approaching the coverability problem continuouslyinfo.usherbrooke.ca/mblondin/slides/tacas16.pdf ·...
TRANSCRIPT
Approaching the Coverability Problem Continuously.
Michael Blondin, Alain Finkel, Christoph Haase, Serge Haddad
......
(Discrete) Petri nets
..
.....
.... 2.
..
..Places .Transitions .
Pre =
(1 20 0
).
Post =
(0 10 1
).Marking
1/12
(Discrete) Petri nets
..
.....
.... 2.
..
..Places .Transitions .
Pre =
(1 20 0
).
Post =
(0 10 1
).Marking
1/12
(Discrete) Petri nets
..
.....
.... 2.
..
..Places .Transitions .
Pre =
(1 20 0
).
Post =
(0 10 1
).Marking
1/12
(Discrete) Petri nets
.
.
...
..
.... 2.
..
..Places .Transitions .
Pre =
(1 20 0
).
Post =
(0 10 1
).Marking
1/12
(Discrete) Petri nets
.
.
...
..
.... 2.
..
..Places .Transitions .
Pre =
(1 20 0
).
Post =
(0 10 1
).Marking
1/12
(Discrete) Petri nets
.
....
...... 2
.
..
..Places .Transitions .
Pre =
(1 20 0
).
Post =
(0 10 1
).Marking
1/12
(Discrete) Petri nets
.
....
...... 2
.
..
..Places .Transitions .
Pre =
(1 20 0
).
Post =
(0 10 1
).Marking
1/12
(Discrete) Petri nets
..
.....
.... 2
.
..
..Places .Transitions .
Pre =
(1 20 0
).
Post =
(0 10 1
).Marking
1/12
(Discrete) Petri nets
..
.....
.... 2
.
..
..Places .Transitions .
Pre =
(1 20 0
).
Post =
(0 10 1
).Marking
1/12
(Discrete) Petri nets
..
.....
.... 2
.
..
..Places .Transitions .
Pre =
(1 20 0
).
Post =
(0 10 1
).Marking
1/12
Verifying safety with Petri nets
...
Process 1
.
..while True:
..
.
x = True..while
.
y: pass..# ..critical section
..
.
x = False
.
..
......
.
....
..
...........
..
.......
..
.
..
..............................................
...
Process 2
.
..while True:.... ..
.
y = True..if
.
x then:..
.
y = False..while
.
x: pass..goto ..
..# ..critical section..
.
y = False
..
Coverability problem
...Processes at both ..⇐⇒
..each .. ..≥ 1..critical sections .. ..≥ 0
..
Lamport mutual exclusion "1-bit algorithm"
2/12
Verifying safety with Petri nets
...
Process 1
.
..while True:
..
.
x = True..while
.
y: pass..# ..critical section
..
.
x = False
.
..
......
.
....
..
...........
..
.......
..
.
..
..............................................
...
Process 2
.
..while True:.... ..
.
y = True..if
.
x then:..
.
y = False..while
.
x: pass..goto ..
..# ..critical section..
.
y = False
..
Coverability problem
...Processes at both ..⇐⇒
..each .. ..≥ 1..critical sections .. ..≥ 0
..
Lamport mutual exclusion "1-bit algorithm"
2/12
Verifying safety with Petri nets
...
Process 1
.
..while True:
..
.
x = True..while
.
y: pass..# ..critical section
..
.
x = False
.
..
......
.
....
..
...........
..
.......
..
.
..
..............................................
...
Process 2
.
..while True:.... ..
.
y = True..if
.
x then:..
.
y = False..while
.
x: pass..goto ..
..# ..critical section..
.
y = False
..
Coverability problem
...Processes at both ..⇐⇒
..each .. ..≥ 1..critical sections .. ..≥ 0
..
Lamport mutual exclusion "1-bit algorithm"
2/12
Verifying safety with Petri nets
...
Process 1
.
..while True:
..
.
x = True..while
.
y: pass..# ..critical section
..
.
x = False
.
..
......
.
....
..
...........
..
.......
..
.
..
..............................................
...
Process 2
.
..while True:.... ..
.
y = True..if
.
x then:..
.
y = False..while
.
x: pass..goto ..
..# ..critical section..
.
y = False
..
Coverability problem
...Processes at both ..⇐⇒
..each .. ..≥ 1..critical sections .. ..≥ 0
..
Lamport mutual exclusion "1-bit algorithm"
2/12
Verifying safety with Petri nets
...
Process 1
.
..while True:
..
.
x = True..while
.
y: pass..# ..critical section
..
.
x = False
.........
.
....
..
...........
..
.......
..
.
..
..............................................
...
Process 2
.
..while True:.... ..
.
y = True..if
.
x then:..
.
y = False..while
.
x: pass..goto ..
..# ..critical section..
.
y = False
..
Coverability problem
...Processes at both ..⇐⇒
..each .. ..≥ 1..critical sections .. ..≥ 0
..
Lamport mutual exclusion "1-bit algorithm"
2/12
Verifying safety with Petri nets
...
Process 1
.
..while True:
..
.
x = True..while
.
y: pass..# ..critical section
..
.
x = False
.........
.
..................
.
.......
..
.
..
..............................................
...
Process 2
.
..while True:.... ..
.
y = True..if
.
x then:..
.
y = False..while
.
x: pass..goto ..
..# ..critical section..
.
y = False
..
Coverability problem
...Processes at both ..⇐⇒
..each .. ..≥ 1..critical sections .. ..≥ 0
..
Lamport mutual exclusion "1-bit algorithm"
2/12
Verifying safety with Petri nets
...
Process 1
.
..while True:
...x = True..while
.
y: pass..# ..critical section
...x = False
.........
.
..................
.
..........
..
..............................................
...
Process 2
.
..while True:.... ..
.
y = True..if .x then:..
.
y = False..while .x: pass
..goto ....# ..critical section
..
.
y = False
..
Coverability problem
...Processes at both ..⇐⇒
..each .. ..≥ 1..critical sections .. ..≥ 0
..
Lamport mutual exclusion "1-bit algorithm"
2/12
Verifying safety with Petri nets
...
Process 1
.
..while True:
..
.
x = True..while .y: pass
..# ..critical section..
.
x = False
.........
.
..................
.
..........................................................
...
Process 2
.
..while True:.... ...y = True
..if
.
x then:...y = False..while
.
x: pass..goto ..
..# ..critical section...y = False
..
Coverability problem
...Processes at both ..⇐⇒
..each .. ..≥ 1..critical sections .. ..≥ 0
..
Lamport mutual exclusion "1-bit algorithm"
2/12
Verifying safety with Petri nets
...
Process 1
.
..while True:
..
.
x = True..while
.
y: pass..# ..critical section
..
.
x = False
.........
.
..................
.
..........................................................
...
Process 2
.
..while True:.... ..
.
y = True..if
.
x then:..
.
y = False..while
.
x: pass..goto ..
..# ..critical section..
.
y = False
..
Coverability problem
...Processes at both ..⇐⇒
..each .. ..≥ 1..critical sections .. ..≥ 0
..
Lamport mutual exclusion "1-bit algorithm"
2/12
Verifying safety with Petri nets
...
Process 1
.
..while True:
..
.
x = True..while
.
y: pass..# ..critical section
..
.
x = False
........
.
..................
.
...........................................................
...
Process 2
.
..while True:.... ..
.
y = True..if
.
x then:..
.
y = False..while
.
x: pass..goto ..
..# ..critical section..
.
y = False
..
Coverability problem
...Processes at both ..⇐⇒
..each .. ..≥ 1..critical sections .. ..≥ 0
..
Lamport mutual exclusion "1-bit algorithm"
2/12
Verifying safety with Petri nets
...
Process 1
.
..while True:
..
.
x = True..while
.
y: pass..# ..critical section
..
.
x = False
........
.
..................
.
...........................................................
...
Process 2
.
..while True:.... ..
.
y = True..if
.
x then:..
.
y = False..while
.
x: pass..goto ..
..# ..critical section..
.
y = False
..
Coverability problem
...Processes at both ..⇐⇒
..each .. ..≥ 1..critical sections .. ..≥ 0
..
Lamport mutual exclusion "1-bit algorithm"
2/12
Verifying safety with Petri nets
...
Process 1
.
..while True:
..
.
x = True..while
.
y: pass..# ..critical section
..
.
x = False
........
.
..................
.
...........................................................
...
Process 2
.
..while True:.... ..
.
y = True..if
.
x then:..
.
y = False..while
.
x: pass..goto ..
..# ..critical section..
.
y = False
..
Coverability problem
...Processes at both ..⇐⇒
..each .. ..≥ 1..critical sections .. ..≥ 0
..
Lamport mutual exclusion "1-bit algorithm"
2/12
Verifying safety with Petri nets
...
Process 1
.
..while True:
..
.
x = True..while
.
y: pass..# ..critical section
..
.
x = False
........
.
..................
.
...........................................................
...
Process 2
.
..while True:.... ..
.
y = True..if
.
x then:..
.
y = False..while
.
x: pass..goto ..
..# ..critical section..
.
y = False
..
Coverability problem
...Processes at both ..⇐⇒
..each .. ..≥ 1..critical sections .. ..≥ 0
..
Lamport mutual exclusion "1-bit algorithm"
2/12
Coverability problem
ProblemInput: Petri net N , initial marking m0, target marking m
Question: Is some m′ ≥ m reachable from m0 in N ?
How to solve it?
• Forward: build reachability tree from initial marking• Backward: find predecessors of markings covering target• EXPSPACE-complete
.
3/12
Coverability problem
ProblemInput: Petri net N , initial marking m0, target marking m
Question: Is some m′ ≥ m reachable from m0 in N ?
How to solve it?
• Forward: build reachability tree from initial marking• Backward: find predecessors of markings covering target• EXPSPACE-complete
.
3/12
Coverability problem
ProblemInput: Petri net N , initial marking m0, target marking m
Question: Is some m′ ≥ m reachable from m0 in N ?
How to solve it? Karp & Miller '69
• Forward: build reachability tree from initial marking• Backward: find predecessors of markings covering target• EXPSPACE-complete
.
3/12
Coverability problem
ProblemInput: Petri net N , initial marking m0, target marking m
Question: Is some m′ ≥ m reachable from m0 in N ?
How to solve it? Arnold & Latteux '78, Abdulla et al. '96
• Forward: build reachability tree from initial marking• Backward: find predecessors of markings covering target• EXPSPACE-complete
.
3/12
Coverability problem
ProblemInput: Petri net N , initial marking m0, target marking m
Question: Is some m′ ≥ m reachable from m0 in N ?
How to solve it? Lipton '76, Rackoff '78
• Forward: build reachability tree from initial marking• Backward: find predecessors of markings covering target• EXPSPACE-complete
.
3/12
Coverability problem
ProblemInput: Petri net N , initial marking m0, target marking m
Question: Is some m′ ≥ m reachable from m0 in N ?
How to solve it?
• Forward: build reachability tree from initial marking• Backward: find predecessors of markings covering target• EXPSPACE-complete
.3/12
Backward algorithm
..
Cannot cover
.
target marking
...... 2.
....
4/12
Backward algorithm
..
Cannot cover
.
target marking
...... 2...
....
What initial markings may cover (0, 2)?
4/12
Backward algorithm
..
Cannot cover
.
target marking
...... 2.
....
4/12
Backward algorithm
..
Cannot cover
.
target marking
...... 2.
....
4/12
Backward algorithm
..
Cannot cover
.
target marking
...... 2.
....
4/12
Backward algorithm
..
Cannot cover
.
target marking
...... 2.
....
4/12
Backward algorithm
..
Cannot cover
.
target marking
...... 2.
....
4/12
Backward algorithm
..
Cannot cover
.
target marking
...... 2.
....
4/12
Backward algorithm
..
Cannot cover
.
target marking
...... 2.
....
4/12
Backward algorithm
..
Cannot cover
.
target marking
...... 2.
....
Basis size may become doubly exponential(Bozzelli & Ganty '11)
4/12
Backward algorithm
..
Cannot cover
.
target marking
........ 2.
....
We only care about some initial marking...
Speedup by pruning basis!
4/12
Backward algorithm
..
Cannot cover
.
target marking
...... 2.
....
We only care about some initial marking...Speedup by pruning basis!
4/12
(Discrete) Petri nets
........ 2.
1/2
.
1/4
.
1/2n
.
5/12
(Discrete) Petri nets
........ 2.
1/2
.
1/4
.
1/2n
.
5/12
(Discrete) Petri nets
....... 2.
1/2
.
1/4
.
1/2n
..
5/12
(Discrete) Petri nets
....... 2.
1/2
.
1/4
.
1/2n
..
5/12
(Discrete) Petri nets ..Continuous
....... 2.
1/2
.
1/4
.
1/2n
..
5/12
(Discrete) Petri nets ..Continuous
....... 2.
1/2
.
1/4
.
1/2n
..
5/12
(Discrete) Petri nets ..Continuous
....... 2.
1/2
.
1/4
.
1/2n
...
5/12
(Discrete) Petri nets ..Continuous
....... 2.
1/2
.
1/4
.
1/2n
...
5/12
(Discrete) Petri nets ..Continuous
....... 2.
1/2
.
1/4
.
1/2n
....
5/12
(Discrete) Petri nets ..Continuous
....... 2.
1/2
.
1/4
.
1/2n
....
5/12
(Discrete) Petri nets ..Continuous
....... 2.
1/2
.
1/4
.
1/2n
.....
5/12
Continuity to over-approximate coverability
m is coverable from m0
..
⇒
m is Q-coverable from m0
..
⇒..
⇒m0 and m satisfy conditions ofEsparza, Ledesma-Garza, Majumdar, Meyer & Niksic '14
..
EXPSPACE
.
PTIME
.
PTIME / NP / coNP
.
Safety
6/12
Continuity to over-approximate coverability
m is coverable from m0
..
⇒
m is Q-coverable from m0
..
⇒.. ⇒
m0 and m satisfy conditions ofEsparza, Ledesma-Garza, Majumdar, Meyer & Niksic '14
..
EXPSPACE
.
PTIME
.
PTIME / NP / coNP
.
Safety
6/12
Continuity to over-approximate coverability
m is not coverable from m0
.. ⇒m is not Q-coverable from m0
..
⇒..
⇒m0 and m satisfy conditions ofEsparza, Ledesma-Garza, Majumdar, Meyer & Niksic '14
..
EXPSPACE
.
PTIME
.
PTIME / NP / coNP
.
Safety
6/12
Coverability in continuous Petri nets
Fix some continuous Petri net (P, T,Pre,Post)
m is Q-coverable fromm0 iff... Fraca & Haddad '13
there exist m′ ≥ m and v ∈ QT≥0 such that
• m′ = m0 + (Post− Pre) · v
• some execution from m0 fires exactly {t ∈ T : vt > 0}
3
• some execution to m′ fires exactly {t ∈ T : vt > 0}
7
..
Straightforward
.
More subtle
.
Even better approximation
..
Polynomial time!
7/12
Coverability in continuous Petri nets
Fix some continuous Petri net (P, T,Pre,Post)
m is Q-coverable fromm0 iff... Fraca & Haddad '13
there exist m′ ≥ m and v ∈ QT≥0 such that
• m′ = m0 + (Post− Pre) · v
• some execution from m0 fires exactly {t ∈ T : vt > 0}
3
• some execution to m′ fires exactly {t ∈ T : vt > 0}
7
..
Straightforward
.
More subtle
.
Even better approximation
..
Polynomial time!
7/12
Coverability in continuous Petri nets
Fix some continuous Petri net (P, T,Pre,Post)
m is Q-coverable fromm0 iff... Fraca & Haddad '13
there exist m′ ≥ m and v ∈ QT≥0 such that
• m′ = m0 + (Post− Pre) · v
• some execution from m0 fires exactly {t ∈ T : vt > 0}
3
• some execution to m′ fires exactly {t ∈ T : vt > 0}
7
..
Straightforward
.
More subtle
.
Even better approximation
..
Polynomial time!
7/12
Coverability in continuous Petri nets
Fix some continuous Petri net (P, T,Pre,Post)
m is Q-coverable fromm0 iff... Fraca & Haddad '13
there exist m′ ≥ m and v ∈ QT≥0 such that
• m′ = m0 + (Post− Pre) · v
• some execution from m0 fires exactly {t ∈ T : vt > 0}
3
• some execution to m′ fires exactly {t ∈ T : vt > 0}
7
..
Straightforward
.
More subtle
.
Even better approximation
..
Polynomial time!
7/12
Coverability in continuous Petri nets
.. Not Q-coverable from
...... 2.
a
.
b
.... m0 = (2,0).m = (0, 2)
m is Q-coverable fromm0 iff... Fraca & Haddad '13
there exist m′ ≥ m and va, vb ∈ Q≥0 such that
• m′ = m0 + (Post− Pre) · v
• some execution from m0 fires exactly {t ∈ {a,b} : vt > 0}
3
• some execution to m′ fires exactly {t ∈ {a,b} : vt > 0}
7
..
Straightforward
.
More subtle
.
Even better approximation
..
Polynomial time!
7/12
Coverability in continuous Petri nets
.. Not Q-coverable from
...... 2.
a
.
b
.... m0 = (2,0).m = (0, 2)
m is Q-coverable fromm0 iff... Fraca & Haddad '13
there exist m′ ≥ m and va, vb ∈ Q≥0 such that
• 0 ≤ vb + va ≤ 22 ≤ vb
3
• some execution from m0 fires exactly {t ∈ {a,b} : vt > 0}
3
• some execution to m′ fires exactly {t ∈ {a,b} : vt > 0}
7
..
Straightforward
.
More subtle
.
Even better approximation
..
Polynomial time!
7/12
Coverability in continuous Petri nets
.. Not Q-coverable from
...... 2.
a
.
b
.... m0 = (2,0).m = (0, 2)
m is Q-coverable fromm0 iff... Fraca & Haddad '13
there exist m′ ≥ m and va, vb ∈ Q≥0 such that
• 0 ≤ vb + va ≤ 22 ≤ vb
=⇒ va = 0, vb = 2, m′ = m
3
• some execution from m0 fires exactly {t ∈ {a,b} : vt > 0}
3
• some execution to m′ fires exactly {t ∈ {a,b} : vt > 0}
7
..
Straightforward
.
More subtle
.
Even better approximation
..
Polynomial time!
7/12
Coverability in continuous Petri nets
.. Not Q-coverable from
...... 2.
a
.
b
.... m0 = (2,0).m = (0, 2)
m is Q-coverable fromm0 iff... Fraca & Haddad '13
there exist m′ ≥ m and va, vb ∈ Q≥0 such that
• 0 ≤ vb + va ≤ 22 ≤ vb
=⇒ va = 0, vb = 2, m′ = m 3
• some execution from m0 fires exactly {t ∈ {a,b} : vt > 0}
3
• some execution to m′ fires exactly {t ∈ {a,b} : vt > 0}
7
..
Straightforward
.
More subtle
.
Even better approximation
..
Polynomial time!
7/12
Coverability in continuous Petri nets
.. Not Q-coverable from
...... 2.
a
.
b
.... m0 = (2,0).m = (0, 2)
m is Q-coverable fromm0 iff... Fraca & Haddad '13
there exist m′ ≥ m and va, vb ∈ Q≥0 such that
• 0 ≤ vb + va ≤ 22 ≤ vb
=⇒ va = 0, vb = 2, m′ = m 3
• some execution from m0 fires exactly {t ∈ {a,b} : vt > 0}
3
• some execution to m′ fires exactly {t ∈ {a,b} : vt > 0}
7
..
Straightforward
.
More subtle
.
Even better approximation
..
Polynomial time!
7/12
Coverability in continuous Petri nets
.. Not Q-coverable from
...... 2.
a
.
b
.... m0 = (2,0).m = (0, 2)
m is Q-coverable fromm0 iff... Fraca & Haddad '13
there exist m′ ≥ m and va, vb ∈ Q≥0 such that
• 0 ≤ vb + va ≤ 22 ≤ vb
=⇒ va = 0, vb = 2, m′ = m 3
• some execution from m0 fires exactly {b}
3
• some execution to m′ fires exactly {b}
7
..
Straightforward
.
More subtle
.
Even better approximation
..
Polynomial time!
7/12
Coverability in continuous Petri nets
.. Not Q-coverable from
........ 2.
a
.
b
.... m0 = (2,0).m = (0, 2)
m is Q-coverable fromm0 iff... Fraca & Haddad '13
there exist m′ ≥ m and va, vb ∈ Q≥0 such that
• 0 ≤ vb + va ≤ 22 ≤ vb
=⇒ va = 0, vb = 2, m′ = m 3
• some execution from m0 fires exactly {b}
3
• some execution to m′ fires exactly {b}
7
..
Straightforward
.
More subtle
.
Even better approximation
..
Polynomial time!
7/12
Coverability in continuous Petri nets
.. Not Q-coverable from
...... 2.
a
.
b
.... m0 = (2,0).m = (0, 2)
m is Q-coverable fromm0 iff... Fraca & Haddad '13
there exist m′ ≥ m and va, vb ∈ Q≥0 such that
• 0 ≤ vb + va ≤ 22 ≤ vb
=⇒ va = 0, vb = 2, m′ = m 3
• some execution from m0 fires exactly {b} 3
• some execution to m′ fires exactly {b}
7
..
Straightforward
.
More subtle
.
Even better approximation
..
Polynomial time!
7/12
Coverability in continuous Petri nets
.. Not Q-coverable from
...... 2.
a
.
b
.... m0 = (2,0).m = (0, 2)
m is Q-coverable fromm0 iff... Fraca & Haddad '13
there exist m′ ≥ m and va, vb ∈ Q≥0 such that
• 0 ≤ vb + va ≤ 22 ≤ vb
=⇒ va = 0, vb = 2, m′ = m 3
• some execution from m0 fires exactly {b} 3
• some execution to m′ fires exactly {b}
7
..
Straightforward
.
More subtle
.
Even better approximation
..
Polynomial time!
7/12
Coverability in continuous Petri nets
.. Not Q-coverable from
...... 2.
a
.
b
.... m0 = (2,0).m = (0, 2)
m is Q-coverable fromm0 iff... Fraca & Haddad '13
there exist m′ ≥ m and va, vb ∈ Q≥0 such that
• 0 ≤ vb + va ≤ 22 ≤ vb
=⇒ va = 0, vb = 2, m′ = m 3
• some execution from m0 fires exactly {b} 3
• some execution to m′ fires exactly {b}
7
..
Straightforward
.
More subtle
.
Even better approximation
..
Polynomial time!
7/12
Coverability in continuous Petri nets
.. Not Q-coverable from
...... 2.
a
.
b
.... m0 = (2,0).m = (0, 2)
m is Q-coverable fromm0 iff... Fraca & Haddad '13
there exist m′ ≥ m and va, vb ∈ Q≥0 such that
• 0 ≤ vb + va ≤ 22 ≤ vb
=⇒ va = 0, vb = 2, m′ = m 3
• some execution from m0 fires exactly {b} 3
• some execution to m′ fires exactly {b} 7..
Straightforward
.
More subtle
.
Even better approximation
..
Polynomial time!
7/12
Coverability in continuous Petri nets
.. Not Q-coverable from
...... 2.
a
.
b
.... m0 = (2,0).m = (0, 2)
m is Q-coverable fromm0 iff... Fraca & Haddad '13
there exist m′ ≥ m and va, vb ∈ Q≥0 such that
• 0 ≤ vb + va ≤ 22 ≤ vb
=⇒ va = 0, vb = 2, m′ = m 3
• some execution from m0 fires exactly {b} 3
• some execution to m′ fires exactly {b} 7..
Straightforward
.
More subtle
.
Even better approximation
..
Polynomial time!
7/12
Coverability in continuous Petri nets
m is Q-coverable fromm0 iff... Fraca & Haddad '13
there exist m′ ≥ m and v ∈ QT≥0 such that
• m′ = m0 + (Post− Pre) · v
• some execution from m0 fires exactly {t ∈ T : vt > 0}
3
• some execution to m′ fires exactly {t ∈ T : vt > 0}
7
..
Straightforward
.
More subtle
.
Even better approximation
..
Polynomial time!
7/12
Coverability in continuous Petri nets
Logical characterization Contribution
Q-coverability can be encoded in a linear size formula of
existential FO(Q≥0,+, <)
m is Q-coverable fromm0 iff... Fraca & Haddad '13
there exist m′ ≥ m and v ∈ QT≥0 such that
• m′ = m0 + (Post− Pre) · v
• some execution from m0 fires exactly {t ∈ T : vt > 0}
3
• some execution to m′ fires exactly {t ∈ T : vt > 0}
7
..
Straightforward
.
More subtle
.
Even better approximation
..
Polynomial time!
7/12
Coverability in continuous Petri nets
Logical characterization Contribution
Q-coverability can be encoded in a linear size formula of
existential FO(N, +, <)
m is Q-coverable fromm0 iff... Fraca & Haddad '13
there exist m′ ≥ m and v ∈ QT≥0 such that
• m′ = m0 + (Post− Pre) · v
• some execution from m0 fires exactly {t ∈ T : vt > 0}
3
• some execution to m′ fires exactly {t ∈ T : vt > 0}
7
..
Straightforward
.
More subtle
.
Even better approximation
..
Polynomial time!
7/12
Coverability in continuous Petri nets
Logical characterization Contribution
Q-coverability can be encoded in a linear size formula of
existential FO(Q≥0,+, <)
m is Q-coverable fromm0 iff... Fraca & Haddad '13
there exist m′ ≥ m and v ∈ QT≥0 such that
• m′ = m0 + (Post− Pre) · v
• some execution from m0 fires exactly {t ∈ T : vt > 0}
3
• some execution to m′ fires exactly {t ∈ T : vt > 0}
7
..
Straightforward
.
More subtle
.
Even better approximation
..
Polynomial time!
7/12
Coverability in continuous Petri nets
Logical characterization Contribution
Q-coverability can be encoded in a linear size formula of
existential FO(Q≥0,+, <)
m is Q-coverable fromm0 iff... Fraca & Haddad '13
there exist m′ ≥ m and v ∈ QT≥0 such that
• m′ = m0 + (Post− Pre) · v
• some execution from m0 fires exactly {t ∈ T : vt > 0}
3
• some execution to m′ fires exactly {t ∈ T : vt > 0}
7
..
Straightforward
.
More subtle
.
Even better approximation
..
Polynomial time!
7/12
Encoding the firing set conditions
...
.....
..
....
...
...
.
.
...
.
..
1.
2.
3.
4
.
1
. a.
b.
c
.
d
.>
. >.
>
.
>
.............
Testing whether some transitions can be firedfrom initial marking .
8/12
Encoding the firing set conditions
...
.....
..
....
...
...
.
.
...
.
..
1.
2.
3.
4
.
1
. a.
b.
c
.
d
.>
. >.
>
.
>
.............
Testing whether some transitions can be firedfrom initial marking .
8/12
Encoding the firing set conditions
...
.....
..
....
...
...
.
.
...
.
..
1.
2.
3.
4
.
1
. a.
b.
c
.
d
.>
. >.
>
.
>
.............
Testing whether some transitions can be firedfrom initial marking .
8/12
Encoding the firing set conditions
...
.....
..
....
...
...
.
.
...
.
..
1.
2.
3.
4
.
1
. a.
b.
c
.
d
.>
. >.
>
.
>
.............
Simulate a "breadth-first" transitions firing.
8/12
Encoding the firing set conditions
...
.....
..
....
...
...
.
.
...
.
..
1.
2.
3.
4
.
1
. a.
b.
c
.
d
.>
. >.
>
.
>
.............
Simulate a "breadth-first" transitions firingby numbering places/transitions
(Verma, Seidl & Schwentick '05) .8/12
Encoding the firing set conditions
...
.....
..
....
...
...
.
.
...
.
..
1.
2.
3.
4
.
1
. a.
b.
c
.
d
.>
. >.
>
.
>
.............
Simulate a "breadth-first" transitions firingby numbering places/transitions
(Verma, Seidl & Schwentick '05) .8/12
Encoding the firing set conditions
...
.....
..
....
...
...
.
.
...
.
..
1.
2.
3.
4
.
1
. a.
b.
c
.
d
.>
. >.
>
.
>
.............
Simulate a "breadth-first" transitions firingby numbering places/transitions
(Verma, Seidl & Schwentick '05) .8/12
Encoding the firing set conditions
...
.....
..
....
...
...
.
.
...
.
..
1.
2.
3.
4
.
1
. a.
b.
c
.
d
.>
. >.
>
.
>
.............
Simulate a "breadth-first" transitions firingby numbering places/transitions
(Verma, Seidl & Schwentick '05) .8/12
Encoding the firing set conditions
.
..
..
...
.
.
..
..
...
...
.
.
...
.
..
1.
2.
3.
4
.
1
. a.
b.
c
.
d
.>
. >.
>
.
>
.............
Simulate a "breadth-first" transitions firingby numbering places/transitions
(Verma, Seidl & Schwentick '05) .8/12
Encoding the firing set conditions
.
..
..
...
.
.
..
..
...
...
.
.
...
.
..
1.
2.
3.
4
.
1
. a.
b.
c
.
d
.>
. >.
>
.
>
.............
Simulate a "breadth-first" transitions firingby numbering places/transitions
(Verma, Seidl & Schwentick '05) .8/12
Encoding the firing set conditions
.
..
..
...
.
.
..
..
...
...
.
.
...
.
..
1.
2.
3.
4
.
1
. a.
b.
c
.
d
.>
. >.
>
.
>
.............
Simulate a "breadth-first" transitions firingby numbering places/transitions
(Verma, Seidl & Schwentick '05) .8/12
Encoding the firing set conditions
.
..
..
...
.
.
..
..
...
...
.
.
...
.
..
1.
2.
3.
4
.
1
. a.
b.
c
.
d
.>
. >.
>
.
>
.............
Simulate a "breadth-first" transitions firingby numbering places/transitions
(Verma, Seidl & Schwentick '05) .8/12
Encoding the firing set conditions
.
..
......
.
.....
..
....
.
...
.
..
1.
2.
3.
4
.
1
. a.
b.
c
.
d
.>
. >.
>
.
>
.............
Simulate a "breadth-first" transitions firingby numbering places/transitions
(Verma, Seidl & Schwentick '05) .8/12
Encoding the firing set conditions
.
..
......
.
.....
..
...
.
...
.
...
1.
2.
3.
4
.
1
. a.
b.
c
.
d
.>
. >.
>
.
>
.............
Simulate a "breadth-first" transitions firingby numbering places/transitions
(Verma, Seidl & Schwentick '05) .8/12
Encoding the firing set conditions
.
..
......
.
.....
..
...
.
...
.
...
1.
2.
3.
4
.
1
. a.
b.
c
.
d
.>
. >.
>
.
>
.............
Simulate a "breadth-first" transitions firingby numbering places/transitions
(Verma, Seidl & Schwentick '05) .8/12
Encoding the firing set conditions
.
..
......
.
.....
..
...
.
...
.
...
1.
2.
3.
4
.
1
. a.
b.
c
.
d
.>
. >.
>
.
>
.............
φ(x) = ∃y : ∧p∈P y(p) > 0→∧t∈•p y(t) < y(p) · · · .
8/12
Backward coverability modulo Q-coverability
if target marking m is not Q-coverable:return False
X = {target marking m}
while (initial marking m0 not covered by X):B = markings obtained from X one step backwardB = B \ {b ∈ B : ¬φ(b)}if B = ∅: return Falseφ(x) = φ(x) ∧
∧pruned b x ≥ b
X = X ∪ B
return True
..
Polynomial time
.
Q-coverability pruning
.
(better than poly. time)
.
SMT solver guidance
9/12
Backward coverability modulo Q-coverability
if target marking m is not Q-coverable:return False
X = {target marking m}
while (initial marking m0 not covered by X):B = markings obtained from X one step backwardB = B \ {b ∈ B : ¬φ(b)}if B = ∅: return Falseφ(x) = φ(x) ∧
∧pruned b x ≥ b
X = X ∪ B
return True..
Polynomial time
.
Q-coverability pruning
.
(better than poly. time)
.
SMT solver guidance
9/12
Backward coverability modulo Q-coverability
if target marking m is not Q-coverable:return False
X = {target marking m}
while (initial marking m0 not covered by X):B = markings obtained from X one step backwardB = B \ {b ∈ B : ¬φ(b)}if B = ∅: return Falseφ(x) = φ(x) ∧
∧pruned b x ≥ b
X = X ∪ B
return True..
Polynomial time
.
Q-coverability pruning
.
(better than poly. time)
.
SMT solver guidance
9/12
Backward coverability modulo Q-coverability
if target marking m is not Q-coverable:return False
X = {target marking m}
while (initial marking m0 not covered by X):B = markings obtained from X one step backwardB = B \ {b ∈ B : ¬φ(b)}if B = ∅: return Falseφ(x) = φ(x) ∧
∧pruned b x ≥ b
X = X ∪ B
return True..
Polynomial time
.
Q-coverability pruning
.
(better than poly. time)
.
SMT solver guidance
9/12
Backward coverability modulo Q-coverability
if target marking m is not Q-coverable:return False
X = {target marking m}
while (initial marking m0 not covered by X):B = markings obtained from X one step backwardB = B \ {b ∈ B : ¬φ(b)}if B = ∅: return Falseφ(x) = φ(x) ∧
∧pruned b x ≥ b
X = X ∪ B
return True..
Polynomial time
.
Q-coverability pruning
.
(better than poly. time)
.
SMT solver guidance
9/12
Backward coverability modulo Q-coverability
if target marking m is not Q-coverable:return False
X = {target marking m}
while (initial marking m0 not covered by X):B = markings obtained from X one step backwardB = B \ {b ∈ B : ¬φ(b)}if B = ∅: return Falseφ(x) = φ(x) ∧
∧pruned b x ≥ b
X = X ∪ B
return True..
Polynomial time
.
Q-coverability pruning
.
(better than poly. time)
.
SMT solver guidance
9/12
Backward coverability modulo Q-coverability
if target marking m is not Q-coverable:return False
X = {target marking m}
while (initial marking m0 not covered by X):B = markings obtained from X one step backwardB = B \ {b ∈ B : ¬φ(b)}if B = ∅: return Falseφ(x) = φ(x) ∧
∧pruned b x ≥ b
X = X ∪ B
return True..
Polynomial time
.
Q-coverability pruning
.
(better than poly. time)
.
SMT solver guidance
9/12
Backward coverability modulo Q-coverability
if target marking m is not Q-coverable:return False
X = {target marking m}
while (initial marking m0 not covered by X):B = markings obtained from X one step backwardB = B \ {b ∈ B : ¬φ(b)}if B = ∅: return Falseφ(x) = φ(x) ∧
∧pruned b x ≥ b
X = X ∪ B
return True..
Polynomial time
.
Q-coverability pruning
.
(better than poly. time)
.
SMT solver guidance
9/12
Backward coverability modulo Q-coverability
if target marking m is not Q-coverable:return False
X = {target marking m}
while (initial marking m0 not covered by X):B = markings obtained from X one step backwardB = B \ {b ∈ B : ¬φ(b)}if B = ∅: return Falseφ(x) = φ(x) ∧
∧pruned b x ≥ b
X = X ∪ B
return True..
Polynomial time
.
Q-coverability pruning
.
(better than poly. time)
.
SMT solver guidance
9/12
Backward coverability modulo Q-coverability
if target marking m is not Q-coverable:return False
X = {target marking m}
while (initial marking m0 not covered by X):B = markings obtained from X one step backwardB = B \ {b ∈ B : ¬φ(b)}if B = ∅: return Falseφ(x) = φ(x) ∧
∧pruned b x ≥ b
X = X ∪ B
return True..
Polynomial time
.
Q-coverability pruning
.
(better than poly. time)
.
SMT solver guidance
9/12
An implementation: QCover
• 760 lines of code• uses the MIST .spec format for counter machines• supports dense/sparse matrices through NumPy/SciPy• experimental parallelism support
SMT solver: Z3 (Microsoft research)
• FO(Q≥0,+, <) formula satisfiability• Fraca & Haddad "polynomial time" algorithm
(rational linear programming with <)
10/12
An implementation: QCover
• 760 lines of code• uses the MIST .spec format for counter machines• supports dense/sparse matrices through NumPy/SciPy• experimental parallelism support
SMT solver: Z3 (Microsoft research)
• FO(Q≥0,+, <) formula satisfiability• Fraca & Haddad "polynomial time" algorithm
(rational linear programming with <)
10/12
An implementation: QCover
• 760 lines of code• uses the MIST .spec format for counter machines• supports dense/sparse matrices through NumPy/SciPy• experimental parallelism support
SMT solver: Z3 (Microsoft research)
• FO(Q≥0,+, <) formula satisfiability• Fraca & Haddad "polynomial time" algorithm
(rational linear programming with <)
10/12
An implementation: QCover
• 760 lines of code• uses the MIST .spec format for counter machines• supports dense/sparse matrices through NumPy/SciPy• experimental parallelism support
SMT solver: Z3 (Microsoft research)
• FO(Q≥0,+, <) formula satisfiability• Fraca & Haddad "polynomial time" algorithm
(rational linear programming with <)
10/12
An implementation: QCover
• 760 lines of code• uses the MIST .spec format for counter machines• supports dense/sparse matrices through NumPy/SciPy• experimental parallelism support
SMT solver: Z3 (Microsoft research)
• FO(Q≥0,+, <) formula satisfiability• Fraca & Haddad "polynomial time" algorithm
(rational linear programming with <)
10/12
An implementation: QCover
• 760 lines of code• uses the MIST .spec format for counter machines• supports dense/sparse matrices through NumPy/SciPy• experimental parallelism support
SMT solver: Z3 (Microsoft research)
• FO(Q≥0,+, <) formula satisfiability• Fraca & Haddad "polynomial time" algorithm
(rational linear programming with <)
10/12
An implementation: QCover
• 760 lines of code• uses the MIST .spec format for counter machines• supports dense/sparse matrices through NumPy/SciPy• experimental parallelism support
SMT solver: Z3 (Microsoft research)
• FO(Q≥0,+, <) formula satisfiability• Fraca & Haddad "polynomial time" algorithm
(rational linear programming with <)
10/12
An implementation: QCover
• 760 lines of code• uses the MIST .spec format for counter machines• supports dense/sparse matrices through NumPy/SciPy• experimental parallelism support
SMT solver: Z3 (Microsoft research)
• FO(Q≥0,+, <) formula satisfiability• Fraca & Haddad "polynomial time" algorithm
(rational linear programming with <)
10/12
Benchmarks
QCover tested against
• mist: Ganty, Meuter, Delzanno, Kalyon, Raskin & Van Begin '07
• bfc: Kaiser, Kroening & Wahl '14
• Petrinizer: Esparza, Ledesma-Garza, Majumdar, Meyer & Niksic '14
Benchmarks
• 176 Petri nets: average of 1054 places & 8458 transitions• Drawn from 5 existing suites
including• Multithreaded C programs with shared memory (bfc)• Mutual exclusion, communication protocols, etc. (mist)• Erlang concurrent programs (soter, D’Osualdo, Kochems & Ong '13)• Message analysis of a medical and a bug tracking system
(Petrinizer)
..
Largest nets proved safe:
.
21143 places7150 trans.
42 secs.
.
6690 places
11934 trans.
21 secs.
.
754 places27370 trans.
3 secs.
11/12
Benchmarks
QCover tested against
• mist: Ganty, Meuter, Delzanno, Kalyon, Raskin & Van Begin '07
• bfc: Kaiser, Kroening & Wahl '14
• Petrinizer: Esparza, Ledesma-Garza, Majumdar, Meyer & Niksic '14
Benchmarks
• 176 Petri nets: average of 1054 places & 8458 transitions• Drawn from 5 existing suites
including• Multithreaded C programs with shared memory (bfc)• Mutual exclusion, communication protocols, etc. (mist)• Erlang concurrent programs (soter, D’Osualdo, Kochems & Ong '13)• Message analysis of a medical and a bug tracking system
(Petrinizer)
..
Largest nets proved safe:
.
21143 places7150 trans.
42 secs.
.
6690 places
11934 trans.
21 secs.
.
754 places27370 trans.
3 secs.
11/12
Benchmarks
QCover tested against
• mist: Ganty, Meuter, Delzanno, Kalyon, Raskin & Van Begin '07
• bfc: Kaiser, Kroening & Wahl '14
• Petrinizer: Esparza, Ledesma-Garza, Majumdar, Meyer & Niksic '14
Benchmarks
• 176 Petri nets: average of 1054 places & 8458 transitions• Drawn from 5 existing suites
including• Multithreaded C programs with shared memory (bfc)• Mutual exclusion, communication protocols, etc. (mist)• Erlang concurrent programs (soter, D’Osualdo, Kochems & Ong '13)• Message analysis of a medical and a bug tracking system
(Petrinizer)
..
Largest nets proved safe:
.
21143 places7150 trans.
42 secs.
.
6690 places
11934 trans.
21 secs.
.
754 places27370 trans.
3 secs.
11/12
Benchmarks
QCover tested against
• mist: Ganty, Meuter, Delzanno, Kalyon, Raskin & Van Begin '07
• bfc: Kaiser, Kroening & Wahl '14
• Petrinizer: Esparza, Ledesma-Garza, Majumdar, Meyer & Niksic '14
Benchmarks
• 176 Petri nets: average of 1054 places & 8458 transitions• Drawn from 5 existing suites
including• Multithreaded C programs with shared memory (bfc)• Mutual exclusion, communication protocols, etc. (mist)• Erlang concurrent programs (soter, D’Osualdo, Kochems & Ong '13)• Message analysis of a medical and a bug tracking system
(Petrinizer)
..
Largest nets proved safe:
.
21143 places7150 trans.
42 secs.
.
6690 places
11934 trans.
21 secs.
.
754 places27370 trans.
3 secs.
11/12
Benchmarks
QCover tested against
• mist: Ganty, Meuter, Delzanno, Kalyon, Raskin & Van Begin '07
• bfc: Kaiser, Kroening & Wahl '14
• Petrinizer: Esparza, Ledesma-Garza, Majumdar, Meyer & Niksic '14
Benchmarks
• 176 Petri nets: average of 1054 places & 8458 transitions• Drawn from 5 existing suites including• Multithreaded C programs with shared memory (bfc)• Mutual exclusion, communication protocols, etc. (mist)• Erlang concurrent programs (soter, D’Osualdo, Kochems & Ong '13)• Message analysis of a medical and a bug tracking system
(Petrinizer)
..
Largest nets proved safe:
.
21143 places7150 trans.
42 secs.
.
6690 places
11934 trans.
21 secs.
.
754 places27370 trans.
3 secs.
11/12
Benchmarks
QCover tested against
• mist: Ganty, Meuter, Delzanno, Kalyon, Raskin & Van Begin '07
• bfc: Kaiser, Kroening & Wahl '14
• Petrinizer: Esparza, Ledesma-Garza, Majumdar, Meyer & Niksic '14
Benchmarks
• 176 Petri nets: average of 1054 places & 8458 transitions• Drawn from 5 existing suites including• Multithreaded C programs with shared memory (bfc)• Mutual exclusion, communication protocols, etc. (mist)• Erlang concurrent programs (soter, D’Osualdo, Kochems & Ong '13)• Message analysis of a medical and a bug tracking system
(Petrinizer)
..
Largest nets proved safe:
.
21143 places7150 trans.
42 secs.
.
6690 places
11934 trans.
21 secs.
.
754 places27370 trans.
3 secs.
11/12
Benchmarks
QCover tested against
• mist: Ganty, Meuter, Delzanno, Kalyon, Raskin & Van Begin '07
• bfc: Kaiser, Kroening & Wahl '14
• Petrinizer: Esparza, Ledesma-Garza, Majumdar, Meyer & Niksic '14
Benchmarks
• 176 Petri nets: average of 1054 places & 8458 transitions• Drawn from 5 existing suites including• Multithreaded C programs with shared memory (bfc)• Mutual exclusion, communication protocols, etc. (mist)• Erlang concurrent programs (soter, D’Osualdo, Kochems & Ong '13)• Message analysis of a medical and a bug tracking system
(Petrinizer)
..
Largest nets proved safe:
.
21143 places7150 trans.
42 secs.
.
6690 places
11934 trans.
21 secs.
.
754 places27370 trans.
3 secs.
11/12
Benchmarks
QCover tested against
• mist: Ganty, Meuter, Delzanno, Kalyon, Raskin & Van Begin '07
• bfc: Kaiser, Kroening & Wahl '14
• Petrinizer: Esparza, Ledesma-Garza, Majumdar, Meyer & Niksic '14
Benchmarks
• 176 Petri nets: average of 1054 places & 8458 transitions• Drawn from 5 existing suites including• Multithreaded C programs with shared memory (bfc)• Mutual exclusion, communication protocols, etc. (mist)• Erlang concurrent programs (soter, D’Osualdo, Kochems & Ong '13)• Message analysis of a medical and a bug tracking system
(Petrinizer)
..
Largest nets proved safe:
.
21143 places7150 trans.
42 secs.
.
6690 places
11934 trans.
21 secs.
.
754 places27370 trans.
3 secs.
11/12
Benchmarks
Markings pruning efficiency across all iterations
Instances proven safe
.....1
.4
.16
.64
.256
.2000
.20 .40.
60
.
80
.
100
.
running time in seconds
.
105/115
.
95
.
63
.35
. QCover . Petrinizer . bfc . mist
..
Largest nets proved safe:
.
21143 places7150 trans.
42 secs.
.
6690 places
11934 trans.
21 secs.
.
754 places27370 trans.
3 secs.
11/12
Benchmarks
Markings pruning efficiency across all iterations
Instances proven safe
.....1
.4
.16
.64
.256
.2000
.20 .40.
60
.
80
.
100
.
running time in seconds
.
105/115
.
95
.
63
.35
. QCover . Petrinizer . bfc . mist
..
Largest nets proved safe:
.
21143 places7150 trans.
42 secs.
.
6690 places
11934 trans.
21 secs.
.
754 places27370 trans.
3 secs.
11/12
Benchmarks
Markings pruning efficiency across all iterations
Instances proven safe
.....1
.4
.16
.64
.256
.2000
.20 .40.
60
.
80
.
100
.
running time in seconds
.
105/115
.
95
.
63
.35
Instances proven safe or unsafe
.....1
.4
.16
.64
.256
.2000
.40 .60.
80
.
100
.
120
.
140
.
running time in seconds
.
142/176
.
122
.
95
.
74
. QCover . Petrinizer . bfc . mist
..
Largest nets proved safe:
.
21143 places7150 trans.
42 secs.
.
6690 places
11934 trans.
21 secs.
.
754 places27370 trans.
3 secs.
11/12
Benchmarks
Markings pruning efficiency across all iterations
.....0.
20.
40.
60.
80.
100.0 .
20
.
40
.
60
..
% pruned markings
.....0.
20.
40.
60.
80.
100.0 .
200
.
400
.
inv. cumulative % pruned markings..
Largest nets proved safe:
.
21143 places7150 trans.
42 secs.
.
6690 places
11934 trans.
21 secs.
.
754 places27370 trans.
3 secs.
11/12
Future work
• Combine our approach with a forward algorithm to betterhandle unsafe instances
• Use more efficient data structures, e.g. sharing trees(Delzanno, Raskin & Van Begin '04)
• Extend to Petri nets with transfer/reset arcs
.....1
.4
.16
.64
.256
.2000
.0 .10.
20
.
30
.
40
.
50
.
60
.
running time in seconds
.
59/61 bfc
.
39 mist
.37 QCover
.
0 Petrinizer (not supported)
.
12/12
Future work
• Combine our approach with a forward algorithm to betterhandle unsafe instances
• Use more efficient data structures, e.g. sharing trees(Delzanno, Raskin & Van Begin '04)
• Extend to Petri nets with transfer/reset arcs
.....1
.4
.16
.64
.256
.2000
.0 .10.
20
.
30
.
40
.
50
.
60
.
running time in seconds
.
59/61 bfc
.
39 mist
.37 QCover
.
0 Petrinizer (not supported)
.
12/12
Future work
• Combine our approach with a forward algorithm to betterhandle unsafe instances
• Use more efficient data structures, e.g. sharing trees(Delzanno, Raskin & Van Begin '04)
• Extend to Petri nets with transfer/reset arcs
.....1
.4
.16
.64
.256
.2000
.0 .10.
20
.
30
.
40
.
50
.
60
.
running time in seconds
.
59/61 bfc
.
39 mist
.37 QCover
.
0 Petrinizer (not supported)
.
12/12
Future work
• Combine our approach with a forward algorithm to betterhandle unsafe instances
• Use more efficient data structures, e.g. sharing trees(Delzanno, Raskin & Van Begin '04)
• Extend to Petri nets with transfer/reset arcs
.....1
.4
.16
.64
.256
.2000
.0 .10.
20
.
30
.
40
.
50
.
60
.
running time in seconds
.
59/61 bfc
.
39 mist
.37 QCover
.
0 Petrinizer (not supported)
.
12/12
Thank you! Dank u!
12/12