Slide 1

Slide 1 text

Petri Nets: Expressibility and Ease of Modeling
Part 2 - Formal Analysis
Irina A. Lomazova
National Research University Higher School of Economics, Laboratory of Process-Aware Information Systems (PAIS Lab), Moscow, Russia
International Conference on Software Testing, Machine Learning and Complex Process Analysis (TMPA 2019), Tbilisi, Georgia (7-9 November 2019)

Slide 2

Slide 2 text

Petri Nets - Agenda
Part 1 - Introduction and Extensions, on Thursday 07.11
- Introduction and Initial Examples
- Notion of Runs
- Petri Net Extensions
Part 2 - Formal Analysis, on Saturday 09.11
- Behavioral Properties
- Structural Analysis
Irina A. Lomazova Petri Nets - Part 2: Formal Analysis 1 / 21

Slide 3

Slide 3 text

Petri Nets - Short Recap: Formal Definition
A Petri net is a tuple PN = (P, T, F, W, M0) where:
- P = {p1, p2, ..., pn} is a finite set of places.
- T = {t1, t2, ..., tn} is a finite set of transitions.
- P ∩ T = ∅.
- F ⊆ (P × T) ∪ (T × P) is a set of directed arcs (flow relation).
- W : F → {1, 2, 3, ...} is a weight function.
- M0 : P → {0, 1, 2, 3, ...} is the initial marking.
A state of a Petri net is defined by a marking M : P → {0, 1, 2, 3, ...}

Slide 4

Slide 4 text

Petri Nets - Short Recap: Transition Firing Rule - An Example
A Petri net N in a marking M with transition t enabled.
N with a new marking M' after firing transition t.
[Figure: a net with places H2, O2 and H2O and a transition t, with arc weights 2, shown before and after firing t]

Slide 5

Slide 5 text

Formal Analysis of Petri Nets Behavioral Properties

Slide 6

Slide 6 text

Formal Analysis of Petri Nets: Properties of Petri Nets
What can we do with the models?
A major advantage of Petri nets is their support for a formal analysis of many properties associated with concurrent systems. Two types of properties can be studied:
1. Behavioral properties: depending on the initial marking.
2. Structural properties: free from the initial marking.

Slide 7

Slide 7 text

Formal Analysis of Petri Nets: Some decidable Behavioral Properties
1. Reachability
2. Boundedness
3. Coverability
4. Deadlock freeness
5. Liveness
6. Fairness
7. ...

Slide 8

Slide 8 text

Formal Analysis of Petri Nets: Reachability Graph
The reachability graph R(N, M0) of a Petri net N is a rooted directed graph where:
- The root node is the initial marking M0 of N.
- Each node in R(N, M0) is a marking reachable from M0.
- Each edge in R(N, M0) denotes the firing of a transition t leading from marking M to M'.
[Figure: a Petri net with places p1-p5 and transitions t1-t3, and its reachability graph with nodes (1, 1, 0, 0, 0), (0, 1, 1, 0, 0), (1, 0, 0, 1, 0), (0, 0, 1, 1, 0) and (0, 0, 0, 0, 1) and edges labelled t1, t2 and t3]

Slide 9

Slide 9 text

Behavioral Properties: Reachability Problem
Find if a marking M is reachable in a Petri net (N, M0).
M ∈ R(N, M0)?
[Figure: the Petri net with places p1-p5 and transitions t1-t3, and its reachability graph, repeated from the previous slide]

Slide 10

Slide 10 text

Behavioral Properties: Boundedness
Check whether the number of tokens in each place does not exceed an integer k, for any reachable marking.
[Figure: Producer-Consumer model. A Producer and a Consumer component with places p1-p6 and transitions t1-t5; node labels: produce, dispatch, storage, ready, buffer, reception, consume, request]

Slide 11

Slide 11 text

Behavioral Properties: Safety
Two processes cannot be within the critical section at the same time.
[Figure: Mutex - Mutual Exclusion. Process 1 and Process 2, each with places local, waiting and critical, and a place Shared Key; transitions t1-t6]

Slide 12

Slide 12 text

Behavioral Properties: Liveness and Fairness
Liveness: It is always possible to fire any transition by progressing through some firing sequence.
Fairness: Each transition is fired infinitely often (no starvation).
[Figure: The Dining Philosophers problem. Philosophers 1-4, with nodes labelled thinking, eating and fork, and l1-l4, b1-b4, r1-r4]

Slide 13

Slide 13 text

Formal Analysis of Petri Nets Structural Analysis

Slide 14

Slide 14 text

Structural Analysis
Properties of Petri nets can indeed be proved by constructing and analyzing the reachability graph. However, the reachability graph may be huge (exponential in the number of places) or infinite.
Structural analysis → Prove properties without constructing the reachability graph.

Slide 15

Slide 15 text

Structural Analysis: Incidence Matrix of a Petri net N = (P, T, F, W, M0)
Matrix C : P × T → Z
Rows correspond to places, and columns to transitions. Column t ∈ T denotes how the firing of t affects the net marking.
C(t, p) = W(t, p) − W(p, t)
[Figure: mutual exclusion net with places p1-p7 (p3 and p7 labelled critical, p4 labelled key) and transitions t1-t6]
Incidence matrix of this net:
      t1  t2  t3  t4  t5  t6
p1    -1   0   1   0   0   0
p2     1  -1   0   0   0   0
p3     0   1  -1   0   0   0
p4     0  -1   1   0  -1   1
p5     0   0   0  -1   0   1
p6     0   0   0   1  -1   0
p7     0   0   0   0   1  -1

Slide 16

Slide 16 text

Structural Analysis: Firing Equation
$M' = M + C \cdot u$
M is a marking written as a column vector, e.g. $M = (1\ 0\ 0\ 1\ 1\ 0\ 0)^T$.
u is a column vector denoting a finite sequence of firings, e.g. $u = (1\ 1\ 0\ 1\ 0\ 0)^T$ for the firing of t1, t2, and t4 (each once).
$$M' = M + C \cdot u = \begin{pmatrix}1\\0\\0\\1\\1\\0\\0\end{pmatrix} + \begin{pmatrix}-1&0&1&0&0&0\\1&-1&0&0&0&0\\0&1&-1&0&0&0\\0&-1&1&0&-1&1\\0&0&0&-1&0&1\\0&0&0&1&-1&0\\0&0&0&0&1&-1\end{pmatrix}\begin{pmatrix}1\\1\\0\\1\\0\\0\end{pmatrix} = \begin{pmatrix}0\\0\\1\\0\\0\\1\\0\end{pmatrix}$$

Slide 17

Slide 17 text

Structural Analysis: Proving Unreachability using the Incidence Matrix
Given a Petri net N with incidence matrix C, and M, M' two markings of N.
If $M' \in R(N, M)$, then there exists a vector u such that $M' = M + C \cdot u$ and all entries of u are natural numbers.
Corollary: If $M' = M + C \cdot u$ has no natural solution for u, then $M' \notin R(N, M)$.

Slide 18

Slide 18 text

Structural Analysis: Proving Unreachability using the Incidence Matrix
Corollary: If $M' = M + C \cdot u$ has no natural solution for u, then $M' \notin R(N, M)$.
Consider the following Petri net N, and a target marking $M' = (1\ 1)^T$.
[Figure: a Petri net with places p1, p2 and transitions t1, t2]
$$M_0 + C \cdot u = M': \quad \begin{pmatrix}1\\0\end{pmatrix} + \begin{pmatrix}-1&1\\1&-1\end{pmatrix}\begin{pmatrix}u_1\\u_2\end{pmatrix} = \begin{pmatrix}1\\1\end{pmatrix}$$
$M' = M_0 + C \cdot u$ has no natural solution. M' is not reachable.
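The corollary can be applied mechanically. The following is an added example, not part of the original slides: it tests whether C·u = M' − M0 is solvable at all over the rationals, which is a sufficient check, because no rational solution implies no natural one. The function names are illustrative; the matrix and markings are those of the two-place net on this slide.

```python
from fractions import Fraction

def has_rational_solution(C, delta):
    """Exact Gaussian elimination on [C | delta]; False means C*u = delta is inconsistent."""
    rows = [[Fraction(v) for v in row] + [Fraction(d)] for row, d in zip(C, delta)]
    pivot_row = 0
    for col in range(len(C[0])):
        # Find a row at or below pivot_row with a non-zero entry in this column.
        pr = next((r for r in range(pivot_row, len(rows)) if rows[r][col] != 0), None)
        if pr is None:
            continue
        rows[pivot_row], rows[pr] = rows[pr], rows[pivot_row]
        for r in range(len(rows)):
            if r != pivot_row and rows[r][col] != 0:
                f = rows[r][col] / rows[pivot_row][col]
                rows[r] = [a - f * b for a, b in zip(rows[r], rows[pivot_row])]
        pivot_row += 1
    # A row "0 = non-zero" proves that no u exists, rational or natural.
    return not any(all(v == 0 for v in row[:-1]) and row[-1] != 0 for row in rows)

def state_equation_refutes(C, m_from, m_to):
    """True if the firing equation alone proves m_to unreachable from m_from.

    False is inconclusive: a rational (or even natural) solution u does not
    guarantee that a firing sequence with those counts is actually enabled.
    """
    delta = [b - a for a, b in zip(m_from, m_to)]
    return not has_rational_solution(C, delta)

# Two-place net from the slide: rows p1, p2; columns t1, t2.
C_SMALL = [[-1, 1],
           [1, -1]]
M0_SMALL = (1, 0)

if __name__ == "__main__":
    print(state_equation_refutes(C_SMALL, M0_SMALL, (1, 1)))  # target marking M'
    print(state_equation_refutes(C_SMALL, M0_SMALL, (0, 1)))  # token moved to p2
```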

Slide 19

Slide 19 text

Structural Analysis: Place Invariants (P-invariants)
Given a Petri net N and its incidence matrix C, a place invariant is a natural solution for $C^T \cdot x = 0$.
x is a vector with one entry for each place.
[Figure: mutual exclusion net with places p1-p7 (p3 and p7 labelled critical, p4 labelled key) and transitions t1-t6]
Some P-invariants for N:
$x_1 = (1\ 1\ 1\ 0\ 0\ 0\ 0)^T$
$x_2 = (0\ 0\ 1\ 1\ 0\ 0\ 1)^T$
$x_3 = (0\ 0\ 0\ 0\ 1\ 1\ 1)^T$
P-invariants indicate that the number of tokens in all markings satisfies some linear invariant.

Slide 20

Slide 20 text

Structural Analysis: Place Invariants - Properties
Let M be a marking reachable by some transition firings expressed by u: $M = M_0 + C \cdot u$.
Let x be a P-invariant. Then, the following holds:
$$M^T x = (M_0 + C u)^T x = M_0^T x + (C u)^T x = M_0^T x + u^T C^T x = M_0^T x$$
Therefore, $M^T x = M_0^T x$.

Slide 21

Slide 21 text

Structural Analysis: Place Invariants - Examples
Proving Mutual Exclusion
$C^T \cdot x = 0$ with C the incidence matrix of Petri net N.
$x = (0\ 0\ 1\ 1\ 0\ 0\ 1)^T$, $M^T x = M_0^T x$
[Figure: mutual exclusion net with Process 1 and Process 2, places p1-p7 (p3 and p7 labelled critical, p4 labelled key) and transitions t1-t6]
M(p3) + M(p4) + M(p7) = M0(p3) + M0(p4) + M0(p7) = 1
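An added example, not from the original slides, that replays the firing-equation computation and the P-invariant argument for the mutual exclusion net, and cross-checks them by enumerating every reachable marking. It assumes the net has no self-loops, so that input arc weights can be read off C, and it takes the marking (1 0 0 1 1 0 0) from the firing-equation slide as M0; all function names are illustrative.

```python
# Incidence matrix as given on the slides: rows p1..p7, columns t1..t6.
C = [
    [-1,  0,  1,  0,  0,  0],
    [ 1, -1,  0,  0,  0,  0],
    [ 0,  1, -1,  0,  0,  0],
    [ 0, -1,  1,  0, -1,  1],
    [ 0,  0,  0, -1,  0,  1],
    [ 0,  0,  0,  1, -1,  0],
    [ 0,  0,  0,  0,  1, -1],
]
M0 = (1, 0, 0, 1, 1, 0, 0)  # assumption: used here as the initial marking

def apply_firing_vector(m, u):
    """Firing equation M' = M + C*u (says nothing about enabledness)."""
    return tuple(mi + sum(c * uj for c, uj in zip(row, u)) for mi, row in zip(m, C))

def is_p_invariant(x):
    """x is a P-invariant iff C^T x = 0: every column of C is orthogonal to x."""
    return all(sum(C[p][t] * x[p] for p in range(len(C))) == 0
               for t in range(len(C[0])))

def enabled(m, t):
    # Assumption: no self-loops, so the input weight W(p, t) is max(0, -C[p][t]).
    return all(m[p] >= -C[p][t] for p in range(len(C)))

def reachable_markings(m0):
    """Depth-first construction of the node set of the reachability graph."""
    seen, stack = {m0}, [m0]
    while stack:
        m = stack.pop()
        for t in range(len(C[0])):
            if enabled(m, t):
                nxt = tuple(m[p] + C[p][t] for p in range(len(C)))
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
    return seen

def mutual_exclusion_holds(m0, x=(0, 0, 1, 1, 0, 0, 1)):
    """Check the invariant M^T x = M0^T x and M(p3) + M(p7) <= 1 on every reachable marking."""
    def weighted(m):
        return sum(a * b for a, b in zip(m, x))
    return all(weighted(m) == weighted(m0) and m[2] + m[6] <= 1
               for m in reachable_markings(m0))
```

With a second token in the key place p4 the invariant still holds (the weighted sum stays 2), but both critical places can be marked at once, which shows that the safety result depends on the initial marking.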

Slide 22

Slide 22 text

Structural Analysis: Place Invariants - Examples
The weighted token sum 1 ∗ M(man) + 1 ∗ M(woman) + 2 ∗ M(couple) for the Petri net below is an invariant, i.e., no transition can change it.
[Figure: a Petri net with places man, woman and couple and transitions t1 (marriage) and t2 (divorce)]
1 ∗ M(man) + 1 ∗ M(woman) + 2 ∗ M(couple) = 7
M0 : 2 + 3 + 2 ∗ 1 = 7

Slide 23

Slide 23 text

Structural Analysis: Place Invariants - Examples
The weighted token sum 1 ∗ M(man) + 1 ∗ M(woman) + 2 ∗ M(couple) for the Petri net below is an invariant, i.e., no transition can change it.
[Figure: a Petri net with places man, woman and couple and transitions t1 (marriage) and t2 (divorce)]
1 ∗ M(man) + 1 ∗ M(woman) + 2 ∗ M(couple) = 7
M0 : 2 + 3 + 2 ∗ 1 = 7
M : 3 + 4 + 2 ∗ 0 = 7 (firing of transition divorce)

Slide 24

Slide 24 text

Structural Analysis: Place Invariants - Examples
The weighted token sum 1 ∗ M(man) + 1 ∗ M(woman) + 2 ∗ M(couple) for the Petri net below is an invariant, i.e., no transition can change it.
[Figure: a Petri net with places man, woman and couple and transitions t1 (marriage) and t2 (divorce)]
1 ∗ M(man) + 1 ∗ M(woman) + 2 ∗ M(couple) = 7
M0 : 2 + 3 + 2 ∗ 1 = 7
M : 1 + 2 + 2 ∗ 2 = 7 (firing of transition marriage)

Slide 25

Slide 25 text

Structural Analysis: Traps
A trap is a set of places S ⊆ P such that S• ⊆ •S.
Each transition which removes tokens from a trap also puts at least one token back in the trap.
Trap S = {nc1, nc2}
[Figure: mutual exclusion net with places p1-p3, p5-p7, nc1 and nc2 (p3 and p7 labelled critical) and transitions t1-t6]
Transitions t2 and t5 remove and put back tokens in the trap S.

Slide 26

Slide 26 text

Structural Analysis: Traps - A support for proving mutual exclusion
Prove: M(p3) + M(p7) ≤ 1.
Places p3 and p7 (critical sections) must not be marked at the same time.
[Figure: mutual exclusion net with places p1-p3, p5-p7, nc1 and nc2 (p3 and p7 labelled critical) and transitions t1-t6]

Slide 27

Slide 27 text

Structural Analysis: Traps - A support for proving mutual exclusion
Prove: M(p3) + M(p7) ≤ 1.
Places p3 and p7 (critical sections) must not be marked at the same time.
Calculating P-invariants we obtain:
(1) M(p3) + M(nc1) = 1
(2) M(p7) + M(nc2) = 1
The trap S = {nc1, nc2} is marked at M0, and therefore in all reachable markings. Thus,
(3) M(nc1) + M(nc2) ≥ 1
Adding (1) and (2) and subtracting (3) yields: M(p3) + M(p7) ≤ 1

Slide 28

Slide 28 text

Formal Analysis: A Short Remark - On the Analysis of Petri net models with extensions
The properties and analysis techniques explained so far are considered for the class of ordinary Petri nets.
For extensions of Petri nets, increased expressibility comes at the price of making the formal analysis of properties less tractable (and in some cases undecidable).
However, several techniques have been proposed for the further analysis of properties on models with such extensions, e.g., compositional approaches.