Borrower Reduction - Preservation of Temporal Properties

5.3 Preservation of Temporal Properties

5.3.2 Borrower Reduction

5.3. Preservation of Temporal Properties 91 The cases ψ = ¬ψ₁, ψ = ψ₁ ∧ψ₂ follow directly by the induction hypo-thesis.

ψ = ψ1Uψ2: Let us assume M(M₀^′, σ^′) = M₀^′M₁^′M₂^′... |= ψ1Uψ2. Let M(M0, σ)beM0M1M2.... We can find a prefixσ₁^′ ofσ^′ such thatM_|σ^′ ′

1|M_|σ^′ ′

1|+1...|= ψ2 and ∀i, 0 ≤ i < |σ₁^′| : M_i^′M_i+1^′ ... |= ψ1. We hence can find a pre-fix σ1 of σ corresponding to σ₁^′, i.e. proj_T

k(σ1) = proj_T

k(σ₁^′), and σ1 does not end with a transition t ∈ Te. By the induction hypothesis and Eq.

5.1a M|σ1|M|σ1|+1... |= ψ2. For the case that |σ₁| > 0, let σp be a pre-fix of σ such that |σp| < |σ₁|. Let σ^′_p be a corresponding prefix of σ^′, i.e.

proj_T

k(σp) = proj_T

k(σ^′_p). Since σp truncates at least one transition in Tk,

|σ^′_p|<|σ₁^′|. FromM_|σ^′ ′ p|M_|σ^′ ′

p|+1...|=ψ1, it follows by the induction hypothesis that M|σp|M|σp|+1...|=ψ1.

Analogously, it can be shown that M(M₀, σ) |=ψ1Uψ2 ⇒ M(M₀^′, σ^′) |=

ψ1Uψ2 holds. 2

The correspondence of firing sequences is also cental for establishing pre-servation of CTL^∗_-_X properties. We proof that CTL^∗_-_X is preserved by showing that Σ and the reduced net Σ^′ are bisimilar. We define the bisimulation relation based on the firing of transitions in Tk. But for bisimulation a fur-ther ingredient besides correspondence of firing sequences is needed. For the Borrower, Producer and Dead End reductions we have a kind of Uniqueness Lemma stating that a marking on Σcorresponds to just one marking on Σ^′.

92 5. Cutvertex Reductions

tω

p3 Nk

p3 Σ^bΣe

Figure 5.6: Example of a Borrower reduction For the following we assume: (1) q is 1-safe inΣ.

The next propositions show that (T1) for any firing sequence σ of Σ it holds that its projections toTk orTe are also firing sequences of Σk orΣeq=1, respectively. We use this to show that (T2) for any firing sequence σ of Σ that is fair w.r.t. Tk it holds that its projection to Tk is a maximal firing sequence of the reduced net Σ^′.

Proposition 5.3.7 Let σ be a firing sequence of Σ such that proj_T

k(σ) is a firing sequence of Σ_k.

proj_T_e(σ) is a firing sequence of Σeq=1.

Proof Let M_init^e be M_init^e = (M_init^q=1|Pe). If σ is a firing sequence of Σ but σ^e :=proj_T_e(σ) is not a firing sequence ofΣ_e^q=1, then by Prop. 5.3.3, there are prefixes σp of σ and σ_p^e of σ^e such that Mσp(q) > M_σ^e^e

p(q). Since q is 1-safe in Σ, it follows that Mσp(q) = 1 and M_σ^e^e

p(q) = 0. So σ_p^e consumes a token from q because q is initially marked on Σeq=1. Hence with ∆(σp, q) =

∆(σ_p^e, q) + ∆(σ_p^k, q) whereσ_p^k:=proj_T

k(σp)and from1 = Minit(q) + ∆(σp, q), it follows that2 = Minit(q) + ∆(σ_p^k, q). But since σ_p^k is a firing sequence of Σk

by assumption, this contradicts the 1-safeness of q inΣk by Prop. 5.3.2. 2 For the following we assume: (1) and (2)q is 1-safe inΣeq=1.

Intuitively the next proposition says, given a firing sequence σ that is fair w.r.t. Te, in case proj_T

k(σ) eventually permanently marks q, then proj_T

e(σ) is a maximal firing sequence of Σeq=1.

5.3. Preservation of Temporal Properties 93 Proposition 5.3.8 Let σ be a firing sequence from Minit that is fair w.r.t.

Te. Letσ₁^k, σ^k₂ ∈T_k^∞ and σ₁^k be finite. Let M_init^k be Minit|Pk. If proj_T

k(σ) = σ₁^kσ₂^k is a firing sequence of Σk and M_σ^kk

1(q) = 1 and

∀i,1≤i≤ |σ₂^k|: ∆(σ^k₂(i), q) = 0, thenproj_T_e(σ)is a maximal firing sequence of Σeq=1.

Proof Let M_init^e be M_init^q=1|Pe and let proj_T

k(σ) be σ^k. By Prop. 5.3.7, σ^e :=

proj_T_e(σ)is a firing sequence of Σ_e^q=1. Assumeσ^e is not maximal on Σ_e^q=1. Hence by Prop. 5.3.4, σ^e is finite, M_σ^ee(q) = 1 and σ does not eventually permanently mark q. So there is a finite prefix σp of σ with Mσp(q) = 0 and σp contains σ^e and σ₁^k. From M_init^e (q) = 1 and M_σ^e^e(q) = 1 it follows that

∆(σ^e, q) = 0. It thus follows from Mσp(q) = 0 = Minit(q) + ∆(σp, q) that 0 =Minit(q) + ∆(proj_T_k(σp), q). Since we assume that σ₂^k does not affect q, it follows 0 = Minit(q) + ∆(σ₁^k, q). But this contradicts the assumption that firing σ₁^k places a token onq, that isM_σ^kk

1(q) = 1. 2

Proposition 5.3.9 Σ_e^q=0 |=AG(q,0)

Proof Let M_init^e be M_init^q=0|Pe. Suppose that Σeq=0 6|=AG(q,0). Thus there is a firing sequence σ^e with M_σ^e^e(q) ≥ 1. σ^e is also a firing sequence of Σeq=1

generating two tokens onq, which contradicts the 1-safeness ofq inΣeq=1. 2 Now we can show (T1) of the targeted results: By the next proposition we can fire proj_T

k(σ) on Σk for any firing sequence σ of Σ. And by Prop.

5.3.7 also proj_T_e(σ) is a firing sequence ofΣ^q=1_e . Proposition 5.3.10 Let σ be a firing sequence of Σ.

proj_T

k(σ) is a firing sequence of Σk.

Proof We denote the initial markingMinit|P_k ofΣkasM_init^k . If the above does not hold, then by Prop. 5.3.3, there are prefixes σp of σ and σ_p^k of proj_T

k(σ) such that Mσp(q) > M_σ^kk

p(q). Since M_init^k (q) = Minit(q), it follows that

∆(σ_p^k, q)<∆(σp, q), which implies that 0<∆(σ_p^e, q)where σ_p^e :=proj_T_e(σp).

But since σ^e_p is a firing sequence of Σeq=1 by Prop. 5.3.7, this contradicts assumption (2), i.e. 1-safeness of q inΣeq=1. 2

94 5. Cutvertex Reductions

For the following we assume: (1), (2) and (3) Σeq=1 |=AFG(q,1).

The following lemma is the Uniqueness Lemma: Ifσ1 andσ2 generate the same markingM then proj_T

k(σ1) andproj_T

k(σ2)will also generate the same marking. With other words the corresponding marking ofM is unique. The Uniqueness Lemma will be used to show that Σand the reduced net Σ^′ are bisimilar.

Lemma 5.3.11 (Uniqueness Lemma) Letσ1, σ2 be firing sequences ofΣ.

If ∆(σ1, p) = ∆(σ2, p),∀p∈P,

then ∆(proj_T_k(σ₁), p) = ∆(proj_T_k(σ₂), p),∀p∈Pk. Proof Let σ₁^k denote proj_T

k(σ1) and σ₂^k denote proj_T

k(σ2). Similarly, let σ^e₁ be proj_T

e(σ1) and σ₂^e be proj_T

e(σ2). As ∆(σ1, p) = ∆(σ2, p), ∀p ∈ P, and transitions in Te cannot change the token count on places in Pk, it follows that ∆(σ₁^k, pk) = ∆(σ₂^k, pk), ∀pk ∈ Pk \ {q} holds. Let us assume that ∆(σ₁^k, q) 6= ∆(σ₂^k, q). It follows that also ∆(σ₁^e, q) 6= ∆(σ₂^e, q), because

∆(σ₁^e, q) + ∆(σ₁^k, q) = ∆(σ^e₂, q) + ∆(σ₂^k, q)by assumption. Sinceσ^e₁ andσ₂^eare both firing sequences ofΣeq=1by Prop. 5.3.7 andqis 1-safe inΣeq=1, it follows that ∆(σ₁^e),∆(σ^e₂) ∈ {−1,0}. Without loss of generality let ∆(σ^e₁, q) = −1 and ∆(σ₂^e, q) = 0. SinceΣe is a Borrower and thus Σeq=1 satisfiesAFG(q,1), all maximal firing sequences are non-consuming. Hence a firing sequence σ^e_g is enabled after firing σ₁^e that eventually marks q. But σ_g^e is also a firing sequence fromM_σ^e^e₂ and generates two tokens onq. This contradicts 1-safeness

of q in Σeq=1. 2

Remark 5.3.12 For the Borrower reduction, the reduced net Σ^′ is equal to Σ^k. So Prop. 5.3.10 and the Uniqueness Lemma 5.3.11 also hold for Σ^′ instead of Σ^k.

With the next two propositions we are ready to show that CTL^∗_-_Xis preserved.

According to the next propositions it holds that

• FsN^′,max(M_init^′ ) ⊆proj_T

k(FsN,{T_k,Te}(Minit))and

• proj_T

k(FsN,{Tk}(Minit)) ⊆ FsN^′,max(M_init^′ ).

5.3. Preservation of Temporal Properties 95 Note thatFsN,{Tk,Te}(Minit)⊆FsN,{Tk}(Minit). So it also follows that

• FsN^′,max(M_init^′ )⊆ proj_T

k(Fs_N,{T_k_}(Minit))and

• proj_T

k(FsN,{Tk,Te}(Minit)) ⊆FsN^′,max(M_init^′ ).

In summary, we can derive that FsN^′,max(M_init^′ ) =proj_T

k(FsN,{Tk}(Minit)) = proj_T

k(FsN,{Tk,Te}(Minit))holds.

Proposition 5.3.13 Let σ be a firing sequence of Σ that is fair w.r.t. Tk. proj_T

k(σ) is a maximal firing sequence of Σ^′.

Proof Note that Σ^′ = Σ_k. By Prop. 5.3.10, σ^′ := proj_T

k(σ) is a firing sequence of Σ^′. Let us assume that σ^′ is not maximal. By Prop. 5.3.4 σ^′ is finite and M_σ^′′(q) = 1 and σ does not eventually permanently mark q. Let σp be a prefix of σthat contains σ^′ and does not markq, i.e. proj_T

k(σp) = σ^′ and Mσp(q) = 0. Hence 0 = Minit(q) + ∆(σ^′, q) + ∆(proj_T_e(σp), q) and 1 = M_σ^′′(q) = Minit(q) + ∆(σ^′, q) holds. It follows that ∆(proj_T_e(σp), q) = −1.

Sinceσ^′ is finite andσis maximal, it follows thatσis fair w.r.t. Te. By Prop.

5.3.8,proj_T

e(σ)is a maximal firing sequence ofΣeq=1. AsΣeq=1|=AGF(q,1), σ eventually permanently enables q (contradiction). 2 A stronger version of Prop. 5.3.13, that requires maximality of σ only, instead of fairness w.r.t Tk, does not hold, as we have seen while discussing the need of fairness at the begin of this section. The maximal firing sequence σ = t1tωtω... of the net in Fig. 5.5 has the proj_T

k(σ) = t1, which is not maximal on Σ^bΣe.

By the next proposition it followsFsN^′,max(M_init^′ )⊆proj_T

k(FsN,{Tk,Te}(Minit)).

But more than that, it says that for a maximal firing sequenceσ^′fromM^′and for a pair of markings(M, M^′) = (M, M|P_k)of respectivelyΣandΣ^′, we can find a fair firing sequenceσ that visits M and corresponds to σ^′. This extra is necessary to establish bisimulation. Proposition 5.3.13 has a simpler form, as for a marking M we can pinpoint M^′ (Uniqueness Lemma), whereas, vice versa, we can find for a marking M^′ more than one corresponding marking of Σ.

96 5. Cutvertex Reductions Proposition 5.3.14 Let σ^′ = σ₁^′σ₂^′ be a maximal firing sequence of the Borrower-reduced Σ^′. Let σ1 be a firing sequence of Σwith proj_T

k(σ1) =σ₁^′. If σ1 is finite, then there is a firing sequence σ2 of Σ such that σ1σ2 is fair w.r.t. Tk and Te, and proj_T

k(σ2) =σ₂^′.

Proof The algorithm to construct σ2 can be sketched as follows. First, σ is extended to sufficiently mark q (line 10-16). Then, as long as σ^′ fires transitions whose firing decreases q’s token count, transitions inTe are fired that do not have q as an input place (line 17-25). Then, if σ^′ fires trans-itions that do not changeq’s token count but have qas an input place (line 29-41), first a prefix of σ^′ is fired that places a token on q (line 30). In this case a maximal firing sequenceσ^e of Σ_e is enabled and we know thatσ^e behaves like a Borrower sequence. We fire the “borrowing” prefix of aσ^e, i.e.

the prefix of σ^e up to the point when the token from q is not removed any more. Then (line37-40or42-46) we fire in turn transitions in Tk (the suffix of σ^′) and Te (the suffix of σ^e), since they do not disable each other. In the following M_init^e denotesMinit|Pe.

1 /∗ The a l g o r i t h m ’ s i n p u t i s t h e o r i g i n a l n e t Σ, t h e

2 k e r n e l Σk, t h e environment Σe, t h e f i r i n g s e q u e n c e

3 σ1 o f Σ and f i r i n g s e q u e n c e s σ₁^′ and σ^′₂ o f t h e re d uc e d

4 n e t Σ^′, such t h a t σ^′₁σ^′₂ i s maximal . I t s o u t p u t i s a

5 f i r i n g s e q u e n c e o f Σ t h a t i s f a i r w . r . t . Te and Tk.∗/

6 Input: Σ, Σk, Σe, σ1, σ^′₁, σ₂^′

7 Output: σ2

8 σ := σ1

9 σ^′ := σ^′₂ /∗ n o t y e t p a r t o f σ ∗/

10 i f(Mσ(q)< Mσ^′1(q)){

11 Let σ^e be a maximal f i r i n g s e q u e n c e o f Σ_e^q=1 with

12 p r e f i x proj_T_e(σ) and M(M_init^e , σ^e)|=FG(q,1).

13 Let σ₁^e be a t r a n s i t i o n s e q u e n c e where

14 proj_T_e(σ)σ₁^e i s a p r e f i x o f σ^e and M_proj^e

Te(σ)σ1^e(q) = 1.

15 σ := σσ^e₁

16 }

5.3. Preservation of Temporal Properties 97

17 i f(σ^′ c o n t a i n s a t^′ ∈q^• with W(q, t^′)> W(t^′, q)){

18 Let σ_p^′ be t he minimal p r e f i x o f σ^′ c o n t a i n i n g a l l

19 t r a n s i t i o n s t^′ with W(q, t^′)> W(t^′, q).

20 fo r(i:= 1; i <|σ_p^′|+ 1; i:=i+ 1){

21 σ := σσ_p^′(i)

22 i f(∃te∈(Te\q^•) :Mσ[tei) σ:=σte

23 }

24 σ^′ := σ^′(|σ^′^p^|) /∗ t r u n c a t e by p r e f i x σ^′_p ∗/

25 }

26 /∗ From now on h o l d s t h a t W(q, σ^′(i))≤W(σ^′(i), q),

27 ∀i,1≤i <|σ^′|+ 1. ∗/

28 i f(σ^′ c o n t a i n s a t^′ ∈q^•){

29 Let σ_p^′ be σ^′’ s minimal p r e f i x t h a t i n c l u d e s a t^′ ∈q^•.

30 σ := σσ_p^′

31 σ^′ := σ^′(|σ^′^p^|) /∗ t r u n c a t e by p r e f i x σ^′_p ∗/

32 Let σ^e be a maximal f i r i n g s e q u e n c e o f Σeq=1 with

33 p r e f i x proj_T_e(σ) and M(M_init^e , σ^e)|=FG(q,1).

34 Let σ₁^e and σ₂^e be t r a n s i t i o n s e q u e n c e s with

35 σ^e=proj_T_e(σ)σ₁^eσ₂^e and M(M_proj^e

Te(σ)σ^e1, σ₂^e)|=G(q,1).

36 σ := σσ₁^e

37 fo r(i := 1; i <|σ₂^e|+ 1 o r i <|σ^′|+ 1; i := i+ 1){

38 i f(i <|σ₂^e|+ 1) σ := σσ₂^e(i)

39 i f(i <|σ^′|+ 1) σ := σσ^′(i)

40 }

41 } e l s e { /∗ q6∈ ^•σ^′(i), ∀i,1≤i≤ |σ^′| ∗/

42 fo r(i := 1; i <|σ^′|+ 1; i := i+ 1){

43 σ := σσ^′(i)

44 i f(∃te∈Te:Mσ[tei) σ := σte

45 }

46 while(∃te∈Te:Mσ[tei) σ := σte

47 }

98 5. Cutvertex Reductions

48 r e t u r n σ :=σ^(|σ¹^|)

Listing 5.1: Generating a firing sequence fair w.r.t. Te and Tk.

The transition sequenceσ, constructed in the first if-block, (line 10-16), is a firing sequence of Σ: Since 0 = Mσ(q) < Mσ^′1(q) = 1, it follows that proj_T

e(σ) consumed a token from q. But since Σeq=1 |=AFG(q,1), there is a firing sequence σe that (re)generates the token.

The transition sequence σ, constructed in the second if-block, (line 17-25), is a firing sequence ofΣ, sinceMinit[σ1i, since by constructionMσ(q) = M_σ^′′

1(q) at line 16 and since transitions in t∈ Te\q^• do not disable trans-itions in Tk. Note that at the end of line 25 Mσ(q) = 0 = M_proj^′

T′(σ)(q), since σ_p^′ decreases q’s token count. In case σ_p^′ = σ^′ is infinite, σ is by con-struction fair w.r.t. Tk and obviously fair w.r.t. Te\q^•. Asσ_p^′ infinitely often removes the token from q, the place q is not permanently marked, and thus transitions in q^•∩Te are not permanently enabled. Hence σ is fair w.r.t. Te. Next we show that σ constructed at the third if-block (line 28-41), is a firing sequence ofΣ. SinceMσ[σ^′iat the end of line 24, σ of line 30 is a firing sequence. Let t^′ be the last transition of σ_p^′. As t^′ has q as an input place and does not decrease the token count on q, qhas to be marked at the end ofline 30. Also the firing sequence ofline 32-35 exists: Asproj_T

e(σ) is a firing sequence of Σeq=1 by Prop. 5.3.7 and since Σeq=1 |= AFG(q,1), proj_T_e(σ) can be extended to a maximal firing sequence σ^e whose marking sequence satisfies FG(q,1). It follows that σ^e can be divided into a finite prefix σ^e_p that contains proj_T_e(σ) and restores the token on q and into a suffix σ₂^e that does not remove the token on q, M(M_σ^e^e

p, σ₂^e) |= G(q,1). Let σ^e₁ be the transition sequence such that σ^e_p = proj_T_e(σ)σ₁^e. The transition sequenceσofline 36is a firing sequence ofΣ, since by Eq. 5.1bMσ|Pe\{q} = Mproj_Te(σ))|_P_e_\{q} holds at the end of line 30, and by construction Mσ(q) = 1 ≥ M_proj^e

Te(σ)(q) at the begin of line 36. σ of line 38 and 39 are firing sequences: σ^e₁ does not change the token count of placesPk\{q}andMσ(q) = 1 holds at the end of line 36. It follows that Mσ[σ^′i and Mσ[σ₂^ei. Neither the transitions ofσ₂^e nor the transitions of σ^′ remove the token from q .

We now show that σ is fair w.r.t. Tk and Te. We first show that σ is fair

5.3. Preservation of Temporal Properties 99 w.r.t. Tk. Ifσ^′is infinite,σis fair w.r.t. Tk. Supposeσ^′ is finite. Letσ^′_pbe the already considered prefix ofσ^′, that isproj_T

k(σ) =:σ_p^′. We show that for each σ atline 36, 38 and 39 the generated markingMσ satisfiesMσ|Pk =M_σ^′′

p, since at these lines σ may become maximal or the algorithm may infinitely loop. As σ^′ is maximal, Mσ|Pk = M_σ^′′ = M_σ^′′

p implies that ¬Mσ[ti,∀t ∈ Tk. By Eq. 5.1a it follows that at all times Mσ|P_k\{q} = M_σ^′′

p|P_k\{q}. Mσ(q) = 1 = M_σ^′′

p(q) holds at the end of line 36, which has been shown above.

Neither transitions ofσ₂^e nor transitions ofσ^′ may change the token count on q afterwards, thus Mσ|P_k =M_σ^′′

p holds at line 38 and 39.

Next we show that σ is fair w.r.t. Te. Transitions of σ^′ do not change the token count of q from line 32 to 40. So by construction proj_T_e(σ) is a maximal firing sequence of Σ_e^q=1. At line 36-40 it holds that Mσ(q) = 1, so it follows thatMσ(q)|Pe =M_proj^e

Te(σ). Hence it follows that σ is fair w.r.t.

Te.

Theσconstructed at the else-block (line 41 to 47) is a firing sequence:

By Eq. 5.1a, M|σ||P\{q} = M_|σ^′ ′

p||Pk\{q}. As the enabledness of transitions in σ^′ does not depend on the token count onq, any enabled transition ofTe can be fired in between two transitions ofσ^′. By construction σ is fair w.r.t. Te, as transitions in Te are fired as long as there are any enabled. σ is fair w.r.t Tk because σ^′ is maximal and transitions of σ^′ do not depend on q. 2 The following proposition establishes that every maximal firing sequence ofΣ^′ corresponds to the projection of a firing sequence ofΣthat is fair w.r.t.

Tk (not also fair w.r.t. Te), i.e. FsN^′,max(M_init^′ )⊆ proj_T

k(FsN,{Tk}(Minit)). The proposition also guarantees thatσ starts withσ^′. We need this form to show that we can use the reduced net for falsification of ∀CTL^∗ properties using the next-time operatorX.

Proposition 5.3.15 Let σ^′ be a maximal firing sequence of Σ^′. There is a firing sequence σ of Σ such that proj_T

k(σ) = σ^′ and σ starts with σ^′ and σ is fair w.r.t. Tk.

Proof By Prop. 5.3.1 σ^′ is a firing sequence of Σ. If σ^′ is finite, we fire transitions of Te as long as there are any enabled. Let us assume that σ is

100 5. Cutvertex Reductions not fair w.r.t. Tk. By Prop. 5.3.4σ^′ is finite andM_σ^′′(q) = 0andσ eventually permanently marks q. Hence proj_T_e(σ) generates a token, which contradicts

assumption (2). 2

We are now in the position to show our main verification and falsification results:

Theorem 5.3.16 LetΣe a Borrower environment net and Σbe reducible by Σe. Let ϕ be a CTL^∗-_X formula referring to P \Pe only.

Σ^bΣe|=ϕ ⇔ Σ|=ϕ fairly w.r.t. Tk and Σ^bΣe|=ϕ ⇔ Σ|=ϕ fairly w.r.t. Tk and Te.

Proof We show that (i) TS_Σ and TS_Σ′ are stuttering bisimilar assuming that Σ is fair w.r.t Tk and (ii) TS_Σ and TS_Σ′ are stuttering bisimilar as-suming Σ is fair w.r.t. Tk and Te. In a first step we define the relation B ⊆[Miniti ×[M_init^′ i and then show that∀(M, M^′)∈ B:

(L) L(M) =L^′(M^′)

(SF1) ∀µ ∈ΠTSΣ,{Tk}(M) :∃µ^′ ∈ΠTSΣ′,inf(M^′) :match(B, µ, µ^′) (SF2) ∀µ^′ ∈ΠTS_Σ′,inf(M^′) :∃µ∈ΠTSΣ,{Tk,Te}(M) :match(B, µ, µ^′)

Note, (SF1) implies∀µ∈ΠTSΣ,{Tk,Te}(M) :∃µ^′ ∈ΠTS_Σ′,inf(M^′) :match(B, µ, µ^′) and (SF2) implies that∀µ^′ ∈ΠTS_Σ′,inf(M^′) :∃µ∈ΠTSΣ,{T_k}(M) :match(B, µ, µ) holds, since ΠTSΣ,{Tk,Te}(M) ⊆ ΠTSΣ,{Tk}(M). Thus, it follows from (L), (SF1), (SF2) that B is a stuttering fair bisimulation assuming that Σis fair w.r.t. Tk, and also assuming thatΣ is fair w.r.t. Tk and Te.

We now define B ⊆ [Miniti ×[M_init^′ i. The basic idea is that two markings M and M^′ are bisimilar iff they correspond,M|_P_\{q} =M^′|_P_\{q}, but then for one markingM there might be several markingsM_i^′and we have to be careful with the token count on q. So let M be a reachable marking of Σ. Hence there is a firing sequenceσ that generatesM,Minit[σiM. proj_T

k(σ)is a firing sequence of Σ^′ by Prop. 5.3.10. Let M^′ be the marking of Σ^′ generated by firing proj_T

k(σ), M_init^′ [proj_T_k(σ)iM^′. We define that (M, M^′) ∈ B. Defining Bthis way, it follows that(Minit, M_init^′ )∈ Band since AP ⊆(P^′\ {q})×N, it also follows that ∀(M, M^′)∈ B :L(M) = L(M^′) holds. Note that by Prop.

5.3. Preservation of Temporal Properties 101 5.3.11,M^′ is uniquely defined, i.e. (M, M₁^′)∈ B and (M, M₂^′)∈ B it follows that M₁^′ =M₂^′.

To show (SF1), consider (M, M^′)∈ B and a path µ2 fromM that is fair w.r.t. Tk. Letσ₂ a the corresponding firing sequence, that isM(M, σ₂) =µ₂. Letσ₁ be a firing sequence that generatesM andµ₁ the corresponding path, that isµ1 =M(Minit, σ1). Hence µ:=µ1µ2 is a path fromMinit inTS_Σ that is fair w.r.t. Tk. Let σ := σ1σ2 be the corresponding firing sequence. By Prop. 5.3.13,σ^′ :=proj_T

k(σ)is a maximal firing sequence ofΣ^′. By definition ofB and by the Uniqueness Lemma 5.3.11 firing proj_T

k(σ1)generates M^′. It follows that the marking sequence µ^′₂ generated by proj_T

k(σ2)is a path from M^′ inΠTS_Σ′,inf(M^′).

Based on σ and σ^′ we define partitions θ of µ2 and θ^′ of µ^′₂. Let the partition θ^′ be the identity mapping and let θ be the partition defined as θ(1) = 1 and∀i, 1< i <|σ₂^′|+ 2,θ(i) =j+ 1wherej is such thatσ(j)∈Tk

andσ(1)...σ(j)has exactlyi−1transitions inTk,θ(i) =θ(i−1)+1otherwise.

Fig. 5.7 illustrates the partitioning of µ₂ and µ^′₂.

1 2 3 4

seg. no.

σ µ

µ^′ σ^′

t^′1 t2 t3 t^′2 t5 t^′3 t7 t^′4

...

M⁰ M¹ M² M³ M⁴ M⁵ M⁶ M⁷ M⁸ M⁹ M¹⁰

...

M^′0 M^′1 M^′2 M^′3 M^′4 M^′5 M^′6 M^′7

...

t^′1 t^′2 t^′3 t^′4

...

Figure 5.7: Partitioning of corresponding marking sequences. µ is divided into segments according to occurrences of transitions inTk.

θ partitions µ₂ so that segment 1 contains markings without a change on the token count of Pk \ {q}. Segment i, 1 < i < |σ₂^′|+ 1, starts with the marking generated by firing its first (i−1) transitions in T^′. Note that this defines θ already well, if σ₂^′ =proj_T

k(σ2)is infinite. In case σ₂^′ is finite, segmenti,|σ₂^′|+ 1< i, consists of only one marking, the next marking in µ2. Segment i of µ^′₂, 1≤ i ≤ |σ₂^′|+ 1, contains only one marking M_i^′, which is generated by firing the first i−1 transitions ofσ₂^′.

102 5. Cutvertex Reductions We now show that the partitions ofµandµ^′generate segments of bisimilar markings. Let us consider a segment i, 1 ≤ i < |σ₂^′| + 2. Let M2 be a marking in segment ion µ2. M2 is generated by firing a prefix σp with i−1 transitions inTk. The marking M₂^′ in segment i onµ^′₂ is generated by firing i−1 transitions in T^′. Hence it follows that proj_T

k(σp) = σ₂^′(1)...σ₂^′(i−1) holds and hence (M2, M₂^′)∈ B. Let us assume that σ^′₂ is finite. Segmention µ^′₂,i >|σ^′|+ 1, contains the final marking generated by firing σ^′₂. Segment i onµ, i >|σ^′|+ 1, contains the marking generated by firing a prefix σp of σ2

that contains |σ₂^′| transitions of T^′. So it follows that proj_T

k(σp) = σ₂^′ holds and hence also (M2, M₂^′)∈ B.

To show (SF2), let us consider (M, M^′)∈ Band an infinite path µ^′₂ from M^′ in ΠTSΣ′,inf(M^′). Again let σ1 be a firing sequence generating M and σ^′₁ = proj_T

k(σ1) generating M^′. So µ1 := M(M, σ1) and µ^′₁ := M(M^′, σ₁^′) are the corresponding paths. It follows that µ^′ =µ^′₁µ^′₂ is an infinite path in TS_Σ′. Let σ^′ := σ^′₁σ₂^′ be the corresponding maximal firing sequence of Σ^′ where σ₂^′ generates µ^′₂. By Prop. 5.3.14 there is a firing sequence σ that is fair w.r.t. Tk and Te and corresponds to σ^′. Let σ2 be the suffix of σ that corresponds to σ^′₂. µ2 :=M(M, σ₂) is thus a fair path from M. As above it follows that µ^′₂ and µ₂ are partitioned into segments of bisimilar markings.

We cannot verify LTL or CTL properties using X. Consider the LTL property ψ = AXX(p3,1) and the CTL property ϕ = AXAX(p3,1). The net Σ^bΣe in Fig. 5.6 satisfies both ψ and ϕ but Σ satisfies neither of them.

As ¬ϕ := EXEX(p3,0) is a valid CTL property on Σ but not on Σ^bΣe, CTL properties using X can also not be falsified, but we can falsify ∀CTL^∗ assuming fairness ofΣ w.r.t. Tk.

Theorem 5.3.17 Let Σe be a Borrower environment net and Σ be reducible by Σ_e. Let ψ be an ∀CTL^∗ formula referring to P \Pe only.

Σ|=ψ fairly w.r.t. Tk ⇒ Σ^bΣ_e |=ψ.

Proof We show that (TSΣ, Minit){Tk} simulates (TSΣ^′, M_init^′ ). This implies that if Σ|=ψ fairly w.r.t. Tk then Σ^bΣe |=ψ.

5.3. Preservation of Temporal Properties 103 To define S, we mimic the construction of σ in Prop. 5.3.15. Let M^′ ∈ [M_init^′ ibe a marking of Σ^′. Let σ^′ be a firing sequence generating M^′. IfM^′ is not a final marking, only(Mσ^′, M^′)∈ S. But if M^′ is final, we pick several markingsM to correspond toM^′. Letσbe any finite firing sequence starting with σ^′ and proj_T

k(σ) =σ^′. We set (Mσ, M^′)∈ S whereMσ is generated by such a σ. In both cases it holds that(Minit, M_init^′ )∈ S.

We have to show that all (M, M^′)∈ S satisfy (L) L(M) = L^′(M^′), and (F) ∀µ^′ ∈ ΠTSΣ′,inf(M^′) : ∃µ ∈ ΠTSΣ,{Tk}(M) : (µ(i), µ^′(i)) ∈ S. As we require thatscope(ψ)⊆ Pk\ {q}, (L) holds by Eq. 5.1a. Let (M, M^′) be in S, letµ^′ be an infinite path fromM^′ and letσ^′ be the corresponding maximal firing sequence ofΣ^′, that is µ^′ =M(M^′, σ^′).

By definition of S, there is a firing sequence σg that generates M on Σ and σ_g^′ := proj_T

k(σg) generates M^′. By Prop. 5.3.7 σ_g^e := proj_T_e(σg) is a firing sequence of Σ_e^q=1 and hence does not generate additional tokens on q.

In case M^′ is final, µ^′ is the infinite marking sequence M^′M^′.... As σ_g^e does not generate additional tokens,M enables only transitions in Te. So for any marking Mi reachable from M consequently (Mi, M^′)∈ S holds.

Let us now consider the case that M^′ is not final. By Prop. 5.3.15 there is a firing sequence σ with proj_T

k(σ) = σ_g^′σ^′ that is fair w.r.t. Tk. M is generated by σ_g^′. Let σs be the suffix of σ with proj_T

k(σs) = σ^′, which is also fair w.r.t. Tk and starts with σ^′. µ = M(M, σs) is hence a fair path of TS_Σ starting with markings corresponding to µ^′. So the case that σ^′ is infinite follows trivially. In case σ^′ is finite, the markings generated along σ^′ correspond. The case that we reach a final marking has been discussed

above. 2

Theorem 5.3.17 implies that the weaker version “Σ|=ψ ⇒Σ^′ |=ψ” hold.

To see that a stronger version of the theorem assuming fairness ofΣw.r.t. Tk

andTe does not hold, consider the two nets in Fig. 5.6 and the LTL (∀CTL^∗) propertyψ =AF((p₃,1)∧XXX(p₃,0)). ψ expresses that all paths eventually mark p3 and then do not mark p3 after three transition firings. Obviously, ψ does not hold on Σ^bΣe, butψ holds onΣ, assuming Σis fair w.r.t. Te. Σ has to fire a transition inTe, since otherwise tω is permanently enabled while

104 5. Cutvertex Reductions no transition ofTe occurs.

Im Dokument Slicing and reduction techniques for model checking Petri nets (Seite 103-116)