Integer Linear Programming and the Analysis of Some ... - CiteSeerX

Comment

Report 3 Downloads 49 Views

Integer Linear Programming and the Analysis of Some Petri Net Problems Hsu-Chun Yen Department of Electrical Engineering National Taiwan University Taipei, Taiwan, Republic of China (E-mail: [email protected])

Abstract A class of Petri nets (called type

L Petri nets in this paper) whose reachability sets

can be characterized by integer linear programming is de ned. Such Petri nets include the classes of con ict-free, normal, BPP, trap-circuit and extended trap-circuit Petri nets, which have been extensively studied in the literature. We demonstrate that being of type

L is invariant with respect to a number of Petri net operations, using which Petri nets can be pieced together to form larger ones. We also show in this paper that for type L Petri nets, the model checking problem for a number of temporal logics is reducible to the integer linear programming problem, yielding an NP upper bound for the model checking problem. Our work supplements some of the previous results concerning model checking for Petri nets.

1.

Introduction

Integer linear programming has long been realized to be closely related to the analysis of Petri nets. In fact, in a Petri net P with initial marking 0, a marking is reachable from 0 in P only if an instance of integer linear programming 0 + Ax = has an integer solution x 2 N m , where m is the number of transitions in P and A is the adjacency matrix of the Petri net. (Such

1

an equation is also known as the state equation.) The converse, however, does not necessarily hold. In the literature, a number of restricted classes of Petri nets have been shown to exhibit integer linear programming characterization for the reachability problem, among which are normal and sinkless Petri nets, which were rst de ned in [19], and subsequently studied from the complexity viewpoint in detail in [7]. The key behind the analysis of normal and sinkless Petri nets lies in showing that given a normal (or sinkless) Petri net, its reachability set can be characterized by an instance of integer linear programming, thus yielding an NP algorithm for the reachability problem. (Recall that the integer linear programming problem is well-known to be NP-complete.) A matching lower bound (i.e., NP-hardness) has also been shown for the two classes of Petri nets in [7]. Taking into consideration that most problems concerning general Petri nets are either of extremely high complexities (such as the EXPSPACE-hardness for the reachability and boundedness problems [13]) or undecidable (such as the containment and equivalence problems [5]), being able to capture reachability by integer linear programming is of great value to the analysis of concurrent systems, provided that such subclasses are `general' enough from a practical viewpoint. Unfortunately, evidence has indicated that almost all the Petri net classes enjoying the nice property of being characterizable by integer linear programming, one way or another, suer from lacking enough expressive power to model real-world problems. For instance, con ict-free PNs are insucient for modeling the well-known producer-consumer and mutual exclusion problems in concurrent systems [7]. Normal and sinkless PNs, although capable of modeling the producer-consumer problem, still lack the required expressive power to model unrestricted mutual exclusion [7]. In view of the above, a natural question arises: Can we nd classes of Petri nets with stronger expressive power, while retaining the nice property that reachability sets are characterizable by integer linear programming. To this end, we de ne a class of Petri nets (called type L) for which from every initial marking, the set of reachable markings can be captured by a system of linear inequalities (over the integers). We then show how modules of type L Petri nets can be pieced together, resulting in Petri nets with stronger expressive power yet still enjoying the nice property of being characterizable by integer linear programming. (In some sense our approach has a similar avor as that of the `reduction-synthesis' approach in Petri net analysis.) For some time, temporal logic has been considered a useful and powerful formalism for reasoning about concurrent systems. Among problems of interest in the study of temporal logic, the model checking problem, i.e., determining whether a given system satis es a property expressed in the temporal logic, has been gaining increasing popularity over the past few years. Much of the early work along this line of research concerned with nite-state systems. Recently, however, there has been a ow of interest in the model checking problem for systems with 2

potentially in nite number of states, namely, in nite-state systems. As it turns out, model checking is very dicult (if it is not undecidable) to solve for the majority of in nite-state concurrent models de ned in the literature. The research of model checking Petri nets can be found in, e.g., [8, 11], and more recently, [4]. (The reader is referred to [2] for a nice survey of research along this line.) The problem can be formally stated as deciding, given a Petri net and a temporal logic formula, whether the Petri net satis es the formula. As one might expect, for general Petri nets the model checking problem is undecidable for a wide variety of temporal logics [2, 4, 6, 8]. Take a rather weak concurrent model Basic Parallel Processes (BPP) for example. It has been shown in [4] that model checking BPP is undecidable for a branching time temporal logic UB (i.e., uni ed system of branching time) [1]. And the undecidability result stands even if we restrict ourselves to a fragment of UB in which only the EG operator (and its dual) is allowed. (EG holds if there exists of a computation along which always holds.) For UB with the EF operator (and its dual) only, the model checking problem is PSPACE-complete for BPP [14]. (EF holds if there exists a computation along which holds at some point.) For linear-time temporal logics (as well as for linear-time -calculus), the model checking problem is known to be decidable and require EXPSPACE for BPP [4]. The reader is referred to [15] for complexity and decidability results of model checking concerning a variety of in nite-state systems, including BPP, BPA, PA, PDA and more. In this paper, we show the model checking problem to be solvable in NP for type L Petri nets with respect to the following three types of temporal logics: 1. a fragment of branching time temporal logic UB augmented with Presburger formulas (de ned in [4]), 2. a linear-time temporal logic L~(F; X ) de ned in [6], and 3. a temporal logic over path formulas de ned in [20]. Our work, in a sense, characterizes a class of Petri nets for which model checking can be equated with solving the integer linear programming problem, which is relatively well-understood. In this regard, our work supplements some of the previous results concerning model checking for Petri nets. The remainder of this paper is organized as follows. In Section 2, some notations and de nitions regarding Petri nets are introduced. Section 3 concerns itself with the composition of Petri net modules in such a way that the nice property of being expressible by integer linear programming is preserved. Finally in Section 4, we show that for the class of Petri nets de ned in Section 3, the model checking problem for some temporal logics is reducible to the integer linear programming problem. 3

2.

Preliminaries

Let ( ) denote the set of (nonnegative) integers, and ( ) the set of vectors of k (nonnegative) integers. For a k-dimensional vector v, let v(i), 1 i k, denote the ith component of v. For a k 2 m matrix A, let a , 1 i k, 1 j m, denote the element in the ith row and the jth column of A, and let a denote the jth column of A. For a given value of k, let (resp. ) denote the vector of k zeros (resp. ones) (i.e., (i) = 0 (resp. (i) = 1) for i = 1,...,k). We let jS j be the number of elements in set S . Given a column vector x, we let x denote the transpose of x (which is a row vector). A Petri net (PN, for short) is a 3-tuple (P,T,'), where P is a nite set of places, T is a nite set of transitions, and ' ( (P 2 T) [ (T 2 P)) is the ow relation. (For convenience, ' is sometimes regarded as a function (namely ow function) ' : (P 2 T) [ (T 2 P) ! f0,1g.) Petri nets can also be viewed from a graph-theoretic perspective, in which P [ T forms the set of vertices of a directed graph, and (u; v) is an edge i '(u; v) = 1. Since ' is a function on (P 2 T) [ (T 2 P), the graph representation of the PN is bipartite. In this paper, k and m will be reserved for jPj (the number of places in P) and jTj (the number of transitions in T), respectively. A marking is a mapping : P ! N. Throughout this paper, each integer is represented by its representation. A transition t 2 T is enabled at a marking i for every p 2 P, '(p,t) (p). A transition t may re at a marking if t is enabled at . We then write 70! 0, where 0(p) = (p) { '(p,t) + '(t,p) for all p 2 P. A sequence of transitions = 1 70! 2 1 1 1 70! for some sequence of markings t ...t is a ring sequence from i 70! ,..., . (We also write ` 70! '.) We write ` 70!' to denote that is enabled and can be red from , i.e., 70! i there exists a marking such that 70! . A marked PN is a pair ((P,T,'), ), where (P,T,') is a PN, and is a marking called the initial marking. Throughout the rest of this paper, the word `marked' will be omitted if it is clear from the context. By establishing an ordering on the elements of P and T (i.e., P = fp ,...,p g and T = ft ,...,t g), we de ne the k 2 m addition matrix A of (P,T,') so that a = '(t ,p ) { '(p ,t ). Thus, if we view a marking as a k-dimensional column vector in which the ith component is (p ), each column a of A is then a k-dimensional vector such that if 70! 0 , then 0 = + a . Let P = ((P,T,'), ) be a PN. The reachability set of P is the set R(P ) = f j 70! for some g. For ease of expression, the following notations will be used throughout the rest of this paper. (Let be a transition sequence, p be a place, and t be a transition.) # (t) represents the number of occurrences of t in . (For convenience, we sometimes treat # as an m-dimensional vector assuming that an ordering on T is established (jTj = m).) Z

N

Z

k

N

k

i;j

0

j

1

0

1

T

unary

t

n

1

0

n

1

0

0

0

0

t

1

n

t

tn

n

0

0

0

0

k

1

m

1

i

i;j

i

i

tj

j

j

j

0

0

4

j

1() = A 1 # de nes the displacement of . (Notice that if 70! 0 , the 1() = 0 0 .) T r() = ftjt 2 T; # (t) > 0g, denoting the set of transitions used in . p =ftj'(p; t) 1; t 2 Tg is the set of output transitions of p; t=fpj'(t; p) 1; p 2 Pg is the set of output places of t; p=ftj'(t; p) 1; t 2 Tg is the set of input transitions of p; t=fpj'(p; t) 1; p 2 Pg is the set of input places of t;

If 70! , then + A1# = . (Note that the converse does not necessarily hold.) 0 is said to be a rearrangement of if # = # 0 . A circuit of a PN is a `simple' closed path in the PN graph. (By `simple' we mean all nodes are distinct along the closed path.) Given a PN P , let c = p t p t 1 1 1 p t p be a circuit and let be a marking. Let P = fp ; p ; 1 1 1 ; p g denote the set of places in c. With a slight abuse of notation, we also use c to denote t t 1 1 1 t when the exact order is not important. We de ne X the token count of circuit c in marking to be (c) = (p). Circuit c is a 8-circuit i for 2 every i; 1 i n, t = fp g. Circuit c is said to be token-free in i (c) = 0. We say c is minimal i P does not properly include the set of places in any other circuit. Circuit c is said to have a sink i for some 2 R(P ) and some and 0 such that 70! 0, (c) > 0, but 0(c) = 0. Circuit c is said to be sinkless i it does not have a sink. (See [19] for more details.) A set of places Q is called a trap i (8t 2 T)((9p 2 Q; t 2 p ) =) (9q 2 Q; t 2 q)), i.e., any transition which has an input place in Q must also have an output place in Q. What follows are several subclasses of Petri nets which have been extensively studied in the literature. Their containment relationships are depicted in Figure 1. All the PN subclasses in Figure 1 have an integer linear programming characterization of reachability, as shown in [7, 21] 0

0

n n 1

1 1 2 2

c

1

n

2

1 2

n

p Pc

i

i

c

Con ict-free Petri nets: A PN P =(P, T, ') is said to be con ict-free i for every place p, either

1. jpj 1, or 2. 8t 2 p , t and p are on a self-loop. In words, a PN is con ict-free if every place which is an input of more than one transition is on a self-loop with each such transition [10, 12]. In a con ict-free PN, once a transition becomes enabled, the only way to disable the transition is0 to re the transition itself. 0 0 0 0 (That is, 8t; t 2 T, t 6= t , 70! and 70! implies 0 70!.) t

t

5

t

General Petri Nets

Sinkless

Normal

TrapCircuit

Extended Trap-Circuit

ConflictFree

BPP

Figure 1: Containment relationships among various Petri net classes.

Normal Petri nets: X A PN is normal [19] i for every minimal circuit c and transition t j , ai;j 0.

(Recall that a = '(t ; p ) 0 '(p ; t ).) Hence, for every minimal circuit c and transition t in a normal PN, if one of t's input places is in c, then one of t's output places must be in c as well. Intuitively, a Petri net is normal i no transition can decrease the token count of a minimal circuit by ring at any marking. Sinkless Petri nets: A PN P is said to be sinkless [19] i each minimal circuit of P is sinkless. BPP nets: A PN (P, T, ') is said to be a BPP-net [3] if 8t 2T, jtj = 1, i.e., every transition has exactly one input place. (Notice that every arc going from a place to a transition has weight 1.) Trap-circuit Petri nets: A PN P is a trap-circuit PN [9] i for every circuit c in P , P is a trap. Extended Trap-circuit Petri nets: A PN P is an extended trap-circuit PN [21] i for every circuit c in P , either P is a trap or c is a 8-circuit. 2

p i Pc

i;j

j

i

i

j

c

c

6

The interested reader is referred to [16, 17, 18] for more about Petri nets and their related problems. 3.

Characterizing PN Computations using Integer Linear Programming

Integer linear programming is known to be a powerful tool for analyzing PNs. Many subclasses of PNs have been shown to have their reachability sets characterizable by integer linear programming. A notable example concerns the classes of normal and sinkless PNs [7, 19]. In [7], the idea behind the analysis of normal and sinkless PNs lies in constructing the reachability set in a greedy fashion. To do so, we build a sequence of small sub-PNs, each has its reachability set characterized by an integer linear programming instance. Furthermore, the number of sub-PNs as well as the size of each integer linear programming instance are polynomial in the size of the original PN. In this way testing reachability for a normal (sinkless) PN can be equated with solving a system of linear inequalities (in the integer domain). Such a strategy has recently been formalized in [21] as the so-called `decomposition approach,' using which certain PN problems were shown to be solvable in NP. Recall that for an arbitrary PN P , the existence of a solution x for the associated state equation + Ax = (where A is the adjacency matrix 3 . of P ) is necessary but not sucient to ensure 70! The insuciency in expressive power for those PNs depicted in Figure 1, to a large extent, has limited the applicability of using such PNs to model real-world problems. For instance, con ict-free PNs are insucient for modeling the well-known producer-consumer and mutual exclusion problems in concurrent systems [7]. Normal and sinkless PNs, although capable of modeling the producer-consumer problem, still lack the required expressive power to model unrestricted mutual exclusion [7]. Now a natural question arises: can we come up with a class (or classes) of PNs with less severe structural constraints (compared to those PNs in Figure 1) while still possessing the desired property of being characterizable by integer linear programming? To answer such a question, we de ne the following class of PNs. L : A PN P = (P; T; ') is of type L i the following holds: For every markings and 0, there exists a system of linear inequalities ILP (P ; ; 0) such that (1) the size of ILP (P ; ; 0) is bounded by a polynomial in the sizes of P , and 0, (2) ILP (P ; ; 0) has an integer solution if and only if 70! 0, and 0

0

Type

Petri Nets

7

(3) for each transition t 2 T , there is a variable x in ILP (P ; ; 0) such that the solution of x exactly equals the number of times transition t res in 70! 0. It is worth pointing out that the class of `sinkless' PNs de ned and studied in [7] does not fall into the category of type L, although the reachability problem for such PNs can be solved using integer linear programming [7]. This is primarily due to the fact that `sinkless' is de ned as a behavioral property of PNs, meaning that whether a PN is sinkless or not depends on the initial marking of the PN. With the exception of sinkless PNs, all the remaining subclasses in Figure 1 are of type L. To show how type L PN modules can be pieced together to form larger type L PNs, we de ne four types of PN operations which are invariant as far as being of type L is concerned. The fundamental idea is similar to that behind the reduction-synthesis approach which has been extensively discussed in the literature over the years (see, e.g., [16]). Unlike those `primitive' rules de ned in the framework of conventional PN reduction-synthesis, our operations naturally re ect four important constructs in programming languages, namely, sequential composition, control, asynchronous type communication, and rendezvous type communication, albeit in a restricted manner. Given PNs P =(P ; T ; ' ) and P =(P ; T ; ' ), consider the following four types of operations, namely s-, c-, a-, and r-operations: 1. s(P ; P ; ) = ((P [ P ); (T [ T ); (' [ ' [ )), where T \ T = ;, T \ T = ; (where T = ftjt 2 T g and T = ftjt 2 T g), ((P 2 T ) [ (T 2 P )). See Figure 2(1). That is, PNs P and P are glued together in a `sequential' fashion, de ned by relation . (Notice that in general, P and P do not have to be disjoint.) 2. c(P ; p; t; ) = ((P [fpg); (T [ftg); (' [f(p; t)g[ )), where ((P 2ftg) [ (ftg2 P )), See Figure 2(2). In this operation, `control' place p and transition t are attached to PN P. 3. a(P ; P ; p) = ((P [ P ); (T [ T ); (' [ ' )), where P \ P = fpg, T \ T = ; and in 3 0 (resp., 70! 3 0 ), P (resp., P ), for every initial marking (resp., ), if 70! then 0 (p) (p) (resp., 0 (p) (p)). See Figure 2(3). PNs P and P are allowed to communicate in an `asynchronous' way through place p. 4. r(P ; P ; t ; t ) = ((P [ P ); ((T [ T [ ft g) 0 ft ; t g); (' j 1 1 2 [ ' j 2 1 2 )), where P \ P = ;, T \ T = ;, t 2 T , t 2 T , t is a new transition, and ' j 1 1 2 (resp., ' j 2 1 2 ) denotes the relation resulting from replacing transition t by t in ' (resp., t by t in ' ). See Figure 2(4). This operation implements the `rendezvous' mechanism between PN modules. That is, the communication between PNs P and P is through a t

t

1

1

1

2

1

1

1

1

2

2

1

1

2

2

2

1

2

1

2

2

1

1

2

2

1

1

2

2

2

1

1

2

1

2

1

1

1

1

1

1

2

1

1

1

2

1

2

2

1

1

2 t

2

1

1

1

1

2

2

1

1

1

1

1

1;2

2

2

2

2

1

1

2

1

2

1 t

t

1;2

t

1 t

1;2

2

1

8

2

2

2 t

;

1

;

1;2

2

2

2

2

2

2

t

1

1

1

2

2

2

;

t

;

1

P1 p

t

P1

P2

(1)

(2)

P1

P1

p t 1,2

P2

P2

(3)

(4)

Figure 2: PN operations.

9

`rendezvous' between transitions t and t . (The newly formed rendezvous transition is t .) 1

2

1;2

Lemma 3.1.

If PN (P; T; ') is of type L, so is ((P [ P 0); T; '), where P 0 is a new set of places.

Obvious. What the above lemma says is that adding new places (without introducing additional transitions) to a type L PN results in a type L PN. Proof:

Applying a polynomial number of previously de ned s0, c0, a0 and r0operations to type L PNs always results in a type L PN.

Theorem 3.2.

In what follows, we write ILP (P ; ; 0), where ; 0 , to denote the system of linear inequalities associated with the reachability of 0 from in P . (s-operation) According to Lemma 3.1, P 0 = ((P [ P ); T ; ' ) and P 0 = ((P [ P ); T ; ' ) are of type L. Since the reability of transitions in P does not depend on those tokens generated as a result of ring transitions in P , any computation 70! 0 can be rearranged into 70!1 00 70!2 0, such that T r( ) T and T r( ) \ T = ;. It follows from P 0 and P 0 being of type L that the following system of linear inequalities suces to capture such a rearranged path. ( ILP (P 0 ; ; 00 ) ILP (P 0 ; 00 ; 0) (c-operation) Suppose P =(P ; T ; ' ) and P =c(P ; p; t; ) is the resulting PN after a c0operation is performed. (See Figure 2(2).) A marking in P can be viewed as ( 00 ; c), where 00 is a marking in the original PN P , and c represents the number of tokens in the control place p. Clearly, any com01 putation from to (in P ) is of the form 70!1 70! 0 70!2 1 1 1 70! 0 70! 0 0 70! , for some r (p), such that T r( ) T ; 1 i r. Since ((P [fpg); T ; ' ) is of type L, the following system of linear inequalities (whose size is polynomial in the sizes of P and ) can easily be set up to capture the above computation. The remaining details are straightforward. 8 = 0 > > < ILP (((P [ fpg); T ; ' ); 0 ; ); 80 i r 0 1 0 > > : =+ 1(t) = ; 80 i < r 0 1 (a-operation) First we claim that if 70! 0 is a path in P with (p) = 0(p), then can be rearranged Proof:

0

1

1

2

1

1

2

2

1

2

2

1

2

1

1

2

1

2

1

1

2

1

1

1

1

1

1

0

0

i

0

1

t

r

r 1

1

1

1

1

t

r 1

1

1

0

0

1

i+1

1

i+1

1

0

r

10

i

i+1

r

0

into such that T r( ) T , T r( ) T , and 701!2 0. In fact, (resp., ) can be taken as the projection of on P (resp., P ). Why such a rearrangement works is rather straightforward, for neither P nor P is capable of adding tokens to p before removing at least the same amount of tokens (de nition of the a-operation). As a result, alone can re without counting on the tokens (in place p) supplied by P . Suppose 70! is a path in P , which is the resulting PN after the a0operation is carried out. Let be the last marking along such a path that (p) = (p). (Let the transition red at be t . That is, the ring1 of t removes a token from p.) Using the above claim, 70! 2 3 such that T r( ) T , T r( ) T , 1 0 70! can be rearranged into 70!1 00 70!1 70! 3 place p never contains more than 0 (p) 0 (p) = ( (p) 0 1), and along the sux path 0 70! tokens. By repeatedly applying the above argument to1 the remaining path,1 it is reasonably 2 1 00 70! 1 0 70! 1 70! 2 00 70! 22 70! 2 easy to see that 70! can be rearranged into 70! 1 2 2 1 +1 00 +1 0 1 1 1 0 0 70! 00 70! 70! 0 1 1 1 0 70! 70! = , for some d (p), such that 81 i d + 1; T r( ) T ; T r( ) T , and (p); 0 (p) 1 1 1 0 (p) 1 1 1 0 (p) is strictly decreasing. (Some of and might be empty.) As P and P are of type L, the following system of linear inequalities can easily be set up to capture the reachability of from ; furthermore, the size of the system is bounded by a polynomial in the sizes of P and , since the number of `stages' (i.e., d) is bounded by (p). (Recall that integers are represented in unary.) 8 > ILP (((P [ P ); T ; ' ); ; 00) > > ILP (((P [ P ); T ; ' ); 00 ; ) > > (p) = (p) > > > + 1(t ) = 0 > > 0 (p) = (p) 0 1 > > > ::: > > < ILP (((P [ P ); T ; ' ); 0 0 ; 00 ) ILP (((P [ P ); T ; ' ); 00 ; ) > > (p) = 0 0 (p) > > + 1(t ) = 0 > > > 0 (p) = (p) 0 1 > > ::: > > > ILP (((P [ P ); T ; ' ); 0 ; 00 ) > > ILP (((P [ P ); T ; ' ); 00 ; ) > : (p) = 0 (p) (r-operation) The proof relies on the fact that if 70!1 0 (resp., 70!2 0 ) is a path in P (resp., P ) and # 1 ( ) = # 2 ( ), then there exists a path ( ; ) 70! (0 ; 0 ) in the combined PN ((P [ P ); ((T [ T [ ft g) 0 ft ; t g); (' j 1 1 2 [ ' j 2 1 2 )) such that # 1 2 () = # 1 ( ) = 1

2

1

1

2

2

1

1

2

1

1

2

1

2

0

1

1

1

1

1

t

1

1

2 1

1

2

1

1

i

0

i 1

1 1

1

1

2

0

0

1

0

i

i

0

d

ti

i

1

2

2

i

i

1

1

i

i

t

2

2

0

0

2

1

1

d+1

d+1

1

i

d

d

i

t

1

1

d

2

0

0

0

1

1

1

2

1

1

0

1

2

2

2

1

1

i 1

0

1

1

0

1

1

1

1

2

1

1

1

2

2

2

i

i

i

i

d+1

i 1

i

i

0

i

i

i

1

2

1

1

d

1

2

2

2

d+1

d

1

t

1

t

1

2

1

2

2

1

1;2

1

2

1 t

2

1

t

11

;

2 t

2

1

2

1

t

;

2

2

t

;

t

1

# 2 ( ). To see this, suppose = t t 1 1 1 t and = t t 1 1 1 t , where f = # 1 ( ) = # 2 ( ), 2 (T 0 ft g)3 and 2 (T 0 ft g)3, for 1 i f + 1. Clearly, = t t 1 1 1 t is reable at ( ; ) in the combined PN. The converse holds as well. Hence, ILP (P ; ; 0 ) [ ILP (P ; ; 0 ) [ fx 1 = x 2 g, where ILP (P ; ; 0 ) (resp., ILP (P ; ; 0 )) is the system of linear inequalities associated with 70!1 0 in P (resp., 70!2 0 in P ) and x 1 (resp., x 2 ) is the variable associated with the ring count of transition t (resp. t ) guaranteed by the de nition of type L PNs, is sucient to ensure the reachability of (0 ; 0 ) from ( ; ). Given a PN P =(P; T; '), we write x ,! y, where x; y 2 T , to denote the existence of a path (in the Petri net graph of P ) from x to y. We de ne the relation on subnets of P =(P; T; ') as follows: P P , where P =(P; T ; 'j 1 ) P =(P; T ; 'j 2 ), i (1) 9 2 1 02 2 , t ,! t0, and (2) :(9 2 2 02 1 , r ,! r0 ). t

2

t

t

1

1 1 1;2 2

2

2 1;2

i

2

2

f 1 f +1

1

1

i

1

2

1

2

1

2

2

1 2

f 2 f +1

2 2

2

2

t

2

t

1

1

2

t

2

2

1

1

1

1

1

t

2

1

1

r T ;r

1 1 2 1

f f 1;2 f +1 f +1 1

2

1

1

2

2

2

1

1

T

2

2

T

t T ;t

T

T

P1

P2

P3

P4

P5

Figure 3: Hierarchical composition of PNs. Let P =((P; T; '); 0 ) be a PN and P1 =(P; T1 ; 'jT1 ), ..., Pn =(P; Tn ; 'jT ) be subnets of P such that fT1; :::; T ng constitutes a partition of T (i.e., Ti \ Tj = ; (for all i 6= j ), S and ni=1 Ti = T ), and is a partial order for fP 1, ..., Png. (See Figure 3.) Suppose each of P1, ..., Pn is of type L, then P is of type L as well.

Corollary 3.3.

n

12

By repeatedly applying Theorem 3.2, the result follows. To show how complex PNs can be analyzed in a hierarchical fashion using integer linear programming, consider the following example. Proof:

Example 1

Consider the PN P shown in Figure 4. Clearly P does not fall into any of the subclasses of PNs described in Figure 1. We de ne the restriction of ' to H ( T ), written as 'j , to be a mapping 'j : (P 2H ) [ (H 2 P) ! f0,1g such that 'j (p; t) = '(p; t) and 'j (t; p) = '(t; p), for every p 2 P, and t 2 H . Suppose we let 1. T = ft ; t ; t g Note that (P; T ; 'j 1 ) is normal (hence, of type L). Also, during the course of any computation, the number of tokens in place p does not grow with respect to the marking at which the computation begins. 2. T = ft ; t ; t g (P; T ; 'j 2 ) is normal (hence, of type L). 3. T = ft g (P; T ; 'j 3 ) is trivially of type L. 4. T = ft g. 5. T = ft ; t g (P; T ; 'j 5 ) is clearly of type L. Also, during the course of any computation, the number of tokens in place p does not grow with respect to the marking at which the computation begins. Since (P; T ; 'j 1 ) (P; T ; 'j 2 ) (P; T ; 'j 3 ), it follows from Corollary 3.3 that (P; (T [ T [ T ); 'j 1[ 2[ 3 ) is of type L. Using Theorem 3.2, we have that (P; (T [ T [ T [ T ); 'j 1[ 2[ 3[ 4 ) is of type L as well, for the number of times transition t can re is bounded by three. Finally, applying Theorem 3.2 to sub-PNs (P; (T [ T [ T [ T ); 'j 1[ 2[ 3[ 4 ) and (P; T ; 'j 5 ) immediately yields our result, i.e., P is of type L. H

H

1

H

1

2

3

1

2

4

3

T

4

8

5

9

T

1

(T

10

T

5

4

6

7

3

3

T

T

2

2

5

H

(T

T

T

2

T

T

3

T

1

T )

1

T )

3

8

1

5

2

2

3

4

(T

T

T

T )

T

Theorem 3.4.

The reachability problem for type L PNs is NP-complete.

As the reachability set of a type L PN can be modeled by an instance of integer linear programming whose size is polynomial in the size of the PN, the NP upper bound follows. The lower bound (i.e., NP-hardness) is straightforward, since type L PNs contain the class of con ict-free PNs for which the reachability problem is known to be NP-hard [10].

Proof:

13

t3

t6

p t4 t8

t2

t1

t5

t9

t10

t7

Figure 4: An example. 4.

Model Checking

In this section, we focus on the model checking problem for type L PNs with respect to the following three types of temporal logics: 1. a fragment of uni ed system of branching time (UB) augmented with Presburger formulas (de ned in [4]), 2. a linear-time temporal logic L~(F; X ) de ned in [6], and 3. a temporal logic over path formulas de ned in [20]. The rst two types of temporal logics are capable of modeling the reachability property. The third type of temporal logic, as shown in [20], can be used to model boundedness, coverability, and various fairness-related properties. 4.1. Uni ed system of branching time

In [4], the uni ed system of branching time (UB, for short) (a logic originally de ned and studied by Ben-Ari, Manna, and Pnueli in [1]) has been de ned for labeled PNs P =(P; T; '; l), where (P; T; ') is a PN and l is a labeling function l : T ! 6, for a set of labels 6. UB de ned in [4] has the following syntax and semantics. Syntax

::= true j : j 1 ^ 2 j E (a) j EF j EG,

14

where a is a label in 6. A marking satisfying a formula , denoted by j= , is de ned inductively as follows. j= true always holds j= : i :( j= ) j= ^ i j= and j= j= E (a) i 9 a marking 0 such that 70! 0 and 0 j= , for some transition t labeled a (i.e., l(t) = a) j= EF i 9 a path 70! 70! 1 1 1 such that = and 9i 1 j= j= EG i 9 a path 70! 70! 1 1 1 such that = and 8i 1 j= Semantics

1

2

1

2

t

1

2

3

1

2

3

1

i

1

i

A labeled PN P =((P; T; '; l); ) is said to satisfy a formula i j= . The model checking problem is that of, given a labeled PN P and a formula , determining whether is satis ed in P . Let EF and EG denote the fragments of UB allowing only EF and EG operators (and their duals), respectively. In [4], EF has been augmented with Presburger formulas of the form A 1 B (where A and B are matrices of dimensions r 2 k and r 2 1, respectively, whose elements are in Z , and , a k 2 1 matrix, represents a marking of the PN) as atomic predicates over markings. Such an extended logic is called EF+Pres in [4]. The following table summarizes some of the results in [4]. Petri nets BPPs Undecidable Undecidable EG Undecidable Decidable3 EF EF+Pres Undecidable Decidable 3 ( The result has recently been improved to PSPACE-complete in [14].) 0

0

In what follows, we supplement the results of [4, 14] by showing that for type L PNs (which properly contain BPP nets), model checking a fragment of EF+Pres can be equated with solving ~ + P res a systems of linear inequalities, thus yielding an NP algorithm for the problem. Let EF be a fragment of EF+Pres with the restriction that the : operator can only be applied to formulas in which E (a) and EF operators are absent. ~ + P res, the model checking problem for type L PNs is NP-complete. For EF Theorem 4.1.

15

~ + P res, we rst Given a labeled PN P =((P; T; '; l); ) and a formula in EF show, in an inductive fashion, how to construct a system of linear inequalities 8 (whose size is polynomial in the sizes of P and ) in such a way that j= i 8 has an integer solution. Hence, the model checking problem is solvable in NP. We use the following function gen to generate 8:

Proof:

0

0

function gen(; ): case 1: =(A 1 B ) return(fA 1 B g) case 2: =:(A 1 B ) guess i, 1 i r /* r is the number of rows of A */ return(f(A 1 )(i) > B (i)g) case 3: = ^ return(gen(; ) [ gen(; )) case 4: = :( ^ ) return either gen(; : ) or gen(; : ) nondeterministically case 5: = E (a)0 guess a transition t with l(t) = a return(f( + 1(t)) = 0 g [ gen(0; 0)) case 6: = EF 0 return(ILP (P ; ; 0) [ gen(0; 0)) 1

2

1

1

2

2

1

2

0

It is easy to see that gen( ; ) can be generated in NP, for the number of recursive calls is bounded by the length of . Furthermore, for PNs being in type L guarantees that j= i gen( ; ) has an integer solution. To show the lower bound, it suces to show that the reachability problem is reducible to the model checking problem. It is known that the reachability problem for con ict-free and BPP ((i) M (i) 0 1)). nets (both are of type L) is NP-hard [3, 10]. Let = ( M ) ^ :(W 3 Clearly j= EF i 70! M . This completes the proof. 0

0

0

i=1;:::;k

0

0

~ + P res, the model checking problem for con ict-free, normal, BPP, For EF trap-circuit, and extended trap-circuit PNs is NP-complete. Corollary 4.2.

16

4.2. A linear-time temporal logic L~(F; X )

In [6], the model checking problem of a fragment of linear-time temporal logic coined L~(F; X ) was investigated for the class of con ict-free PNs. As it turns out, the problem can be reduced to solving a system of linear inequalities, yielding an NP upper bound (for con ict-free PNs) [6]. As mentioned earlier, the primary idea of de ning type L PNs is to provide an umbrella under which many problems can be solved in a uni ed fashion. Taking the strong connection between integer linear programming and type L PNs into account, it is natural to expect that the techniques used in [6] for reasoning about the model checking problem for con ict-free PNs (which are of type L) might be applicable to type L PNs as well. For the sake of completeness, in what follows we give a brief de nition of L~(F; X ). The reader is referred to [6] for more details. Given a marking and a transition sequence enabled at , three types of predicates are de ned in L~(F; X ), namely, ge(s; c), en(t) and fi(t) (where s is a place, t is a transition, and c 2 N ) meaning that `(s) c', `t is enabled at ', and `the rst transition of is t', respectively. A well-formed formula (or formula) is de ned inductively as follows. true, false, and predicates are formulas, :p, ^ , F , and X are formulas, where p is a predicate, , and are formulas. In L~(F; X ), we require that negations (i.e., :) be allowed only on the predicates. The predicates and their negations are called literals. Given a PN P =((P; T; '); ) and a ( nite or in nite) reable sequence of transitions t t :::, the semantics of L~(F; X ) is de ned as follows: 1

2

1

2

0

1 2

< ; n > j= ge(s; c) i (0 + 1(t1 1 1 1 tn))(s) c < ; n > j= en(t) i (0 + 1(t1 1 1 1 tn))(p) '(p; t); 8p 2 P < ; n > j= fi(t) i t n+1 = t < ; n > j= 1 ^ 2 i (< ; n >j= 1 ) ^ (< ; n >j= 2 ) < ; n > j= : i :(< ; n >j= ) < ; n > j= X i < ; n + 1 >j= < ; n > j= F i 9n0 > n such that < ; n0 >j=

Given a formula and a PN P =((P; T; '); ), the model checking problem for the above logic is to determine whether there exists a reable sequence (i.e., 70!) such that < ; 0 >j= . (Is is worth pointing out that in conventional linear-time temporal logics, the question is if all paths satisfy the formula instead.) Our main result is the following. 0

0

17

L~(F; X ), the model checking problem for type L PNs is in NP. Proof: Since our proof closely parallels that of [6] concerning con ict-free PNs, we only provide a proof sketch in the following. A key lemma in [6] says that every formula f in L~(F; X ) has an equivalent regular formula fr . (A formula is said to be regular if it is a literal or of the form ^ f , F f , or Xf , where is a literal and f is regular.) Given an index n, we use the following function gen(; n) (n = 0 initially) to generate the associated system of linear inequalities for a regular formula . The niteness of the system of linear inequalities is due to the niteness of the formula. function gen(; n): case 1: =ge(s; c) return(fn (s) cg) case 2: :(=ge(s; c)) return(fn (s) < cg) case 3: =en(t) return(fn 1(t)g) case 4: =:(en(t)) guess an i; 1 i k, return(fn (i) < 1(t)(i)g) case 5: =fi(t) return(fn = n + 1(t); n 1(t)g) case 6: =:(fi(t)) guess an t0 2 T 0 ftg return(fn = n + 1(t0); n 1(t0)g) case 7: = ^ return(gen( ; n) [ gen( ; n)) case 8: =X0 guess a t 2 T return(fn = n + 1(t); n 1(t)g) [ gen(0; n + 1) case 9: =F 0 return(ILP ((P; T; '); n ; n )) [ gen(0; n + 1) Theorem 4.3.

For

+1

+1

1

2

1

2

+1

+1

The validity proof of the constructed system of linear inequalities is similar to that in [6], and hence, is left to the reader. 18

4.3. Path formulas

In [20], a class of path formulas has been de ned for which the satis ability problem for general PNs has been shown to be solvable in EXPSPACE. For the sake of completeness, we now brie y state the de nition of such path formulas. Let ((P,T,'), ) be a k-place m-transition PN. Each path formula consists of the following elements: 1. Variables: There are two types of variables, namely, marking variables ; ; ::: and variables for transition sequences ; ; :::, where each denotes a vector in Z and each denotes a nite sequence of transitions. 2. Terms: Terms are de ned recursively as follows. (a) 8 constant c 2 N , c is a term. (b) 8 j > i, 0 is a term, where and are marking variables. (c) T + T and T 0 T are terms if T and T are terms. 3. Atomic predicates: There are two types of atomic predicates, namely, transition predicates and marking predicates. (a) Transition predicates: y # < c, y # = c and y # > c are predicates, where i > 1; y (a constant) 2 Z ; c 2 N and denotes the inner product # 1 (t ) c and # 1 (t ) c are predicates, where c 2 N and t 2 T . (b) Marking predicates: Type 1: (i) c and (i) > c are predicates, where is a marking variable and c(2 Z ) is a constant. Type 2: T (i) = T (j ); T (i) < T (j ) and T (i) > T (j ) are predicates, where T , T are terms and 1 i; j k , meaning that the i-th component of T equals, is less than, resp. is greater than the j -th component of T , respectively. F _ F and F ^ F are predicates if F and F are predicates. The satis ability problem is that of, given a PN P = ((P; T; '); ) and a predicate F , determining whether the following formula is true. 0

1

1

2

k

i

2

i

k

j

1

i

2

1

2

i

i

j

1

2

i

i

m

j

1

2

j

j

1

2

1

2

1

2

1

2

1

2

1

2

1

2

0

19

7 ! m) ^ F ( ; :::; m; ; :::; m)) 9 ; :::; m9 ; :::; m (( 0 7 !1 0 7 !2 1 1 1 m0 0 1

1

0

1

1

m

1

1

(From Lemma 3.2 in [20]) Given a Petri net P = ((P; T; '); 0 ) and a formula f , we can construct, in polynomial time, a Petri net P0= ((P 0; T 0; '0 ); 00 ) and a formula f 0 containing no transition predicates such that Pj= f i P0j= f 0 .

Lemma 4.4.

From the above lemma and the fact that all the terms and predicates de ned in our logic are of linear form, the following result is rather obvious. For type L PNs, the satis ability problem for the class of path formulas de ned in [20] is solvable in NP. Theorem 4.5.

5.

Conclusions

We have considered a class of Petri nets (called type L) for which the reachability sets can be characterized by integer linear programming, and have demonstrated that being of type L is preserved under a number of synthesis operations, using which modules of Petri nets can be pieced together to form larger ones. As it turns out, the class of type L Petri nets is strictly larger than many of the previously known Petri net classes (including con ict-free, normal, sinkless, BPP, trap-circuit, and extended trap-circuit) which have an integer linear programming characterization of reachability. We have also shown that for some simple fragments of temporal logics, model checking for type L Petri nets can be reduced to integer linear programming, and can thus be solved in NP. A natural question is whether our investigation of capturing reachability sets by integer linear programming can be extended to a larger class of Petri nets. An equally interesting future investigation is to see whether our synthesis approach can be applied to problems of practical interest. Acknowledgments

The author thanks the anonymous referees for their helpful comments which improved the presentation as well as the correctness of this paper. References

[1] Ben-Ari, M., Manna, Z. and Pnueli, A.: The temporal logic of branching time, Acta Inform., 20(3):207{226, 1983. 20

[2] Burkart, O. and Esparza, J.: More in nite results, Electronic Notes in Theoret. Comput. Sci., 6, 1997. [3] Esparza, J.: Petri nets, commutative context-free grammars and basic parallel processes, Proc. FCT'95, (LNCS 965), pp. 221-232, 1995. [4] Esparza, J.: Decidability of model checking for in nite-state concurrent systems, Acta Inform., 34:85-107, 1997. [5] Hack, M.: Decidability questions for Petri nets, Ph.D. Thesis, Laboratory for Computer Science, MIT, 1976. [6] Howell, R. and Rosier, L.: On questions of fairness and temporal logic for con ict-free Petri nets, In G. Rozenberg, editor, Advances in Petri Nets 1988 (LNCS 340), pp. 200{226, Springer-Verlag, Berlin, 1988. [7] Howell, R., Rosier, L. and Yen, H.: Normal and sinkless Petri nets, J. Comput. System Sci., 46:1{26, 1993. [8] Howell, R., Rosier, L. and Yen, H.: A taxonomy of fairness and temporal logic problems for Petri nets, Theoret, Comput. Sci,, 82:341{372, 1991. [9] Ichikawa, A., and Hiraishi, K.: Analysis and control of discrete event systems represented by Petri nets, Lecture Notes in Control and Information Science 103, pp. 115-134, 1987. [10] Jones, N., Landweber, L., and Lien, Y.: Complexity of some problems in Petri nets, Theoret. Comput. Sci. 4:277-299, 1977. [11] Jancar, P.: Decidability of a temporal logic problem for Petri nets, Theoret. Comput. Sci., 74:71-93, 1990. [12] Landweber, L. and Robertson, E.: Properties of con ict-free and persistent Petri nets, JACM, 25(3):352{364, 1978. [13] Lipton, R.: The reachability problem requires exponential space, TR. 62, Yale University, Dept. of Computer Science, Jan, 1976. [14] Mayr, R.: Weak bisimulation and model checking for basic parallel processes, Proc. of FSTTCS'96, (LNCS 1180), pp. 88-99. Springer Verlag, 1996. [15] Mayr, R.: Decidability and complexity of model checking problems for in nite-state systems, Ph.D. Thesis, Institut fur Informatik, Technische Universitat Munchen, 1998. 21

[16] Murata, T.: Petri nets: properties, analysis and applications, Proc. of the IEEE, 77(4): 541{580, 1989. [17] Peterson, J.: Petri Net Theory and the Modeling of Systems, Prentice Hall, Englewood Clis, NJ, 1981. [18] Reisig, W.: Petri Nets: An Introduction, Springer-Verlag, Heidelberg, 1985. [19] Yamasaki, H.: Normal Petri nets, Theoret. Comput. Sci., 31:307{315, 1984. [20] Yen, H.: A uni ed approach for deciding the existence of certain Petri net paths, Inform. and Comput., 96(1):119{137, 1992. [21] Yen, H.: On the regularity of Petri net languages, Inform. and Comput., 124(2):168{181, 1996.

22

Recommend Documents

Some Perturbation Theory for Linear Programming - CiteSeerX

On the integer max-linear programming problem