Nets, Slices and Fairness

In this section we want develop an intuition on how precisely a slice captures the behaviour of the original net with respect to the places mentioned in the slicing criterion Crit.

48 4. Slicing Petri Nets

p1 p2

p3

p5p4

p6 t1

t2

t5 t3

(a) (1,0,0,0,0,0)

(0,1,1,0,0,0) (0,1,0,1,0,0) (0,1,0,0,1,1) (0,1,0,0,0,1)

t1

t4 t2

t5 t3

(b) _(1,0,0,0)

(0,1,0,0) (0,0,1,0) (0,0,0,1) (0,0,0,0)

t1

t4 t2

t5 t3

(c)

Figure 4.4: Example of a proper but ineffective slice. (a) shows the original net Σ and slice(Σ,{p5}), (b) the state space of Σand (c) the state space of slice(Σ,{p5}).

t1

t2

t5 p4 t3

(a) _(1,0,0)

(0,1,0) (0,0,1) (0,0,0) t1

t4 t2

t5 t3

(b)

Figure 4.5: Example of an effective slice. (a) shows the original net Σ and slice(Σ,{p4})and (b) the state space of slice(Σ,{p4}).

4.2. CTL^∗_-X Slicing 49 Firing Sequences on the Original and its Slices So let us consider the firing sequence σ = t2t0t4t3t5 of Σ1 in Fig. 4.2. Firing σ generates the marking with a token ons1, s2, s5 only. σis certainly not executable onΣ^′₁ as such, sincet0, t2 and t3 are not transitions ofΣ^′₁. Omitting these transitions, proj_T′

1(σ) = t4t5 remains. t4t5 is a firing sequence of Σ^′₁ and generates the marking with only a token ons5. So the markings resulting from firing σ on Σ1 and proj_T′

1(σ)on Σ^′₁ coincide on the places in P₁^′.

Actually, it is always the case that for a firing sequence σ of Σ,proj_T′(σ) is a firing sequence of its slice Σ^′ and that σ andproj_T′(σ) change the token count on P^′ in the same way. In section 4.2.2 we will formally show that every firing sequence σ^′ of a slice Σ^′ is also a firing sequence of Σ, and the projectionproj_T′(σ)of a firing sequenceσofΣis a firing sequence ofΣ^′. But since we are interested in the preservation of temporal properties, reachability of (sub)markings is not enough.

Temporal Properties and Maximal Firing Sequences According to Chapter 2 the satisfiability of path formulas is determined by maximal firing sequences (c.f. Def. 2.3.2 and Def. 2.4.1). Since we would like to preserve LTL or CTL, we would hence like a correspondence of maximal firing se-quences ofΣand Σ^′. Unfortunately this is not the case and we cannot verify CTL or LTL using the slice right away, as the following example illustrates.

Let us consider the formula ϕ =AF(s₅,1), which is an LTL-X and CTL-X

property. The slice Σ^′₁ satisfies this property: Σ^′₁ has two maximal firing se-quencest4t5t6 andt4t5t7. Both sequences firet5 and hence mark eventually s5 with a token. Σ does not satisfy ϕ, since the maximal firing sequence σ = t4t3t3t3... never generates a token on s5. The projection of σ on T₁^′, proj_T′

1(σ) =t4, is not maximal on Σ^′.

Intuitively, the reason for the non-correspondence between maximal firing sequences of Σ and Σ^′ is that the net discard—the bit that is sliced away—

exposes a divergence that is not reflected within the slice. As a consequence maximal firing sequences on Σ are projected onto non-maximal firing se-quences onΣ^′. One way to fix this problem is to rule out divergencies outside the slice by means of a fairness assumption on the original net.

50 4. Slicing Petri Nets Fairness Rules out Divergencies In the following we will use a very weak fairness assumption to rule out divergencies within the net discard. In Def. 2.4.3 we introduced a firing sequence to be relatively fair with respect to a fairness constraintF ⊆T if in case a transitiont ∈F is eventually perman-ently enabled, some transition of F is fired infinitely often. In the following we will set F to the set of transitions of the slice. This fairness assumption guarantees progress within the slice. As long as there are transitions in T^′ permanently enabled, transitions in T^′ will be fired. Our example firing se-quence σ = t₄t₃t₃t₃... is not fair with respect to T^′, as t₅ is permanently enabled, but no transition inT^′ is fired.

Note that we do not always need to make this fairness assumption to verify a property using the slice. Guaranteeing progress is only necessary when studying liveness properties. Also if we want to falsify a property using the slice it is not necessary to assume that Σ is fair w.r.t. T^′, as we will see.

Fairness and Maximality We will show that any firing sequence of Σ that is fair with respect to T^′ is projected onto a maximal firing sequence of Σ^′ and that any maximal firing sequence of Σ^′ corresponds to a fair firing sequence on Σ.

Other fairness assumptions could be made to guarantee progress onT^′and hence to rule out divergencies within the net discard. We may for instance assume stronger fairness notions like weak fairness or strong fairness.

Stuttering Marking Sequences As we consider state based logics we are not primarily interested in correspondences of firing sequences but in the induced changes of the states (=markings). Since a firing sequence ofΣand its projection proj_T′(σ)fired onΣ^′ change the token count on places inP^′ in the same way, the generated marking sequences are quite similar.

Consider again the net Σ₁ in Fig. 4.2 and its slice Σ^′₁. σ₁ =t₄t₁t₅t₆ and σ2 =t4t3t1t5t6 are both maximal firing sequences ofΣgenerating the mark-ingM with a token ons2 ands6 only. σ^′ =t4t5t6 is the projection ontoT₁^′ of bothσ1andσ2. Sinceσ^′,σ1andσ2are from the slice’s point of view the same,

4.2. CTL^∗_-X Slicing 51 we want M(M_init^′ , σ^′) correspond to M(Minit, σ₁) and M(Minit, σ₂). Figure 4.6 illustrates that when we merely restrict the markings ofM(Minit, σ1)and M(Minit, σ2) toP₁^′, the result is the same asM(M_init^′ , σ^′) except for stutter-ing, that is finite repetitions of (sub)markings (c.f. Sect. 2.1). This stuttering is due to the firing of transitions outside the slice. σ1 fires t1 between the slice’s transitions t4 and t5, andσ2 fires t3t1 between t4 and t5.

t

4

t

5

t

6 M(σ^′) =

1 0 0

! ₀ 1 0

! ₀ 0 1

! ₀ 0 0

!

M(σ¹) =













 1 1 1 0 0 0



























 1 1 0 1 0 0



























 0 1 0 1 0 0



























 0 1 0 0 1 0



























 0 1 0 0 0 1















M(σ²) =













 1 1 1 0 0 0



























 1 1 0 1 0 0



























 1 1 0 1 0 0



























 0 1 0 1 0 0



























 0 1 0 0 1 0



























 0 1 0 0 0 1















Figure 4.6: Correspondence of marking sequences. Marking sequences M(Minit, σ₁), M(Minit, σ₂) on Σ₁ are both generated from firing sequences corresponding to σ^′ onΣ^′₁ (cf. Fig. 4.2).

Stuttering and Next-Time When studying the previous example it be-comes obvious that by considering the slice we cannot say how many steps (=

transition firings) the original net will make to reach a certain submarking.

But the next-time operatorXcounts steps. Let us examine what this means for CTL formulas using X.

In Fig. 4.2 the CTL formulas ϕ1 =EX EX EX (s5,1) and ϕ2 =EX EX EX EX (s5,1)are valid onΣ1. M(Minit, σ1)and M(Minit, σ2) represent such marking sequences. But there is no marking sequence onΣ^′₁ satisfying either ϕ1 or ϕ2. The CTL formula ϕ3 =AX AX(s5,1) holds for Σ^′₁, but obviously not forΣ1. Hence the slice can neither be used for verification or falsification of CTL formulas using X.

52 4. Slicing Petri Nets Let us now examine LTL properties using X: The LTL property ψ = AXX (s5,1) is satisfied byΣ^′₁, but not byΣ1. Hence in general Σ^′ cannot be used for verification of LTL formulas using X, as Σ^′ |=ϕ 6⇒ Σ|=ϕ. But we will show later in this section that indeed Σ^′ can be used for falsification of

∀CTL^∗ and hence LTL properties using X.

Im Dokument Slicing and reduction techniques for model checking Petri nets (Seite 59-64)