Efficient verification of a class of time Petri nets using linear programming

Information Processing Letters 77 (2001) 219–224

Efficient verification of a class of time Petri nets using linear programming Xuandong Li a,1 , Johan Lilius b,∗ a State Key Laboratory of Novel Software Technology, Department of Computer Science and Technology, Nanjing University,

Nanjing, Jiangsu, People’s Republic of China 210093 b Turku Centre for Computer Science (TUCS), Department of Computer Science, Åbo Akademi University, Lemminkäisenkatu 14,

FIN-20520 Turku, Finland Received 13 March 2000; received in revised form 20 September 2000 Communicated by R. Backhouse

Keywords: Real-time systems; Model-checking; Duration calculus; Concurrency

1. Introduction Time Petri nets [7] have been proposed as one powerful formalism for modeling real-time systems. Formal verification of time Petri nets is usually based on investigating the state-space [2]. However this approach suffers from two problems: First the number of states to be checked can be exponential in the size of the system (state-space explosion), and second the timing constraints attached to a state need to be transformed into a normal form, an operation that takes O(n3 ) time for each new state that is generated, where n is the number of enabled transitions in the state. The state-space explosion problem is further aggravated by the fact that the normal form of the timing constraints require space proportional to n2 , where n is the number of enabled transitions in a state. Thus, because traditional state-space search algorithms need to store all visited states, only moderately sized examples can be ∗ Corresponding author.

E-mail address: [email protected] (J. Lilius). 1 Supported by the National Natural Science Foundation of China

and 863 Hi-Tech Programme of China.

studied. In [6,9] methods based on partial-order reduction are proposed to alleviate the state-space explosion problem. In this paper we want to investigate an alternative approach that is based on the investigation of the untimed state-space of the underlying net. This avoids the need to deal with the timing constraints at each step explicitly. Instead we use linear programming to check the runs in the timed state space corresponding to a path in the untimed state-space, but apply this step only when needed. For verifying a time Petri net for a given property, we need to check if all runs of the time Petri nets satisfy the property, i.e., if for any path in the untimed state space, any corresponding run satisfies the property. However since the number of paths in untimed state space and the length of a path could be infinite, we cannot solve the problem by a simple enumeration. We show that for a class of time Petri nets called loop-closed time Petri nets, we can solve the problem efficiently by investigating only all the paths in which there is no repeated node occurrence. The main contribution of this paper is an algorithm for checking the satisfaction of linear duration properties based on the above observation. We give an algo-

0020-0190/01/$ – see front matter  2001 Elsevier Science B.V. All rights reserved. PII: S 0 0 2 0 - 0 1 9 0 ( 0 0 ) 0 0 1 5 6 - 3

220

X. Li, J. Lilius / Information Processing Letters 77 (2001) 219–224

rithm that is a decision procedure for loop-closed time Petri nets, and a semi-decision procedure for general time Petri nets.

2. Time Petri nets Time Petri nets are classical Petri Nets where to each transition t a time interval [a, b] is associated. The times a and b are relative to the moment at which t was last enabled. Assuming that t was enabled at time c, then t may fire only during the interval [c + a, c + b] and must fire at the time c + b at the latest, unless it is disabled before by the firing of another transition. Firing a transition takes no time. Definition 1. Let N be the set of natural numbers. A time Petri net is a six-tuple, N = (P , T , F, Eft, Lft, µ0 ), where P = {p1 , p2 , . . . , pm } is a finite set of places; T = {t1 , t2 , . . . , tn } is a finite set of transitions (P ∩ T = ∅); F ⊆ (P × T ) ∪ (T × P ) is the flow relation; Eft, Lft : T → N are functions for the earliest and latest firing times of transitions, satisfying Eft(t)
Lft(t)

for all t ∈ T

(Lft(t) could be ∞); µ0 ⊆ P is the initial marking of the net. A marking µ of N is any subset of P . For any transition t,
 • t = p ∈ P | (p, t) ∈ F

For the firing of a transition to be possible at a certain time, four conditions must be satisfied. Definition 3. A transition t may fire from state s = (µ, c) after delay δ ∈ T if and only if the following four conditions holds: t ∈ enabled(µ), (µ − • t) ∩ t • = ∅, Eft(t)
c(t) + δ,

∀t ∈ enabled(µ): c(t  ) + δ
Lft(t  ). Not all enabled transitions can fire because of time constraints. The new marking after a firing is calculated as follows. Definition 4. After transition t fires from state s = (µ, c) after delay δ, the new state s  = (µ , c ) is given as follows: • µ = (µ − • t) ∪ t • , and • c (t) = 0 if t ∈ enabled(µ )−enabled(µ), or c (t) = c(t) + δ else. This is denoted by s  = fire(s, (t, δ)). The behavior of a time Petri net is described in term of a run. Definition 5. For a time Petri net, a run is a finite or infinite sequence of states, transitions, and delays (t0 ,δ0 )

and


 t • = p ∈ P | (t, p) ∈ F denote the preset and postset of t, respectively. A transition t is enabled in a marking µ if • t ⊆ µ; otherwise, it is disabled. Let enabled(µ) be the set of transitions enabled in µ. The Petri net (P , T , F, µ0 ) is called underlying net of N . The states of a time Petri net are defined as follows. Definition 2. Let the domain of time values T be the nonnegative real numbers. A state of a time Petri net N = (P , T , F, Eft, Lft, µ0 ) is a pair s = (µ, c), where µ is a marking of N , and c : enabled(µ) → T is called the clock function. The initial state of N is s0 = (µ0 , c0 ) where c0 (t) = 0 for any t ∈ enabled(µ0 ).

and



(t1 ,δ1 )

(tn−1 ,δn−1 )

(tn ,δn )

ρ = s0 −→ s1 −→ · · · −−−−−→ sn −→ · · · such that s0 is the initial state, and for every i  1, si is obtained from si−1 by firing a transition ti−1 after delay δi−1 satisfying   si = fire si−1 , (ti−1 , δi−1 ) . 3. Loop-closed time Petri nets In this paper we investigate properties of time Petri nets based on the behavior of the underlying untimed net. Therefore we need to distinguish between runs of the time Petri net and runs of the underlying untimed Petri nets which we call paths. Definition 6. For a time Petri net N , a path is a finite or infinite sequence of markings and transitions

X. Li, J. Lilius / Information Processing Letters 77 (2001) 219–224 t0

tn −1

t1

221

tn

π = µ0 −→ µ1 −→ · · · −→ µn −→ · · · such that µ0 is the initial marking of N , ti ∈ enabled(µi ) for any • i (i  0), and µi = (µi−1 − • ti−1 ) ∪ ti−1 for any i (i  1). If all µi (i  0) are distinct, then π is a simple path. Clearly we can associate a number of runs to a given path π . We denote the set of all such runs by run(π). In a time Petri net, the number of paths and the length of a path could be infinite. However both the number of simple paths and the length of any simple path are finite. The reason that a path in a time Petri net could be arbitrarily long is that some markings occur many times in the same path, forming loops in the state space. Definition 7. Let N be a time Petri net, and π = tn−1 t0 t1 tn µ0 −→ µ1 −→ · · · −→ µn −→ be a simple path of N . If there exists a µk (0
k
n) such that µk = tk

tk+1

(µn − • tn ) ∪ tn• , then the sequence µk −→ µk+1 −→ tn−1

tn

· · · −→ µn −→ is a loop in N , and µk is a loop-start node. It is easy to see that a time Petri net, the number of loops and the length of each loop are both finite. Our verification approach is based on enumerating these finite sets. However this approach is not suited for all time Petri nets, so we need to restrict ourselves to a subclass of time Petri nets that satisfies the following condition of loop-closedness. t1

Definition 8. Let N be a time Petri net, and µ1 −→ tn−1

t2

tn

µ2 −→ · · · −→ µn −→ is a loop in N . This loop is closed if the following condition holds: • (enabled(µn ) − tn ) ∩ enabled(µ1 ) = ∅, and • for any simple path of N which is of the form t0

t1

 tm−1

 tm

µ0 −→ µ1 −→ · · · −→ µm −→ µm+1 such that  ) ∩ enabled(µ ) = µm+1 = µ1 , (enabled(µm ) − tm 1 ∅. If all loops in N are closed, then we say that N is a loop-closed time Petri net. For example, the time Petri net depicted in Fig. 1 is loop-closed. Loop-closedness means that a loop-start node should always enable a new set of transitions. Thus,

Fig. 1. A loop-closed time Petri net.

the starting node of each loop can be identified in the state-space. The check for loop-closedness is easily implemented, but requires recalculation of the set of enabled transitions at a node in the path. Loopclosedness implies the following property which our algorithm is based on. In a loop-closed time Petri net, the state corresponding to a loop-start node has all clocks set to the value zero (all the transitions enabled in that state were not enabled in the previous state). This implies that the loop-start nodes “split” the state space so that the clock values inside a loop do not depend on their values outside of the loop. This property is formalized below. Lemma 1. Let N be a loop-closed time Petri net, and (t0 ,δ0 )

(t1 ,δ1 )

(tn−1 ,δn−1 )

(tn ,δn )

σ = s0 −→ s1 −→ · · · −−−−−→ sn −→ · · · be a run of N For any si = (µi , ci ) such that µi is a loop-start node (0
i
n), ci (t) = 0 for all t ∈ enabled(µi ). Proof. Since N is a loop-closed time Petri net and µi is a loop-start node, by Definition 8, either i = 0 or (enabled(µi−1 ) − ti−1 ) ∩ enabled(µi ) = ∅. From Definitions 2, 3, 4, and 5, the claim follows immediately. ✷ For a real system (e.g., a control system), the property of loop-closedness means that every repetition of a process starts from the same control conditions. We believe that there are many real systems that have this kind of a property and that can thus be modeled by loop-closed time Petri nets. Lemma 1 will be used in the algorithm in Fig. 2, where we will check for loopclosedness in each step of the verification.

222

X. Li, J. Lilius / Information Processing Letters 77 (2001) 219–224

currentpath := µ0 ; unclosedloop := false; repeat node := the last node of currentpath; if node has no new successor then delete the last node of currentpath else begin node := a new successor of node; check if any run corresponding to currentpath satisfies P; if no then return false; if node is in currentpath then begin if the loop is closed then begin check if the path corresponding to currentpath can violate P; if yes then return false; end else unclosedloop := true; end else append node to currentpath; end until currentpath = ; if unclosedloop = false then return true else return undecided. Fig. 2. Algorithm checking linear duration property.

4. Checking time Petri nets for linear duration properties The main result of this paper is an algorithm for verifying linear duration properties over time Petri nets. Linear duration properties are linear inequalities of integrated durations over system states. The satisfaction problem of such properties over timed automata and hybrid automata have been studied in [1,4,5,8]. Linear duration properties can be represented formally in the Duration Calculus (DC) [3]. In DC, states are modeled as Boolean functions from reals (representing continuous time) to {0, 1}, where 1 denotes state presence, and 0 denotes  state absence. For a state S, the interval variable S of DC is a function from bounded and closed intervals to reals which stands for the accumulated presence time (duration) in state S over the intervals, and is defined formally by 

b S[a, b] = ˆ

S(t) dt, a

where [a, b] (b  a) is a bounded interval of time. A linear duration property in DC is of the form m 

 ei

Si
M,

i=1

where Si is a state and M, ei are real numbers. The satisfaction problem of time Petri nets for linear duration properties is defined as follows. For a system modeled by a time Petri net N , a system state S is a predicate over the set of places in N . For a marking µ of N , let µ ⇒ S denote that S holds  the time the during system stays in state µ. Let P = m i=1 ei Si
M be a linear duration property. For a run ρ, the integrated  duration of Si over ρ can be calculated as Si =  j ∈αi δj where αi = {j | (0
j
n) ∧ (µj ⇒ Si )}.  m Definition 9. Let θ (ρ, P) = i=1 ei ( j ∈αi δj ). A run ρ of a time Petri net N satisfies a linear duration property P if and only if θ (ρ, P)
M. A time Petri net satisfies a linear duration property if and only if every run satisfies the linear duration property.

X. Li, J. Lilius / Information Processing Letters 77 (2001) 219–224

It is clear that we can solve the satisfiability problem by checking if for all paths π of N , all runs ρ ∈ run(π) satisfy P. Here we want to solve the satisfaction problem by checking only the runs corresponding to all simple paths in a time Petri nets using linear programming techniques. To be able to do this we first need to show how to construct a linear programming problem from a path. Let π be a path of N which t0

tn −1

t1

tn

is of the form π = µ0 −→ µ1 −→ · · · −→ µn −→. It follows that any run ρ of N in run(π) is of the (t0 ,δ0 )

(t1 ,δ1 )

(tn−1 ,δn−1 )

form ρ = (µ0 , c0 ) −→ (µ1 , c1 ) −→ · · · −−−−−→ (tn ,δn )

(µn , cn ) −→ . Now let last(t) be the last marking µj (0
j
i) that enables t in π before the occurrence of t such that if j = 0, then t ∈ / enabled(µj −1 ) or tj −1 = ti , for each k (j
k
i − 1), ti = tk , and for each k (j
k
i), t ∈ enabled(µk ). By Definitions 2 and 3, the delays δ0 , δ1 , . . . , δn must satisfy: (1) δj + δj +1 + · · · + δi  Eft(ti ) where j is such that µj = last(ti ), and (2) δk +δk+1 +· · ·+δi
Lft(t) for any t ∈ enabled(µi ), where k is such that µk = last(t). This set of constraints forms a group of linear inequalities on δ0 , δ1 , . . . , δn , which we denote by lp(σ ). We can check if every ρ in run(π) satisfies P by finding the maximum value of the linear function θ (ρ, P) subject to lp(σ ) and checking if it is not greater than M. Next we need to show that in a loop-closed net it is only necessary the verify the property over the set of simple paths. Before this we need some extra t0

definitions. Let N be a time Petri net, and π = µ0 −→ tn−1

t1

tn

µ1 −→ · · · −→ µn −→ be a sequence of markings and transitions in N such that if µ0 is the initial marking of N , then π is a path of N . For a linear duration property P, let ζ (π, P) be the supremum of the set {θ (ρ, P) | ρ ∈ run(π)}. Notice that we can calculate ζ(π, P) by linear programming. Assume now that π is a simple path and that run(π) = ∅. If there is j (0
j
n) such that the sequence tj

tj+1

tn−1

tn

π1 = µj −→ µj +1 −→ · · · −→ µn −→ is a loop and ζ (π1 , P) > 0, then we say that π can violate P. Theorem 1. Let N be a loop-closed time Petri net, and P be a linear duration property. N satisfies P if and only if for all simple path π , all ρ ∈ run(π) satisfy P and π cannot violate P.

223

Proof. The first half of the claim is shown through the following: Since N satisfies P, for all simple paths π , all ρ ∈ run(π) satisfy P. In the following, we show that if there is a simple path π that can violate P, then N does not satisfy P, which implies the t0

t1

tj−1

tj

claim. Suppose π = µ0 −→ µ1 −→ · · · −→ µj −→ tj+1

tn−1

tn

µj +1 −→ · · · −→ µn −→ is a simple path that can tj

tj+1

tn−1

violate P, where π1 = µj −→ µj +1 −→ · · · −→ tn

µn −→ is a loop and ζ(π1 , P) > 0. Since π1 is a loop, we can construct a path π  by appending many π1 s to π . Since run(π) = ∅, by Lemma 1, run(π  ) = ∅. Since ζ(π1 , P) > 0, we can let θ (π  , P) grow unboundedly. It follows that π  does not satisfy P, i.e., N does not satisfy P. The second half of the claim follows from the claim that if N does not satisfy P, then there is ρ ∈ run(π) (π is a simple path) does not satisfy P or there is a simple path π which can violateP. This  can be show as follows: Suppose that P = m i=1 ei Si
M and (t0 ,δ0 )

N does not satisfy P. Then there is a run ρ = s0 −→ (t1 ,δ1 )

(tn−1 ,δn−1 )

(tn ,δn )

s1 −→ · · · −−−−−→ sn −→ such that θ (ρ, P) > M, where si = (µi , ci ), i ∈ (0
i
n). For any loop-start node µ, for any i and j (0
i < j
n) such that µi = µj = µ and µk = µ for any k (i < k < j ) (notice in this case, si , si+1 , . . . , sj −i form a loop), by Lemma 1, we can get a run ρ1 by removing si , si+1 , . . . , sj −1 from ρ. By applying this step repeatedly, we can get a run ρ  ∈ run(π) (π is a simple path). If any simple path cannot violate P, θ (π  , P)  θ (ρ, P) > M, i.e., π  does not satisfy P, which implies that the claim holds. ✷ Based on Theorem 1, an algorithm for checking a given linear duration property P is given in Fig. 2. The algorithm traverses the untimed state space in a depth first manner starting from the initial marking. The simple path we are traversing is stored in the variable currentpath. For each new marking we need to check whether the run corresponding to the current path satisfies P by linear programming, and add the current marking to the current path for further traversing. If the marking that we have found is in the current path we have found a loop. We thus need to check if the loop is closed and set the variable unclosedloop correspondingly, and if the loop is closed, we also need to check if the current path is violable for P. Here

224

X. Li, J. Lilius / Information Processing Letters 77 (2001) 219–224

we backtracks instead of adding the current marking to the current path so that the procedure terminates after traversing all simple paths. The algorithm is guaranteed to return true or false for loop-closed time Petri nets. For a general time Petri net which is not loop-closed, if a run which does not satisfy P can be found out by investigating all simple paths, then the algorithm returns false, otherwise return undecided. The above algorithm is based on liner programming. Linear programming is well studied, and can be solved with a polynomial-time algorithm in general. The number of the linear programs we need to solve equals the number of the simple paths we need to investigate, and the number of the variables in a linear program we need to solve is not larger than the largest length of the simple paths. The complexities of the other operations in the algorithms are negligible in comparison with the complexity of solving the linear programs.

5. Conclusion In this paper we have presented an approach to solving the satisfaction problem of linear duration properties over time Petri nets using linear programming. For loop-closed time Petri nets, we were able to give a efficient decision procedure. The procedure is also a semi-decision procedure for general time Petri nets.

References

[1] R. Alur, C. Courcoubetis, T.A. Henzinger, Computing accumulated delays in real-time systems, Formal Methods in System Design 11 (1997) 137–156. [2] B. Berthomieu, M. Diaz, Modelling and verification of time dependent systems using time Petri nets, IEEE Trans. Software Engrg. 17 (3) (1991) 259–273. [3] C. Zhou, C.A.R. Hoare, A.P. Ravn, A calculus of durations, Inform. Process. Lett. 40 (5) (1991) 269–276. [4] C. Zhou, Z. Jingzhong, Y. Lu, L. Xiaoshan, Linear duration invariants, in: Formal Techniques in Real-Time and FaultTolerant Systems, Lecture Notes in Comput. Sci., Vol. 863, 1994, pp. 88–109. [5] Y. Kesten, A. Pnueli, J. Sifakis, S. Yovine, Integration graphs: A class of decidable hybrid systems, in: Hybrid System, Lecture Notes in Comput. Sci., Vol. 736, 1993, pp. 179–208. [6] J. Lilius, Efficient state space search for time Petri nets, in: Proc. of MFCS Workshop on Concurrency, Brno’98, ENTCS, Vol. 18, 1998. [7] M. Merlin, D.J. Farber, Recoverability of communication protocols—implications of a theoretical study, IEEE Trans. Commun. 24 (9) (1976) 1036–1043. [8] L. Xuandong, D. Van Hung, Z. Tao, Checking hybrid automata for linear duration invariants, in: Advances in Computing Science—ASIAN’97, Lecture Notes in Comput. Sci., Vol. 1345, 1997, pp. 166–180. [9] T. Yoneda, H. Schlingloff, Efficient verification of parallel realtime systems, J. Formal Methods in System Design 11 (2) (1997) 187–215.