A Model Checking Method for Partially Symmetric Systems

SergeHaddad 1

,Jean-Mi helIlie 2

andKhalil Ajami 2

(1)lab.Lamsade,UniversiteParisDauphine,Fran e,Serge.Haddadlamsade.dauphine.fr

(2)lab.LIP6,UniversiteParisVI,Fran e,Jean-Mi hel.Ilielip6.fr,Khalil.Ajamilip6.fr

Abstra t Anewmethodofmodel he kingisproposedbasedontheexisten eof

symmetries insystem. Weshowhow to fullyhandle thepartial

sym-metriesofbothproperties andsystems. Ourmethoddoesnotdepend

onaparti ularformalismandapriori anbeappliedtoanyone.

Well-formedPetriNetsareusedasanillustration.

Keywords: Veri ation and validation, Temporal logi , model- he king,

symme-tries,partialsymmetries,Bu hiautomata,well-formedPetrinets.

1. INTRODUCTION

Model he kingof temporallogi formulasovernitestatesystems is

now a widely used method of veri ation of proto ols and distributed

algorithms. Su h a te hnique has led to numerous tools (Holzmann,

1997,...). However themain drawba kof thiskindof veri ation is the

omplexityfa tor dependingon thesizeofthespa eofrea hablestates.

Thus dierent improvementshave beenproposed (and implementedin

tools). Thepartialorderanalysisexploitstheindependen eofevents of

thesysteminordertoavoidexplorationsofequivalentpathsinthestate

graph(GodefroidandWolper,1994). Anotherfruitfulresear hdire tion

is based on the symmetries of the system to be analysed. The main

idea is to build a quotient graph where nodes denote set of equivalent

rea hable states. Then the redu edgraph is shown to be equivalent to

theoriginal one w.r.t. to some generi properties (Jensen, 1986,Chiola

etal.,1991).

However the modeller often needs to he k parti ular properties

re-lated to the behaviour of its system. It is then ne essary to adapt the

quotient graph buildingwith the aim of verifyinga temporal logi

for-mula. The key point isthe hara terisationof symmetriesof a formula

our presentation to the linear time logi (e.g. LTL). So let us brie y

re allits usualveri ationalgorithm (Gerth etal.,1993):

thenegationof theformulaistranslated into aBu hiautomaton,

thesyn hronisedprodu toftheautomatonandthestate graphof

thesystemisbuilt(produ tof ompatiblestates andtransitions),

a path is sear hed within the syn hronised produ t, su h that it

ends by a loop ontaining a state asso iated with one of the

a - eptation states of theBu hi automaton. We allsu h a path,an

invalidatingpath.

The formula is true if and only if su h an invalidating path does not

exist. Although the sizeof the automaton is exponentially larger than

thesizeof formula, it remainslow ompared to thenumberof statesin

thesystem. This lastparameteristhe main omplexityfa tor.

Inarstapproa h(Clarkeetal.,1996),onerestri tstheatomi

propo-sitions of the language to symmetri propositions. For instan e, \In a

future state, all pro esses will be idle" or \If some pro ess is waiting

for a resour e, then some pro ess will get it" are symmetri formulas.

In other words, a formula is symmetri if its atomi propositions are

invariant under any pro ess identities permutation. For he king su h

formulas, one substitutesa quotientstate graphto the state graphand

one applies the above algorithm without any hange. Unfortunately,

manyusualformulas arenot onsideredassymmetri . Forinstan e,the

fairnessformula \If some pro ess is waiting for a resour e, then it will

getit" isnot onsideredasa symmetri formula.

These ondapproa h(EmersonandPrasadSistla,1996),denes

sym-metri Bu hiautomata. Anautomatonissymmetri if,givena

(a ept-ing)stateandapro essidentitiespermutation,thereisanother

(a ept-ing) state whose atomi propositions are obtained by the permutation

appliedontheatomi propositionsoftherststateandforanysu essor

ofonestate,thereisasu essoroftheotheroneforwhi hthepropertyis

againfullled(andthisre ursively). Starting from thisautomatonand

the model of the system, one dire tly builds a quotient syn hronised

produ t. It is then shown that the existen e of an invalidatingpath in

theoriginalsyn hronised produ tand thequotient stru tureare

equiv-alent. The symmetri formulas of the previous method, and also new

Anyway,thiste hniquedoesnot overthe aseofpartiallysymmetri

formulas whi hare onsideredasasymmetri al. Hereisapartially

sym-metri formula: \If some pro ess is waiting for a resour e then it will

getit, provided noneof thepro esseswithhigheridentitywillrequirethe

resour e in the future". Therefore in (Ajami et al., 1998), the authors

have proposed a more rened denition of the quotient syn hronised

produ tthanthepreviousone:

One omputesanequivalen erelationbetweenstates oftheBu hi

automatonperitemofthe\symmetry group"ofthemodelinsu h

a way that two states are equivalent whenever they indu e the

same presentand future w.r.t. the a tionofthisitem.

A quotient syn hronised graph is built by applyingthese

equiva-len e relations on the pairs (state of the model, state of the

au-tomaton).

In ase of a symmetri automaton, the quotient graph is identi al to

theprevious one, butthe te hnique also redu es the omplexity of the

veri ationin aseofapartiallysymmetri automaton. Inother words,

itgeneralisesthepreviouste hniques.

Howevernoneoftheexistingmethods overtwoimportantsituations.

At rst,they requirethesystemto be symmetri . Manymodelsdo not

fulll this requirement. In most ases, they are partially symmetri ,

meaning that large parts of the spe i ation is symmetri but some

riti al modules are asymmetri . In (Haddad et al., 1995), a spe i

algorithmis proposed forpartiallysymmetri high-levelPetrinets,but

itmainlydealswiththerea habilityproblemand itdoesnotseemthat

it an be extended to the model he king. In (Emerson and Tre er,

1999), asymmetri behaviour is allowed in \symmetri states" (left

in-variant byanypro essidentitiespermutation). Unfortunately,thiskind

ofasymmetry isvery restri tive.

These ondsituationwhi h annotbeexploitedbytheprevious

meth-ods on ernstheformula. A tually,thetwoautomaton-basedte hniques

assume that some symmetri relations hold on the stru tureof the

au-tomaton. Howeverinautomata ofpartiallysymmetri formula, mostof

thestatesoftheautomatonarepartiallysymmetri ,buttheautomaton

isgloballyasymmetri (i.e. theequivalen erelationsbetweenstates are

almostredu edto the identity).

In the present work, we will show how to over ome these two

automatonis asso iatedwith thegroupof symmetrieswhi hleft its set

of atomi propositions globally invariant. No supplementary ondition

is required on the stru ture of the automaton. The method does not

dependon a spe i formalismfor the system and an be applied over

any model where symmetries an be synta ti ally he ked. So in the

third se tion, we illustrate a possible implementation on well-formed

Petri nets for whi h symmetries have been intensively studied Chiola

et al., 1993. More importantly, we show how to apply our method on

asymmetri systems. The key point isthat su h systems are denedas

syn hronisedprodu ts of asymmetri modeland an asymmetri Bu hi

automaton. In ouropinion,manyproto ols and algorithms an be

rep-resentedwith the help of this formalism. In the on lusion, we dis uss

about ombinationsof te hniquesand experimentations.

2. PRINCIPLES OF OUR METHOD

2.1. VERIFICATION OF TRANSITION

SYSTEMS

Inorder to represent thegeneral aspe ts of our method,we onsider

itat a semanti level, in other terms we onsiderthe transition system

thatisgenerated from thesynta ti model,e.g. a Petrinet.

Denition1 A (nite) transition system S = (Q;Q

0

;R ;Prop;) is

dened by : Q,a (nite) setof states; Q

0

,the set of initial states; R ,a

transition between states R (q;q 0

), also denoted q ! q 0

; Prop, the setof

atomi propositions;  an inje tive mapping from Q to2 Prop

.

Therequirementsthatisinje tiveensuresthatea hstate istotally

hara terisedbythevaluesofitsatomi propositions. Sin ewefo uson

theveri ationofstateformulas,thereisnolabelatta hedto ar s. Our

approa h ould be adapted easily to formulas expressing onditionson

statetransitions. Thenalresult(see proposition8)holdsforanynite

bran hing transition systems, i.e. the number of initial states is nite

and ea h rea hable state hasa nitenumberof su essors.

Onemayexpressalineartimetemporallogi formulawithlanguages

like LTL (Pnueli, 1977) or - al ul (Kozen, 1983). During the model

he king pro ess, the onsidered formula an be translated in a Bu hi

automaton(Vardi,1996).

Denition2 AB u hiautomaton A=(B;B

0

;R ;Prop;;F) isdened

by : B, anite setof states; B

0

, the subsetofB of the initialstates; R ,

a transition relation between states R (b;b 0

), also denoted b !b 0

; Prop,

the set of atomi propositions;  a mapping from B to 2 Prop

The veri ation problem of a formula expressed by the Bu hi

au-tomaton is usually redu ed to the sear h of an innite run within the

system: su harunfq

i g i=0::1 withq 0 2Q 0

must orrespondto an

in-nitepathfb i g i=0::1 withb 0 2B 0

withintheautomaton. Morepre isely,

theatomi propositionslabellingevery state b

i

must also be present in

state q i : (b i )  (q i

). In addition, an a epting state must o ur

innitelyoften in the onsidered path. This leads to the denition of

thefollowingkey on ept, alledthe syn hronised produ t.

Denition3 Let S be a transition system and A a B u hi

automa-ton. The syn hronised produ t between S and A is a graph Gr(S;A)=

(V;V

0

;R ), dened by : V = f(q;b) s.t. (b)  (q)g, the set of

nodes; V 0 = f(q;b) 2 V s.t. q 2 Q 0 ^b 2 B 0

g, the set of initial

states; R , the transition relation between nodes, denoted !, and su h

that (q;b)!(q 0 ;b 0 ) iq !q 0 and b!b 0 .

One standard model he king prin iple onsists of a translation of

the negation of the formula in a Bu hi automaton, the building of the

syn hronised produ t, and the sear h of an "invalidating" path within

thesyn hronisedprodu t.

Denition4 Let S be a transition system and A a B u hi automaton

expressing the negation of formula f. Formula f is valid i thereis no

invalidpathinGr(S;A). Aninvalidatingpathofformulaf isaninnite

path within the syn hronised produ t Gr(S;A),starting from oneinitial

node and in ludinginnitely often the subset of nodes f(q;b)s:t:b2Fg

If the system is nite, the veri ation pro edure is redu ed to the

sear h of an elementary path ending by a state yet visited, s.t.

be-tween the two o urren es, a state referring an a epting ondition is

met. Manyimprovementstothismethod an befoundintheliterature,

among them thereare theon-the- yte hniqueswhi h sear h foran

in-validatingpathsimultaneouslyto thebuildingofGr(S;A)(Gerthetal.,

1993). Allthesete hniques anbeappliedinthe ontextofthequotient

syn hronisedprodu t we develop inse tion2.3.

2.2. SYMMETRIC TRANSITION SYSTEMS

In order to highlight all the developed on epts, we onsiderin this

se tion a model of a proto ol where four pro esses, denoted by C =

fu;v;w;xg,exe utethesameprogram. Forsakeofsimpli ity,weassume

that ommuni ations are instantaneous, so that the global system is

variable, e.g. l(x). The denition domain for l(x) is fidle, transmit,

wait,a essg.

Be ause "symmetries" are usually handledby group theory, we now

re allsome elementarynotionsof group(Lang, 1977).

Denition5 Let G bea group, ontaining a neutral element id, whi h

operation is denoted by ().

LetE bea set,an a tionof Gover E isa mapping fromGE to

E s.t. the image of (g;e), denoted by g:e, fullls : 8e 2Eid:e=

e 8g;g 0 2G(gg 0 ):e=g:(g 0 :e)

The isotropy (sub)group G

e

of an element e is dened by : G

e =

fgs:t:g:e=eg

Let H be a subgroup of G, the orbit H:e of e under H is dened

by : H:e=fg:es:t:g2Hg

Thisa tion anbestraightforwardly extended tothe powerset of E

by : g:E 0

=fg:es:t:e2E 0

g

Let us assume that E is the set of the atomi propositions of our

model. Forinstan e,proposition[l(u)=idle℄meansthatthelo alstate

of pro ess u is idle. If G is the group of permutations of C and if g

is the permutation whi h ex hanges pro esses u and v, then g:[l(u) =

idle℄=[l(v) =idle℄. Let f[l(u)=idle℄;[l(v)=idle℄g be a set of atomi

propositions, then the isotropy group of this subset is the subgroup of

permutations whi h letthesubset fu;vg globallyinvariant.

Wearenowableto hara terisewhatisasymmetri transitionsystem.

Denition6 Let S be a transition system andG be a group a ting on

Prop.

S is said to besymmetri (w.r.t. G) i :

Every state has a \ symmetri " state w.r.t. any element of G :

8q 2Q;8g2G; 9q 0

2Q; (q 0

)=g:(q) The a tion of the group

on the states is extended, by denoting g:q, the unique q 0

of the

former formula.

Thesetofinitialstatesisinvariantunderthea tionofG: G:Q

0 =

Q

0 .

Thea tionofGis ongruentw.r.t. thetransitionrelation: 8q;q 0 2 Q; 8g2G; q !q 0 ,g:q !g:q 0

2.3. MODEL CHECKING OF SYMMETRIC

TRANSITION SYSTEM

As a state is asso iated with a subset of Prop in both the Bu hi

automaton and themodel,we will usethe a tionof G on thepowerset

of Prop. Let b be a state of Bu hi automaton A, G

(b)

will simply be

denoted G

b

(although one annot dene an a tionof Gon B). Observe

that G

b

is strongly related to the symmetry degree of b independently

ofthestru ture oftheBu hiautomaton.

Letus onsiderdierent ases ofG

b

inthe ontext of ourexample. If

thissubgroup equals the group G, then the state is totally symmetri ,

e.g. thisisthe aseforpropositionsetf[l(u)=idle℄;[l(v) =idle℄;[l(w)=

idle℄;[l(x) = idle℄g. In ontrast, whenever the isotropy group is

re-du ed to the identity (denoted fidg), the state is totally asymmetri ,

e.g. f[l(u)=idle℄;[l(v) =transmit℄;[l(w) =wait℄;[l(x) =a ess℄g. In

most ases, the isotropy group is not trivial(i.e. it diers from id and

G). Let us note that in the ontext of our model, the isotropy group

of pro esses impli itly orresponds to a partition of pro esses, namely

thegroupofpermutationswhi h leftea hset ofthepartitioninvariant.

For f[l(u) = idle℄;[l(v) = idle℄g, the partition of C is ffu;vg;fw;xgg.

A ording to a state of the Bu hi automaton, we allsu h a partition

the lo al partition of the state.

Ouraimistobuildaquotientofthesyn hronisedprodu toverwhi h

itispossibleto sear han invalidatingpathdire tly. Inthis\quotient"

stru ture, ea h node is hara terisedbya triple(H;O;b), whereH is a

subgroupofG, O Q, b2B. Moreover, the followingtwopointsmust

hold:

(C1) 8q2O;(b)(q)

(C2) H:O =O

The intuitive idea is that the node (H;O;b) is an aggregation of a

setofnodesofthesyn hronisedprodu t,more pre iselyf(q;b)g

q2O . As

we will see now, H is used in the denition in order to give a sound

denitionof thesu essor relation.

The building of the quotient stru ture starts from the set of initial

nodes, dened asfollows : (G

b0 ;G b0 :q 0 ;b 0 ) with q 0 2Q 0 , b 0 2 B 0 and (b 0 )  (q 0

). Observe that onditionC2 is fullledtrivially be ause

G

b0

isa group,moreover onditionC1isdedu ed fromthedenitionof

G

b0 .

Then, there remainsto denethesu essor relation.

i b 1 ! b 2 and 9q 1 2 O 1 ; 9q 2 2 Q s.t. q 1 ! q 2 and (b 2 )  (q 2 ). ThenO 2 =(H 1 \G b 2 ):q 2 and H 2 G O 2 .

Observe that both onditions C1 and C2 are fullled by the new

node. Ee tively, from O

2 G b 2 :q 2

, one dedu esthat: 8q 0 2 2 O 2 ;9g 2 G b 2 s:t: q 0 2 =g:q 2 . So,(b 2 )=g:(b 2 )  g:(q 2 )=(q 0 2 ). Moreover, asH 2 G O2 thenH 2 :O 2 =O 2 .

Inorder tomake thesu essorrelationoperational, one mustspe ify

howthesubgroupH

2

is hosen. Withregardtothesu essorrelation,it

isinterestingto maximise H 2 ,i.e. to hoose H 2 =G O 2

,butthis hoi e

might not be possible w.r.t. the synta ti al aspe ts of the model. In

any ase, H

2

an be hosen asthe subgroup(H

1 \G

b2

). The following

lemmaand proposition1 showthe validityof our onstru tion.

Lemma1 Let S be a symmetri transition system and A be a B u hi

automaton. LetGr(S;A)bethe orrespondingsyn hronised produ t and

GR Q(S;A)the orresponding quotient stru ture.

Let (H 1 ;O 1 ;b 1 ) and (H 2 ;O 2 ;b 2

) be two nodes of GRQ(S,A).

(H 1 ;O 1 ;b 1 ) ! (H 2 ;O 2 ;b 2 ) ) 8q 2 2 O 2 ; 9q 1 2 O 1 ; (q 1 ;b 1 ) ! (q 2 ;b 2 ) Let (q 0 ;b 0 ) !(q 1 ;b 1 )! :::! (q n ;b n ) !::: bea (innite) path in Gr(S;A),then9(H 0 ;O 0 ;b 0 )!(H 1 ;O 1 ;b 1 )!:::!(H n ;O n ;b n )! ::: a (innite) path in GR Q(S;A)s.t. q i 2O i (i21::n).

Itisworth notingthattherstpointbe omes falseinthe asewhere

one ex hanges its onsequen e bythe following one: \ 8q

1 2 O 1 ;9q 2 2 O 2 ; (q 1 ;b 1 )!(q 2 ;b 2 )".

Proposition 1 Forasymmetri nitebran hingtransitionsystem,there

isaninvalidating path in thesyn hronised produ t ifandonly ifthereis

an invalidating path in the quotient stru ture.

3. APPLICATION TO THE WELL-FORMED

PETRI NETS

Thewell-formedPetrinetmodeloersaglobalsolutionforthedesign,

veri ation and performan e evaluation of distributed systems graphs.

A well-formed Petri net is a high level Petri net model. Its spe i

syntax has made possibleto denemethodswhi htake prot from the

symmetry relations existing in systems. One of the asso iated

De i

Tr i

At i

Sci

Re i

∧

j I

∈

At j

Sc

∧

j I

∈

j

,

p

_i

{ }

i=1

n

∧

j I

∈

Tr j

Figure1 Automatonofonepro ess

analyse some standard properties of the Petri nets aswellas to derive

an aggregated Markov hain in order to ompute performan e indi es

(Chiolaetal.,1993). Weareinterestedinadaptingthis onstru tionto

ourmethod, butwe do notfully des ribeneither the well-formedPetri

netdenitionnortheimplementationofthesymboli rea habilitygraph

building(see Chiolaetal., 1991 for more details). A tually,we will

fo- uson therepresentationof nodesand on the buildingofthe su essor

relation.

3.1. PRESENTATION OF THE

WELL-FORMED PETRI NET MODEL

Des ription of the system and properties to verify. The

systemwhi hisdes ribedhere onsistsofnpro essesfP

i g

i=1::n

a essing

to a riti al se tion. Like in the former model, we onsider that the

pro esses run the same riti al se tion a ess proto ol. They are now

syn hronisedbysharedvariables.

This proto olis des ribedfor apro ess P

i

inFigure 1. Initially,the

pro essisidle(lo alstateR e)thenitmayaskforana esstothe riti al

se tion (lo al state De). Before a essing this se tion (lo al state S )

thepro ess follows asequel of two lo alstates : Transmitting(Tr) and

Waiting (At). We now detail the state transitions : (1) A requesting

pro ess an be in state Tr if there is no pro ess in waiting state. The

s heduler onsiders as privileged all the pro esses in state De. This is

representedinthegurebyaboldar . (2)Apro ess hangesfromstate

Tr to At without spe i ondition. (3) To enter the riti al se tion,

theremustbenopro ess inthisse tion,butalsonopro essinstate Tr.

We aim at demonstrating that the system is (weakly) fair : Every

pro ess whi hasks forthe riti al se tionwillobtainit ina nitetime.

Intuitively,thispropertyholdsdueto the onditionswhi hensuresthat

requests are treated wave after wave. A wave starts from the moment

when there is a requesting pro ess and is ompleted as soon as one

pro ess enters thewaitingstate.

S

S

S

C(Re)=C(De)=C(Tr)=C(At)=C(Sc)=C(Vg);

C(Mu)=

ε

;

S

Vg

Mu

Re

De

Tr

At

Co

S

X

X

X

X

X

X

X

X

X

X

t1

t2

t 4

t 5

t 3

Sc

Figure 2 Modelling of the

symmetri- albehaviourofthesystem

true

b

1

b

2

b

3

b

0

De , Re

_i

_j

Sc , Sc

_i

_j

Sc j

true

b

t

1,2

_{n, n-1}

Figure3 Bu hiautomatonof:f

theprivilegeof the hangefromDeto Tr,arequestingpro essbelongs

either to the urrent wave or to the following one. This ensures the

fairnessproperty.

In a se ond stage, the system ismodied sothat within a wave, the

exe utions ofthe riti al se tion areordered a ording to a priority

re-lation,indu edbythe identitynumberof pro esses. A tually,Therst

systemissymmetri , whilethe se ondis not.

With respe t to this new spe i ation, the two expe ted properties

arethefollowings :

Every requestingpro esswillnally obtainthea ess

The pro esses in state Tr or At will be served a ording to the

orderindu edbythespe iedpriorityrelation.

In ontrast,thestrongfairnessproperty\Arequesting pro ess willbe

served beforeevery pro ess in state idle"is false.

Formal modelling for the System and its properties.

1

At , At , At

₂

₃

Mu

At , At

₂

₃

Mu

At 3

Mu

Sc

Sc2

Sc3

c

2

c

4

c

6

1

c

1

c

3

c

5

1

At , At , At

₂

₃

Mu

c

0

In order to represent our system, we pro eed in two stages : a

sym-metri systemis spe iedrst interms ofthe well-formedPetrinets of

Figure 2, then the runs whi h do not preserve the priorityrelation are

prohibited by means of the additional automaton of Figure 4, namely

ontrol automaton. A tually, the system formally orresponds to the

syn hronised produ t of the well-formed Petri net and the ontrol

au-tomaton.

In a well-formedPetri net,a olourdomainis atta hedto ea hpla e

and transition. Ea h token ina pla e is typed by a olour of thepla e

olourdomain. Ea h olour of a transition indi ates a dierent way to

rethetransition,hen e, thelabelsofthear sarenomore integersbut

olourfun tionswhi hdenote forea h ringthequantitiesoftokensto

be onsumed and produ ed per ea h olour. In well-formed Petri nets,

the olour fun tions are written under a spe i syntax whi h allows

oneto exploitthesystemsymmetries. Fun tionSrepresentsa onstant

fun tion, alledadiusion. Fun tionSisasumoftokenss.t. thereisone

token per olour of the domain, e.g. one forea h pro ess. Fun tion X

representsthe olourwhi hisusedtoinstantiatetheringofatransition

inthenet.

In addition, a priority number is asso iated with ea h transition of

thewell-formedPetrinets. Thus,amongthetransitionsthatareenabled

fromthe urrentmarkingofthenet,onlytheoneswhi hhavethehighest

priorities an bered.

In the well-formed Petri net of Figure 2, the lo al states of the

pro- esses are represented by means of the orresponding pla es. The set

C=fh1i);h2i);h3ig isthe olourdomainof pro esses. It is thedomain

of all the pla es (ex ept Mu) and the domain of all transitions of the

net. The marking of pla e R e by the( onstant)diusion fun tion

or-responds to the fa t that, initially, all pro esses are idle. Three more

pla esallow one to implementthe proto ol me hanism : (1)Pla e Mu

isusedto spe ifythe ontrolof a esses to the riti alse tion; initially,

it is set to an (un oloured) token and prohibits the ringof transition

t

4

,whenever pla e S is marked. (2-3) Pla es Vg and Co (initiallyset

to S) are used to spe ifythe wave me hanism. Vg prohibits thering

of transition t

2

, whenever one of the At or S pla es is marked. Pla e

Coprohibitstheringof transitiont

4

whenever pla e Tr isnotempty.

At last,t

2

isatransitiontheringofwhi hisprivilegedwithrespe tto

theotherstransition,sothat theexpe tedbehaviourof thes heduleris

obtainedby thefollowingpriorityrelation: 8t6=t

2 ,Pri(t

2

)>Pri(t).

The spe i ation of the well-formed Petri net is ompleted by the

ontrolautomaton A

given in Figure 4. The rst state of A

spe ies

norequestforthat. Thethreestatesattheleft sidespe ifythedierent

aseswhereapro essmustbeprivileged,providedthe riti alse tionis

empty. Moreover, thethree pro esses intheright sidedeterminewhi h

pro essesisinthe riti alse tion. Thear sfromleftto right ensurethe

priorityme hanism. The othersfollow thebehaviour ofthenet.

The semanti of the system is dened by the syn hronised produ t

betweenthe ontrolautomaton and therea habilitygraph ofthe net.

In order to illustrate our method, we wish evaluate the following

strong fairness property : \A requesting pro ess will be served before

every idle pro ess". The orresponding LTL formula is the following(

Pnueli, 1977): f =^ i;j2I G[(De i ^R e j ))X(S j US i )℄

The Bu hi automaton A

:f

partially representedby Figure 3 models

the possible runs of the system for whi h the negation of property f

holds. For sake of simpli ity, only one bran h (i;j) is represented. In

this elementary ase, the stru ture of the automaton is immediately

dedu edfrom theformulato invalidate. Withthe helpoftherst state

of the automaton, one waits to the moment when (De

i ^R e

j

) holds,

whi hwill ause theinvalidationof theproperty. Then, thenext states

of the automaton ensures that pro ess j will enter the riti al se tion

beforei. Thelaststate representstheremainingpartoftheinniterun,

withoutmeaning a ording to the onsideredproperty.

We highlight now (for this kind of spe i ation) that the he king

of a formula on an asymmetri system an be redu ed to the he king

of an asymmetri formula on a symmetri system. The sear h of a

pathmust be omputedthrough thesyn hronised produ t of thethree

stru tures : the rea hability graph of the well-formed Petri net, the

ontrol automaton and the automaton of the negation of the formula.

However, the syn hronised produ t is a ommutative and asso iative

operation. It is thus possible to perform the syn hronised produ t of

the two automata, A

and A

:f

, in order to obtaina new one, then to

applyour onstru tiononthisnewautomatonandthewell-formedPetri

net(a symmetri model).

On an he kthatthefollowingpathinthesyn hronised produ t

in-validates thedesiredformula:

(m 0 ;( 0 ;b 0 )) t1(h1i) ! (m 1 ;( 0 ;b 1 )) t2(h1i) ! (m 2 ;( 0 ;b 2 )) t1(h2i) ! (m 3 ;( 0 ;b 2 )) t2(h2i) ! (m 4 ;( 0 ;b 2 )) t 3 (h2i) ! (m 5 ;( 3 ;b 2 )) t 3 (h1i) ! (m 6 ;( 3 ;b 2 )) t 4 (h2i) ! (m 7 ;( 4 ;b 3 ))

Ea h node (m,( ,b)) of su h a sequen e orresponds respe tively to

label of an ar represents some ring in the net. For instan e, t

1 (h1i)

!

orrespondsto the ringof transition t

1

withrespe tto pro ess h1i.

3.2. BUILDING OF THE SYMBOLIC

SYNCHRONISED PRODUCT

The symboli syn hronised produ t is a representation of the

quo-tient syn hronised produ t. We all them symboli due to the analogy

withthesymboli rea habilitygraphrepresentation(Chiolaetal.,1991).

Itsmajorpe uliarityis that obje ts are nevermore represented

expli -itly,but are viewed under a symboli form. For instan e, one an say

symboli ally that two pro esses require the same resour e, instead of

sayingthatpro esses1 and 2require resour e1. From su h asymboli

representation, a symboli ring rule an be dened whi h allows one

to omputethesymboli rea habilitygraph,automati ally anddire tly

fromtheobje tspe i ationwithinthewell-formednet.

Computation of lo al partitions of olours. Before omputing

thequotientsyn hronisedprodu t,one must omputeandrepresentthe

isotropy group of ea h state of the automaton. The most easy way to

pro eed onsists indete ting the olours whi h marks the same

propo-sitions in the states. These olours are gathered in subsets and these

subsets form a partition, named lo al partition. The isotropy group is

impli itly dened as the group of permutations whi h left ea h set of

thepartition globally invariant. Let usgive three examples : (1) For a

statewhere theatomi propositionsarefAt

1 ;At 2 ;At 3 g,thepartitionis

omposed byauniquesingletonfh1i;h2i;h3ig (i.e. allthepermutations

areadmissible). (2)Forastatewheretheatomi propositionsarefAt

2 g,

thepartitionis omposedofasingletonfh2ig andaset omposedofthe

remaining olours,herefh1i;h3ig(thepermutationsmustlefth2i

invari-ant). (3) Fora state wherethe atomi propositions arefAt

2 ;At

3 g, the

partitionis omposedofthreeelements,fh1ig;fh2ig;fh3ig . Theisotropy

groupisredu edto the identitypermutation.

States of the symboli syn hronised produ t. Let us re all

that we want to represent triples (H,O,(b, )), su h that O is subset

of markings whi h is un hanged under the a tion of the subgroup H

(O=H:o, 8o2O). The subgroup H willbe impli itly representedby

a lo al partition, whi h may dier from the partition atta hed to the

state of the automaton (H may be dierent from G

b

). The subset of

markings will be represented in a symboli way : the olour domain

omposition is not known). However for ea h subset, the ardinality

andthe referen e toa lo al partitionis preserved. The markingsof the

netarenowsymboli sin etheirtokensarenomore olourbutdynami

sub lasses. Symboli markings are denotedlikem.b

Inourexample, there isone initialsymboli node,su hthat :

(mb 0 ;(b 0 ; 0 ))wheremb 0

is asymboli markingof thenetsu h that:

b m

0

isdenedfromauniquelo alpartitionfh1i;h2i;h3ig omposed

of a uniquedynami sub lass(denotedZ

1 s.t. jZ 1 j=3), b m 0 =(Z 1 :R e+Z 1 :Co+Z 1

:Vg)+Mu,meaning thatthere is one

token of ea h pro ess inpla es R e, Co and Vg and that there is

one un olouredtoken inpla e Mu.

The atomi propositions of b

0 and 0 (fAt i g i=1::3 ;Mu) are satisedby b m 0 . Observe that b m 0

is asymboli representationforbothsubgroupH

ofpermutationsand subsetO ofmarkings.

Symboli ring inthe quotientsyn hronised produ t. In

or-derto builda su essor of a node (H

0 ;O 0 ;(b 0 ; 0

)) withinthesymboli

syn hronised produ t, a su essor of the urrent state in the

automa-tonis sele ted. Forinstan e from (b

0 ;

0

), one an hoose state (b

1 ;

0 )

as a possible su essor. Then a new lo al partition is omputed, by

interse ting the lo al partition of the state urrently onsidered within

the symboli syn hronised produ t and the lo al partition of the state

newly onsidered withinthe automaton. This is equivalent to onsider

thegroupH 0 \G (b 1 ; 0 ) . For state (mb 0 ;(b 0 ; 0

)), the lo al partition in the symboli syn

hro-nisedprodu t isgiven by fh1i;h2i;h3ig and the one of the state within

the automaton is given by fh1ig;fh2ig;fh3ig . Hen e, a de omposition

identi al to olours isobtained. Let

m 0

0

bethesymboli representation

b m

0

aftertheabove de omposition:

8i2f1;2;3gZ

i

isthe uniquedynami sub lassof fhiig

m 0 0 = (Z 1 :R e+Z 2 :R e+Z 3 :R e)+(Z 1 :Co+Z 2 :Co+Z 3 :Co)+ (Z 1 :Vg+Z 2 :Vg+Z 3 :Vg)+Mu

Then, a symboli ring is performed in the net whi h is similar to

theordinaryone(see Chiolaetal.,1991formoredetails). Forinstan e,

theringoft

1 (Z

1

) leadsto symboli marking m 0 1 =(Z 1 :De+Z 2 :R e+ Z 3 :R e)+(Z 1 :Co+Z 2 :Co+Z 3 :Co)+(Z 1 :Vg+Z 2 :Vg+Z 3 :Vg)+Mu.

Additionally,one mustverify that

m 0

1

satisestheatomi properties of

The last stage onsists ingrouping some lo al partitions whi h

on-tain a single dynami sub lass, provided the distributions of the

on- erned dynami sub lassesoverthe pla es are thesame. A tually,this

doesnotmodiesthesetofordinarymarkingsasso iatedwiththe

sym-boli markingandthismeansthatthegroupofadmissiblepermutations

H

0 \G

(b1; 0)

isextended. Forinstan ein

m 0

1

,setsfh2igandfh3ig anbe

grouped yieldingsymboli marking b

m

1 : Z

1

istheuniquedynami

sub- lassoffh1ig andZ

2

istheuniquedynami sub lassoffh2i;h3ig;

more-over, b m 1 =(Z 1 :De+Z 2 :R e)+(Z 1 :Co+Z 2 :Co)+(Z 1 :Vg+Z 2 :Vg)+Mu. 4. CONCLUSION

Complexity redu tionof theveri ation by use of the symmetries is

now well established. However most of theproposedte hniquesdo not

handle (or in a limited way) the partially symmetri systems. In this

workwe have proposedaneÆ ientwaytodealwithasymmetri models

and/orformulas. Ourmethoddoesnotdependonaparti ularformalism

and a priori an be applied to any one. Here we have illustrated the

methodonwell-formedPetrinetsinorderto larifytheprin iplesbased

ona tions ofgroupson transition systems.

This work needs to be ompleted in two ways. At rst, it must be

integrated in a tool. So the implementation of the presented work is

underprogress. Wehave hosentodevelopourmethodintheGreatSPN

tool(Chiola etal., 1997) as symmetries are already exploited for

well-formed Petri nets. To this implementation, must su eed a stage of

evaluation in order to hara terise systems for whi h our algorithm is

eÆ ient.

Moreover, weplanto ombineourmethodwiththeglobalanalysis of

symmetriesof the automaton as done in (Ajami et al., 1998). At last,

weinvestigate thewaytoextendthismethodto performan eevaluation

ofsto hasti well-formedPetrinets.

Referen es

Ajami, K., Haddad, S., and Ilie,J.-M. (1998). ExploitingSymmetry in

Linear Temporal Model Che king : One Step Beyond. In Pro . of

Tools and Algorithms for the Constru tion and Analysis of Systems

TACAS'98, part of Theory and pra ti e of Software ETAPS'98,

vol-ume 1384 of LNCS,pages 52{67, Lisbon- Portugal. SpringerVerlag.

Chiola,G.,Dutheillet,C.,Fran es hinis,G.,andHaddad, S.(1991). On

Well-FormedColouredNets andTheirSymboli Rea habilityGraph.

InJensen,K.andRozenberg,G.,editors,High-LevelPetriNets.

Chiola, G., Dutheillet, C., Fran es hinis, G., and Haddad, S. (1993).

Sto hasti Well-Formed Colored Nets and Symmetri Modeling

Ap-pli ations.IEEETransa tionson Computers, 42(11):1343{136 0.

Chiola,G.,Fran eshinis,G.,Gaeta,R.,andRibaudo,M.(1997).

Great-SPN1.7: GRaphi al Editor and Analyzer for Timed and Sto hasti

PetriNets. Performan eEvaluation, North Holland Journal, 24.

Clarke,E.,Enders,R.,Filkorn,T.,andJha, S.(1996). Exploiting

Sym-metryinTemporal Logi ModelCha king.Formal Methods and

Sys-tem Design,9:77{104.

Emerson,E.andPrasadSistla,A.(1996). SymmetryandModel

Che k-ing.Formal Methods and System Design,9:307{309.

Emerson,E.A.andTre er,R.J.(1999). FromAsymmetrytoFull

Sym-metry:NewTe hniquesForSymmetryRedu tioninModelChe king.

In Pro of CHARME'99, Le ture Notes in Computer S ien e, pages

142{156, BadHerrenalb- Germany.Springer Verlag.

Gerth,R.,Peled,D.,Vardi,M.,andWolper,P.(1993).SimpleOn-the- y

Automati Veri ation of LinearTemporal Logi . In Pro . Int Conf.

on Proto ol Spe i ation Testing and Veri ation.

Godefroid, P. and Wolper, P. (1994). A Partial Approa h to Model

Che king.Information andComputation, 110(2):305{326.

Haddad,S.,Ilie,J.,Taghelit,M.,andZouari,B.(1995).Symboli

Rea h-ability Graph and Partial Symmetries. In Pro . of the 16 th

Intern.

Conferen e on Appli ation and Theory of Petri Nets, volume 935 of

LNCS,pages 238{257, Turin,Italy.SpringerVerlag.

Holzmann,G.J.(1997).TheSpinModelChe ker.IEEETransa tionon

SoftwareEngineering,23(5):279{295.

Jensen,K. (1986). ColouredPetriNets. InBrauer, W., Reisig,W.,and

Rozenberg, G., editors, Petri Nets: Central Model and their

Proper-ties,Advan es in Petri Nets,Part 1, volume 254 of Le tureNotes in

Computer S ien e, pages 248{299, Bad Honnef, Germany. Springer

Verlag.

Kozen,D.(1983). Resultson thepropositionalmu- al ulus.Theoreti al

Computer S ien e, 27:333{354.

Lang,S.(1977). Algebra.7thprinting.AddisonWesley.

Pnueli,A.(1977).Thetemporallogi ofprograms.InPro eedings ofthe

18th IEEE Symposium on Foundations of Computer S ien e, pages

46{57.

Vardi,M.(1996).AnAutomata-theoreti Approa htoLinearTemporal