Parallel LTL-X Model Checking of High-Level Petri Nets Based on Unfoldings
Claus Schröter* and Victor Khomenko**
*University of Stuttgart, Germany
**University of Newcastle upon Tyne, UK
Basis for our work
Esparza and Heljanko (ICALP 2000, SPIN 2001): A New Unfolding Approach to LTL Model-Checking
The net system is constructed as the product of
• the original net system and
• a Büchi automaton accepting the negation of the formula
The model-checking problem is reduced to the detection of
• illegal ω-traces and
• illegal livelocks
by exploiting finite complete prefixes
Basis for our work
Simplicity of this approach
Partial order semantics of Petri nets alleviates the state space explosion problem
Inputs are low-level Petri nets
Low-level Petri nets are not convenient for modelling
Gap
Low-level PNs: can be efficiently verified, but are not convenient for modelling
High-level descriptions: convenient for modelling, but verification is hard
Coloured PNs: a good intermediate formalism bridging this gap
[figure, shown over four animation steps: a coloured net with two input places of colour set {1,2} marked with tokens 1 and 2, a transition with arc variables u and v on the input arcs, w on the output arc and guard w<u+v, and an output place of colour set {1..4}; firing with u=1, v=2 puts either 1 or 2 into the output place]
Expansion
[figure, shown over six animation steps: the coloured net above expanded into a low-level net, with one place per place/colour pair and one transition per binding of u, v, w that satisfies w<u+v]
The expansion faithfully models the original net
Blow up in size
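The expansion the animation walks through, as an added Python example that is not part of the slides or of the authors' tool: for every transition it enumerates all bindings of the arc variables that satisfy the guard and emits one low-level transition per binding, plus one low-level place per (place, colour) pair. The net is the one on the slides (colour sets {1,2}, {1,2}, {1..4}, guard w<u+v, tokens 1 and 2 in the input places); the names p1, p2, p3, t and the helper expansion_size, which re-runs the same net shape with colour sets {1..n}, {1..n}, {1..2n}, are my assumptions. It goes beyond the slide by quantifying the blow-up: the expansion of this shape has n^3 transitions.

```python
from itertools import product


def expand(places, transitions, marking):
    """Expand a coloured net into a low-level net.

    places:      place -> colour set (any iterable of token values)
    transitions: name -> (guard, preset, postset); preset/postset map place -> arc variable,
                 guard is a predicate on the binding dict
    marking:     place -> token value (at most one token per place, as on the slides)
    A low-level place is the pair (place, colour); a low-level transition is (name, binding)."""
    ll_places = {(p, col) for p, cols in places.items() for col in cols}
    ll_trans = {}
    for name, (guard, pre, post) in transitions.items():
        variables = sorted({v for arcs in (pre, post) for v in arcs.values()})
        domains = []                       # a variable ranges over the colours of the places it annotates
        for v in variables:
            dom = None
            for arcs in (pre, post):
                for p, var in arcs.items():
                    if var == v:
                        dom = set(places[p]) if dom is None else dom & set(places[p])
            domains.append(sorted(dom))
        for values in product(*domains):   # every binding; the guard filters them
            b = dict(zip(variables, values))
            if guard(b):
                ll_trans[(name, tuple(sorted(b.items())))] = (
                    frozenset((p, b[v]) for p, v in pre.items()),
                    frozenset((p, b[v]) for p, v in post.items()))
    ll_marking = frozenset((p, col) for p, col in marking.items())
    return ll_places, ll_trans, ll_marking


def enabled(ll_trans, ll_marking):
    """Low-level transitions enabled at a low-level marking."""
    return sorted(t for t, (pre, _) in ll_trans.items() if pre <= ll_marking)


# The net from the slides: two input places over {1,2}, an output place over {1..4},
# one transition with arc variables u, v, w and guard w < u + v, initially marked 1 and 2.
PLACES = {"p1": {1, 2}, "p2": {1, 2}, "p3": {1, 2, 3, 4}}
TRANSITIONS = {"t": (lambda b: b["w"] < b["u"] + b["v"], {"p1": "u", "p2": "v"}, {"p3": "w"})}
M0 = {"p1": 1, "p2": 2}


def expansion_size(n):
    """Same net shape with colour sets {1..n}, {1..n}, {1..2n} (assumed parametrisation):
    returns (number of low-level places, number of low-level transitions)."""
    places = {"p1": range(1, n + 1), "p2": range(1, n + 1), "p3": range(1, 2 * n + 1)}
    ll_places, ll_trans, _ = expand(places, TRANSITIONS, {})
    return len(ll_places), len(ll_trans)


if __name__ == "__main__":
    ll_places, ll_trans, ll_m0 = expand(PLACES, TRANSITIONS, M0)
    print(len(ll_places), "low-level places,", len(ll_trans), "low-level transitions")
    print("enabled at the initial marking:", enabled(ll_trans, ll_m0))
    for n in (2, 3, 4, 8):
        print(f"n={n}: places, transitions = {expansion_size(n)}")
```

At the slide's marking exactly the two bindings u=1, v=2, w=1 and u=1, v=2, w=2 are enabled, which is what the two animation steps show; for colour sets of size n the single coloured transition becomes n^3 low-level ones.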
Finite complete prefix
Introduced by McMillan in 1992
Relies on the partial order view of concurrent computation
Represents system states implicitly, using an acyclic net
Satisfies two key properties:
• Completeness: Each reachable marking of the original net is represented by at least one reachable marking in the prefix
• Finiteness: The prefix is finite and thus can be used as an input to model-checking algorithms
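McMillan's construction as an added Python example (mine, not the slides' or Punf's code): it builds the prefix of a 1-safe low-level net event by event in order of local-configuration size, declares an event a cut-off when a strictly smaller configuration already reaches the same marking, and then checks the completeness property stated above by comparing the markings reachable in the prefix with those of the original net. The two-cell buffer net (places e1/f1 and e2/f2 for "cell empty/full", transitions in, move, out) is constructed for the example as a low-level stand-in for the coloured buffer on the later slides.

```python
from itertools import combinations, product
from collections import deque


def reachable_markings(transitions, m0):
    """Explicit reachability set of a 1-safe net (used here only to check completeness)."""
    seen, todo = {frozenset(m0)}, deque([frozenset(m0)])
    while todo:
        m = todo.popleft()
        for pre, post in transitions.values():
            if frozenset(pre) <= m:
                m2 = (m - frozenset(pre)) | frozenset(post)
                if m2 not in seen:
                    seen.add(m2)
                    todo.append(m2)
    return seen


def unfold(transitions, m0):
    """McMillan-style finite complete prefix of a 1-safe net.
    Returns (conds, events, initial): conds maps condition id -> place, events maps
    event id -> (transition, preset, postset, is_cutoff), initial = conditions of m0."""
    conds, past, consumers = {}, {}, {}    # per condition: place, causal past (event ids), consuming events
    events, pre_of, post_of, local, cutoff = {}, {}, {}, {}, set()
    best_size = {frozenset(m0): 0}         # Mark(C) -> smallest |C| seen so far (empty configuration = m0)

    def new_cond(place, producer_past):
        cid = len(conds)
        conds[cid], past[cid], consumers[cid] = place, producer_past, set()
        return cid

    def concurrent(cs):
        for a, b in combinations(cs, 2):
            if past[b] & consumers[a] or past[a] & consumers[b]:
                return False               # causally ordered
        hist = set().union(*(past[c] for c in cs))
        return not any(pre_of[e1] & pre_of[e2] for e1, e2 in combinations(hist, 2))  # in conflict

    def marking(config):
        """Places of the cut reached by the (causally closed) configuration `config`."""
        return frozenset(conds[c] for c in conds if past[c] <= config and not (consumers[c] & config))

    initial = frozenset(new_cond(p, frozenset()) for p in sorted(m0))
    while True:
        best = None                        # possible extension with the smallest local configuration
        for t, (pre, _) in transitions.items():
            slots = [[c for c in conds if conds[c] == p and not (past[c] & cutoff)] for p in sorted(pre)]
            for cs in map(frozenset, product(*slots)):
                if any(events[e] == t and pre_of[e] == cs for e in events) or not concurrent(cs):
                    continue
                lc = frozenset().union(*(past[c] for c in cs))
                if best is None or len(lc) < len(best[2]):
                    best = (t, cs, lc)
        if best is None:
            return conds, {e: (events[e], pre_of[e], post_of[e], e in cutoff) for e in events}, initial
        t, cs, lc = best
        e = len(events)
        events[e], pre_of[e], local[e] = t, cs, lc | {e}
        for c in cs:
            consumers[c].add(e)
        post_of[e] = frozenset(new_cond(p, local[e]) for p in sorted(transitions[t][1]))
        m = marking(local[e])
        if m in best_size and best_size[m] < len(local[e]):
            cutoff.add(e)                  # a strictly smaller configuration already reaches this marking
        else:
            best_size.setdefault(m, len(local[e]))


def prefix_markings(conds, events, initial):
    """Every marking reachable in the prefix, mapped back to places of the original net."""
    occ = {e: (pre, post) for e, (_, pre, post, _) in events.items()}
    return {frozenset(conds[c] for c in m) for m in reachable_markings(occ, initial)}


def prefix_is_complete(transitions, m0):
    conds, events, initial = unfold(transitions, m0)
    return prefix_markings(conds, events, initial) == reachable_markings(transitions, m0)


# Constructed example: a two-cell buffer as a 1-safe net; e_i / f_i = cell i empty / full.
BUFFER = {
    "in":   ({"e1"}, {"f1"}),
    "move": ({"f1", "e2"}, {"e1", "f2"}),
    "out":  ({"f2"}, {"e2"}),
}
BUFFER_M0 = {"e1", "e2"}

if __name__ == "__main__":
    conds, events, initial = unfold(BUFFER, BUFFER_M0)
    for e, (t, pre, post, cut) in events.items():
        print(f"e{e}: {t} {sorted(pre)} -> {sorted(post)}{' (cut-off)' if cut else ''}")
    print("complete:", prefix_is_complete(BUFFER, BUFFER_M0))
```

For the buffer the prefix has four events, the last of them a cut-off because its local configuration returns to the initial marking; all four reachable markings of the buffer are represented. Completeness is checked by enumerating the prefix's own markings, which is only feasible for toy nets: the point of the prefix is that the model checker never has to do this.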
Relationship diagram
Coloured PNs --unfolding--> Coloured prefix
Coloured PNs --expansion--> Low-level PNs --unfolding--> Low-level prefix
Coloured prefix ~ Low-level prefix: Khomenko and Koutny proved the isomorphism (TACAS'03)
[figure: the coloured prefix of the example net; its two events carry the bindings u=1, v=2, w=1 and u=1, v=2, w=2]
Example: Buffer of capacity 2
[figure, shown over eight animation steps: a coloured net with places p1, p2, p3, p4 of colour set {0,1}, transitions t1, t2, t3 and arc variables a and b; the animation shows tokens 0 and 1 moving through the two buffer cells]
Property: φ = ◊□(p2≠0)
Büchi automaton Aφ
[figure: two states q0 and q1 with transitions u0, u1 and I0 labelled true and (p2≠0); in the net representation the states become the places q0:{} and q1:{}]
Synchronisation
Standard technique: synchronisation on all transitions
Synchronisation sequentialises the system, which makes it unsuitable for unfolding-based verification
Solution: synchronise only on those transitions which 'touch' the atomic propositions of the formula
The remaining concurrency can then be exploited by the unfolding
[figure, shown over seven animation steps: the buffer net synchronised with Aφ; only the transitions that touch p2 are connected to the automaton places q0:{}, q1:{} through the scheduler places B:{} and S:{}, the other transitions stay unsynchronised]
Illegal ω-traces
An infinite transition sequence that touches q1 infinitely often violates φ
To detect such runs we introduce the set I of all transitions putting a token into an accepting Büchi place
An infinite transition sequence of the synchronised net which is fireable from the initial marking and contains infinitely many occurrences of I-transitions violates φ (illegal ω-trace)
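The synchronisation from the previous slides and the ω-trace check from this one, as one added Python example (mine, not the slides' or Punf's code). It builds the product of a 1-safe net with a state-based Büchi automaton for the negated formula, letting only transitions that touch an atomic-proposition place hand control to the automaton; my reading of the slide's S and B places is used as the scheduler (system turn / Büchi turn), and automaton guards are evaluated as predicates on the current marking in place of read arcs. Illegal ω-traces are then found as reachable cycles through I-transitions on the explicit reachability graph, not on the unfolding prefix as in the talk, and illegal livelocks are not checked. The two-cell buffer net, the propositions e1/f1 ("cell 1 empty/full") and the two automata are constructed for the example.

```python
from collections import deque

# Constructed example (not the slides' coloured buffer): two-cell buffer as a 1-safe net.
BUFFER = {
    "in":   ({"e1"}, {"f1"}),
    "move": ({"f1", "e2"}, {"e1", "f2"}),
    "out":  ({"f2"}, {"e2"}),
}
BUFFER_M0 = {"e1", "e2"}


def synchronise(transitions, m0, ap, buchi):
    """Product of a 1-safe net with a state-based Buechi automaton for the negated formula.
    ap:    places the atomic propositions refer to
    buchi: (initial state, accepting states, [(src, guard, dst), ...]), guard = predicate on a marking
    A transition touching an AP place takes S and gives B; the automaton takes B, reads the marking
    and gives S back. Transitions touching no AP place are never synchronised and stay concurrent
    with the automaton (sound for stutter-invariant formulas only, hence LTL-X).
    Returns (product transitions, initial marking, I) with I = transitions into accepting states."""
    init, accepting, edges = buchi
    prod, I = {}, set()
    for t, (pre, post) in transitions.items():
        visible = bool((set(pre) | set(post)) & set(ap))
        sched_pre, sched_post = ({"S"}, {"B"}) if visible else (set(), set())
        prod[t] = (frozenset(set(pre) | sched_pre), frozenset(set(post) | sched_post), None)
    for k, (src, guard, dst) in enumerate(edges):
        name = f"a{k}:{src}->{dst}"
        prod[name] = (frozenset({"B", src}), frozenset({"S", dst}), guard)
        if dst in accepting:
            I.add(name)
    return prod, frozenset(set(m0) | {"B", init}), I   # the automaton reads m0 first


def successors(prod, m):
    for t, (pre, post, guard) in prod.items():
        if pre <= m and (guard is None or guard(m)):
            yield t, (m - pre) | post


def reachability_graph(prod, m0):
    graph, todo = {}, deque([m0])
    while todo:
        m = todo.popleft()
        if m in graph:
            continue
        graph[m] = list(successors(prod, m))
        todo.extend(m2 for _, m2 in graph[m])
    return graph


def path(graph, src, dst):
    """BFS: the transition sequence leading from src to dst, or None."""
    prev, todo = {src: None}, deque([src])
    while todo:
        m = todo.popleft()
        if m == dst:
            seq = []
            while prev[m] is not None:
                m, t = prev[m]
                seq.append(t)
            return seq[::-1]
        for t, m2 in graph[m]:
            if m2 not in prev:
                prev[m2] = (m, t)
                todo.append(m2)
    return None


def illegal_omega_trace(transitions, m0, ap, neg_automaton):
    """A reachable cycle through an I-transition, i.e. an infinite firing sequence with infinitely
    many I-occurrences, as a transition sequence; None if no illegal omega-trace exists."""
    prod, pm0, I = synchronise(transitions, m0, ap, neg_automaton)
    graph = reachability_graph(prod, pm0)
    for m, succs in graph.items():
        for t, m2 in succs:
            if t in I:
                back = path(graph, m2, m)
                if back is not None:
                    return [t] + back
    return None


def always(m):
    return True

# phi1 = <>[] f1 ("cell 1 eventually stays full"); automaton for its negation []<> e1
NOT_PHI1 = ("q0", {"q1"}, [("q0", always, "q0"), ("q0", lambda m: "e1" in m, "q1"), ("q1", always, "q0")])
# phi2 = []<> e1 ("cell 1 is emptied again and again"); automaton for its negation <>[] f1
NOT_PHI2 = ("q0", {"q1"}, [("q0", always, "q0"), ("q0", lambda m: "f1" in m, "q1"), ("q1", lambda m: "f1" in m, "q1")])

if __name__ == "__main__":
    AP = {"e1", "f1"}
    print("phi1 counterexample:", illegal_omega_trace(BUFFER, BUFFER_M0, AP, NOT_PHI1))
    print("phi2 counterexample:", illegal_omega_trace(BUFFER, BUFFER_M0, AP, NOT_PHI2))
```

Only in and move touch the proposition places, so out is left unsynchronised. φ1 is violated: every infinite run of the buffer empties cell 1 again and again, and the checker returns the cycle through the I-transition as the counterexample; φ2 holds with respect to ω-traces, and no such cycle exists.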
Prefix
[figure, shown over five animation steps: the finite complete prefix of the synchronised buffer net, with conditions labelled q0, S, B, p10, p31, p41 (place p1 with colour 0, and so on) and events u0, t3, I0]
Experimental Results
Net          Formula     UnfSmdl    Spin    Punf
Abp          □(p→◊q)        0.19    0.01    0.08
Bds          □(p→◊q)         199    0.71    8.47
Dpd(7)       ◊□(pqr)         507    2.14    7.25
Furnace(3)   ◊□p            1057    1.00   26.90
GasNq(4)     ◊□p             240    0.14    8.46
Rw(12)       □(p→◊q)        2770    0.44   47.67
Ftp          ◊□p          >12000    3.99     836
More Results
Net          Formula     UnfSmdl    Spin    Punf
Over(5)      ◊□p           66.01    0.44    0.12
Cyclic(12)   □(p→◊q)        0.38   11.25    0.08
Ring(9)      ◊□p            2.13    1.64    0.13
Dp(12)       ◊□(pqr)       13.05     117    0.36
Ph(12)       ◊□(pqr)        0.04    0.61    0.02
Com(15,0)    □(p→◊q)        ----    3.11    0.02
Par(5,10)    □(p→◊q)        ----    3.60    0.02
More Results
Net           Spin    Punf
Cyclic(15)     168    0.08
Cyclic(16)     478    0.07
Cyclic(17)    1601    0.10
Ring(12)     75.38    0.30
Ring(13)       274    0.50
Ring(14)      1267    0.85
Dp(13)         559    0.53
Dp(14)        2123    0.75
Com(20,0)      232    0.02
Com(21,0)      686    0.03
Com(22,0)     2279    0.02
Ph(15)       16.69    0.01
Ph(18)        1570    0.01
Ph(21)         mem    0.02
Par(6,10)      161    0.02
Par(7,10)      mem    0.04
(mem: the run exhausted the available memory)
Results for Parallel Mode
Net            Spin   Punf(1)   Punf(2)
Com(20,3)       mem      8.58      6.01
Com(22,3)       mem     11.51      8.51
Com(25,3)       mem     17.29     12.84
Par(20,100)     mem      8.60      4.84
Par(20,150)     mem     31.98     18.28
Buf(20)        ----     22.70     16.95
Buf(25)        ----    142.72     89.40
(mem: the run exhausted the available memory)
Conclusions
Efficient parallel LTL-X model-checker for high-level Petri nets
Based on partial order techniques (unfoldings), which alleviate the state space explosion problem
Experimental results showed good performance of our checker on several examples