 59
expression, 73, 81
  atomic, 73, 81
  star, 73, 81

factorization, 78, 84
finite partitioning, 2, 7
fire, 22, 44
Fischer’s protocol, 47, 66, 73
flow relation, 22, 43

infinite-state system, 7
integral relational automata, 69
intersection, 75, 81, 87
interval, 43
invariant, 72

KM-tree, 12, 40

language, 73
least upper bound, 73
lossy channel system, 9, 67, 94
lossy counter machine, 98
LTL, 97

marking, 22, 43
model checking, 1
monotonic, 16
multiset, 21, 80
multiset dlg, 80

net system, 23
node, 22

occurrence net, 6, 25

parameterized system, 2, 11, 23, 47
partial order methods, 5, 25
Petri net, 11, 21, 22, 95
  timed, 43
place, 21, 22, 43
product, 73, 81

quasi-ordering, 15, 73
  better, 51, 55, 64
  well, 15, 64

Rado’s example, 54
reachability, 1, 8, 16
  backward algorithm, 18, 36
  forward analysis, 71
recurrent place problem, 98
recurrent state problem, 99
region, 3, 7, 10, 44, 88
region generator, 89
  Post, 89
regular model checking, 11
reverse occurrence net, 27

safety property, 1, 26, 72
set, 86
set dlg, 86
simple regular expression, 95
simple regular expressions, 87
simulation, 8
state explosion, 5, 25
symbolic verification, 2, 6, 17, 71

temporal logic
  branching-time, 97
  linear-time, 97
termination, 8, 18, 31, 57, 64
timed automata, 10
timed network, 70
timed Petri net, 43
timed transition, 45
token, 22
transition, 21, 22, 43
transition relation, 22, 45
  backward, 26
transition system, 16
  better-structured, 55
  well-structured, 7, 16

unfolding, 6, 25
  algorithm, 29
  backward, 28
upward closed, 15
upward closure, 15
urgent, 46

vector, 86
vector dlg, 87

well quasi-ordering, 15, 64
well-structured system, 3
word, 73

zone, 10, 70

References

The numbers in braces indicate on which pages each citation occurred.

1. Parosh Aziz Abdulla, Aurore Annichini, Saddek Bensalem, Ahmed Bouajjani, Peter Habermehl, and Yassine Lakhnech. Verification of infinite-state systems by combining abstraction and reachability analysis. In Halbwachs and Peled, editors, Proc. 11th Int. Conf. on Computer Aided Verification, volume 1633 of Lecture Notes in Computer Science, pages 146–160. Springer Verlag, 1999. {10, 71}

2. Parosh Aziz Abdulla, Aurore Annichini, and Ahmed Bouajjani. Algorithmic verification of lossy channel systems: An application to the bounded retransmission protocol. In Proc. TACAS ’99, 5th Int. Conf. on Tools and Algorithms for the Construction and Analysis of Systems, volume 1579 of Lecture Notes in Computer Science, 1999. {10, 71}

3. Parosh Aziz Abdulla, Luc Boasson, and Ahmed Bouajjani. Effective lossy queue languages. In Proc. ICALP ’2001, 28th International Colloquium on Automata, Languages, and Programming, volume 2076 of Lecture Notes in Computer Science, pages 639–651, 2001. {10, 95}

4. Parosh Aziz Abdulla, Ahmed Bouajjani, and Bengt Jonsson. On-the-fly analysis of systems with unbounded, lossy fifo channels. In Hu and Vardi, editors, Proc. 10th Int. Conf. on Computer Aided Verification, volume 1427 of Lecture Notes in Computer Science, pages 305–318. Springer Verlag, July 1998. {10, 71, 87, 95, 106}

5. Parosh Aziz Abdulla, Ahmed Bouajjani, Bengt Jonsson, and Marcus Nilsson. Handling global conditions in parameterized system verification. In Halbwachs and Peled, editors, Proc. 11th Int. Conf. on Computer Aided Verification, volume 1633 of Lecture Notes in Computer Science, pages 134–145. Springer Verlag, 1999. {11}

6. Parosh Aziz Abdulla, Karlis Cerans, Bengt Jonsson, and Tsay Yih-Kuen. General decidability theorems for infinite-state systems. In Proc. LICS ’96, 11th IEEE Int. Symp. on Logic in Computer Science, pages 313–321, 1996. {26}

7. Parosh Aziz Abdulla, Karlis Cerans, Bengt Jonsson, and Tsay Yih-Kuen. Algorithmic analysis of programs with well quasi-ordered domains. Information and Computation, 160:109–127, 2000. {3, 7, 8, 9, 11, 12, 13, 16, 17, 18, 19, 51, 53, 54, 57, 58, 72}

8. Parosh Aziz Abdulla and Bengt Jonsson. Verifying programs with unreliable channels. In Proc. LICS ’93, 8th IEEE Int. Symp. on Logic in Computer Science, pages 160–170, 1993. {9}

9. Parosh Aziz Abdulla and Bengt Jonsson. Undecidable verification problems for programs with unreliable channels. Information and Computation, 130(1):71–90, 1996. {9}

10. Parosh Aziz Abdulla and Bengt Jonsson. Verifying programs with unreliable channels. Information and Computation, 127(2):91–101, 1996. {7, 9, 10, 52, 67, 71, 72, 94}

11. Parosh Aziz Abdulla and Bengt Jonsson. Ensuring completeness of symbolic verification methods for infinite-state systems. Theoretical Computer Science, 256(1-2):145–167, 2001. {3, 7, 8, 9, 11, 12, 16, 17, 18, 38, 51, 53, 54, 57, 58}

12. Parosh Aziz Abdulla and Bengt Jonsson. Model checking of systems with many identical timed processes. Theoretical Computer Science, 290(1):241–264, 2003. {11, 46, 52, 53, 64, 70, 96, 105}

13. Parosh Aziz Abdulla, Bengt Jonsson, Mats Kindahl, and Doron Peled. A general approach to partial order reductions in symbolic verification. In Hu and Vardi, editors, Proc. 10th Int. Conf. on Computer Aided Verification, volume 1427 of Lecture Notes in Computer Science, pages 379–390. Springer Verlag, July 1998. {5, 10}

14. Parosh Aziz Abdulla and Mats Kindahl. Decidability of simulation and bisimulation between lossy channel systems and finite state systems. In Lee and Smolka, editors, Proc. CONCUR ’95, 6th Int. Conf. on Concurrency Theory, volume 962 of Lecture Notes in Computer Science, pages 333–347. Springer Verlag, 1995. {7}

15. Parosh Aziz Abdulla, Mats Kindahl, and Doron Peled. An improved search strategy for Lossy Channel Systems. In Tadanori Mizuno, Nori Shiratori, Teruo Hegashino, and Atsushi Togashi, editors, FORTE X / PSTV XVII ’97, pages 251–264. Chapman and Hall, 1997. {5, 10}

16. Parosh Aziz Abdulla and Aletta Nylen. Better is better than well: On efficient verification of infinite-state systems. In Proc. LICS ’00, 16th IEEE Int. Symp. on Logic in Computer Science, pages 132–140, 2000. {11, 72, 106}

17. Parosh Aziz Abdulla and Aletta Nylen. Timed Petri nets and BQOs. In Proc. 22nd Int. Conf. on Application and Theory of Petri Nets, volume 2075 of Lecture Notes in Computer Science, pages 53–70, 2001. {13, 72, 106}

18. R. Alur, C. Courcoubetis, and D. Dill. Model-checking for real-time systems. In Proc. LICS ’90, 5th IEEE Int. Symp. on Logic in Computer Science, pages 414–425, Philadelphia, 1990. {10}

19. R. Alur and D. Dill. Automata for modelling real-time systems. In Proc. ICALP ’90, volume 443 of Lecture Notes in Computer Science, pages 322–335, 1990. {3, 7, 10, 43, 44, 46, 88, 96}

20. R. Alur and T. Henzinger. A really temporal logic. In Proc. 30th Annual Symp. Foundations of Computer Science, pages 164–169, 1989. {7}

21. A. Annichini, E. Asarin, and A. Bouajjani. Symbolic techniques for parametric reasoning about counter and clock systems. In Emerson and Sistla, editors, Proc. 12th Int. Conf. on Computer Aided Verification, volume 1855 of Lecture Notes in Computer Science. Springer Verlag, 2000. {10, 71, 106}

22. A. Annichini, A. Bouajjani, Y. Lakhnech, and M. Sighireanu. Analyzing fair parametric extended automata. In P. Cousot, editor, Proceedings of the International Symposium on Static Analysis, volume 2126 of Lecture Notes in Computer Science, 2001. {10, 71}

23. Gerd Behrmann, Kim G. Larsen, Oliver Moller, Alexandre David, Paul Pettersson, and Wang Yi. UPPAAL - present and future. In Proc. CDC’2001, the 40th IEEE Conference on Decision and Control, 2001. {106}

24. Gerd Behrmann, Kim G. Larsen, Justin Pearson, Carsten Weise, and Wang Yi. Efficient timed reachability analysis using clock difference diagrams. In Halbwachs and Peled, editors, Proc. 11th Int. Conf. on Computer Aided Verification, volume 1633 of Lecture Notes in Computer Science, pages 341–353. Springer Verlag, 1999. {11, 65}

25. J. Bengtsson, W. O. D. Griffioen, K. J. Kristoffersen, K. G. Larsen, F. Larsson, P. Pettersson, and W. Yi. Verification of an audio protocol with bus collision using UPPAAL. In Alur and Henzinger, editors, Proc. 8th Int. Conf. on Computer Aided Verification, volume 1102 of Lecture Notes in Computer Science, pages 244–256. Springer Verlag, 1996. {11}

26. S. Bensalem, Y. Lakhnech, and S. Owre. Computing abstractions of infinite state systems automatically and compositionally. In Hu and Vardi, editors, Proc. 10th Int. Conf. on Computer Aided Verification, volume 1427 of Lecture Notes in Computer Science, pages 319–331. Springer Verlag, 1998. {71}

27. B. Berthomieu and M. Diaz. Modeling and verification of time dependent systems using time Petri nets. IEEE Trans. on Software Engineering, 17(3):259–273, 1991. {46, 70}

28. A. Bouajjani, B. Jonsson, M. Nilsson, and T. Touili. Regular model checking. In Emerson and Sistla, editors, Proc. 12th Int. Conf. on Computer Aided Verification, volume 1855 of Lecture Notes in Computer Science, pages 403–418. Springer Verlag, 2000. {11}

29. A. Bouajjani and R. Mayr. Model checking lossy vector addition systems. In Symp. on Theoretical Aspects of Computer Science, volume 1563 of Lecture Notes in Computer Science, pages 323–333. Springer Verlag, 1999. {97}

30. R. K. Brayton, G. D. Hachtel, A. L. Sangiovanni-Vincentelli, F. Somenzi, A. Aziz, S.-T. Cheng, S. Edwards, S. Khatri, Y. Kukimoto, A. Pardo, S. Qadeer, R. Ranjan, S. Sarwary, T. Shiple, G. Swamy, and T. Villa. VIS: A system for verification and synthesis. In Alur and Henzinger, editors, Proc. 8th Int. Conf. on Computer Aided Verification, volume 1102 of Lecture Notes in Computer Science, pages 332–334. Springer Verlag, 1996. {7}

31. R. E. Bryant. Graph-based algorithms for boolean function manipulation. IEEE Trans. on Computers, C-35(8):677–691, Aug. 1986. {6}

32. J. R. Burch, E. M. Clarke, K. L. McMillan, D. L. Dill, and L. J. Hwang. Symbolic model checking: 10^20 states and beyond. Information and Computation, 98(2):142–170, June 1992. {5, 7}

33. K. Cerans. Deciding properties of integral relational automata. In Abiteboul and Shamir, editors, Proc. ICALP ’94, 21st International Colloquium on Automata, Languages, and Programming, volume 820 of Lecture Notes in Computer Science, pages 35–46. Springer Verlag, 1994. {7, 52, 69}

34. E. M. Clarke, E. A. Emerson, and A. P. Sistla. Automatic verification of finite-state concurrent systems using temporal logic specification. ACM Trans. on Programming Languages and Systems, 8(2):244–263, April 1986. {1}

35. E. M. Clarke and O. Grumberg. Avoiding the state explosion problem in temporal logic model checking algorithms. Technical Report CMU-CS-87-137, CMU, July 1987. {7}

36. David de Frutos Escrig, Valentin Valero Ruiz, and Olga Marroquin Alonso. Decidability of properties of timed-arc Petri nets. In Proc. 21st Int. Conf. on Application and Theory of Petri Nets, volume 1825 of Lecture Notes in Computer Science, pages 187–206. Springer Verlag, 2000. {70}

37. G. Delzanno, J. Esparza, and A. Podelski. Constraint-based analysis of broadcast protocols. In Flum and Rodriguez-Artalejo, editors, Proceedings of the Computer Science Logic Conference (CSL’99), volume 1683 of Lecture Notes in Computer Science, pages 50–66. Springer Verlag, 1999. {13, 52, 67, 72}

38. G. Delzanno and J. F. Raskin. Symbolic representation of upward-closed sets. In Proc. TACAS ’00, 6th Int. Conf. on Tools and Algorithms for the Construction and Analysis of Systems, volume 1785 of Lecture Notes in Computer Science, pages 426–440, 2000. {72, 96}

39. L. E. Dickson. Finiteness of the odd perfect and primitive abundant numbers with n distinct prime factors. Amer. J. Math., 35:413–422, 1913. {33}

40. D. L. Dill. Timing assumptions and verification of finite-state concurrent systems. In J. Sifakis, editor, Automatic Verification Methods for Finite-State Systems, volume 407 of Lecture Notes in Computer Science. Springer Verlag, 1989. {58}

41. J. Esparza. Model checking using net unfoldings. Science of Computer Programming, 23, 1994. {5, 6}

42. J. Esparza. On the decidability of model checking for several mu-calculi and Petri nets. In CAAP ’94, volume 787 of Lecture Notes in Computer Science, pages 115–129. Springer Verlag, 1994. {97}

43. J. Esparza. Decidability of model checking for infinite-state concurrent systems. Acta Informatica, 34:85–107, 1997. {97, 98}

44. J. Esparza, A. Finkel, and R. Mayr. On the verification of broadcast protocols. In Proc. LICS ’99, 14th IEEE Int. Symp. on Logic in Computer Science, 1999. {13, 52, 67, 72}

45. J. Esparza and K. Heljanko. A new unfolding approach to LTL model checking. In Proc. ICALP ’2000, 27th International Colloquium on Automata, Languages, and Programming, volume 1853 of Lecture Notes in Computer Science, pages 475–486. Springer Verlag, 2000. {12}

46. J. Esparza and S. Romer. An unfolding algorithm for synchronous products of transition systems. In Proc. CONCUR ’99, 10th Int. Conf. on Concurrency Theory, volume 1664 of Lecture Notes in Computer Science, pages 2–20. Springer Verlag, 1999. {6, 25, 40}

47. J. Esparza, S. Romer, and W. Vogler. An improvement of McMillan’s unfolding algorithm. In Proc. TACAS ’96, 2nd Int. Conf. on Tools and Algorithms for the Construction and Analysis of Systems, volume 1055 of Lecture Notes in Computer Science, pages 87–106. Springer Verlag, 1996. {25, 26, 27, 29, 30, 40}

48. J. Esparza and C. Schroter. Unfolding based algorithms for the reachability problem. Fundamenta Informaticae, 47(3-4):231–245, 2001. {6}

49. Javier Esparza, Stefan Romer, and Walter Vogler. An improvement of McMillan’s unfolding algorithm. Formal Methods in System Design, 20(3):285–310, 2002. {6, 12, 25}

50. A. Finkel, S. Purushothaman Iyer, and G. Sutre. Well-abstracted transition systems. In Proc. CONCUR 2002, 13th Int. Conf. on Concurrency Theory, pages 566–580, 2000. {96}

51. A. Finkel and Ph. Schnoebelen. Well-structured transition systems everywhere! Theoretical Computer Science, 256(1-2):63–92, 2001. {3, 7, 8, 9, 11, 12, 16, 17, 51, 53, 54, 57, 58}

52. Alain Finkel, Jean-Francois Raskin, Manuel Samuelides, and Laurent Van Begin. Monotonic extensions of Petri nets: Forward and backward search revisited. In Kucera and Mayr, editors, Proc. 4th Int. Workshop on Verification of Infinite State Systems (INFINITY’2002), volume 68 of Electronic Notes in Theoretical Computer Science. Elsevier, 2002. {10, 71, 95, 96}

53. S. M. German and A. P. Sistla. Reasoning about systems with many processes. Journal of the ACM, 39(3):675–735, 1992. {11}

54. C. Ghezzi, D. Mandrioli, S. Morasca, and M. Pezze. A unified high-level Petri net formalism for time-critical systems. IEEE Trans. on Software Engineering, 17(2):160–172, 1991. {46, 70}

55. P. Godefroid and P. Wolper. Using partial orders for the efficient verification of deadlock freedom and safety properties. Formal Methods in System Design, 2(2):149–164, 1993. {1, 5, 12, 17, 25}

56. J. C. Godskesen. Timed Modal Specifications. PhD thesis, Aalborg University, 1994. {46, 88}

57. Klaus Havelund, Arne Skou, Kim G. Larsen, and Kristian Lund. Formal modelling and analysis of an audio/video protocol: An industrial case study using UPPAAL. In Proc. 18th IEEE Real-Time Systems Symposium, 1997. {11}

58. K. Heljanko. Using logic programs with stable model semantics to solve deadlock and reachability problems for 1-safe Petri nets. Fundamenta Informaticae, 37:247–268, 1999. {6, 12, 41}

59. T. A. Henzinger. Hybrid automata with finite bisimulations. In Proc. ICALP ’95, 22nd International Colloquium on Automata, Languages, and Programming, 1995. {7}

60. T. A. Henzinger, X. Nicollin, J. Sifakis, and S. Yovine. Symbolic model checking for real-time systems. In Proc. LICS ’92, 7th IEEE Int. Symp. on Logic in Computer Science, pages 394–406, 1992. {10}

61. G. Higman. Ordering by divisibility in abstract algebras. Proc. London Math. Soc., 2:326–336, 1952. {8, 17, 51}

62. G. J. Holzmann. The model checker SPIN. IEEE Trans. on Software Engineering, SE-23(5):279–295, May 1997. {98}

63. Petr Jancar. ω2-well quasi-orderings and reachability analysis. Tech-nical Report 158, Department of Computing Systems, Uppsala Uni-versity, 1999. {57}

64. N. D. Jones, L. H. Landweber, and Y. E. Lien. Complexity of some problems in Petri nets. Theoretical Computer Science, 4:277–299, 1977. {46}

65. Bengt Jonsson and Marcus Nilsson. Transitive closures of regular relations for verifying infinite-state systems. In S. Graf and M. Schwartzbach, editors, Proc. TACAS '00, 6th Int. Conf. on Tools and Algorithms for the Construction and Analysis of Systems, volume 1785 of Lecture Notes in Computer Science, 2000. {11}

66. R. M. Karp and R. E. Miller. Parallel program schemata. Journal of Computer and System Sciences, 3(2):147–195, May 1969. {7, 12, 40}

67. Y. Lakhnech, S. Bensalem, S. Berezin, and S. Owre. Symbolic techniques for parametric reasoning about counter and clock systems. In Proc. TACAS '01, 7th Int. Conf. on Tools and Algorithms for the Construction and Analysis of Systems, volume 2031 of Lecture Notes in Computer Science. Springer Verlag, 2001. {71}

68. R. Langerak and E. Brinksma. A complete finite prefix for process algebra. In Halbwachs and Peled, editors, Proc. 11th Int. Conf. on Computer Aided Verification, volume 1633 of Lecture Notes in Computer Science, pages 184–195. Springer Verlag, 1999. {6, 25, 40}

69. K. G. Larsen, P. Pettersson, and W. Yi. UPPAAL in a nutshell. Software Tools for Technology Transfer, 1(1-2), 1997. {10, 70, 106}

70. Kim G. Larsen, Paul Pettersson, and Wang Yi. Model-checking for real-time systems. In Proc. of Fundamentals of Computation Theory, volume 965 of Lecture Notes in Computer Science, pages 62–88, August 1995. {58}

71. Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems. Springer Verlag, 1992. {1}

72. A. Marcone. Fine and axiomatic analysis of the quasi-orderings on P(Q). Technical Report 17/99/RR, Rapporto di Ricerca del Dipartimento di Matematica e Informatica dell'Università di Udine, 1999. {57}


73. R. Mayr. Undecidable problems in unreliable computations. In Theoretical Informatics (LATIN'2000), number 1776 in Lecture Notes in Computer Science, 2000. {9, 71, 98, 99}

74. R. Mayr. Decidability of model checking with the temporal logic EF. Theoretical Computer Science, 256:31–62, 2001. {97}

75. K. L. McMillan. Symbolic Model Checking. Kluwer Academic Publishers, 1993. {5, 6, 7, 26}

76. K. L. McMillan. A technique of state space search based on unfolding. Formal Methods in System Design, 6(1):45–65, 1995. {6, 12, 25, 26, 27, 30, 40}

77. S. Melzer. Verifikation verteilter Systeme mit linearer- und Constraint-Programmierung. PhD thesis, Technische Universität München, 1998. {6}

78. S. Melzer and S. Römer. Deadlock checking using net unfoldings. In O. Grumberg, editor, Proc. 9th Int. Conf. on Computer Aided Verification, volume 1254 of Lecture Notes in Computer Science, Haifa, Israel, 1997. Springer Verlag. {6, 12, 41}

79. P. Merlin and D. J. Farber. Recoverability of communication protocols - implications of a theoretical study. IEEE Trans. on Communications, COM-24:1036–1043, Sept. 1976. {46}

80. E. C. Milner. Basic wqo- and bqo-theory. In I. Rival, editor, Graphs and Order, pages 487–502. D. Reidel Publishing Company, 1985. {12, 51, 55}

81. Jesper Møller and Jakob Lichtenberg. Difference decision diagrams. Master's thesis, Department of Information Technology, Technical University of Denmark, Building 344, DK-2800 Lyngby, Denmark, August 1998. {65}

82. Jesper Møller, Jakob Lichtenberg, Henrik R. Andersen, and Henrik Hulgaard. Difference decision diagrams. Technical Report IT-TR-1999-023, Department of Information Technology, Technical University of Denmark, February 1999. {11, 65, 66}

83. C. Nash-Williams. On well-quasi-ordering infinite trees. Proc. Cambridge Phil. Soc., 61:697–720, 1965. {55}

84. M. Nielsen, G. D. Plotkin, and G. Winskel. Petri nets, event structures and domains. Theoretical Computer Science, 13(1), 1981. {6, 25}


85. D. Peled. All from one, one for all: on model-checking using representatives. In Courcoubetis, editor, Proc. 5th Int. Conf. on Computer Aided Verification, volume 697 of Lecture Notes in Computer Science, pages 409–423. Springer Verlag, 1993. {5, 12, 25}

86. W. Peng and S. Purushothaman. Analysis of a class of communicating finite state machines. Acta Informatica, 29(6/7):499–522, June 1992. {7}

87. C. A. Petri. Kommunikation mit Automaten. PhD thesis, University of Bonn, 1962. {21}

88. M. Pouzet. Applications of well quasi-orderings and better quasi-orderings. In I. Rival, editor, Graphs and Order, pages 503–519. D. Reidel Publishing Company, 1985. {12, 51}

89. C. Rackoff. The covering and boundedness problems for vector addition systems. Theoretical Computer Science, 6:223–231, 1978. {40}

90. R. Razouk and C. Phelps. Performance analysis using timed Petri nets. In Protocol Specification, Testing, and Verification IV, pages 561–576. North-Holland, 1985. {70}

91. V. Valero Ruiz, F. Cuartero Gómez, and D. de Frutos Escrig. On non-decidability of reachability for timed-arc Petri nets. In Proceedings of the 8th Int. Workshop on Petri Nets and Performance Models (PNPM'99), pages 188–196, 1999. {16, 70, 97, 98}

92. F. B. Schneider, B. Bloom, and K. Marzullo. Putting time into proof outlines. In de Bakker, Huizing, de Roever, and Rozenberg, editors, Real-Time: Theory in Practice, volume 600 of Lecture Notes in Computer Science, 1992. {47}

93. Mary Sheeran and Gunnar Stålmarck. A tutorial on Stålmarck's proof procedure for propositional logic. In G. Gopalakrishnan and P. Windley, editors, Proc. 2nd Int. Conf. on Formal Methods in Computer-Aided Design, FMCAD'98, volume 1522 of Lecture Notes in Computer Science, pages 82–99. Springer Verlag, 1998. {26, 36}

94. A. Valmari. Stubborn sets for reduced state space generation. In Advances in Petri Nets 1990, volume 483 of Lecture Notes in Computer Science, pages 491–515. Springer Verlag, 1990. {5, 12, 25}

95. Antti Valmari. The state explosion problem. In Lectures on Petri Nets I: Basic Models, volume 1491 of Lecture Notes in Computer Science, pages 429–528. Springer Verlag, 1998. {5}


96. M. Y. Vardi and P. Wolper. An automata-theoretic approach to automatic program verification. In Proc. LICS '86, 1st IEEE Int. Symp. on Logic in Computer Science, pages 332–344, June 1986. {17}

97. Wang Yi. CCS + Time = an interleaving model for real time systems. In Leach Albert, Monien, and Rodríguez-Artalejo, editors, Proc. ICALP '91, 18th International Colloquium on Automata, Languages, and Programming, volume 510 of Lecture Notes in Computer Science. Springer Verlag, 1991. {46}

98. S. Yovine. Kronos: A verification tool for real-time systems. Journal of Software Tools for Technology Transfer, 1(1-2), 1997. {10, 70, 106}