Equivalence by Bisimulation - Model Checking of Reconfigurable Petri Nets

marking{buildPlaces(MRi); MRest}) buildRule(R)

new metadata

if *** for deleted places

freeOfMarking(∀p∈P_Li | MRest)∧

*** for places of deleted transitions emptyNeighbourForPlace(∀p∈P_Li\P_Ri |

pre{MTupleRest1} | post{MTupleRest2})∧

calculate new metadata .

5 Correctness of Model Checking for Maude

Definition 18 (Surjective mapping between states ofLTSRPNandLTSMNC). Given a recon-figurable Petri net(N₀,R)withN₀ = (P₀, T₀,pre₀,post₀,p_name0,t_name0,cap₀, M₀)and Ras in Def. 6 and the corresponding Maude modules NET and RULE as in Theorem 1. Further, the label transition system is given by LTSRPN with Def. 15 and LTSMNC by Def. 16. So that there is a mapping map : S_MNC → S_RPN for some states s ∈ S_MNC of Def. 12 with s = net(Places, Transitions, Pre, Post, Markings) | Rule Int Int IDPoolby

map(s) = [(N, M)]and

• P ={p|pis an atomic element in buildPlace⁻¹(Places)}

• T ={t|tis an atomic element in buildTransition⁻¹(Transitions)}

• pre:T →P^L defined by pre(t)=buildPlace⁻¹(place); if

Transitions=transitions{T : t(t_name | x)}and Pre=pre{MT,(t(t_name | x)→place)}

• post:T →P^L defined by post(t)=buildPlace⁻¹(place); if

Transitions=transitions{T : t(t_name | x)}and Post=post{MT,(t(tname | x)→place)}

• p_name:P →AP defined byp_name(p) =label; if

Places=places{P , p(label | x | x)}

• t_name :T →AT defined byt_name(t) =label; if

Transitions=transitions{T : t(label | x)}

• cap:P →Ndefined by cap(p) =capacity; if

Places=places{P , p(str | x | capacity)}

• cap:P →ωdefined by cap(p) =w; if

Places=places{P , p(str | x | w)}

• M ={m|mis an atomic element in buildMarking⁻¹(M arkings)}

Based on Def. 18, the following Lemma 8 and Lemma 9 define the linked states of both transition systems. Lemma 8 is used to link states fromS_MNCtoS_RPN, whereby the Lemma 9 link states the inverted direction fromS_RPNtoS_MNC.

Lemma 7(map of the initial state). (N, M₀)∈map(initial)is given by map as defined in Def. 18

Proof of Lemma 7. Giveninitial as defined by Def. 12 as initial = net(Places, Tran-sitions, Pre, Post, Markings), then there is a [(N0, M0)] as defined by Def. 6 with N0 = (P₀, T₀,pre₀,post₀,p_name0,t_name0,cap₀, M₀)so that:

• P₀is defined by the inverse function of Lemma 1 withbuildPlace⁻¹so that P₀ ={p|pis a atomic element inbuildPlace⁻¹(Places)}

• T₀is defined by the inverse function of Lemma 2 withbuildTransition⁻¹so that T0 ={t|tis a atomic element inbuildTransition⁻¹(Transitions)}

• pre0is defined by the inverse function of Lemma 3 withbuildPre⁻¹so that pre₀:T →P^L defined bypre(t)=buildPlace⁻¹(place); if

Transitions=transitions{T : t(t_name | x)}and Pre=pre{MT,(t(t_name | x)→place)}

• post0is defined by the inverse function of Lemma 4 withbuildPost⁻¹so that post₀:T →P^L defined bypost(t)=buildPlace⁻¹(place); if

Transitions=transitions{T : t(t_name | x)}and Post=post{MT,(t(t_name | x)→place)}

• p_name0is defined by Def. 5 withp_name :P →A_P so thatp_name(p) =label; if Places=places{P , p(label | x | x)}

• t_name0 is defined by Def. 5 witht_name:T →A_T so thatt_name(t) =label; if Transitions=transitions{T : t(label | x)}

5 Correctness of Model Checking for Maude

• cap0is defined by Def. 5 withcap:P →N^w+so that:

– cap(p) =capacity; if

Places=places{P , p(str | x | capacity)}

– cap(p) =w; if

Places=places{P , p(str | x | w)}

• M₀is defined by the inverse function of Lemma 1 withbuildPlace⁻¹so that M ={m|mis a atomic element inbuildMarking⁻¹(TMarkings)}

Lemma 8(map as function). map:S_MNC→S_RPNis a function given by map as defined in Def.

Proof of Lemma 8. For eachs∈S_MNCthere is oner ∈S_RPNwithmap(s) =r.

Basis:For the initials₀ ∈S_MNCexists by Lemma 7 an initial stater₀ ∈S_RPN

Induction hypothesis:Let be given a statesn∈S_MNCwithsn=net(Places, Transitions, Pre, Post, Markings) | Rule Int Int IDPool, so thatmap(s_n) =r_n= [(N, M)]withN = (P, T,pre,post,p_name,t_name,cap, M) Induction step (n→n+ 1):For each follower statesn+1∈S_MNCwithsn l

−

→sn+1∈ tr_MNCthere is ar_n+1∈S_RPNwithr_n−→^l r_n+1 ∈tr_RPNandmap(s_n+1) =r_n+1so thatl can be applied by:

• Firing bys_n−−−−−→^t^name^(t^s⁾ s_n+1as in Def. 16 withs_n+1 =net(Places, Transitions, Pre, Post, Markings⁰) | Rule Int Int IDPooland by the isomorphism class of Def. 9 there is also ar_n−−−−−→^t^name^(t^r⁾ r_n+1 as in Def. 15 withrn+1 = [(N, M⁰)]so that

– Activation:

If marking{PreValue ; M} can be rewritten by the rewrite rule [fire] defined in Def. 7 and Listing 4, then the PreValue fort_s is less or equal than the marking ofs_n. Hence, ispre^⊕(t_r) ≤ M_r (line one of Def. 7) andrn

t_name(tr)

−−−−−→ rn+1 ∈ trRPNdue toM[triM⁰ inN with r_n+1 = [N, M⁰],t_name(t_s) =t_name(t_r)andt_name(t_r)∈A_RPN.

– Capacity limitation:

If (PreValue ; M) plus PostValuecan be rewritten by the

rewrite rule[fire]defined in Def. 7 and Listing 4, then the Post-Valuefor each place used byt_s is less or equal than the capacity and M+post^⊕(t_r)≤capfort_r(line two of Def. 7)

– New marking:

Ifcalc(((PreValue ; M) minus PreValue) plus Post-Value)can be rewritten by the rewrite rule[fire]defined in Def. 7 and Listing 4, then the following markingMarkings⁰is given and the marking forr_n+1is calculated byM⁰ = (M_r pre^⊕(t_r))⊕post^⊕(t_r).(line three of Def. 7)

• Transformation bysn

r_name(rs)

−−−−−→sn+1as in Def. 16 withsn+1=net(Places, Transitions, Pre, Post, Markings⁰) | Rule Int Int IDPooland the isomorphism class of Def. 9 there is also arn

r_name(rr)

−−−−−→rn+1as in Def. 15 withrn+1 = [(N⁰, M⁰)]so that

– match:

If sn can be rewritten by the rewrite rule[rname] defined in Def. 11 and Listing 5, then is theLa subset ofs_n. Hence, there is an occurrence o:L→N defined in Def. 15 byrrandrn

r_name(rr)

−−−−−→rn+1 ∈trRPNas well asr_name(r_s) =r_name(r_r).

– freeOfMarkingapplies for each deleted placep*MRest, as defined in Def. 11 by the identification condition in Def. 10

– emptyNeighbourForPlaceapplies for each deleted placepno oc-currence inPreandPost, as defined in Def. 11 by the dangling condition in Def. 10

5 Correctness of Model Checking for Maude

Lemma 9(map as surjective function). map:S_RPN→S_MNCis a surjective function given by map as defined in Def. 18

Proof of Lemma 9. For eachr∈S_RPNthere is ones∈S_MNCwithmap(s) =r Basis:For the initialr₀∈S_RPNexists by Theorem 1 an initial states₀ ∈S_MNC

Induction hypothesis:Let be given a statern∈S_RPNwithrn= [N, M]so that there is as_n∈S_MNCwithmap(s_n) =r_n= [(N, M)]of Def. 18 andN = (P, T,pre,post, p_name,t_name,cap, M).

Induction step (n→n+ 1):For each follower statern+1∈S_RPNwithrn l

−

→rn+1∈ tr_RPNthere is as_n+1 ∈S_MNCwiths_n−→^l s_n+1 ∈tr_MNCandmap(s_n+1) =r_n+1so that lcan be applied by:

• Firing byr_n −−−−−→^t^name^(t^r⁾ r_n+1 ∈ tr_RPNas in Def. 15 withr_n+1 = [(N, M⁰)]there is by Def. 16 also as_n −−−−−→^t^name^(t^s⁾ s_n+1 ∈ tr_MNC withs_n+1 =net(Places, Transitions, Pre, Post, Markings⁰) | Rule Int Int IDPoolso that

– Activation:

Ifpre^⊕(tr)≤Mr(line one of Def. 7) andrn

t_name(tr)

−−−−−→rn+1 ∈trRPNdue to M[t_riM⁰ inN withr_n+1 = [N, M⁰], thent_ris activated. Hence, mark-ing{PreValue ; M}can be rewritten by the rewrite rule[fire]

defined in Def. 7 and Listing 4, so that PreValue for ts is the less or equal than the marking of s_n as well ast_name(t_s) = t_name(t_r) and t_name(t_r)∈A_RPN.

– Capacity limitation:

If M +post^⊕(t_r) ≤ cap fort_r, then thePostValue is less or equal than the capacity for each place used byts(line two of Def. 7). Hence, (PreValue ; M) plus PostValue can be rewritten by the rewrite rule[fire]defined in Def. 7 and Listing 4,

– New marking:

If the following marking forr_n+1is calculated byM⁰ = (M_r pre^⊕(t_r))⊕ post^⊕(tr)(line three of Def. 7), thencalc(((PreValue ; M) mi-nus PreValue) plus PostValue)can be rewritten as the fol-lowing markingMarkings⁰ by the rewrite rule[fire]defined in Def.

7 and Listing 4.

• Transformation byr_n−−−−−→^r^name^(r^r⁾ r_n+1∈tr_RPNas in Def. 15 withr_n+1= [(N⁰, M⁰)]

there is by Def. 16 also as_n−−−−−→^r^name^(r^s⁾ s_n+1∈tr_MNCwiths_n+1 =net(Places, Transitions, Pre, Post, Markings⁰) | Rule Int Int ID-Poolso that

– match:

If there is an occurrenceo:L→Ndefined in Def. 15 byr_randr_n−−−−−→^r^name^(r^r⁾ r_n+1 ∈tr_RPN, thens_ncan be rewritten by the rewrite rule[r_name]defined in Def. 11 and Listing 5 byL⊆sn.

– freeOfMarkingapplies for each deleted placep*MRest, as defined in Def. 11 by the gluing condition

– emptyNeighbourForPlaceapplies for each deleted placep*Pre∧

p*Postas defined in Def. 11 by the gluing condition

Remark 4. The function map in Lemma 9 is not injective due to the isomorphism class in Def.

Theorem 2(Bisimulation ofLTSRPNandLTSMNC). LTSRPNand LTSMNCare bisimilar as defined in Def. 2 by map in Def. 18

Proof of Theorem 2. For each relation defined bymapof Def. 18, which consists ofs∈S_MNC andr ∈S_RPNwithmap(s) =r= [N, M], we have:

• s→s⁰: For eacha∈A_MNCthere ismap(s) = randr −→^a r⁰ ∈tr_RPN, due tos−→^a s⁰ ∈ trMNCand the mapping of Lemma 8 and Lemma 9 there ismap(s⁰) =r⁰by Lemma 8 and Lemma 9.

• r →r⁰: For eacha∈A_MNCthere ismap(s) =rands−→^a s⁰ ∈trMNC, due tor −→^a r⁰ ∈ tr_RPNand the mapping of Lemma 8 and Lemma 9 there ismap(s⁰) =r⁰by Lemma 8 and Lemma 9.

So that a bisimulation betweenLTS_RPNandLTS_MNCis defined by the map function.

5 Correctness of Model Checking for Maude

Im Dokument Model Checking of Reconfigurable Petri Nets (Seite 52-59)