Petri nets: symbolic and modular verification. KLAI Kaïs

Contributions to the symbolic and modular verification of Petri nets
KAIS KLAI
S. Haddad, J-M Ilié and M. Reniers
08/06/2006
Kais Klai TU/e OAS
1
Verification of concurrent systems
[Diagram: the specification consists of a property (specific: LTL, CTL, μ-calculus, …) and a system model (general: Petri nets, process algebra, UML, …); both feed a verification step whose verdict is OK, or KO with a counter-example]
• Combinatorial explosion of the state space size
Tackling the explosion problem
• Behavioral approaches ("model checking"): on-the-fly verification, partial order, symmetries, …
• Structural approaches: model reduction, refinement, linear invariants, …
• Symbolic representation: compact representation, efficient set operations; application in model checking
• Modularity: decomposition of the system into components; conditions of preservation? composition of the verification
• Linear-time Temporal Logic (LTL)?
3 contributions
Symbolic and Modular Verification of Petri nets

Behavioral approach: Symbolic Observation Graph (SoG)
• Observe the actions of the property
• Aggregation of states: meta-states
• Symbolic encoding
• Validation: model-checker

Structural approach: preservation of properties by decomposition of Petri nets (semi-decidable)
• N = N1 + N2
• Abstraction of the environment
• Preservation of general and specific properties

Mixed approach: incremental modular approach (decidable)
• Structure (formula + model)
• Behavioral checking of the preservation conditions
Contribution 1
• Compact representation of the state space graph
Goal: verification on an abstraction of the system
• Symbolic Observation Graph
• Symbolic encoding using OBDDs
• LTL\X
• Reduction and canonization of the graph nodes
• Counter-example extraction
• Experimental results
The Symbolic Observation Graph
• Goal: check LTL properties on an abstraction of the state space
• Principle: observe the actions occurring in the formula
• f: action-based formula → observed transitions Tobs
  G(t1 ⇒ F t2) ⇒ Tobs = {t1, t2}
• Projection of the language on the observed transitions
  [Diagram: a run t1 · t · … · t' · t2 projected onto Tobs = {t1, t2}, where t2 follows t1 (immediate)]
• Ignore the unobserved transitions
• Keep the state changes due to observation
• Lose the immediate successor information
• Equivalence with respect to LTL\X, provided three kinds of sequences are preserved:
  1. maximal infinite observed sequences
  2. maximal finite sequences
  3. maximal infinite divergent sequences
The Symbolic Observation Graph
• New labeling of the Petri net: L(t) ∈ Tobs ∪ {ε}
  – t ∉ Tobs ⇒ L(t) = ε
  – t ∈ Tobs ⇒ L(t) = Id(t)
• SoG = a deterministic state graph
  – Nodes: meta-states (a set of states, a deadlock flag, a cycle flag)
  – Arcs: labeled with observed transitions only
  [Diagram: runs of ε-labeled transitions are folded into meta-states; maximal finite ε-sequences set the deadlock flag and maximal divergent ε-sequences set the cycle flag; arcs t1, t2 link the meta-states]
• The SoG is useful for a set of LTL\X formulae: all combinations on Tobs
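The SoG construction of the two slides above, as an added example (not code from the slides or from the author's tool): a constructed four-place net with t1, t2 observed and t, t' unobserved; each meta-state is the closure of its entry states under the unobserved transitions and carries the deadlock (maximal finite sequence) and cycle (maximal divergent sequence) flags, and at most one arc per observed transition leaves a meta-state. Place and transition names are constructed.

```python
# Constructed toy net (added example, not the slides' philosophers model): markings are
# token-count tuples over places p0..p3, TRANS maps a transition to its (pre, post) vectors.
TRANS = {
    "t1": ((1, 0, 0, 0), (0, 1, 0, 0)),   # observed
    "t":  ((0, 1, 0, 0), (0, 0, 1, 0)),   # unobserved; t and t' form an internal cycle
    "t'": ((0, 0, 1, 0), (0, 1, 0, 0)),   # unobserved
    "t2": ((0, 0, 1, 0), (0, 0, 0, 1)),   # observed
}
TOBS = {"t1", "t2"}   # the transitions occurring in the formula G(t1 => F t2)
M0 = (1, 0, 0, 0)

def enabled(m, t):
    return all(mi >= pi for mi, pi in zip(m, TRANS[t][0]))
def fire(m, t):
    return tuple(mi - pi + qi for mi, pi, qi in zip(m, *TRANS[t]))
def unobs_succ(m):
    return [fire(m, t) for t in TRANS if t not in TOBS and enabled(m, t)]

def saturate(seed):
    """Meta-state: closure of seed under the unobserved transitions."""
    seen, todo = set(), set(seed)
    while todo:
        seen.add(m := todo.pop())
        todo.update(n for n in unobs_succ(m) if n not in seen)
    return frozenset(seen)

def has_deadlock(meta):
    """Maximal finite sequence: some state of meta enables no transition at all."""
    return any(not any(enabled(m, t) for t in TRANS) for m in meta)

def has_cycle(meta):
    """Maximal divergent sequence: peel states with no unobserved successor; survivors lie on a cycle."""
    live = set(meta)
    while sinks := {m for m in live if not any(n in live for n in unobs_succ(m))}:
        live -= sinks
    return bool(live)

def build_sog(m0=M0):
    """Deterministic SoG: nodes map meta-state -> (deadlock, cycle); arcs are (src, t, dst)."""
    nodes, arcs, todo = {}, set(), {saturate({m0})}
    while todo:
        meta = todo.pop()
        nodes[meta] = (has_deadlock(meta), has_cycle(meta))
        for t in TOBS:
            succ = {fire(m, t) for m in meta if enabled(m, t)}
            if succ:                       # at most one arc per observed transition
                dst = saturate(succ)
                arcs.add((meta, t, dst))
                todo.update({dst} - set(nodes))
    return nodes, arcs
```

On this net the middle meta-state carries the cycle flag: after t1 the divergent run t t' t t' … never fires t2, so G(t1 ⇒ F t2) is violated, and the SoG exposes this with three nodes instead of the four reachable markings.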
Example: the SoG of the philosophers model
Two philosophers, G(GoToEat1 ⇒ F Release1)
[Figure: reachability graph over the markings m0 … m21, with arcs GoToEat1/2, GetLeft1/2, GetRight1/2, Eat1/2, Release1/2]
Reachability graph: 22 nodes and 40 arcs
SoG: 2 nodes and 4 arcs
Efficient implementation of the SoG
Symbolic encoding of the meta-states (BDDs)
• Compact representation of the nodes
• Efficient set operations
• Example: equality test between nodes in O(1)
Symbolic algorithms
1. Deadlock detection
2. Cycle detection
3. Reduction of meta-states
   1. Using input states
   2. Using output states
   3. Mixed approach
[Diagram: a meta-state stored as a BDD structure, with its deadlock and cycle flags and its outgoing arcs t1, t2]
Extraction of an explicit counter-example
1. First symbolic pass (backward)
2. Second explicit pass (forward)
Reduced and canonical nodes
One representative per ISCC: a new dichotomic approach
Canonize(S, i)
• S: set of states of the meta-state
• i: index of a BDD variable
Idea: a BDD variable can partition S in two subsets, and one is privileged if an ISCC belongs to both
• partition S = S1 ∪ S2 w.r.t. the value of vi = 1
• remove the states of S2 reached by S1 → S'2
• remove the states of S1 reached by S'2 → S'1
• return Canonize(S'1, i+1) ∪ Canonize(S'2, i+1)
• and keep singletons as representatives of ISCCs.
Example (figure): Canonize(S = {1,2,3,4,5,6,7,8,9}, 1), with the intermediate calls Canonize(S = {5,7}, 2) and Canonize(S = {3}, 2), yields Canonize = {3, 7}; the figure separates the states 1, 2, 4, 6, 8, 9 from 3, 5, 7.
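The dichotomic Canonize procedure above, transliterated to explicit sets as an added example (not the thesis' code, which works on BDDs): states are bit vectors whose bits play the role of the BDD variables, "reached by" is read as reachability through one or more unobserved transitions, and an ISCC is taken to be a strongly connected component of the unobserved sub-graph that no other state of S reaches, which is what the two removal steps keep. The unobserved-transition graph and the state numbering are constructed.

```python
# Constructed unobserved-transition graph inside one meta-state (added example, not
# the slides' figure): states are 3-bit integers, bit i stands for BDD variable v_i
# (v_1 most significant). Source ISCCs: {1, 3} and {5, 7}; {4, 6} is reached from {1, 3}.
UNOBS = {
    0b001: {0b011},
    0b011: {0b001, 0b100},
    0b100: {0b110},
    0b110: {0b100},
    0b101: {0b111},
    0b111: {0b101},
}
NVARS = 3

def reach(src):
    """States reached from src by one or more unobserved transitions."""
    seen, todo = set(), set(src)
    while todo:
        for n in UNOBS.get(todo.pop(), ()):
            if n not in seen:
                seen.add(n)
                todo.add(n)
    return seen

def closure(reps):
    """Meta-state regenerated from a set of representatives."""
    return set(reps) | reach(reps)

def v(s, i):
    """Value of BDD variable v_i in state s."""
    return (s >> (NVARS - i)) & 1

def canonize(S, i=1):
    """One representative per ISCC of S, following the slide's dichotomic scheme."""
    if len(S) <= 1 or i > NVARS:
        return set(S)
    S1 = {s for s in S if v(s, i) == 1}   # privileged half (v_i = 1)
    S2 = set(S) - S1
    S2p = S2 - reach(S1)                   # drop S2 states reached by S1
    S1p = S1 - reach(S2p)                  # drop S1 states reached by S'2
    return canonize(S1p, i + 1) | canonize(S2p, i + 1)
```

Two meta-states that were entered through different states but saturate to the same set canonize to the same representatives, which is what lets nodes be compared through their reduced form.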
Experimental results: the philosophers model
Size of the SoG:
• 1 philosopher observed: 2 nodes and 2 arcs, whatever the number of philosophers
• 2 philosophers observed: 4 nodes and 8 arcs, whatever the number of philosophers
[Plot: evolution of the number of BDD nodes w.r.t. the number of philosophers (2 to 30), comparing the OBDD of the state space with the SoG for 1 and for 2 observed philosophers]
[Plot: evolution of the execution time w.r.t. the number of philosophers (2 to 30), same three curves]
Gain both space and time
Intermediary BDD sizes
2 observed transitions
[Plot: 20 philosophers, evolution of the intermediary BDD size during the iterations (1 to 52), OBDD of the state space vs. SoG with 1 and with 2 observed philosophers]
[Plot: evolution of the maximal intermediary BDD w.r.t. the number of philosophers (2 to 30)]
Reduced intermediary BDD
Contribution 2
• Structural modular verification approach
Goal: preservation of properties by decomposition of Petri nets
• Decomposition scheme
• Abstraction of the environment
• The non constraining relation
• Preserved properties
Decomposition scheme
N = N1 || N2
[Figure: N1 (places P1, transitions T1) and N2 (places P2, transitions T2) share the interface transitions TI]
Interface: a set of shared transitions
Abstraction of the environment
• Abstracting a sub-net
• The interaction with the environment?
[Figure: N2 is replaced by its abstraction A(N2), connected to N1 (places P1, transitions T1) through the interface transitions TI]
• Control the interface with additional places
• Exploitation of the positive invariants: one abstraction place per "global" invariant
• A component sub-net: Ñ1 = N1 + A(N2)
Example: client-server protocol
Interface = {Send, Cons, Ncons}
Positive invariants:
• Idle + Fail + WaitServ + WaitAck
• Active + Passive + Treat
• Idle + Fail + WaitServ + Mess + Treat + Neg + Pos
[Figure: the client-server net; its places include Idle, Fail, WaitServ, WaitAck, Active, Passive, Mess, Treat, Neg, Pos, and the remaining labels On, Off, Try, Retry, Rec, Send, Cons, Ncons, OK, KO are transitions]
The component sub-nets
[Figure: the two component sub-nets, each with its own places and transitions, the shared interface transitions Send, Cons, Ncons, and the abstraction places aserv and aclt]
ḿ0(aserv) = m(Idle) + m(Fail) + m(WaitServ)
ḿ0(aclt) = m(Mess) + m(Treat)
Properties preservation
• Covering the projected language of the system: Proj(L(N,m), T1) ⊆ L(Ñ1, ḿ1)
  For every observable formula f: Ñ1 ⊨ f ⇒ N ⊨ f
• Checking the non-constraining of (Ñ2, ḿ2) for (Ñ1, ḿ1):
  Proj(L(Ñ1, ḿ1), interface) ⊆ Proj(L(Ñ2, ḿ2), interface)
  ⇒ Proj(L(N,m), T1) ⊆ L(Ñ1, ḿ1)
  ⇒ (Ñ1 ⊨ f ⇒ N ⊨ f)
The non constraining relation
Sufficient conditions for the non constraining relation Proj(L(Ñ1, ḿ1), interface) ⊆ Proj(L(Ñ2, ḿ2), interface)
• The interface component sub-net Ĩ(1,2):
  – the interface transitions
  – the abstraction places from both sides
  [Figure: Ĩ(1,2) for the client-server example, with the transitions Send, Cons, Ncons and the abstraction places aserv, aclt]
Proposition: Ñ2 non constraining for Ĩ(1,2) ⇒ Ñ2 non constraining for Ñ1
1. First solution
   • Behavioral local conditions
   • Structural and algebraic conditions
2. Second solution: behavioral on-the-fly test
   1. Observe the interface transitions
   2. Synchronize the SoG of N1 with the reachability graph of Ĩ(1,2)
Preservation results
• General properties
  – Hypothesis: (Ñ1, ḿ1) and (Ñ2, ḿ2) are mutually non constraining
  • Liveness
    – (N,m) live  (Ñ1, ḿ1) and (Ñ2, ḿ2) are live
  • Boundedness
    – (N,m) bounded  (Ñ1, ḿ1) and (Ñ2, ḿ2) are bounded
• Observable specific properties
  – Hypothesis: (Ñ2, ḿ2) non constraining for (Ñ1, ḿ1)
  • (N,m) ⊨ f ⇐ (Ñ1, ḿ1) ⊨ f
• Limits:
  – The interface is known in advance
  – What happens when the n.c. relation doesn't hold?
Contribution 3
• An incremental modular approach
Goal: exploit both the structure of the formula and the system
• Principle
• Decomposition scheme
• A modular verification algorithm
• A modular verification of the n. c. relation
An incremental modular approach for LTL-X
Inputs:
1. An action-based LTL-X formula
2. A Petri net model N
Iterative decomposition scheme
[Figure: the observed transitions T lie in N1 (places P1); N1 is composed with N2 (places P2) through the interface I(1,2) to give N(1,2), then with the next component through I(2,3), …, up to Nn (places Pn, interfaces I(n-1,n), In), with N(1,n) = N]
• L(N1,m1)|T ⊇ L(N(1,2),m(1,2))|T ⊇ … ⊇ L(N,m)|T
• Using invariants to abstract the environment
• L(Ñ1, ḿ1)|T ⊇ L(Ñ(1,2), ḿ(1,2))|T ⊇ … ⊇ L(N,m)|T
Example: client-server protocol
T = {Try, Retry}
Positive invariants:
• v = Idle + Fail + WaitServ + WaitAck
• v' = Idle + Fail + WaitServ + Mess + Treat + Neg + Pos
• v'' = Active + Passive + Treat
[Figure: the same client-server net as in the earlier example (places Idle, Fail, WaitServ, WaitAck, Active, Passive, Mess, Treat, Neg, Pos; transitions On, Off, Try, Retry, Rec, Send, Cons, Ncons, OK, KO), with the three invariants v, v', v'' marked]
The client-server example
T = {Try, Retry}
[Figure: the three component sub-nets Ñ1, Ñ2, Ñ3 of the client-server net; Ñ1 contains the observed transitions Try and Retry, and the environment of each component is abstracted by the places a2(v), a2(v'), a2(v''), a3(v') and a3(v'') built from the invariants v, v', v''; the figure labels include Idle, Fail, Wserv, Wack, Active, Passive, Mess, Neg, Pos, On, Off, Send, Receive, Analyze, Cons, Ncons, OK, KO]
Modular verification algorithm
[Figure: flowchart of the algorithm, combining the modular checking of the formula with the modular checking of the n. c. relation]
Modular checking of the NC relation
Perspectives
• The SoG technique
  – Modular SoG, distributed SoG
  – Parameterized verification
  – Extension to other formalisms like process algebra
  – Real case studies
• Mixed approach
  – Implementation (master project)
    • Heuristics on the choice of involved invariants
    • Heuristics on the choice of the interfaces
  – Refine the n. c. relation
    • Check the counter-example sequences individually