
which reduction rule is applicable depends on Σei only.

5.4 Necessity and Sufficiency

In this section we will first examine whether the set of reduction rules is sufficient to reduce any environment and whether all six reductions are necessary to replace any environment while preserving LTL-X. Then we discuss sufficiency for CTL-X preserving reductions. Of course, our reductions are not sufficient to replace every environment equivalently w.r.t. CTL-X, as the results of the previous section show. We will show that any set of reductions that is sufficient to replace every environment net by a CTL-X equivalent summary has far more reduction rules.

Necessity and Sufficiency for LTL-X Preservation. The reduction rules’ preconditions can be arranged in a full binary decision tree, where every node except a leaf has two children. Such a binary tree is given in Fig. 5.4 on page 83. Since this tree defines a route for every outcome of each inner node’s decision, our set of reduction rules is sufficient to classify all environment nets.

The results for the Dead End reduction (cf. Sect. 5.3.5) show that a Dead End environment can also be replaced by a Borrower or a Consumer summary. Hence the Dead End reduction is not necessary and we can build a decision tree as in Fig. 5.16. Although the Dead End reduction is not necessary to reduce environment nets, it is convenient to single out Dead Ends since they imply dead transitions and hence indicate a design error of the net.

We will now show that all reduction rules of Fig. 5.16 are necessary by proving that we cannot find another set of reductions preserving LTL-X with fewer rules.

We give example nets ΣA and ΣB for every two distinct environment net classes such that they are distinguishable by an LTL-X formula only due to their environment nets. Any set of LTL-X preserving reduction rules has to distinguish these.

130 5. Cutvertex Reductions

Figure 5.16: Decision tree without Dead End environment. Decision nodes (each with a yes and a no branch): Σqe=0 ⊨ AG(q,0)?; Is q 1-safe in Σqe=1?; Σqe=0 ⊨ AFG(q,1)?; Σqe=1 ⊨ AFG(q,1)?; Σqe=0 ⊨ AG((q,1) FG(q,1))?. Leaf labels: Borrower/Consumer, Producer, Consumer, Borrower, Unreliable Producer, Producer-Consumer.

In Fig. 5.17 we give two nets with the same kernel where the right one has a Borrower environment whereas the left one has a Consumer environment instead. The LTL-X property ψ = AF(p3,1) holds for the Borrower net, because the Borrower environment can fire its transitions at most once and eventually places the token on q permanently. So the kernel transition has to mark p3. In contrast, the Consumer net may fire tr and in this case p3 is not eventually marked.

Figure 5.17: Borrower versus Consumer. Both nets have the places p1, q and p3; the Consumer net additionally has the transition tr. ψ = AF(p3,1); Borrower net: Σ ⊨ ψ; Consumer net: Σ ⊭ ψ.
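The Borrower versus Consumer argument can be replayed with a small explicit-state check. This is an added example, not code from the thesis: the two nets are constructed for illustration (the transition names `t`, `take`, `give_back` and the places `once`, `held` are assumptions, not the nets drawn in Fig. 5.17), and AF is evaluated over maximal runs, i.e. a run ends only in a deadlock.

```python
# Added illustration: constructed 1-safe nets, not the nets of Fig. 5.17.
# A marking is a frozenset of marked places; a transition is (pre, post).
F = frozenset

def successors(marking, transitions):
    """Markings reached by firing one enabled transition."""
    return [(marking - pre) | post
            for pre, post in transitions.values() if pre <= marking]

def reachable(initial, transitions):
    """All markings reachable from the initial marking."""
    seen, stack = {initial}, [initial]
    while stack:
        for nxt in successors(stack.pop(), transitions):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen

def holds_AF(initial, transitions, place):
    """AF(place,1) over maximal runs, as a least fixpoint on the state graph.

    A marking satisfies AF if the place is marked, or if it is not a
    deadlock and every successor satisfies AF.
    """
    states = reachable(initial, transitions)
    sat = {m for m in states if place in m}
    changed = True
    while changed:
        changed = False
        for m in states - sat:
            succ = successors(m, transitions)
            if succ and all(s in sat for s in succ):
                sat.add(m)
                changed = True
    return initial in sat

# Shared kernel (assumed): t consumes p1 and q and marks p3.
KERNEL = {"t": (F({"p1", "q"}), F({"p3"}))}
# Borrower (assumed shape): takes the token from q at most once, returns it.
BORROWER = {**KERNEL,
            "take": (F({"q", "once"}), F({"held"})),
            "give_back": (F({"held"}), F({"q"}))}
# Consumer (assumed shape): tr removes the token from q for good.
CONSUMER = {**KERNEL, "tr": (F({"q"}), F())}

M0_BORROWER = F({"p1", "q", "once"})
M0_CONSUMER = F({"p1", "q"})
```

On these nets `holds_AF(M0_BORROWER, BORROWER, "p3")` is true and `holds_AF(M0_CONSUMER, CONSUMER, "p3")` is false: firing `tr` leads to a deadlock in which p3 is unmarked.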

Figure 5.18 demonstrates how a non-producing environment can be distinguished from a producing environment. In the Borrower net the place p3 is never marked, whereas p3 can eventually be marked if the environment is producing. It is shown analogously that a net with a Borrower or Consumer environment is distinguishable from a net with a Producer, Producer-Consumer or Unreliable Producer environment.

Figure 5.18: Borrower versus Producer. Both nets have the places p1, q and p3. ψ = AG(p3,0); Borrower net: Σ ⊨ ψ; Producer net: Σ ⊭ ψ.

We are left to show that the producing environments are also distinguishable from each other by LTL-X formulas. A net with Producer environment can be distinguished from a net with Producer-Consumer environment, because the Producer is guaranteed to place the token on q. Hence p3 is eventually marked in the Producer net of Fig. 5.19. A Producer-Consumer environment can decide to remove the token from q and an Unreliable Producer environment can decide not to mark q. Hence there is an execution that does not eventually mark p3.

Figure 5.19: Producer versus Producer-Consumer. Both nets have the places p1, q and p3. ψ = AF(p3,1); Producer net: Σ ⊨ ψ; Producer-Consumer net: Σ ⊭ ψ.

Finally, we show that Producer-Consumer environments must be distinguished from Unreliable Producer environments in Fig. 5.20. The net with an Unreliable Producer environment satisfies ψ, i.e. if p3 eventually gets marked, then it always will eventually be marked again, as the token will cycle within the kernel. In the net with Producer-Consumer environment the token may also cycle within the kernel but every time the token is placed on q the environment may decide to remove the token.

Figure 5.20: Producer-Consumer versus Unreliable Producer. Both nets have the places p1, q and p3. ψ = A((F(p3,1)) ⇒ GF(p3,1)); Producer-Consumer net: Σ ⊭ ψ; Unreliable Producer net: Σ ⊨ ψ.

So we have now shown that the set of rules is sufficient to replace any environment net and that all reductions are necessary to preserve LTL-X.

Sufficiency for CTL-X Preservation. Only the Borrower, Producer and Dead End reductions preserve CTL-X and hence CTL-X, as we have seen in Sect. 5.3. We will show that any sufficient set of CTL-X preserving rules is much larger than our set of LTL-X preserving rules.

Using CTL we can also distinguish the environment nets discussed above and hence a set of CTL preserving reductions has to distinguish at least all these five environments. Above we used LTL properties that are also CTL properties for all but the last case. The CTL formula ϕ = EF((p3,1) ∧ EF(EG(p3,0))) distinguishes the Producer-Consumer from the Unreliable Producer in Fig. 5.20. ϕ holds on the Producer-Consumer as p3 can be marked and the token can be removed every time it is placed on q. ϕ does not hold on the Unreliable Producer net, because after q is marked the token circles within the kernel forever.

Since not all reductions preserve CTL we have to extend the set of reductions. Fig. 5.21 shows four nets with the same kernel but different Producer-Consumer environments that can be distinguished from each other by CTL-X formulas. In the following we present and explain the distinguishing formulas.

The formula ϕA = AGEF(p3,1) holds for the net in (A) but not for the nets in (B)-(D), because in (B)-(D) the token can be removed from the contact place q and then p3 is never marked again. The formula ϕB = EG((p3,0) ∧ EF(p3,1)) is satisfied if there is a path where every visited state does not mark p3 and from every visited state a path leads to a state where p3 is eventually marked. ϕB does not hold on (B) as the only firing sequence that never marks p3 fires t1t2 and then it is not possible to mark p3. ϕB holds on (C) and (D) since the token can circle within the environment net. We can distinguish (C) from (D) by ϕC = EF((p3,1) ∧ EFEG((p3,0) ∧ EF(p3,1))).

We omit some of the quantifiers and motivate the slightly simpler formula ϕC = EF((p3,1) ∧ FG((p3,0) ∧ EF(p3,1))) instead. ϕC is satisfied if there is a path that leads to a state where p3 is marked and also eventually only visits states where p3 is not marked and where a path starts that leads to a state where p3 is marked. So ϕC and ϕC hold on (C), since t0 can fire, then the token can finitely often circle within the kernel and finally the token circles forever within the environment net. While circling within the environment net, the token can always be placed onto p3 by firing t4 or t0t4, respectively.

The net in (D) does not satisfy ϕC because p3 can only be marked after t1

5.5. Decomposing Monolithic Petri Nets 133