G-Nets: A petri net based approach for logical and timing analysis of complex software systems

G-Nets: A petri net based approach for logical and timing analysis of complex software systems

G-Nets: A Petri Net Based Approach for Logical and Timing Analysis of Complex Software Systems Angelo Perkusich and Jorge C. A. de Figueiredo Depar...
Download PDF
2MB Sizes 0 Downloads 61 Views
Report

G-Nets: A Petri Net Based Approach for Logical and Timing Analysis of Complex Software Systems Angelo

Perkusich

and Jorge C. A. de Figueiredo

Department of Electrical Engineering, Department of Computer Science, Universidade Federal da Paraiba, Campina Grande, PB, Brazil

When specifying, designing and analyzing complex systems, it is necessary to adopt a modular or compositional methodology. Such a methodology must allow the designer the ability to verify local logical and timing properties of individual modules or components in the system, and also allows the verification of the correct behavior of interacting components. The application of Petri nets for the modeling and verification of systems, at specification and design levels, are well known. Despite powerful structuring mechanisms available in the Petri nets theory for the construction of the model of complex systems, the designer is still likely to face the problem of state explosion when analyzing and verifying large systems. In this work we introduce a modular logical and timing analysis methodology for a kind of high level Petri net named G-Nets that can be applied for complex software systems. 0 1997 Elsevier Science Inc. 1. INTRODUCTION The application of a distributed approach has been increasingly adopted in the design of complex large software systems. A distributed software is composed of communicating processes, or components, that solve cooperatively a common problem [Shatz, 19931. The design of a distributed software system presents many difficulties. Modeling formalisms for the specification and design of distributed software systems must support the coordination and communication of activities at different levels of abstraction.

Address correspondence to Dr. Angelo Perkusich, Dept. of Electrical Ennineering Universidade Federal de Peraiba, Caixn Postale lOlOS,5810%970 Campina Grade PB Brazil. Phone: +X583310 1137 R-412, Fax: +55833101015, e-mail: perkusic@ [email protected], [email protected]

J. SYSTEMS SOFTWARE 1997; 39:39-59 0 1997 Elsevier Science Inc. All rights reserved. 655 Avenue of the Americas, New York, NY 10010

One of the most important aspects that must be considered when specifying and designing a complex distributed software system is its inherent concurrency. Besides this, one must consider structural properties of the system, as well as the behaviors of the components and the communication messages exchanged among these components. Moreover, formal techniques must be employed because they allow the specifier to write unambiguous, clear, and concise specifications, providing a foundation for analyzing specifications for correctness, so that errors can be detected early in the designing process. The problem of managing large systems is mainly a question of modularity. Therefore, it would be desirable to compose larger modules from smaller modules such that the semantics of the larger module could be deduced from the semantics of the smaller modules. Intuitively, this can be characterized by the ability to hide internal details of the modules and take into account only the necessary ones. This work explores the possibility of using the natural decomposition of distributed systems to introduce a modular logical and timing analysis methodology for a class of high level object oriented Petri nets named G-Nets. A system modeled by a set of G-Nets is named a G-Net system. To accomplish this task, we first formalize the concept of G-Nets and G-Net systems, as well as their decomposition. We introduce structural and behavioral restrictions in the communication among G-Nets in a G-Net system. These restrictions allow us to employ the so-called assume/guarantee paradigm [Manna and Pnueli, 19921 to develop a modular analysis methodology for G-Net systems. This modular analysis

0164-1212/97/$17.00 PI1 SO164-12 12(96xX)1 62-8

40

A. Perkusich and J. C. A. de Figueiredo

J. SYSTEMS SOFTWARE 1997; 3939-59

methodology allows the designer to reason about components, processes or software modules, and their interactions with an environment. When designing a component, assumptions are made about the behavior of the environment so that the local behavior of a component can be specified and verified. When designing the components that compose the environment of another component, the designer must guarantee that these components behave as assumed. Indeed, the designer guarantees the commitment of the environment with respect to the assumed environment behavior. In the case of real time systems, besides the logical analysis, timing aspects must be taken into account. For Petri nets a variety of modifications have been proposed to introduce timing aspects. These extensions can be characterized as deterministic [Ghezzi et al., 1989; Merlin and Farber, 1976; Ramchandani 1974; van der Aalst, 19931 or stochastic [Marsan et al., 1984; Molloy, 19811. One of the major problems with these approaches when analyzing complex systems is the lack of modular techniques. In order to perform timing analysis of complex real-time software systems, we introduced an extension for the Petri Net model to characterize timing constraints. In this extension, the positive aspects of the deterministic and stochastic approaches are combined in a complementary fashion, i.e., the proposed extended Petri net is amenable to model real-time systems and to make performance analyses of systems. The proposed extension, called Fuzzy Time Petri Net (FTPN), is based on the fuzzy set theory, where tokens carry a fuzzy time function characterizing the possibility of there being a token in a place in a given instant of time. Also, fuzzy time intervals are associated with the transition to provide the ability to represent the three general categories of timing constraints that are considered in real-time systems: maximum timing constraints, minimum timing constraints and durational timing constraints [Dasarathy, 19851. We integrate the proposed FTPN together with G-Nets in order to define a modular approach to perform timing analysis of systems. The integration is called Fuzzy Time G-Nets. Then, using the concept of Fuzzy Time G-Nets, we can divide a complex system into subsystems which are studied in isolation and the results are later combined to compute the global solution for the entire system. The rest of this paper is structured as follows. Section 2 presents the background on G-Nets and G-Net systems. Section 3 introduces the decomposition and structural properties for G-Net systems. In

Section 4 we detail the modular analysis methodology for logical properties of G-Nets. In Section 5 we introduce the basics of Fuzzy Time Petri Nets. In Section 6 we briefly introduce a verification environment for G-Net systems. And finally, in Section 7, we present some discussion and the conclusion of this paper.

2. G-NETS AND G-NET SYSTEMS In [Deng et al., 19931, the concept of G-Nets and G-Net systems are introduced. G-Nets are a Petri net based framework for the modular design and specification of distributed information systems. The framework is an integration of Petri net theory with the object oriented software engineering approach for system design. The motivation of this integration is to bridge the gap between the formal treatment of Petri nets and a modular, object oriented approach for the specification and prototyping of complex software systems. The G-Net notation incorporates the notions of module and system structure into Petri nets; and promotes abstraction, encapsulation and loose coupling among the modules. A specification or design based on G-Nets consists of a set of independent and loosely-coupled modules (G-Nets) organized in terms of various system structures. A G-Net is encapsulated in such a way that a module can only access another module through a well defined mechanism called G-Net abstraction, avoiding interference in the internal structure of another module. A G-Net G is composed of two parts: a special place called Generic Switch Place (GSP) and an Internal Structure (IS). The GSP provides the abstraction of the module, and serves as an interface between the G-Net and other modules. The internal structure is a modified Petri net, and represents the detailed internal realization of the modeled application. The notion for G-Nets is very close to the Petri net notation [Murata, 19891. Among other features, this notation allows the user to indicate communication among G-Nets and termination. The notation for G-Nets is shown in Figure 1, and is explained as follows: 1. The IS of the net is enclosed by a rounded-corner structure the internal defining rectangle, boundary. 2. The GSP is indicated by the ellipse in the upper left corner of the rectangle defining the IS boundary. The inscription GSP(net_name) defines the name of the net to be referred by other G-Nets.

G-Nets: Logical and Timing Analysis

J. SYSTEMS SOFTWARE 1997;3913%59

41

Figure 1. Notations used to represent a G-Net.

3. The rounded-corner _

rectangle in the upper right corner of the IS boundary is used to identify the methods and attributes for the net, where: l (utttibute_r,ame) = {(type)} defines the attribute for the net where: (attribute-name) is the name of the attribute, and (type) is the type for the attribute. l (methoct_name) is the name for a method, (description) is a description for the method. ( pl: description, . . . , pn: description) is a list of arguments for the method. Finally, (sp) is the name of the initial place for the method.

4. A circle represents a normal place. 5. An ellipse in the internal structure represents an instantiated switching place (isp). The isp is used to provide inter-G-Net communication. The inscription isp(G’.mi) indicates the invocation of the net G’ with the method mi. 6. A rectangle represents a transition, that may have an inscription associated with it. This inscription may be either an attribution or a firing restriction. We will use the standard Language C notation for both attributions and firing restrictions. 7. A double circle represents the termination place or goal place. 8. Places and transitions are connected through arcs that may carry an expression. The GSP of a G-Net G, denoted by GSP(nrt_name) in the ellipse of Figure 1, uniquely identifies the module. The rounded-corner rectangle in the GSP side contains a description of one or more methods, which specify the functions, operations or services defined by the net, and a set of attributes specifying the passive properties of the

module (if any). The detailed structures and information flows of each method are defined by a modified high level-net in the internal structure. More specifically, a method defines the input parameters, the initial marking of the corresponding internal high-level net (the initial state of the execution). The collection of the methods and the attributes (if any) provides the abstraction or the external view of the module. In the internal structure, places represent primit&es, and transitions, together with arcs, represent connections or relations among the primitives. These primitives may be actions, predicates, data entities, and isps. A set of special places called goal places represents the final state of the execution, and the results (if any) to be returned. A transition, together with arcs, defines the synchronization and coordinates the information transfer between its input and output places. Given a G-Net G, an isp of G is denoted by is~(G,,,,. mtd) (or simply isp(G) if no ambiguity occurs), where G,,,,, is the unique identification of G, and mtd is a defined method for G. An isp(G,,,,. mtd) denotes an instantiation of the G-Net G, i.e., an instance of invocation of G based on the method mtd. Therefore, executing the isp primitive implies invoking G (by sending a token to Gj based on the specified method. This token contains the parameters needed to define the tokens for the initial marking of the invoked net. This interaction between G-Nets can be compared to the mechanism of remote procedure call. The isp notation serves as the primary mechanism for specifying the connections or relationships between different G-Nets (modules). Embedding an isp of a lower level G-Net

42

A. Perkusich and J. C. A. de Figueiredo

.I. SYSTEMS SOFTWARE 1997; 3939-59

When G(C) is invoked through GSP(C), if the method is ms, a token is put on place IN. Depending on the state of G(C), which could be either consuming or ready to consume, transitions na or sa will fire. The choice between na and sa is based on the states represented by place RC (ready to consume) and place CO (consuming). If RC is marked, transition sa fires and a token reaches the goalplace GPS with an acknowledge associated with the returning token r (r = ack). Otherwise, a field not acknowledge is associated with the token (r = nak). After firing of sa, a token is put in place Wp, and the consumer is ready to consume. When G(C) is invoked with a method consume, mc, a token is put in place TC. Since Wp was previously marked after a successful execution of method ms, transition SC fires and place CO is marked. At this point G(C) indicates to the producer that the requested action may be either finished or in processing. This is because when transition SC fires, a token is deposited in place CO and another in the goal place GPC. It must be noted that transition UC can or can not fire before the producer receives the returning token from GPC. After firing ac, a token is removed from CO and another one from RC’, and one token is deposited in RC. And G(C) is ready to consume another item.

into the internal structure of a higher level G-Net specifies a hierarchical configuration. 2.1 An Example Based on the Producer/Consumer

Problem

The producer/consumer problem is a well known problem. It consists of the synchronization between one or more producers and one or more consumers. In the example that will be shown we assume, initially, that one producer is capable of producing n items, and that a consumer is able to consume one item at a time. In Figure 2, the G-Net model G(P) for the producer is shown. For this net, one method is defined and named mp. The function of the method mp is to produce 0 items to be consumed. When G(P) is involved through GSP(P), one token, together with a field n expressing the number of items to be produced, is deposited in place PR. The action associated with this place simply decrements the field II. If n < 0, transition pr fires and the invocation of G(P) resumes when the goal place GP is reached. Otherwise, that is IZ 2 0, transition rs fires, the token reaches isp(C.ms>, and the net C is invoked using method ms. This invocation is to inquire of net G(C) whether it is ready to consume an item or not. If G(C) is not ready, transition nr fires, and the net G(C) is inquired again. Otherwise, the consumer is ready and transition cr fires. After the firing of cr, a token is deposited in isp(C.mc) and net C is invoked with the method mc, together with the item to be consumed. When the token is returned from net C, transition co fires and a token is put in place PR again. The G-Net for the consumer G(C), is presented in Figure 3. Two methods are defined for G(C): method status (ms), and method consume (mc).

[n:integer

2.2 Formal Definition G-Net Systems

of G-Nets and

Formally a G-Net system is defined as follows: Definition 2.1 G-Net system. A G-Net system (GNS) is a triple GNS = (TS, GS, AS), where 1. TS is a collection of tokens dynamically generated during the execution of the system;

number of items](

PR: producer ready GP: goal place

rs:request status COns”lner notready

nr:

cons”tner

CT:

send to consmner

co: consumed pr: producer ces”mes

Figure 2. G(P) G-Net modeling the producer.

G-Nets: Logical and Timing Analysis

43

J. SYSTEMS SOFTWARE 1997; 3939 59

ms:status=([nil](lN)) mc:consume=( [item:data](SC)) IN : mqwre

“et

C

RC:ready to consume TC: trigget consumer GPS end statUs

modeling the consumer.

Figure 3. G(C) G-Net

CO: consurmng WP: waiting producer GPC item accepted na. not avadable SC. start consuming ac already consumed \a send acknowledge

2. GS is a set of G-Nets; and 3. AS is a set of decentralized, concurrent computational agents executing the G-Net system. Definition 2.2 G-Net. A G-Net is a tuple (GSP, IS), where

G =

1. GSP is a Generic Switch Place (GSP) providing an abstraction for the G-Net; and 2. IS is the Internal Structure, which is a modified Predicate/Transition Net. Definition 2.3 Generic Switching Place. Let GSP E G be a generic switching place. A GSP is defined

by (NID, MS, AS), where 1. NID is a unique identification

(name) of G-Net

G; 2. MS is the set of methods; and Vmtd, E MS, mtd, ==(m-name, , m__arguments,; m_initiatorl), where m_name, is a name for the mtdi, m_arguments, is a tuple of variables specifying the input token for the mtd,, m_ini?:iatori is mapping from m-arguments, to the initial marking of the net belonging to the

internal

structure

mtd,. 3. AS is a as, E! fV.

set

associated

of attributes,

with the method and

on m-arguments is transformed into tokens of the corresponding type. These tokens will be deposited, in the case that more than one argument is defined. in the initial place for the method.

Vas, E AS,

From Definition 2.3 we say that a GSP is uniquely identified by a name denoted by NZD that abstracts a set of methods denoted by MS. The methods define how the internal structure may be executed. In other words, the set of methods defines all the possible sets of initial markings, and results in different behaviors of the internal structure. In Definition 2.3, m__init iator defines how the information

Definition 2.4 Internal Structure. The internal structure of a G-Net, G.ZS, is a net structure, that is,

a bipartite directed (Z, P, T, I, O), where

graph

defined

by

G.1.S =

1. 2: is a structure consisting of some sorts of predicates together with a set of relations and operations defined over these predicates; 2. P is a set of finite and non-empty set of places. denoted by circles; 3. T is a finite set of transitions, denoted by rectangles; 4. I : T -+ P” is called input function, which defines inscriptions on transitions incoming arc5; 5. 0 : T + P” is called the output function, which assigns inscriptions on transitions outgoing arcs. We have three different types of places in the internal structure of a G-Net, as defined as follows. Definition 2.5 Set @‘places. Let G.IS be the internal structure of a G-Net. The set of places P C: G. IS is defined by P(.B9,JC.Y, FLY), where

1. ._B%’ is a subset of instantiated switching places, 2. J9 is a subset of normal places, 3. g9’ is a subset of goal places. The above definition for the set of places P E G.IS is necessary because each subset of places has different semantics. Now, we will detail the meaning of each one of these subsets of places. An isp l Y99 provides the mechanism used in G-Nets systems to implement an inter-G-Net connec-

44

A. Perkusich and J. C. A. de Figueiredo

J. SYSTEMS SOFTWARE 1997; 3939-59

tion. An isp defined in a net G and invoking a net G’ is denoted by isp(G’m) and is defined as a quadruple: isp(G’m) = (NID,mtd,

action-before,

action-after).

NID is the unique identifier of G’, mtd E G’.GSP.MS, action-after and action-before

are primitive actions whose function is to update the so-called token propagation sequence, which will be introduced below. More specifically, a method mtd E GMS defines the input parameters, the initial marking of the corresponding internal Petri net (the initial state of the execution). The set of goal places represents final states of the execution of each method and the results (if any) to be returned. The collection of methods and attributes (if any) provides the abstraction or the external view of the module. We impose the restriction that the set of goal places must not be empty. Definition

2.6 Token. Let G be a G-Net, and tkn

be a token, then tkn is a tuple of items of the form tkm = (seq, scolor, d,, . . . , d, >, where tkn.seq is the propagation sequence of the token, tkn.scolor E (before, after) is the stutus color of the token, and tkn.d,, i E N, is the message part of the token. The item tkn.seq is a sequence of (NID, isp, PZD), where NZD is the identification of the G-Net, isp is the name of an ZSP and PID is a

unique process identification. The token is only available for enabling and firing of transitions when scolor = after. If tkn = o, it can be matched with any sequence. The propagation sequence of a token is only changed when it reaches an ISP or a GSP. When a G-Net G is invoked from an ZSP ispi in another G-Net G’ (when ispi receives a token), a triple (G’, ispi, Pido,), where Pido, is the identifier of the process executing G’, is appended to the propagation sequence of the token before it is sent to G-Net G. This triple indicates that when the execution of G is over, the resulting token should be returned to the place identified by ispi in G-Net G’. The process identifier is needed to distinguish to which instance by the execution of G’ the returning token belongs. When the input token is received at the GSP G, a triple (O,O, Pido) is appended to the end of its propagation sequence, indicating that the agent re-

sponsible for executing the invocation is identified by Pid,. Because Pid, is unique, the propagation sequence is also unique. The token structure in the G-Net framework thus not only guarantees that all tokens belonging to an instance of a G-Net execution have the same and unique propagation sequence, but also contains the complete propagation history of the tokens, which governs the interactions between the processes executing a G-Net specification. Due to the sequence field associated with a token, more than one invocation of a G-Net can be executed simultaneously. This is because different executions (invocations) can be uniquely identified by the propagation sequence. Indeed tokens carry the execution history of a G-Net system. As mentioned above, the status color of a token has two possible values, either before or after. A token is said to be available if its scolor = after. Otherwise, it is said to be unavailable. When a new token is received at a place, its status color is set to be before, and after the primitive action (if any) at the place is taken, the status color of the token is set to be after, indicating that the token is ready to be used in subsequent transition firing. The message field of a token is a list of application specific values. A normal place NP, E.AC~ has the rules to manipulate the token. When a token is the entry parameters specified by the field msg, the result of the action is associated with the field msg of the token, and a field called brunch color of the token is defined. The branch color of the token serves to define to which output transition the token is available. Therefore the action associated with a normal place performs the same function as arc expressions and transition inscriptions of PrT nets (Murata, 1989). Finally the field scolor of the token is updated to scolor + after, and the token is available for transitions enabling and firing. A goal place GP, E 279 must belong to the final marking of G.ZS. For each method mtd, the goal places must be reachable and must be unique for each method. Therefore, the information resultant from the execution can be returned to the invoking G-Net.

The G-Net transition firing mechanism is defined by the following transition firing rules: Definition 2.7 Transition jiring rules. Let G be a G-Net, the transition firing rules are defined as

1. A transition t is said enabled iff every place p E Z(t) holds at least one token, its content satisfies the condition defined by Z(p, t), and

G-Nets: Logical and Timing Analysis (a) all the tokens stated have the same propagation sequence; (b) all the tokens stated in have their scolor = after; (c) the number of tokens in O(t) is smaller than

the capacities of the places. 2. An enabled transition -t may fire and when firing r: (a) a token which satisfies Z(p, t) is removed from every p E- Z(t); (b) a token whose propagation sequence is the same as the one in tokens removed from r(t), whose scolor = before, and whose message part is determined by O(t, p) is deposited to very place p E O(t). The invocation of a G-Net defines the mechanism to start the execution of the internal structures based on the message associated with the token. Definition 2.8 lm~ocation of a G-Net. Let G be a G-Nrf, the invocation of the net G based on a method mtd E G.MS is carried out in the following way,

1. Determine the initial marking of G based on the definition of mtd (the content of the tokens depends on the content of the input token); 2. Fire enabling transitions, if any; 3. Invoke enabled primitives, if any; 4. Repeat (2)-(3) until a goal place is reached; 5. Send the result of the execution (if defined by mtd) to the invoker.

3. STRUCTURAL SYSTEMS

PROPERTIES

OF G-NET

G-Nets m a G-Net system are loosely coupled and present a very high-level of functional cohesion. Thus, we have to define how G-Nets communicate with each other by means of a high-level protocol, which determines how G-Nets are connected. Basically, net systems can be connected either by fusing transitions, fusing places, or by arcs [Broy and Streicher, 19921. Also, one can use another net as a communication media. The advantage of using this approach is that restrictions can be imposed on the net, or part of the invoked nets, representing the communication media, instead of applying restrictions on the composed ones. To allow this kind of composition, the nets involved in the communication must have some structural and behavioral restric-

J. SYSTEMS SOFIWARE 1997: 39:x9--59

45

tions to allow proper behavior preserving. Also, we assume only static process creation. This assumption is necessary to define a priori the connections among nets. The elements used as the basis for the decomposition of a G-Net are the GSP, isp and goal places. A decomposition for each one of these elements is introduced. We also define the concept of reentrance for a decomposed G-Net. The decomposition approach not only allows the introduction of the concept of reentrance, but it also allows the possibility to apply formal analysis to verify the behavior of a G-Net and a G-Net system. The decomposition of G-Nets follows the basic principles of the object oriented approach. Hence, the functional unity of the nets may be defined during their design in such a way that they are components providing some services to other nets, and apply to other nets the services they offer. As discussed before, the GSP of a G-Net provides the abstraction with explicit definition of the methods (services) available to other nets. Also the isp and the goal places provide means by which a G-Net can be invoked and the processed result (if any) is returned. The general principles that must be satisfied when G-Nets are communicating are very similar to the client-server protocol, and consist of the following steps: 1) the requester G-Nets requests a service; 2) the called G-Net accepts or not the requested service; 3) upon acceptance of the service, the called G-Net attends to the request and provides the results, otherwise the requester G-Net must issue another request, and; 4) the requester G-Net retrieves the result. In fact, in step 4 the processed result is sent back to the requester, which should be waiting for this result. The requester G-Net may be viewed as a client and the called G-Net as a server. Considering that each G-Net interacts with other nets, we define the concept of environment. To analyze the behavior of a G-Net we will assume that the behavior of the environment imposes some restriction on the local behavior. On the other hand, each G-Net will export some of its properties to the environment. These properties should be verified later when analyzing the environment interacting with the analyzed G-Net. The basic principle to be adopted is the natural partition of the state space problem, and then apply an assume/guarantee like paradigm to verify the behavior of the G-Net system. Computation Tree Logic (CTL) [Emerson and Srinivasan, 19881 is employed as a query language to extract the abstraction of a G-Net and to express the properties of the environment.

46

A. Perkusich and J. C. A. de Figueiredo

J. SYSTEMS SOFTWARE 1997; 39:39-59

A decomposed

G-Net is defined as follows:

Definition 3.1 Decomposed G-Net. The decomposition of a G-Net G is a tuple Gd = (IS; 99’9; XF9’;.-E99), where IS is the internal

structure represented by a modified Petri net, gY?Y is the decomposition of the GSP, 279 is the set of goal places, YYY’ is the decomposition of the set of instantiated switching places. The decomposition of each interface element of a G-Net can be found in [Perkusich et al., 19941. The decomposition approach avoids structural problems in the interface between G-Nets, and allows formal analysis. For this decomposition to allow composition in a modular fashion, we have to define mechanisms by which it is possible to consider different components of a model, based on a rigorous structure, allowing the designer to have a better control of the complexity of the system. Hence, different parts of the model might be independently considered. Moreover, analysis, reuse, and correction should be localized and performed at the component level, as long as the component interface remains unchanged. 3.1 Structural

and Behavioral Properties

Reentrance is one of the key concepts we introduced for G-Nets. The objective of introducing reentrance in G-Nets is to permit properties to be preserved when composing nets. The basic properties that must be satisfied by a decomposed G-Nets are reversibility’ and home states [Murata, 19891. Definition

3.2 Reentrant Decomposed G-Net. Let .F9;.339) be its decomposition. Cd is reentrant if:

P4 VGSP?, E FL? 30, : M,,[a,,)M(GSP,,J, that is, for a given method its goal place is always reachable. P5 It is always the case that the net is reversible. P6 The sets of transitions belonging to each method are set conflict-free. Property Pl guarantees that when a G-Net G is invoked with method m, only the initial place associated with the method will be marked when transition tm, E Tmethods fires in the decomposed G-Net Gd. Property P2 guarantees that a decomposed G-Net Gd has no more transitions to fire, for a defined method, when a goal place is reached, for a specific invocation identified by the field tkn.seq associated with the token. Property P3 restricts the existence of one and only one goal place for each method. This restriction is necessary to guarantee that the result is always returned to the correct requester. Also, as will be shown in Section 4, this restriction is also necessary for the analysis approach that will be introduced: Property P4 guarantees that the invocation of a decomposed G-Net always terminates, and considering properties P2 and P3, the invocation always terminates and the result is returned to the requester. Property P.5 is very important because it must be the case that a decomposed G-Net always returns to its initial state, so that new invocation of a defined method can take place. Property P6 has a very important significance for the analysis methodology that will be introduced in Section 4. It guarantees that the execution of the defined methods for a decomposed G-Net can be treated as independent. A set of conflict-free transitions is defined as follows:

G be a G-Net and Gd = (IS; ~99;

Pl lSP = 0, with SP E 2799, that is, there is no incoming arc to a SP. P2 VGP, E %‘9, GPi* = 0, that is, there’ is no outgoing arc from the goal places. P3 For any two methods mi and mj we have that GSP,,,, # GSPyi, that is, each method defined for a G-Net terminates in a different goal place.

‘A Petri net (N, MO) is reversible if for each marking M in R(M,), MO is reachable from M, where R(M,) is the set of all possible markings reachable from MO for the net (N, MO). Therefore, in a reversible net it is always possible to reach the initial marking. A marking M’ is said to be a home state if for each M in R(M,), M’ is reachable from M.

Definition 3.3 Set conflict-free transitions. Let S,, and S,, and Gd = (ZS;J??; ~FL%$J?X~), with S,, E IS and S,, E IS, and S,, and S,, be the sets of transitions belonging to method, and method, respectively. These two sets of transitions are called set conflict-free if lt II et’

= 0, with t # t’, Vt EYES

and Vt’ ES,~.

If the properties Pl to P7 are verified for a decomposed G-Net, we say that it is reentrant. Based on this definition of reentrance we can clearly define how the communication among G-Nets will take place. The set of interface elements (48) implements the communication functions.

G-Nets: Logical and Timing Analysis

J. SYSTEMS SOFTWARE 1991; 39:39-59

Based on the decomposition of an isp, we define the concept of a service request, or for simplicity requester G-Net as follows. Definition 3.4 Requester G-Net. Let GdR = (IS,; %‘YpR; 3’9~;YYY~) be a requester decomposed G-Net. Also, let us consider the request of a service of a decomposed G-Net GdS, and that isp, E GdR is an isp invoking GdS with method mcdS,. We

47

Definition 3.5 Service G-Net. Let GdS be a decomposed G-Net, with starting place SP and goal place GP,, for method,. It is a service net iff for all defined methods: GdS is reentrant.

There exists one minimal place invariant Z such that Z(SP) = Z(GP,,) = 1, Vm, E methods. M, is a marking of GdS such that

have that:

vp E P[Z(p) > 0 3 M,,(p) = 01.

1. For any invocation of GdS with method m, through ispi E GdR there exists a waiting invocation reply place I+$E isp, such that:

For any markings M and M’ such that M(p) = M,(p) for p E P\ {SP} and M + M’, there exists M” such that

W, E si*, lF = {si}, and W, E *t-u,-ra

M’+M”,M”(SP)=O

= {H(}.

and M”(GP,,,,) = M(SP), Vm, E methods.

2. M is marking of GdR such that M(I+o = 0 for

any waiting invocation reply place u/;:. The waiting place W, of an isp corresponds to the state of the requester decomposed G-Net GdR, and is waiting for the invoked decomposed service G-Net GdS, represented by transition G’ in the isp, to complete the requested service and return the result. It is very important to define when an isp will complete its execution, representing that the requested service was successfully executed, and how the control is passed back to the IS of the requester. Lemma 3.1 Clear ‘Termination of a Decomposed G-Net. A decomposed G-Net clearly terminates

its execution, invocations.

independently

of t.he number

of

Proposition 3.1 isp Completion. Let GdR and GdS be a requester and service decomposed G-Net respectively, and let ispRs E PCdR be an isp invoking GdS with method m,. If GdS is reentrant, the isp always receives the result back.

A service G-Net is one that offers services to requesters, hence it is able to accept requests, to process them and to provide results. The interface places of a service net matches with the requesters places, that is, it matches with the decomposition of the isp of the requester. The starting place (SP) in the decomposed GSP and the goal places are used to be merged with places si and ra, in the decomposed isp when substituting the abstracted transition G’ in the isp. Provided that the decomposed service G-Net is reentrant, we can define the requester.

In the above definition P E fS,;,s. Condition 4 in Dehnition 3.5 guarantees that the sequence identifier of the incoming token is safely propagated through the service net, and reaches the goal place with the same propagation sequence. A service decomposed G-Net can put a token in its goal places only after removing a token from its starting place, and it can move any number of tokens from its starting place towards its goal places. Proposition

3.2 Service Net. Let

be a decomposed service G-Net, M be a marking of GdS such that M(SP) > 0 and M(p) =: M,,(p) for p E P \ {SP}, mj is the method invoked with transition tmL as the method transition, lGP,,, = {tGP,,,J the input transition of goal place associated to method mj, and (T E L(GdS, M). 1. v(a,tGP, 1 2 &,t,). 2. 3~’ E T*[a.a’ E L(GdS, M) n $a.a’(tGPm, 2 77(fl, t,y. ProoJ

Considering that Z.M, = 0, we have Z.M = I.M(SP). Let M’ be such that M[cr :> M’. Thus n(g,t,,)

= M(GZ’J - MYGJ’,,) = I.M - M’(SP)=

I.M’ - M’(V)

2 M’(GP,,)=&TJ,,).

Results from condition 4 of Definition 3.5, since = M(GP,,,,) is equivalent to

M”(GP_)

n(c.(T’, tGP,,,,) = ~((T.(T’, t,,),

48

A. Perkusich and J. C. A. de Figueiredo

J. SYSTEMS SOFTWARE 1997; 39:39-59

and we may consider that MW)

= 7#dcr,tJ

= 7j(cr.(+‘, t,,).

cl

We can see the service net as a set of nets providing some services (expressed by the methods) together with the interface places. Therefore, the interface places together with the method transitions (t_>, and the goal places, and their respective input transitions, coordinate the accepting of a request and how the information is sent back to the requester. 4. LOGICAL

ANALYSIS

OF G-NET

SYSTEMS

For analysis purposes, a G-Net system will be considered as obtained by composing a certain number of G-Nets. Havin in mind the objective of avoiding state explosion, an evident method to analyze G-Net systems is decomposition. The methodology that will be shown is a combination of behavioral and logical analysis. Behavioral analysis is applied for verification of local behavior. In this step we can either use invariant analysis or reachability tree analysis. We will apply the reachability tree analysis because we can also extract from the reachability tree the external or observed behavior of a G-Net. Logical analysis is based on the so-called assume/guarantee paradigm for transition systems [Pnueli, 19841. The objective is to avoid state explosion by taking advantage of the natural decomposition of the system. The objective is to verify properties of individual components, infer if these properties hold in the complete system, and use them to deduce additional properties of the system. Furthermore, when verifying properties of the components, is may also be necessary to make assumptions about the behavior of the environment. A decomposed G-Net Gd consists of two parts: the interface and the internal realization. The interface part describes the behavior visible from outside, the abstraction, and the second part describes how methods defined for a given G-Net are implemented by means of a Petri net. As G-Nets interact in a G-Net system, the behavior of a G-Net, or its decomposed view, is dependent on the reaction of other G-Nets, forming its environment. Thus, the interface or abstraction may contain some constraints on the expected reactions of the environment. Hence, interfaces will be defined by a pair (ussm, comm), where comm describes properties of the services (commitment) which will be guaranteed by the G-Net, provided the environment satisfies the assumptions given

by ussm. As the interface or abstraction is the visible or observed behavior of a given G-Net, the internal part (its realization) must satisfy this behavior. Hence, in a design process, the correctness of the implementation has to be verified. Assumptions and commitments may be given by temporal logic formulae. Generally, first order temporal logic is necessary to describe the services of a G-Net, as the realization of the methods are given by a modified PrT net, but we may separate the pure interaction (the protocol), which may be described using only propositional temporal logic, from the proper service specification dealing with the computation of data, where first order logic is necessary. Thus in most cases it is possible to separate the propositional part, describing the pure interaction, and the first order part describing the data transformations. Then, the analysis or correctness verification can be done in two steps: a> verifying the pure interaction, e.g., by applying a model checking procedure; and b) verifying the correctness of the data transformations by the realization of the internal structure by applying well known analysis methodologies for PrT nets like reachability and invariant analysis. Based on this two step analysis, each G-Net is locally analyzed under environmental assumptions, and global properties like deadlock can be globally verified. In order to analyze a G-Net system, we propose another level of decomposition apart from the decomposition already introduced. At this level the starting places, goal places and instantiated switching places will be unfolded. By unfold we mean replace places in the interface of a G-Net in a way that we can eliminate the inscriptions associated to the arcs. For example, for each inscription associated to the outgoing arcs in the starting place in a GSP, we will create a corresponding place in a way that the inscriptions will no longer be necessary. This unfolding process is necessary to eliminate inscriptions from the arcs belonging to the interface places. Also, we have to associate a proposition to each place in the interface of a G-Net. To verify whether the implementation part satisfies the properties imposed in the interaction between a G-Net and its environment, we have to construct a model (in this case, the abstracted reachability graph) representing the implementation, in which the specification or the desired properties can be interpreted. Our target is to consider software components modeled by means of G-Nets. We consider that these G-Nets are asynchronous components that

G-Nets: Logical and Timing Analysis communicate by means of synchronized actions as in CSP. Therefore, we assume that there is no dependency among the clock units of different components, i.e., there is no global clock. The local analysis of a decomposed G-Net system is carried out based on the following procedure: 1) decompose each isp and GSP; 2) decompose, if necessary. the places in the internal structure so that transitions model actions and places states; 3) verify if all the properties for the net are satisfied based on the constructed reachability tree, and; 4) verify in the reachability tree if the reentrance properties are satisfied. The interaction analysis is performed according to the following procedure: 1) unfold the net interface elements for the decomposed G-Nets in a G-Net system; 2) extract from each net the external view corresponding to the interface behavior of each decomposed G-Net; 3) introduce an extra state to each isp output place corresponding to the labels in the output arcs; 4) introduce an extra state to each isp output place corresponding to each transition that can fire before reaching an interface element, and; 5) verify if the interaction properties, expressed in CTL, are satisfied. The unfolding of each decomposed G-Net defines the labeling of interface transitions and association of proposition to interface places. Labeling of transitions helps in defining a composition operator to fuse transitions with same labels. The association of proposition to interface places is necessary to extract the external view characterizing the external behavior of each decomposed G-Net. The objective is to define an abstraction for the behavior of each decomposed G-Net and apply a temporal logic based

Figure 4.

tions.

Unfolding of (7’ and association of proposi-

.I. SYSTEMS SOFTWAKE lYY7: 39:3Y- 50

verification, to verify the composite G-Net system. 4.1 Unfolding

Net

Interfaces

49

behavior of a

Elements

For the unfolding procedure, we define a set of propositions PL and a set of labels TL to be associated to places and transitions in the interface elements of a decomposed G-Net. For the isp transition, G’ will be unfolded in two, as shown in Figure 4. Transition ig represents the invocation of net G’ and transition rg represents the end of the invocation of net G’. For each isp in a set of decomposed G-Nets, a different label from TL will be associated to the corresponding ig and rg transitions. We also associate propositions, defined in PL, to places Rim and RG. We also unfold the starting place of each GSP as shown in Figure 5. We unfold the starting place SP according to the inscriptions in the outgoing arcs. This unfolding will result in one place for each method. To each of these places a proposition, over PL, is associated. We also introduce one transition and an incoming arc to each of these places. These transitions are labeled, over TL, with the same labels used in the transitions representing the invocation of a decomposed G-Net. For example, transition tl in a decomposed GSP will have the same label as transition ig in an isp. The last unfolding is related to the goal places. We present in Figure 6 the general unfolding of a goal place. We will assume an arbitrary number, n, of incoming arcs to a goalplace. We will also assume that each method finishes in one and only one goal place. In this case, for each method, we have to

50

J.

A. Perkusich and J. C. A. de Figueiredo

SYSTEMS SOFTWARE 1997: 39:39-59

12

...

Eii ;

-____

__---_J

___----_

tm2

tmn

...

.

:

I

initial

places:

formetbdml

i

Figure 5. Unfolding

: ‘.

SP

mn

nr2

:

tion properties between G-Nets expressed as temporal logic formulas. In order to exemplify the decomposition and analysis of a G-Net system, we show in Figures 7 and 8 the decomposition and unfolding of the interface elements, that is goal places, starting places and invocation transition G’, for the producer and the consumer respectively. Figures 9 and 10 present the abstracted behavior for the producer/consumer problem. In this case it is clear that transitions pr and rs are the ones that are fired before the interface places isp(C.ms) and GP are reached. In the case of the producer/consumer problem, two properties defining the interaction between the producer and consumer can be informally written as:

In

initial places formethcdm2

...

i I .’

: !

initial places for method nut

a starting place.

a different goal place. In Figure 6 inscriptions, (cl), (~2) **a(cn) define which will be the message associated to the returning token. Recalling the producer/consumer problem, they can be for method status either (ack) or (nak), indicating whether the consumer is or is not ready to receive an item to be consumed. The decomposition will be constituted of one place and one transition for each condition. Each one of these transitions will be connected to a place as shown in Figure 6. Also each one of these places will have a proposition associated to them. A transition with incoming arc from these places will be introduced. This transition will be labeled with the same label as the transition rg representing the end of the invocation of net G’ in the unfolding isp. define

4.2 Analysis of the Interaction

only send an item if an acknowledge is received, always after getting an acknowledge send an item. The previous statements are expressed in CTL using the propositions associated to interface elements in Figure 7 and 8 by:

1. AG(sr U nak): it is always the case that sr (status request) occurs until nak (not acknowledge) occurs. 2. AG(ack + si): it is always the case that if an ack (acknowledge) occurs an si (send item) occurs. Properties 1 and 2 can be verified to hold for the abstracted behaviors for the producer and the consumer (Figures 9 and 10 respectively). For instance, property 2 guarantees that no producer will obtain the right to send an item to the producer and will not send. If property 2 is not satisfied, a producer can cause a dead lock in the consumer.

Behavior

The interaction behavior analysis is based on the temporal logic queries to the reachability graph of the target G-Net and in the unfolding procedure previously introduced. The propositions associated to the interface place, as for example ms and nak in Figure 10, are used to generate the external view representing the external behavior of the G-Net. The external views are then used to verity interac-

5. TIMING

For timing analysis we use Fury Time Petri Nets, which are an extension of Petri nets that use a fuzzy approach to introduce time into Petri nets. The

QQ c2

v




0

ANALYSIS

cc”>

0

-..

cn

Figure 6. Unfolding of a goal place.

G-Nets:

Logical

and Timing

Analysis

51

J. SYSTEMS SOFTWARE 1997; 3939-59

___________(sp 1,

:

GSP(P)

:

RC2

RCI

Figure 7. Decomposition

with unfolding of the producer.

ms : method stahts

Figure 8. Decomposition consumer.

with unfolding

of the

mc: mehod

consum

nuk : not available uck : item accepted

Wf: request acknowledged

52

Q mp

Figure 9.

A. Perkusich and J. C. A. de Figueiredo

J. SYSTEMS SOFTWARE 1997: 39:39-59

Abstracted behavior of the producer.

with real-time systems. We can represent three general categories of timing constraints for real-time systems: maximum timing constraints, minimum timing constraints, and durational timing constraints [Dasarathy, 19851. The timing analysis is based on the fuzzy time function associated with the tokens. The idea is to use the fuzzy reachability graph, where we have the complete state space, in order to compute the FTFs. The fuzzy reachability graph is a modified reachability graph which incorporates the fuzzy time concepts defined in the FTPN model. The basic idea is to extend the concept of reachability graph to include the Fuzzy Time Function (FTF) carried by the token, which is computed after each transition firing, starting from the initial marking. Also, the modified reachability graph considers the fuzzy time intervals associated with the transitions. Thus, the fuzzy reachability graph (FRG) is characterized by: FTF to each token on places in a given state. Attaching to each edge of the graph the timing intervals associated with the corresponding firing transition representing the time restrictions when firing a transition.

1) Assigning a model is intended to serve as a tool suitable for modeling real-time systems and for computing selected performance indices, i.e., this model combines the ability to model real-time systems of the deterministic extensions and the ability to make performance evaluations of stochastic extensions. As shown later, this is accomplished through the combination of time intervals and fuzzy set theory [Dubois and Prade, 19891. In the Fuzzy Time Petri Net model, tokens carry a fuzzy time function representing the possibility of there being a token in a given place from a reference set. Besides the fuzzy time function, two fuzzy intervals are associated with each transition. The enable interval E represents the minimum and maximum time that must elapse between the enabling of a transition and its firing time. The delay interval D represents the firing time, i.e., the delay necessary to execute the action represented by the corresponding transition. The existence of these time intervals associated with transitions is necessary in order to allow the modeling of two different timing concepts: time-outs and processing delays. Moreover, these two types of intervals are important when dealing

2)

5.1 Timing Analysis Issues We assume that the FTFs associated with the initial tokens are known* and defined in the fuzzy reachability graph by the fuzzy time function set of a state (FSETj3 assigned to the root (initial state). Thus, from the initial state in the fuzzy reachability graph and the initial fuzzy time functions, we can compute the FTFs in the other states of the fuzzy reachability graph. Informally speaking, to compute these functions, it is necessary to identify differences among the FSETs of immediate reachable states. Considering two connected states in the FRG and their respective FSETs, we have to consider two cases during the analysis: 1. common elements between FSETs, elements between FSETs.

2. different

Focusing on the dynamic behavior of a FTPN, item 1 indicates that tokens were not removed after

’ The initial FTF can be set to compute specific indices or may _ re resent some different situations. _ ! A state in a Fuzzv Time Petri Net is defined as its marking s = [m(pl), 4~21,. I., m(pn)X where m(pi) represents the amount of tokens in place pi. A fuzzy time function set, FSET, is the set of FTFs considering a given state i.e., FSETW = Figure 10.

Abstracted behavior

of the consumer.

{FTF(pl),

FTF(p2),

. ., FTF(pd}.

G-Nets: Logical and Timing Analysis

J. SYSTEMS SOFTWARE 1997; 39:3v-59

firing a transition. Item 2 may represent two things: tokens removed from input places, and tokens deposited in output places. According to the fuzzy function computation rule, input tokens are combined to determine the FTF of the output tokens.

5.2 Timing

Analysis

is reached, indicating that the invocation finished. Finally, this fuzzy interval is combined with the fuzzy time function assigned to the isp’s token. The analysis of the invoked net depends on the method used in the invocation. In order to define the Fuzzy Time G-Net (FTGNet), we consider the elements that take part in the interaction among G-Nets, that are the isp and the GSP, and the fuzzy time intervals, defined delays, associated with the firing of transitions. More details related to timing analysis can be found in [de Figueiredo et al., 1994; Perkusich et al., 1994; de Figueiredo et al., 1995a and 1995b].

Using Fuzzy Time G-Nets

For timing analysis purpose, we assume that the internal structure of a G-Net will be a FTPN. When one G-Net invokes another G-Net with a given m, this method defines the initial marking for the invoked net. Since the internal structure is a Fuzzy Time Petri Net, the token that arrives in an isp is a fuzzy token. Thus, the initial marking for the invoked net should be composed by fuzzy tokens. Once our main objective is the modular analysis, we have to have conditions to study each G-Net in isolation, i.e., the individual G-Net timing analysis must be independent of the analysis of the G-Net which is invoking it. Due to the commutativity and distributivity properties of fuzzy sets, it is possible to study each invoked G-Net considering that the tokens of the initial marking for the invoked net are not fuzzy. The results are then combined via the isp, i.e., a fuzzy interval that corresponds to the minimum and maximum execution time of the invoked net is computed by combining the enable and delay intervals attached to its transitions. The computation of this fuzzy interval resumes when a goal place

6. VERIFICATION APPLICATION

mph /

behavioral analysis

verification

Figure 11.

I\ local structure and behavior verification

Block diagram of the verification system.

ENVIRONMENT

AND

In this section we discuss implementation aspects and experimental results. We present the structure and implementation of a verification system for G-Nets. The system was implemented in language C, and is portable to different machines. The actual implementation runs on DECStations and SPARCstations under UNIX. The interface was implemented based on the XWindows system. Before detailing the implementation, we show in Figure 11 the block diagram of the verification system. From this figure we can identify the execution of two different kinds of analysis: timing analysis and behavioral analysis.

reachability

reeentrance

53

interaction verification

54

A. Perkusich and J. C. A. de Figueiredo

J. SYSTEMSSOFlWARE 1997; 39:39-59

As we show in Figure 11, the verification system has as input a G-Net specification. Actually this is a text description as introduced by Chen in [Chen et al., 19921. This text description is loaded by the reachability tree generator, and is used to generate the reachability tree. In what follows we discuss each of the modules.

6.1 Reachability

Tree Generator

The Reachability Tree Generator (RTG) is the module that loads the text description of the G-Net to be analyzed and generates the reachability tree. We show the block diagram of the module to generate the reachability tree in Figure 12. In order to generate the reachability tree, the RTG needs the following information as input: G-Net specification (a text description); primitive functions, and; environmental assumptions. The primitive functions perform the same function as the arc expressions and transition inscriptions. These functions are written in C language and are executed when a token is deposited on them. When the function is executed, it processes the token (message) corresponding to the variable associated to arc. Before resuming the execution of the function, the token is rebuilt with the new information resultant from the execution of the primitive. Among other things, the token carries the value of the branch color, the value of new parameters and the propagation sequence. The environmental assumptions are necessary to generate the reachability tree, because we can not locally decide when a token is deposited in an initial

place. Therefore, they provide the means by which we can decide when to deposit a token in an initial place, that is, define the initial marking of the net to be analyzed. Environmental assumptions are related to the behavior of the isps and the GSPs. The behavior of an isp corresponds to the abstracted or external behavior of an invoked net for a given method. For implementation purposes we define the possible behaviors of the invoked net by means of a string. For example, when the producer invokes the consumer with method status, the possible behavior of the consumer can be characterized by a string of the form:4 nak* ack. Therefore, we can define the reachability tree assuming that the behavior of the consumer is: nak ack. Although this string is not the unique that can be constructed for the invoked net, it is sufficient to locally generate the reachability tree of the G-Net for the producer. The behavior of the GSP of the net must also be assumed. To do so, we define an invocation sequence procedure based on the concept adopted for the isp. The reachability is created based on the input information described above. The reachability tree generator performs the same function as a token game player, and is based on G-Net simulator [Chen et al., 19921. The procedure reads the text format file for the defined net, and also reads the places and transition names. The names of transitions and places are used to display for the user the marking of the places and firing of transitions, as we will show later. The procedure then takes the environ-

4 The * corresponds to

f Reachability tree generator

Figure

12. Block diagram

of the reachability

tree generator.

the Kleen’s

operator.

G-Nets: Logical and Timing Analysis

_I. SYSTEMS

SOFTWARE

55

1991: 3939 59

mental assumptions (defined on file), establishes the initial marking, and starts firing the transitions and generating the reachability tree. The process ends when no more invocations are defined in the environmental assumptions. The time complexity of the procedure is exponential (O(2”)) with the number of states. Nevertheless, the G-Net can be kept reasonably small so the application of the procedure, considering the time complexity, is still feasible from the practical point of view. After the reachability tree is created, we construct a reachability graph necessary to process the verification, as we will discuss below. In Figure 13 we show a screen dump of the reachability graph generation procedure after the user had selected the option Create (lower left corner in window, Reachability Graph Generation). First we show the list of transitions with their names and enabled and delay intervals-these two intervals are used for timing analysis. Then we show the list of places, each with their associated information. For

analysis purpose we define four different places:

initial places: the information associated with initial places in a G-Net is: its name (for example in

Figure 13, place IN has name IN); its type (is the associated method (is ms); and the external transition associated with it (is ms). In Figure 13 this information associated with the initial place IN has the format

INITIAL);

IN

[Name:IN]

[Type:INITTAI,j

[Method:ms]

[E_Tr,insition:ms]:

normal places: for the normal places we define only their names, for example place RC in Figure 13

has the format RC

[Name:Rc]

[Type:No!-m,il :

goalplaces:

the information associated with the goal places are: its name (for example in Figure 13, goal place GPS has name GPS); its type (is GOAL >; completion

II

I?-lllty

proposition

i c _I’ I opo s i-

Trw Gemoration

The reah&111+u tree will be cQn8tnrted for net:

.im:e.cz,IE_Trans‘t .Im:emslIE_Trans‘t .----

Figure 13. Screen dump for the consumer

kinds of

net showing the reachability

graph generation.

56

A. Perkusich and J. C. A. de Figueiredo

J. SYSTEMS SOFTWARE 1997; 39:39-59

Conflict-freeness Verification: the objective is to check whether the set of transitions belonging to each method defined for the net are conflict-free or not. Local Behavior Verzfication: we verify the local properties for the net. Interaction Verification: the interaction or verification checks whether the abstraction of the net being analyzed verifies or not the environmental assumptions.

t ion) (is mc-that is, it is the goal place for transition method mc); and the external (E-Transit ion) (is @cl. The format shown in Figure 13 is

GPC [Name:GPCl [Type:GOALl [C_Proposition:emc] [E_Transition:gpc]; instantiated switching places:

the information associated with these types of places are: name, type is ISP, the invocation proposition ( I-P), the completion proposition (C-P) , and the delay interval (D-1).D-1 is only used for timing analysis and will not be discussed. The format to display the isp information is (this example is for the producer

In fact for step 4 we have to check whether the net guarantees the behavior that was assumed for it as part of the environment of other nets. In what follows we discuss each one of the above verification steps.

G-Net):

isp(C.mc)

6.2.1 Reentrance Verification. In order to realize reentrance verification, the transition closure RG* of the reachability graph RG is computed. To obtain the transition closure of RG we apply the well known interactive squaring technique. Based on the transitive closure matrix, we can then verify whether the goal places are always reachable and the net is reinitializable. We also verify if the marking of the initial places are empty before a method is invoked. This way we can verify whether the reentrance properties are being violated or not.

[Name:isp(Cmc)]

[Type:ISP] [I_P:si] [C_P:ral [D-1:1, 41.

6.2 Structure and Behavior Analysis In Figure 14 we show a block diagram of the structure and behavior analyzer (SBA). Based on the reachability graph, environmental assumptions and places, and transitions information, the module SBA performs the verification according to the following steps:

6.2.2 Conflict-freeness Verification. We will informally discuss how to verify the property of set dynamic conflict-freeness. To verify the conflictfreeness among the set of transitions belonging to all methods defined for the G-Net being analyzed,

1. Reentrance Verification: the reentrance properties like reachability of goal places and reinitialization are verified.

Environment

Structure/Behavior Analysis GGI

Figure

14. Block diagram

structure

and behavior

analyzer.

G-Nets: Logical and Timing Analysis

J. SYSTEMS SOFTWARE 1997: 39:39-59

we first identify all the places that are input for transitions belonging to each method. To find these places we generate the incidence matrix for the G-Net being analyzed. From this incidence matrix we can identify which places may lead to a potential static conflict set. When these places are identified, we verify whether their output transitions belong to different methods. In case affirmative, these transitions are in set static conflict. After this we have to verify two conditions to characterize dynamic conflict-free: 1) if the places can be marked at the same enabling marking for all sets of transitions, and; 2) if the firing of one of these transitions disables the execution of the other methods that have transitions in set static conflict. Since we have defined which are the places that when marked may lead to a conflict, we analyze the reachability graph to check whether condition 2 above is satisfied. In case affirmative, one of the methods will be unable to progress and the set of transitions belonging to these methods are in set

w .mmmgpobcu OFClttZSl~ mrndo~vtmm rneub0lammr.s .O:-~ =w-

dynamic conflict. Otherwise, are set dynamic conflict-free.

the set of transitions

6.2.3 Local Properties Verification and Abstraction. Local properties are verified based on the reachability tree, and queries expressing properties as temporal logic formulas. To extract the abstracted behavior for each method of a net we first have to identify the interface places for each method. Once these interface places are identified, we verify how to generate the abstracted reachability graph for each method. To perform this task we use the transitive closure of the incidence matrix for the reachability graph, the same used to verify reentrance properties. Based on this transitive closure matrix we identify the path between each interface place. In Figure 15 we show the screen dump for the execution of the analysis procedure. Note that not all of the analysis procedures are implemented yet. We show in this figure the transitive closure for the reachability graph. Based on the transitive closure

5111111111 5211111111 5511111111 Mllllllll 9511111111 5811111111 5711111111 s811111111 ___--_____-~-----_ EENTRMCE =YSIS eemchlng athod and startingplace(s) ... 2 stmrthg pl.sm(s)fmmd place for m&hod 8 ie IN sd is marked in the initial p1-

for method n

ION a

Figure 15.

57

Screen dump for the consumer net showing the analysis.

IS TC sd

1s marked in the ‘nitial

)(ETm_Net ... IN.CPS

58

J. SYSTEMS SOFTWARE 1997: 39:39-59

A. Perkusich and J. C. A. de Figueiredo

we perform reentrance analysis and set conflict-free transitions verification for each method. At the end of the window we present the places belonging to the interface of the net.

tem [Perkusich et al., 19951. Also the verification system outlined in this section has been very helpful in the logical and timing analysis of these two systems.

6.3 Timing Analysis

7. CONCLUSION

Implementation

Aspects

The timing analysis is performed using Fuzzy Time G-Net approach as introduced in Section 5. Thus, we have to determine the Fuzzy Reachability Graph corresponding to the model we want analyzed. This is accomplished by combining the reachability graph generated by the RTG module and fuzzy time information stored in files. By fuzzy time information we mean fuzzy time intervals and initial FTFs. Then, applying the timing analysis algorithm to FRG, we compute some performance predictors based on the FTF of the remaining tokens. Besides the timing analysis based on the reachability graph, we developed a time chart in order to graphically illustrate the time execution behavior of a system by focusing on the interaction between modules (G-Nets). The time chart, named Timing G-Nets Interaction Graph (TGIG), is a 2D graph that depicts the timing and interaction aspects between different G-Nets in a G-Net system. The TGIG can be used as an alternative approach in order to determine some performance indices. In the vertical axis, we represent the G-Nets and their corresponding methods, while in the horizontal axis we represent the G-Nets states and their time duration. For each G-Net we are considering two kinds of states: executing and invoking. Also, for each G-Net and a specific method, we consider the best and worst cases. The invocation of G-Nets are denoted by a direct edge linking two different G-Nets. The direction of the directed edge denotes which G-Net is invoking and which is being invoked. Also, the directed edge represents the ending of the invocation. Different information can be obtained from the TGIG. We can compute the best and worst execution time for a G-Net, and the total executing time and invoking time for a given G-Net. This can be obtained by the sum of time intervals which the G-Net remained in the executing or invoking state. Moreover, by combining the best and worst cases representation, we can determine time intervals in which a given G-Net is for sure in an execution state or in an invocation state. The approach introduced in this paper has been used to model two different kinds of systems: a track vehicle transport system [Perkusich and de Figueiredo, 19951 and a flexible manufacturing sys-

In this paper we have introduced a modular analysis methodology for a class of high-level Petri nets named G-Nets. We described the motivation for such a modular analysis approach: the necessity to avoid the state explosion problem when analyzing a large complex software system. We formalized the concepts of G-Nets by allowing the application of modular analysis and verification. We also defined structural and behavioral properties for G-Nets. When these structural and behavioral properties are satisfied, it is possible to apply a behavioral/logical verification approach to avoid the state explosion problem. The introduction of the concept of reentrance as well as the definition of the properties related to this concept, and the application of them to ‘G-Nets, gives to the designer a very well structured way to design a complex system. Indeed, with the introduction of the concept of reentrance, together with a proper decomposition approach methodology for the G-Net interface elements, a well defined and structured way to compose G-Nets in a G-Net system was defined, allowing the application of a modular analysis methodology based on an assume/guarantee paradigm. This approach has demonstrated that it is possible to successfully adopt a modular approach for the analysis and verification of a complex software system. The external behavior or abstraction of G-Net can then be extracted, and, based on this abstraction, it is possible to define which of the local properties of G-Net will be part of the environment of other G-Nets in a G-Net system. Moreover, we can, based on this abstract view, verify whether the assumptions made about the environment of a G-Net are or are not being satisfied. We also discussed a fuzzy approach to introduce time in Petri nets. The major motivation of this approach is the lack of generality of timing Petri net extensions. This approach, Fuzzy Time Petri Net (FTPN), integrates in a complementary fashion the strength of the deterministic and stochastic extensions. Moreover, in order to deal with large complex systems, we integrated the FTPN model with G-Nets. The integration allows the modular timing analysis of complex systems by considering the internal structure of a G-Net as being a FTPN, and using a decomposition approach. Thus, we can divide a sys-

G-Nets:

Logical

and Timing

Analysis

tern in subsystems, study them in isolation and integrate their results to get the global solution. We have to say that the emphasis given in this paper is on the engineering aspects of the methodology. Theoretical matters are introduced to give a formal basis for the claims. Moreover, we believe that the marriage between formal methods and engineering approaches is the best way to face the difficulties associated with the design and verification of complex software systems. The advantages of this convenient marriage are evident. From one aspect it is possible to share the methodological aspects inherent to an engineering approach for the design and verification of complex software systems. On the other hand, powerful formal methods are then available for the designer, so that early in the design phase of a system it is possible to verify whether the system possesses or not the specified properties.

REFERENCES Broy, M., and Streicher, T., Modular functional modelling of petri nets with individual tokens, in Adounces in Petri Nets 1992, (G. Rozenberg, editor), Lecture Notes in Computer 70-88.

Science,

vol. 609, Springer-Verlag,

1992, pp.

Chen, T. c’., Deng, Y., and Chang, S. K., A simulator for distributed systems using g-nets, in Proceedings of 2992 Pittsburgh Simulation Conference, 1992.

Dasarathy, B., Timing constraints of real-time systems: Constructs for expressing them. methods of validating them. IEEE Transactions on Software Engineering 1 l(l), 80-8h (1985). de Figueiredo, J. C. A., and Perkusich, A., Fault tolerance in real-time distributed systems using petri nets extension, in Proc. of 7th International Conference on Computing and Information, ZCCZ’95, 1995, pp. 924-946.

de Figueiredo, J. C. A., Perkusich, A., and Chang, S. K., Timing analysis of real-time software systems using fuzzy time petri nets, in Proc. of The Sixth International Conference on Software Engineen’ng and Knowledge Engineering, 1994, pp. 243-253.

de Figueiredo, J. C. A., Perkusich, A., and Chang, S. K., Anticipated faults in real-time distributed systems, in Proc. of The Seventh Zntemational Conference on Software Engineering and Knowledge Engineering, SEKE’95, 1995, pp. 411-418. Deng, Y., Chang, S. K., de Figueiredo, J. C. A., and Perkusich, A., Integrating software engineering methods and petri nets for the specification and prototyping of complex software systems, in Application and Theory of Petri Nets 1993 (M. Ajmone Marsan, editor), Lecture Notes on Computer Science, vol. 691, Springer-Veriag, 1993, pp. 206-223.

Dubois, D., and Prade, H., Processing fuzzy temporal knowledge. IEEE Transuctions on Systems, Mun. and Cybernetics, 19(4), 729-744 ( 198Y ).

Emerson, E. A. and Srinivasan, J.. Branching time: tcmporal logic, in Linear Time, Branching Time mnd Partial Order in Logics and Models fbr Concuwenc~ (J. W. Bakkar, W.-P. de Roevcr, and G. Rozenbcrg, editors), Lecture Notes in Computer Science. vol. 354. SpringcrVerlag, 1988. Ghezzi, C., Mandrioli, D., Morasca. S., and Pczzc, M., A general way to put time in petri net. in 5th /nternationu/ Workshop on SofnYare Specificatiom anti De.sign, I 989, pp. 60-66. Manna, Z., and Pnueli, A., The Temporal Logic, o/‘Keactir,c und Concurvent Systems, Springer-Vcrlag. NW York. NY, 1902. Ajmone Marsan, M., Balbo, D., and C’onte, G., A class ol generaliscd stochastic petri nets for the pcrl’ormance evaluation of’ multiprocessor systems. A( ‘M /‘TMn.suctions on Computer Systems 2(2), Y3p I22 ( I Y84). Merlin, P. M.. and Farber, D. .I., Recoverability ot’ communication protocols-implications of a theoretical study. IEEE Trunsactions on Communication, (‘OMM-14(9). 1036~ 1043 ( 1976). Molloy, M. K., On the Integration of Dcluy and Zhroughpur Measure.r in Distributed Process& Modc*ls. Ph 1.) thesis, UCLA, 1981. Murata, T., Petri nets: Properties, analysis and applications. Proc. of the IEEE, 77(4). 54 I - 580 ( I Y8Y).

Perkusich, A., and de Figueiredo, J. C. A., (Ibject oriented design of a track-vehicle system, in Proc. or The Sellenth International Conference on Software E‘ngineering and Knowledge Engineeting, SEKE’YS, 1095.

Perkusich, A., de Figueiredo, J. c‘. A., and Chang, S. K.. Embedding fault-tolerant properties in the design ot complex systems. Journal of Systems and Sofiwure, X25). 23~37 (1994). Perkusich, M. L. B., Perkusich, A., and Schicl, IJ., Integrated design of object-oriented real-time control and database systems, in Proc. of the Sellenth International Conference on Software Engineering und Knowledge Engineering, SEKE’95, 1995.

Pnueli, A., In transition from global to modular temporal reasoning about programs, in Logics and Models of Concurrent Systems (K. R. Apt. editor), NATO ASI series, Series F, Computer and Systems Sciences. vol. 13, Springer-Verlag, 1984. Ramchandani, C., Analysis of asychronous concurrent systems by petri nets, Technical Report Project MACTR120, M.I.T., Cambridge, MA, 1974. Shatz, S. M., Der>elopment of Distributed Joftware, Macmillan Publishing Company. New York, 1993. van der Aalst, W. M. P., Interval timed coloured petri nets and their analysis, in Applicution and ‘Theory of Petri Nets 1993 (M. Ajmone

in Computer pp. 4535472.

Marsan,

editor).

Lecture

Science, vol. 691, Springer-Verlag,

Notes

1993,