Branching Processes of High-Level Petri Nets and Model Checking of Mobile Systems

Post on 03-Jan-2016


Branching Processes of High-Level Petri Nets and Model Checking of Mobile Systems

Maciej Koutny
School of Computing Science, Newcastle University

with: R. Devillers, V. Khomenko, H. Klaudel, A. Niaouris

UFO'07, Siedlce, Poland, 2007

Outline

• Motivation
• Coloured Petri nets
  • Expansion and unfolding
  • Relationship diagram
  • Experimental results
• Application: mobile systems
  • π-calculus to Petri nets
  • Implementation issues
  • Experimental results
• Further work

Motivation

Low-level PNs:
• Can be efficiently verified
• Not convenient for modelling

High-level descriptions:
• Convenient for modelling
• Verification is hard

Gap

Coloured PNs: a good intermediate formalism

Coloured PNs

[Figure: a coloured net with two input places of type {1,2} holding the tokens 1 and 2 (arc variables u and v), an output place of type {1..4} (arc variable w), and a transition with guard w<u+v.]

Expansion

[Figure: the w<u+v net (input places of type {1,2} with tokens 1 and 2, output place of type {1..4}) and its expansion into a low-level net with one transition per binding of u, v and w.]

• The expansion faithfully models the original net
• Blow up in size

Unfolding

[Figure: the w<u+v net with initial tokens 1 and 2 and its unfolding: two events, with bindings u=1, v=2, w=1 and u=1, v=2, w=2, producing the conditions 1 and 2 respectively.]

Example: computing GCD

[Figure: a coloured net with places m and n of type {0..100} holding u and v, a transition with guard v≠0 that consumes u and v and puts v back into m and u%v into n, and a transition with guard v=0 that moves u to an output place of type {0..100}. Its unfolding from the initial marking (3, 2) is the chain of events u=3, v=2 → (2, 1); u=2, v=1 → (1, 0); u=1 (with v=0) → output 1.]
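The expansion versus unfolding contrast of the last three slides, as an added example that is not code from the talk or from its tools: a small coloured-net simulator in which `bindings` enumerates either every type-consistent binding of a transition (its low-level expansion) or only the bindings enabled by the tokens present, and `unfold_events` collects the transition instances an unfolding actually builds. The function and place names (`bindings`, `fire`, `unfold_events`, p1..p3, m, n, out) are my own, and markings are modelled as sorted tuples of tokens per place.

```python
from itertools import product   # added example; names below are my own, not PUNF/MPSat
def bindings(trans, types, marking=None):
    """Guard-satisfying bindings of `trans`: inputs range over the place types (marking=None,
    the LL expansion) or over tokens present in `marking` (what unfolding explores)."""
    dom = {}
    for place, var in trans["in"]:
        dom[var] = sorted(set(types[place] if marking is None else marking[place]))
    for place, expr in trans["out"]:
        if isinstance(expr, str):          # a variable on an output arc only, e.g. w
            dom.setdefault(expr, types[place])
    names, found = list(dom), []
    for vals in product(*(dom[n] for n in names)):
        b = dict(zip(names, vals))
        if trans["guard"](b):
            found.append(b)
    return found

def fire(trans, b, marking):
    """Marking after firing `trans` under binding `b` (one token per arc)."""
    new = {p: list(toks) for p, toks in marking.items()}
    for place, var in trans["in"]:
        new[place].remove(b[var])
    for place, expr in trans["out"]:
        new[place].append(b[expr] if isinstance(expr, str) else expr(b))
    return {p: tuple(sorted(toks)) for p, toks in new.items()}

def unfold_events(net, types, m0):
    """Distinct (transition, binding) labels reachable from m0: the only bindings an
    unfolding ever materialises, found here by exploring markings depth-first."""
    def key(m): return tuple(sorted(m.items()))
    seen, todo, events = {key(m0)}, [m0], {}
    while todo:
        m = todo.pop()
        for t in net:
            for b in bindings(t, types, m):
                events[(t["name"], tuple(sorted(b.items())))] = None
                if key(m2 := fire(t, b, m)) not in seen:
                    seen.add(key(m2)); todo.append(m2)
    return list(events)

TYPES1 = {"p1": [1, 2], "p2": [1, 2], "p3": [1, 2, 3, 4]}   # slide net: u from p1, v from p2, w to p3
T1 = {"name": "t", "in": [("p1", "u"), ("p2", "v")], "out": [("p3", "w")],
      "guard": lambda b: b["w"] < b["u"] + b["v"]}
M1 = {"p1": (1,), "p2": (2,), "p3": ()}
TYPES2 = {p: list(range(101)) for p in ("m", "n", "out")}   # GCD net: m holds u, n holds v
STEP = {"name": "step", "in": [("m", "u"), ("n", "v")], "guard": lambda b: b["v"] != 0,
        "out": [("m", "v"), ("n", lambda b: b["u"] % b["v"])]}
DONE = {"name": "done", "in": [("m", "u"), ("n", "v")], "guard": lambda b: b["v"] == 0,
        "out": [("out", "u")]}
M2 = {"m": (3,), "n": (2,), "out": ()}
```

For the slide net the expansion has 8 low-level transitions but the unfolding from tokens 1, 2 has only the two events u=1, v=2, w=1 and u=1, v=2, w=2; for the GCD net with types {0..100} the expansion has 10201 transitions while the unfolding from (3, 2) needs three events.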

Relationship diagram

[Figure, built up over four slides: Coloured PNs → (unfolding) → Coloured prefix, and Coloured PNs → (expansion) → Low-level PNs → (unfolding) → Low-level prefix. The first build asks (?) how the two prefixes are related; the second marks them as equivalent (~); the third illustrates this on the w<u+v net, whose coloured prefix has two events with bindings u=1, v=2, w=1 and u=1, v=2, w=2 matching the two events of the low-level prefix; the last build identifies both as a single Prefix.]

Benefits

• Avoiding an exponential blow up when building the expansion
• Definitions are similar to those for LL unfoldings, no new proofs
• All results and verification techniques for LL unfoldings are still applicable
  • Model checking algorithms
  • Canonicity, completeness, finiteness
• Existing unfolding algorithms for LL PNs can easily be adapted
  • Usability of the total adequate order proposed in
  • All the heuristics improving the efficiency can be employed (e.g. concurrency relation and preset trees)
  • Parallel unfolding algorithm

Extensions: infinite place types

[Figure, built up over three slides: the GCD net again, first with place types {0..100}, then with the infinite type N for all three places; the unfolding from (3, 2) is unchanged: u=3, v=2 → (2, 1); u=2, v=1 → (1, 0); u=1 → 1. The third build replaces the place types by {0..2}, {1..3} and {1}, the colours that actually occur in that prefix.]

Refined expansion

[Figure: the relationship diagram with the refined expansion: Coloured PNs → (unfolding) → Prefix, and Coloured PNs → (expansion) → Low-level PNs → (unfolding) → Prefix.]

Experimental results

• Tremendous improvements for colour-intensive PNs (e.g. GCD)
• Negligible slow-down (<0.5%) for control-intensive PNs (e.g. Lamport’s mutual exclusion algorithm)

Application: mobility

• One of the main features of many crucial modern distributed computing systems
• Formal analysis and verification using process algebras like π-calculus
• Our aim: to alleviate the state space explosion problem during reachability analysis of mobile systems
• Using/adapting model checking algorithms based on unfoldings

Syntax (finite)

Basic elements are channel (names) like a, b, c, ...

ab          input prefix
āb          output prefix
τ           internal prefix
pref.P      first execute pref then P
P+Q         execute P or Q
P | Q       execute P and Q in parallel
(νc) P      restrict c within P
A ├ P       A is the set of all “known” channels

Operational semantics

Operational semantics defined using SOS rules such as:

                  b ∉ A
______________________________________
A ├ ac.P  --ab-->  A ∪ {b} ├ {b/c}P

One can then consider LTSs generated by π-terms, the associated behavioural properties, etc.

p-nets

High-level Petri nets where tokens can, e.g., be channels

[Figure, built up over three slides: a τ-labelled transition with an input arc annotated u and read arcs (non-directed, used only for testing) annotated v, connected to places holding the channel tokens a and b. The transition is enabled if there is a suitable binding for u and v, for instance u=a, v=b, which leads to the marking shown with b.]

Holder places and read arcs

[Figure: transitions snd and rcv with arc annotations u and v, the channel tokens a and b, and read arcs. The blue part (holder places) is related to channels; the black part is related to control flow.]

Tag-place

Used to maintain information about Known, New and Restricted channels

[Figure, built up over three slides: a transition with arc annotations u, v and U, V, a holder place holding a, and the tag-place holding entries such as a.a.K, e.N and Δ.R (a channel, its tag and its status: Known, New or Restricted), with annotations U.u.K, V.v.K, v.R and V.N relating the bound variables to tag entries. A suitable binding u=U=a, v=Δ, V=e generates the action ae, after which the entry e.N becomes e.Δ.K; an LTS can then be defined.]

p-nets

p-nets can be composed to mirror the operators in the process algebra: prefixing, parallel composition, choice, communication

Model checking π-calculus

Pi-calculus expression → (automatic translation) → Safe high-level PN (p-nets)

Example 1

{b,d} ├ ba.ad

[Figure, built up over six slides: the p-net for this term, with arc annotations u, v, U, V, tag-place entries b.b.K, d.d.K and e.N, and annotations U.u.K, V.v.K, v.v.K and v.N. The binding u=U=b, v=e generates be, after which e.N becomes e.e.K; then the binding u=U=e, v=V=d generates ed.]

Example 2

{a,b} ├ (νc)ac.cb

[Figure, built up over six slides: the p-net for this term, with tag-place entries a.a.K, b.b.K, Δ.R and f.N and annotations U.u.K, V.v.K, v.R and V.N. The binding u=U=a, V=f, v=Δ generates af, and Δ.R together with f.N is replaced by f.Δ.K (the restricted channel is now known under the new name f); then the binding U=f, u=Δ, V=v=b generates fb.]

Example 3

{a,e,d} ├ (νc)(ac.ec | ab.bd)

[Figure, built up over eight slides: the p-net for this parallel composition, with a τ transition for the internal communication between the two components, arc annotations u, v, U, V, and tag-place entries a.a.K, e.e.K, d.d.K, Δ.R and f.N. The builds show the restricted channel Δ being passed on and f.N becoming f.Δ.K.]

Model checking π-calculus

pi-calculus expression → (automatic translation) → Safe high-level PN (p-nets) → PN unfolding (PUNF) → Property checking (MPSat)

Implementation issues

• Infinity of new channels
• Read arcs
• Non-safeness
• Partial-transition expansion
• Reducing the number of holder places

Example

[Figure, built up over five slides: the NESS example, with a server process NESS communicating on channel a, a process T, and four hosts h1, h2, h3, h4 running the processes 1S, 2S, 3S, 4S. The builds show the steps a?ness, then h1!ness | h2!ness | h3!ness | h4!ness, then h1?addr1 | h2?addr2 | h3?addr3 | h4?addr4, and the host process h!h1.h1!done.STOP + h?another1.addr1!h1.addr1!another1.h1!done.STOP.]

Experiments

Problem   Net           Prefix            Time
          |P|    |T|    |B|      |E|      Punf   MPSat   MWB
Ness(2)   157    200    1413     127      <1     <1      <1
Ness(3)   319    415    5458     366      1      <1      <1
Ness(4)   537    724    24561    1299     6      <1      7
Ness(5)   811    1139   93546    4078     46     <1      -
Ness(6)   1141   1672   281221   10431    411    311     -
Ness(7)   1527   2335   701898   22662    2904   8       -

(|P|, |T|: places and transitions of the net; |B|, |E|: conditions and events of the prefix; MWB: the Mobility Workbench, which did not complete the cases marked -.)

Further work

• We need efficient extensions of the unfolding approach for read arcs
• Introduce a restricted form of recursion still allowing one to use model-checking
• Deal with the state space explosion caused by aspects other than high level of concurrency
• Further performance comparisons of this model with other model checkers


Thank you!