Verification of Petri net properties in CLP

Transcription

1 V C L I m p l e x e Operational Intelligence Verification of Petri net properties in CLP Guy A. Narboni gulliver.fr In this report, we show how to model a Petri net as a CLP program and how to solve some reachability problems in CLP using the fixed-point semantics of that program. We highlight the structural properties of both the logic part of the rules and the linear part of the constraint systems, which allow us to: traverse the state-space rather efficiently treat integer variables as real-valued ones, while retaining completeness of solving. We decompose the verification problem into two steps: first, we compute the set of all reachable states ; second, we check whether a given state property holds (or can be refuted) on that set. We finally report on our experiments with Prolog III. Introduction Petri nets are a graph-based formalism for concurrent process modeling. They are used in areas ranging from flexible manufacturing systems to telecommunication protocols. Petri nets consist of places (circles) and transitions (bars). Each transition relates a set of input places to a set of output places. An allocation of tokens to places is a marking. It globally describes a state of the concurrent system. A change of state occurs when a transition is fired, provided that all the transition s input places hold at least one token (or more, if explicitly specified). The number of tokens is then decremented in each of the input places and incremented in each of the output places. By starting from an initial marking and repeatedly applying transitions (one at a time), we can explore a system s behaviour. But simulation runs are not enough. To really gain confidence in a system design, we may have to prove some critical invariant properties, such as safety properties: forbidden states can never be reached or all reachable states must satisfy p, where p is a state formula. Checking such requirements (which can be specified in discrete time temporal logic) amounts to searching a state-space that can be infinite. Therefore, a general problem is of determining whether a given marking is reachable from an initial state. Yet, when convenient extensions such as inhibitor arcs are used, this verification problem becomes undecidable. This doesn t mean that proofs cannot be made in practice. Indeed, we know semi-algorithms for such purposes i.e., algorithms with no guarantee of termination. In this work, we follow the approach of Bérard-Fribourg for the analysis of reachability properties in Petri nets, and substitute a program written in Prolog III to the HyTech tool used for proving their examples. In doing so, we make an intensive use of both the constraint solving and the search capabilities of the language. The results we obtain, like those of Delzanno-Podelski, demonstrate the suitability of Constraint Logic Programming for symbolic Model Checking. Page 1 / 10

2 Rule-based search A straightforward correspondence can be drawn between a Petri net, viewed as a nondeterministic automaton (with counters), and a logic program (equipped with linear arithmetic constraints). In that setting, a transition becomes a rule and a marking a tuple of integers. A rule says that a marking M is reachable if it is the output of a transition whose input M is also reachable. The base case of this recursive program corresponds to the statement that the initial marking M 0 is a reachable state. Here is for instance how we can declare a transition relating places 1 and 3 to place 4, in a 5-place network, in Prolog III (using a tuple of numerical variables <x 1,..., x 5 >): reachable(<x 1-1, x 2, x 3-1, x 4 +1, x 5 >) -> reachable(<x 1, x 2, x 3, x 4, x 5 >), {x 1 >= 1, x 3 >= 1, x 2 >= 0, x 4 >= 0, x 5 >= 0} ; The constraints attached to the rule either appear within brackets (e.g., x >= 1) or, in functional form, within predicate arguments (e.g., x = x-1). They express the conditions under which the transition can be fired and the effect of the state change. Since there is no directionality in the constraint statements, we can as easily compute the precessor state from the successor or the successor from the predecessor. (This symmetry will be of interest for running backward and forward computations.) This 100% pure CLP program defines a closure property of the reachability relation. To derive all its logical consequences, i.e. here, the set of reachable states (or the program model), it is a standard practice to interpret the program rules in a bottom-up fashion. To that intent, we choose to operate on a dynamic database initialized with: fact(0, reachable(m 0 )) -> {description of the initial marking} ; At each step, we compute all immediate consequences and assert the reachable markings which are not already known. (This mechanism, similar to tabling, does not impair the declarative nature of our source program.) forward_iteration_step(i) -> fact(j, F) % select a fact rule(f, [F]) % select a rule: equivalent to clause (ISO) conditional_assert(fact(i, F )) fail, {J I} ; % considering only results of preceding iterations J forward_iteration_step(i) -> ; conditional_assert(fact(_, F)) -> fact(_, F)! % fact already asserted fail ; conditional_assert(fact(i, F)) -> assert(fact(i, F), []) ; We iterate the process until there is no new fact we can assert. The least fixed-point model is then reached: the generated database is ready to be queried. Page 2 / 10

3 Note: because of the symmetry of the transition rules, we can proceed in backward chaining in a manner quite similar to the way we proceed in forward chaining from a particular marking. To switch from bottom-up to top-down evaluation, we just havc to permute the antecedent and the consequent. backward_iteration_step(i) -> fact(j, F) rule(f, [F ]) conditional_assert(fact(i, F )) fail, {J I} ; backward_iteration_step(i) -> ; Another interest of this special clause structure (with two literals: one positive, one negative) is that we do not need to scan the whole fact base to produce new facts. Only the facts derived at the preceding iteration are of use. Thus, using our simple indexing of the fact base (by iteration steps), we can slash a great deal of the search. We can also reduce the overhead of meta-interpretation in the fixed-point computations by replacing calls to the rule built-in primitive with standard predicate calls. Therefore, as a pre-processing step, we transform the static rule base defining the unary reachable predicate into an equivalent fact base defining a binary transition predicate. Rewriting the previous example gives for instance: transition(<x 1,x 2,x 3,x 4,x 5 >, <x 1-1,x 2,x 3-1,x 4 +1,x 5 >) ->, {x 1 >= 1, x 3 >= 1, x 2 >= 0, x 4 >= 0, x 5 >= 0} ; The initial marking declaration becomes: fact(0, M 0 ) -> {description of the initial marking} ; and the iteration step simplifies to: forward_iteration_step(i) -> fact(i-1, M) transition(m, M ) conditional_assert(fact(i, M )) fail ; forward_iteration_step(i) -> ; This is almost all we need to show the presence or absence of deadlocks in the manufacturing example of [BF], when an initial marking is given. In this Petri net of 25 places and 14 transitions, the reachability graph happens to be finite for initial markings satisfying: x 2 = x 4 = x 7 = x 12 = x 13 = x 16 = x 19 = x 24 = 1, x 10 = x 15 = 3, and x 3 = x 5 = x 6 = x 8 = x 9 = x 11 = x 14 = x 17 = x 18 = x 20 = x 21 = x 22 = x 23 = x 25 = 0. A deadlock occurs when no transition can be fired, i.e., when, for each transition, there is at least one input place with no token allocated. Here, deadlock patterns are characterized by a simple state formula specifying the empty places : %Indexes: % deadlock(<_,0,_,_,0,_,0,_,0,0,_,0,0,_,_,0,_,_,0,0,_,0,0,_,0>) -> ; Page 3 / 10

4 Once the database is generated (assuming the fixed-point algorithm terminates), we can launch the following query which reads: does there exist a marking M that is both a deadlock state and a reachable state? deadlock(m) fact(_, M) ; If the state-space search done by Prolog III fails to produce an answer solution, it gives a proof of deadlock-freeness. If it succeeds, it returns a selection of states which are counterexamples. The following table summarizes results obtained with this simple procedure when the number of tokens in the initial marking varies from 1 to 12. Value of x1 Table 1: standard bottom-up evaluation Number of Iterations Generated Facts Approx. Time Deadlockfreeness yes yes yes yes yes yes yes yes no no no no Of course, the number of tokens that can be assigned to the first place is unbounded. If we want to know for which values of x 1 there is a chance of getting into a deadlock trap, i.e., if we want to reason symbolically, we need the full power of linear constraint solving. Page 4 / 10

5 Constraint-based reasoning Numerical constraints allow us to reason about markings that are only partially specified. From a geometrical point of view, a marking is a point in an n-dimensional space, namely the set of integer tuples N n. A partially specified marking can denote any point in a given subset (or region) of N n. The constraints present in our rule base are basic linear equations and inequations. They define regions which are closed convex polyhedra. When trying to unify (or match) two markings intentionally defined by two polyhedral regions (for inferring new facts), Prolog III s engine performs equation solving. Unification succeeds if the conjunction of the constraint systems brought together (by the goal and the head of the rule) is satisfiable. In other words, if the two regions in N n share a non-empty intersection. Up to now, no mention has been made of the discrete nature of the numerical variables in these definitions. A first simple reason is that Prolog III does not provide a relation restricting a number to be an integer. But a good reason is: this time we don t need it. This comes from the particular structure of the constraints manipulated. Constraints attached to the transition rules are the form: x Op k or: x - x Op k (where the constant k denotes an integer and where the operator Op is either, or =). These constraints express a difference of potentials. The specific linear systems Ay b built out of such constraints 1 have a well known property: they define the convex hull of their integer elements. If S = {y N m Ay b} is their solution set (possibly infinite) and if R = {y R + m Ay b} is its linear relaxation, proving that S contains members is equivalent to proving the non-emptyness of R which is a basic operation of the linear solver. We can therefore consider that integrality conditions are implicit, without affecting the completeness of solving. Computing the immediate consequences of a marking belonging to a polyhedral region of R n amounts to producing new non-empty polyhedral regions whose projection on to R n define new markings. In other words, abstracting computations on markings leads to computations on regions. Provided we start from a convex hull region, all we can produce are convex hull regions. Incidentally, our dynamic database becomes a database of constrained facts 2. The only change in the procedure affects the conditions for recording a new entry in the database. Checking for inclusion instead of equality between facts is now essential for termination. Unfortunately, Prolog III does not provide a built-in mechanism for deciding whether or not a given constraint system implies another. However, meta-programming 1. A matrix in O/1, b integer vector. 2. Prolog III has the native ability to assert a fact or rule with the constraint system attached to it (which defines the projected set of current solutions). Page 5 / 10

6 facilities are offered for converting constraints into non-interpreted terms (data trees) to manipulate then syntactically. Therefore, we can program by hand the test for inclusion we need to insert in the code: conditional_assert(fact(_, F)) -> fact(_, E) contains(e, F)! % replaces {E = F} fail ; conditional_assert(fact(i, F)) -> assert(fact(i, F), []) ; Note: the facts asserted define a finite union of polyhedra (solutions to a disjunction of conjunctions of linear constraints). In principle, we should only add to the database regions which are not contained in any combination of recorded polyhedra instead of looking up in the current table for a single enclosing polyhedron. But the decision procedure for full subsumption would be far more complex than the one adopted, without guaranteeing termination anyway. Since we are reasoning on fixed-sized markings, the old and new sets we are comparing in E F are two polyhedral subsets of R + n. Assume (to simplify) that E is full-dimensional. Then E is the intersection of a finite number of hyperplanes H p, and testing E F amounts to testing H p F for all ps. Now, a hyperplane H is defined by a single linear inequation: H = {x R n ax ß} (where a is a vector of R n and ß a scalar). The complement of H in R n is also a hyperplane : H = {x R n ax > ß}. Converting the definition of H into the definition of H therefore amounts to reverting the inequality sign and making sure that it is strict. Having done that, we can replace the former test for inclusion: H F by an equivalent test for emptyness: H F =. The latter boils down to checking the satisfiability of a linear constraint system. By going up to the abstract syntaxt level, then down to the concrete interpretation level, we are able to transform the test for inclusion into a series of satisfiability checks that are basic to CLP. Additionally, we can compile the corresponding conditions on the fly and make a virtue of necessity. We can now go back to the manufacturing example and deduce the states that are reachable from an initial marking partially specified as follows: %Indexes: % fact(0, <x 1,1,0,1,0,0,1,0,0,3,0,1,1,0,3,1,0,0,1,0,0,0,0,1,0>) -> {x 1 >= 0} ; forward % computes the constraint database of reachable states deadlock(m) fact(_, M) ; {M = <z,0,1,1,0,1,0,1,0,0,3,0,0,1,2,0,1,1,0,0,1,0,0,1,0>, z >= 0} The answer to the above query shows there is a risk of deadlock: for any (integer) instance of z, M is a deadlock state which is reachable from a marking of the initial region (e.g., we have already proved the case for z = 2 and x 1 = 11). Page 6 / 10

7 If we want to be more precise, we need to add a 26th argument to our model that is passed through in forward mode and will act as a pointer to the initial value of x 1. Thus, we relaunch the search, starting from: fact(0, <x 1,1,0,1,0,0,1,0,0,3,0,1,1,0,3,1,0,0,1,0,0,0,0,1,0,x 1 >) -> {x 1 >= 1} ; forward deadlock(m) fact(m.<q>) ; {M = <z,0,1,1,0,1,0,1,0,0,3,0,0,1,2,0,1,1,0,0,1,0,0,1,0>, q = z + 9, z >= 0} We conclude that a necessary and sufficient condition of deadlock-freeness is: x 1 8. Our results are consistent with those obtained with HyTech. Checker Table 2: manufacturing Number of Iterations Generated Facts Approx. Time Prolog III HyTech a a. we presume our implementation is an order of magnitude slower than HyTech. Comments: With exactly the same number of iterations and generated facts as for x 1 = 12 in the previous experiment, the twenty-fold time increase shows the cost paid for implication checking instead of unification. HyTech s removal of redundant regions explains our greater number of generated facts (we check that no fact is subsumed by an older fact, but an old fact can still be subsumed by a new one). A difference in search strategy might explain our smaller number of iterations. Page 7 / 10

8 Extensions to the method If the fixed-point procedure converges too slowly or does not terminate, generation flounders. When this is the case and it happens for the deceptively simple swimming pool example of [BF] (7 places, 6 transitions but 2 query parameters), we need to resort to some accelerating technique. A possible remedy consists in adding fused transitions as well as moving to metatransitions. Fused transitions are short-cuts corresponding to compositions of transitions that are applied in one step (e.g., r 1 r 2 r 3 vs. r 1 then r 2 then r 3 ). They can speed-up convergence by favouring the production of regions of greater interest. As redundant arcs in the graph, they neither affect the rule structure nor the solution set. In contrast, metatransitions do. A meta-transition corresponds to the repeated application of a transition r an arbitrary number of times in a single step (i.e., r k with k N * ). For instance, the meta-transition generalizing our rule example removes k tokens from places 1 and 3 and deposits k tokens in place 4: transition(<x 1,x 2,x 3,x 4,x 5 >, <x 1 -k,x 2,x 3 -k,x 4 +k,x 5 >) ->, {x 1 >= k, x 3 >= k, x 2 >= 0, x 4 >= 0, x 5 >= 0, k >= 1} ; Meta-transitions change the syntactic structure of the constraint system: first, we move to a higher dimensional space with a new (existentially quantified) variable k that will have to be eliminated by projection second, with equations of the form: x = x - 2k (when the original transition consumes more than a token, e.g., 2), we no longer have the guarantee that the linear relaxation of the integer system corresponds to its convex hull 1, i.e., to its tightest approximation. Assume the generation procedure successfully terminates with the modified rule base. Then the finite union of regions U produced by applying meta-transitions in place of transitions gives an upper approximation of the set of all the reachable states. We can no longer conclude that a marking in U is reachable. But we know there is no reachable marking outside U. By using meta-transitions with the 6 suggested fused transitions, and running the swimming pool example backward, from a deadlock state, we are able to show, as with HyTech, that we can cross the initial state region. Checker Table 3: swimming pool Number of Iterations Generated Facts Approx. Time Prolog III HyTech Now a proof would require to exhibit a deadlock path. But this is a relatively small price to pay compared to the gain in performance improvement. Besides, we can facilitate this new combinatorial search by specifically adorning the constrained facts generated with Prolog III. 1. This property was a consequence of the total unimodularity of the system s matrix [Sc]. Page 8 / 10

9 The expressive power of our constrained rules can be used to model communicating systems that may require an extended Petri net setting (0-tests, inhibitor arcs, etc.) or simply may not be originally defined as such. Therefore, we have a great latitude in choosing examples for performing reachability analysis. Taken from [DP], the backery n and ticket n are two algorithms ensuring that no two processes (among n concurrent ones) can enter a critical section simultaneously. Processes are assigned priorities which are local (and can be reset to zero) in the bakery case, whereas they are global (and can grow indefinitely) in the ticket example. The last two protocols, from the same benchmark suite, model communications without loss of data between a producer and a consumer, using bounded or unbounded buffers respectively. The invariants checked express the balance flow between the number of elements produced, the number of elements consumed and the ones within the buffers. Bench Program Proof of Property Table 4: other case studies Number of Iterations Generated Facts Direct Proof Metatransitions In the above table, the examples are often small enough to be proved by hand. Fused transitions bakery2 mutual exclusion 5 16 yes no no bakery3 mutual exclusion yes no no bakery4 mutual exclusion yes no no ticket2 mutual exclusion 6 19 no yes yes b.buffer prog. invariant 0 1 yes no no u.buffer prog. invariant 0 2 no yes no In contrast, the PNCSA communication protocol is a real example where, before the experiments of [BF], nobody suspected a possible deadlock path. The proof of this property is obtained by an astute combination of fused transitions and meta-transitions. And again, the model checker s results can be reproduced with our CLP prototype. Checker Table 5: PNCSA (simplified) Number of Iterations Generated Facts Approx. Time Prolog III HyTech 9 3 Page 9 / 10

10 Conclusion Following up the method of Bérard-Fribourg, we have shown in this report how to model a Petri net as a CLP program and how solve some reachability problems in CLP using the fixed-point semantics of that program. We have highlighted the structural properties of both the logic part of the rules and the linear part of the constraint systems, which allow us to: traverse the state-space rather efficiently treat integer variables as real-valued ones, while retaining completeness of solving (as long as we don t make use of meta-transitions). We have decomposed the verification problem into two steps: first, compute the set of all reachable states ; second, check whether a given state property holds (or can be refuted) on that set. Step by step, we have moved from computations on markings to computations on regions, then, for the sake of accelerating convergence, to computations on upper approximated marking regions. By giving a polyhedral interpretation of the three basic operations: satisfiability check (non-emptyness of intersection), implication check (inclusion) and variable elimination (projection), we have outlined a prototype implementation in Prolog III which enables us to prove the examples of [BF] in a way similar to HyTech. This approach to model checking is very much in the vein of Delzanno-Podelski s. Their CLP implementation is based on Sicstus Prolog s CLP(Q) library which provides a fully featured meta-interpreted linear constraint solver. While more insight has to be gained into the widening techniques they use in their proofs, table 4 comparisons suggest that fusions and meta-transitions could actually form a viable alternative. References [BF] Bérard B., Fribourg L. Reachability analysis of timed Petri nets using Real arithmetic Proc. CONCUR 99, LNCS 1664, pp , [DP] Delzanno G., Podelski A. Model Checking in CLP Proc. TACAS 99, LNCS 1579, pp , [Co] Colmerauer A. An introduction to Prolog III CACM Vol.33, No. 7, [Ko] Kowalski R. Logic for Problem Solving AI series, The Computer science library, North Holland, [Sc] Schrijver A. Theory of Linear and Integer Programming Wiley-Interscience series in Discrete Mathematics and Optimization, Page 10 / 10