
Structure and behavior

In the document Explicit state space verification (pages 23-32)

Without further clarification, the term system is highly ambiguous. For our purposes, systems are abstract views on real or imagined dynamic processes in nature, technology, or society. These processes can usually be observed (at least hypothetically) in terms of quantities that change over time. The major tool of abstraction is the concept of state. A state comprises all quantities relevant to the further evolution of a system. If these quantities suffice to determine the future of a system uniquely, we call this system deterministic, otherwise nondeterministic. Nondeterminism is an inevitable consequence of abstraction, independently of our beliefs about the existence of nondeterminism in the real world.

Systems can be distinguished by the nature of the quantities comprising their states. If all quantities range over dense domains, such a system is called continuous. If all quantities range over countable domains, the system is called discrete. If states comprise both discrete and continuous quantities, we call such a system hybrid. Continuous systems are widely and successfully used for studying processes in nature. Hybrid systems have recently attracted the attention of control theorists, since, in the context of embedded systems, the behavior of discrete controllers in a continuous environment is a major concern. In the digital realm of computer science, various processes can be modeled by means of discrete systems. States of a real-time system contain time as a particular quantity, and otherwise solely discrete quantities.

Real-time systems that assume a discrete time scale fall into the category of discrete systems, while real-time systems that assume a dense time scale are hybrid.

Continuous and hybrid systems typically have uncountable state spaces (i.e. sets of states that they pass through during their evolution). This makes them intractable for explicit state space verification without further abstraction, since explicit state space verification is essentially about enumerating single states. Thus, we confine all our forthcoming considerations to discrete systems.

In a reasonable discrete system, state changes occur only at singular points of time. These time points can then be referred to as events. Once the notion of events has been introduced, the evolution of a system can be regarded as a finite or infinite sequence of events, and it is possible to abstract from an explicit notion of time. When reasoning about systems, it is convenient to tie together events supposed to be related to a common cause into an action. Using the concepts of state, event, and action, discrete systems can be formalized as labeled transition systems, a class of automata.

Definition 1 (Labeled transition system) A labeled transition system $[S, E, A]$ consists of a countable set $S$ of states, a countable set $A$ of actions, and a set $E \subseteq S \times A \times S$ of events¹.

Some set $I$ of states of a labeled transition system may be qualified as initial states, extending the notation of labeled transition systems to $[S, E, A, I]$.

The relation $[s, a, s'] \in E$ can be written as $s \xrightarrow{a} s'$. We write $[s, s'] \in E$, or $s \longrightarrow s'$, for: there exists an action $a$ such that $[s, a, s'] \in E$. The arrow notation for events can be extended to finite sequences of actions by defining $s \xrightarrow{\varepsilon} s$ for arbitrary states $s$ and the empty sequence $\varepsilon$, and defining $s \xrightarrow{wa} s'$ iff there is a state $s''$ such that $s \xrightarrow{w} s''$ and $s'' \xrightarrow{a} s'$. We say that $s'$ is reachable from $s$ ($s \longrightarrow s'$) iff there is a sequence $w$ of actions holding $s \xrightarrow{w} s'$. For a labeled transition system $[S, E, A, I]$ with initial states, one usually requires that $S$ consists only of states that are reachable from some state in $I$.

An action $a$ is enabled at a state $s$ iff there is a state $s'$ such that $s \xrightarrow{a} s'$. Action $a$ is deterministic iff for every state $s$ there is at most one $s'$ holding $s \xrightarrow{a} s'$. It is invertible iff for every state $s'$ there is at most one state $s$ holding $s \xrightarrow{a} s'$.

¹ In the literature, the term transition is usually used instead. We decided to stick to event in order not to overload forthcoming definitions of transition.

Labeled transition systems are a reasonably simple formal approach to discrete systems. It is fairly easy to use them for the formal definition of system properties (see next section), or to devise decision procedures for such properties in the case of finite state systems (systems with finite $S$). They link the concept of discrete systems to the powerful theory of automata. Labeled transition systems have, however, a prohibitively large number of states in most cases of practical relevance, and even for a large number of toy examples.

This phenomenon, known as the state explosion problem, calls for other, more concise formalisms to be used in the actual design of systems. Consequently, it is in these formalisms that systems are given as input to a verification algorithm. Thus, we give an account of some system description formalisms.

Various formalisms are built upon a set of variables, each ranging over a data domain. A state is an assignment of feasible values to these variables. In the guarded commands approach [Dij76], actions are formalized one by one by specifying their enabling condition (a boolean valued expression over the state variables) and their effect (a concurrent assignment of new values to the state variables; the new values are expressions over the state variables themselves).

Figure 1.1: Guarded command program and labeled transition system, assuming $x = 0$ and $y = 3$ as initial state.

Every guarded command program, consisting of a list of variable declarations and a set of guarded commands, defines a labeled transition system. In this system, all feasible assignments to the declared state variables serve as states. Every guarded command $g$ defines a set of events $[s, g, s']$ such that the enabling condition of $g$ is true in $s$, and in $s'$ the variables are replaced by the values of the assigned expressions (evaluated using values from $s$). Variables not mentioned in a guarded command are assumed not to change their values.

Traditional high level programs without recursion can be rephrased as guarded command programs. It is sufficient to introduce a new state variable and assign values to it that correspond to control flow locations of the original program.

Actions defined by guarded commands are deterministic (at least, it is not common to have nondeterministic operations occurring within guarded command expressions). Usually, they are not invertible, though. For instance, two states differing in their value of a variable $x$ can share the same successor via an action that contains a constant assignment such as $x := 0$.

Several verifiers, among them SMV [McM93], Spin [Hol91], and Murφ [DDHC92], support input of system descriptions in guarded command style. They differ in details of the execution semantics (whether one command is executed at a time, as described above, or whether all enabled guarded commands are executed simultaneously).

In another paradigm of system description, a copy of each variable is introduced (usually as the primed version of the original variable). The set of events in the system is then formalized as a boolean valued expression, called the transition relation, that ranges over both sets of variables. There is an event from a state $s$ to a state $s'$ iff assigning $s$ to the original variables and $s'$ to the primed variables lets the expression evaluate to true. Among others, SMV and Lamport's TLA [Lam94] support this approach. In the transition relation approach, there is no canonical notion of action. Actions can either be left out completely, be specified separately, or be introduced by having a separate transition relation for each action. In general, transition relations yield nondeterministic actions.

$(x = 2 \cdot x' \wedge y' = y) \vee (x < y \wedge x' = x + 1 \wedge y = y' + 1) \vee (y > 0 \wedge y = y' + 1 \wedge x' = x)$

Figure 1.2: The same system as above, written in primed variable style
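As an added worked example (not code from the thesis), the transition relation of Figure 1.2 is evaluated over a constructed finite domain 0..3 with each disjunct taken as one action; the code enumerates the labeled transition system from the initial state x = 0, y = 3 and checks determinism and invertibility as defined in Definition 1. The fourth relation a4 (x' = 0 ∧ y' = y) is an assumption added here to show the non-invertible constant assignment the text describes.

```python
from collections import deque

# The three disjuncts of Figure 1.2, each taken as one action: a predicate over
# the current values (x, y) and the candidate primed values (xn, yn).
FIG_1_2 = {
    "a1": lambda x, y, xn, yn: x == 2 * xn and yn == y,
    "a2": lambda x, y, xn, yn: x < y and xn == x + 1 and y == yn + 1,
    "a3": lambda x, y, xn, yn: y > 0 and y == yn + 1 and xn == x,
}
# Constructed fourth action (not in the figure): the constant assignment x := 0
# that the text names as the typical source of non-invertibility.
WITH_RESET = dict(FIG_1_2, a4=lambda x, y, xn, yn: xn == 0 and yn == y)

DOMAIN = range(4)  # constructed finite domain 0..3 for both variables

def events_from(state, actions):
    """Events [s, a, s'] leaving s: s' ranges over the finite domain and must
    make the transition relation of a true together with s."""
    x, y = state
    return [(a, (xn, yn)) for a, rel in actions.items()
            for xn in DOMAIN for yn in DOMAIN if rel(x, y, xn, yn)]

def state_space(initial, actions):
    """Breadth-first enumeration of the states reachable from `initial`;
    returns the sets S and E of Definition 1 restricted to reachable states."""
    states, events, todo = {initial}, set(), deque([initial])
    while todo:
        s = todo.popleft()
        for a, t in events_from(s, actions):
            events.add((s, a, t))
            if t not in states:
                states.add(t)
                todo.append(t)
    return states, events

def is_deterministic(events, a):
    """Definition 1: at most one successor s' per state s via action a."""
    succ = {}
    for s, b, t in events:
        if b == a:
            succ.setdefault(s, set()).add(t)
    return all(len(ts) == 1 for ts in succ.values())

def is_invertible(events, a):
    """Definition 1: at most one predecessor s per state s' via action a."""
    pred = {}
    for s, b, t in events:
        if b == a:
            pred.setdefault(t, set()).add(s)
    return all(len(ss) == 1 for ss in pred.values())

if __name__ == "__main__":
    S, E = state_space((0, 3), FIG_1_2)
    print(len(S), "states,", len(E), "events")
    for a in FIG_1_2:
        print(a, "deterministic:", is_deterministic(E, a), "invertible:", is_invertible(E, a))
    _, E2 = state_space((0, 3), WITH_RESET)
    print("a4 invertible:", is_invertible(E2, "a4"))  # False
```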

Variables can also be used to get only partially away from an explicit, i.e. graphical, notion of labeled transition systems. A skeleton labeled transition system graph, having a vertex for each state and an edge for each event, can be annotated by variables (not attached to a particular graphical object) while expressions are attached to graphical objects. A state of the actual system consists of a state of the skeleton plus an assignment to the variables. An event corresponds to replacing a vertex by a successor vertex, and rewriting the variables according to the assignments annotated at the taken edge. Boolean expressions annotated at the edge (transition guards), or at the successor vertex (state invariant), can prevent an edge from being taken in a state where the variable values render such expressions false. The real-time verification tool UPPAAL [LPY97] has an input language using this paradigm. Actions in this approach are deterministic if the skeleton is deterministic and the assignments do not introduce nondeterminism.

[Figure 1.3 drawing: skeleton graph with vertices 0, 1, 2; the edges are guarded by y>0 (one edge by y>1) and carry the assignment y:=y-1]

Figure 1.3: Same system in mixed explicit and variable based notation; y assumes 3 as initial value

Instead of variables, one can use locations, or places, as carriers of state. A state is then a distribution of resources over the locations. For an action, one would specify which resources it consumes or produces at each location. In this view, an action would be disabled at least in states where not all resources to be consumed are present in the respective locations. Petri nets, the most popular formalism of this class, have absence of resources as their only way to disable actions. Actions in resource oriented descriptions are usually deterministic and, at least in the Petri net case, also invertible.

Figure 1.4: Not the same system, depicted as Petri net; places are circles, actions are boxes, resources are black dots, and consumption/production is coded by edges

Systems can be composed to larger systems. In sequential composition, only one component is active, and control is passed to the second component when the first component terminates. The second component may access the final values of the variables in the first component. In parallel composition, both components are active at the same time. The composed system can be executed synchronously (an event in the composed system corresponds to the simultaneous occurrence of one event per component) or asynchronously (an event in the composed system corresponds to only one event of one of its components). Interaction of parallel components is more complex than interaction of sequential components. Components may exchange data via variables that both can access (shared variables), or via passing messages to each other. In the message passing case, there are dedicated send and receive actions and message buffers between the components. Upon send, the sending component adds a data record to the buffer. The enabling condition of a send action includes the test whether a buffer cell is available. A receive action retrieves a record from the buffer and is disabled when the buffer is empty. The system behavior depends on the specified buffer sizes. An unlimited buffer would never disable a send action. Buffers can be skipped altogether if messages are passed by simultaneous occurrence of send and receive. This kind of synchronizing actions of different components is, besides semaphores for assuring mutual exclusion, one of the major ways to interfere with another component's control flow.
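An added example (not the thesis's own code) of the message passing composition just described: a constructed sender of two records and a receiver are composed asynchronously over a FIFO buffer of a chosen capacity, with capacity 0 standing for the bufferless case in which send and receive occur simultaneously; the component names and record contents are assumptions.

```python
from collections import deque

MESSAGES = ("m1", "m2")   # constructed: the sender emits these two records in order

def events(state, capacity):
    """Events of the asynchronous parallel composition; exactly one component
    (or, for a rendezvous, both at once) moves per event. A state is
    (records sent, records received, buffer contents)."""
    sent, received, buf = state
    out = []
    can_send = sent < len(MESSAGES)
    if capacity == 0:          # no buffer: send and receive occur simultaneously
        if can_send:
            out.append(("sync " + MESSAGES[sent], (sent + 1, received + 1, ())))
        return out
    if can_send and len(buf) < capacity:   # send needs a free buffer cell
        out.append(("send " + MESSAGES[sent],
                    (sent + 1, received, buf + (MESSAGES[sent],))))
    if buf:                                # receive is disabled on an empty buffer
        out.append(("recv " + buf[0], (sent, received + 1, buf[1:])))
    return out

def state_space(capacity):
    """Explicit enumeration of the composed system's reachable states and events."""
    init = (0, 0, ())
    S, E, todo = {init}, set(), deque([init])
    while todo:
        s = todo.popleft()
        for a, t in events(s, capacity):
            E.add((s, a, t))
            if t not in S:
                S.add(t)
                todo.append(t)
    return S, E

def size_profile(capacities=(0, 1, 2, 10)):
    """(number of states, number of events) for each buffer size: the behavior
    of the composed system depends on the capacity chosen in the description."""
    return {c: (len(state_space(c)[0]), len(state_space(c)[1])) for c in capacities}
```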

We conclude this (incomplete) enumeration of system description techniques by just mentioning the possibility of imposing refinement techniques (replacing elementary syntactical units by whole components) and hierarchies (having dedicated syntactical units for representing components and their interfaces inside other components) for further structuring system descriptions.

Faced with a Babylonian confusion of system description formalisms, it is now our task to pick one or more languages as the underlying formalism(s) for our further discourse. Just sticking to the greatest common denominator—labeled transition systems—is not an option, since bridging the gap between a system description and the labeled transition system it defines is what this thesis is about. Giving all approaches a fully formal treatment would, on the other hand, consume an inappropriately large amount of space. Studying one formalism certainly covers other formalisms, at least to the degree that descriptions can be transferred between formalisms. Possibilities of translating descriptions are far reaching but incomplete. This can be easily recognized by comparing the decidable reachability problem for Petri nets with the undecidable reachability problem for guarded command languages having the primitives of usual programming languages (the halting problem is a reachability problem). The finite state versions of the formalisms mentioned earlier (in the sense of finite variable domains, or buffers and locations having finite capacity) have, however, equivalent expressive power. This is basically due to the fact that all formalisms allow for a one-to-one representation of arbitrary finite labeled transition systems.

The capability of expressing arbitrary labeled transition systems extends only to states and events, but not necessarily to actions. Obviously, a formalism having invertible actions only, like Petri nets, is incapable of representing any labeled transition system that features non-invertible actions. This incompatibility can be fixed by letting a set of actions of the host formalism model a single action of the system to be modeled. Technically, this can be achieved by (noninjectively) labeling the actions of the host formalism and treating the labels as actions rather than the elementary syntactical units. For our goals, this view is not appropriate, though. We view actions primarily as a tool for generating events out of a system description. These events are generated out of the elementary syntactical units of the underlying formalism, no matter what labeling is imposed on top of them.

Revisiting translations between formalisms in the light of a strict preservation of actions (where one action of the original description corresponds to a unique action of the target description), we can now call a formalism A more flexible than a formalism B if every description in B can be effectively transformed to an action-preserving equivalent description in A. Now, suppose there is a state space verification technique for the more flexible formalism that is based on exploring new states by computing events out of the system's description of actions. Such a technique could be easily adapted to work for every less flexible formalism, too (if everything else fails, simply put the translation in front of the original technique). In contrast, for the less flexible formalism there may be techniques that take advantage of specific properties of actions in that formalism and are not applicable in the more flexible one.

That is, if we based our considerations on a most flexible system description formalism (one with strong expressive power), we could study only a small number of formalisms. We find it therefore wiser to pick a formalism that is rather restrictive in its modeling power yet popular enough to be safe from totally irrelevant techniques. This way, a larger number of verification techniques can be treated in a uniform formal framework. We shall, however, discuss to which degree each technique relies on the specific features of the formalism of our choice, and the implications for applying the same technique to more general system description languages. We find this approach the best way to cover both a large number of system description languages and a large number of verification techniques while keeping the formal approaches readable.

Among the formalisms enumerated earlier, we find that Petri nets are the perfect candidate for our purposes. Petri net actions are not only deterministic, but also invertible (in contrast to most variable based languages). Petri nets can be easily translated to the guarded command framework and other variable oriented formalisms such that actions are preserved. Other advantages of using Petri nets include

• simplicity

• linearity

• monotonicity

where at least the last two properties can hardly be found in other formalisms. Simplicity helps us to keep proofs readable. Linearity means that the difference between a state and its successor state via an action does not depend on the involved states. This phenomenon enables linear algebraic techniques, see Ch. 8. Monotonicity means that the enabling condition of actions is compatible with a natural partial order on states, in the sense that an action enabled in some state is enabled in all larger states, too. The coverability graph technique (Ch. 7) relies on that property.

Note that the argumentation above is limited to picking a language for presenting various verification techniques in a uniform formal framework. For choosing a formalism as a tool’s input language, or for actually conducting a case study, many other issues would be relevant.

Definition 2 (Petri net) A Petri net $N = [P, T, F, W, m_0]$ consists of a finite set $P$ of places, a disjoint finite set $T$ of transitions, a set $F \subseteq (T \times P) \cup (P \times T)$ of arcs connecting places with transitions and vice versa, a mapping $W : F \longrightarrow \mathbb{N}^+$ that assigns an arc weight to each arc, and an initial marking $m_0$. A marking $m : P \longrightarrow \mathbb{N}$ assigns a number of tokens to each place.

Places and transitions are collectively called nodes. For a node $x \in P \cup T$, ${}^\bullet x$ denotes its pre-set ${}^\bullet x = \{y \mid [y, x] \in F\}$ and $x^\bullet$ denotes its post-set $x^\bullet = \{y \mid [x, y] \in F\}$. For $[x, y] \notin F$, define $W([x, y]) = 0$.

Places are the carrier of Petri net states, transitions represent actions, weighted arcs define the effect of an action as well as its enabling condition, and markings are a synonym for states.

Definition 3 (Enabledness, state space) Let $N = [P, T, F, W, m_0]$ be a Petri net. Transition $t \in T$ is enabled at marking $m$ iff for all $p \in {}^\bullet t$, $m(p) \geq W([p, t])$. Marking $m'$ is directly reachable from marking $m$ via transition $t$ ($m \xrightarrow{t} m'$) iff $t$ is enabled at $m$ and for all $p \in P$, $m'(p) = m(p) - W([p, t]) + W([t, p])$. We extend reachability inductively to transition sequences: let $m \xrightarrow{\varepsilon} m$ for the empty sequence $\varepsilon$, and let $m \xrightarrow{wt} m'$ for a sequence $w$ and a transition $t$ iff there is a marking $m_1$ such that $m \xrightarrow{w} m_1$ and $m_1 \xrightarrow{t} m'$. Marking $m'$ is reachable from marking $m$ ($m \longrightarrow m'$) iff there is a transition sequence $w$ such that $m \xrightarrow{w} m'$.

The introduced arrow notations for reachability are compatible with the corresponding notions for the labeled transition system that is canonically associated to a Petri net: its state space.

Definition 4 (Petri net state space) Let $N = [P, T, F, W, m_0]$ be a Petri net and $L = [S, E, A, I]$ a labeled transition system. $L$ is called the state space of $N$ iff

• $S = \{m \mid m_0 \longrightarrow m\}$,

• $A = T$,

• $I = \{m_0\}$,

• and $[m, t, m'] \in E$ iff $m \xrightarrow{t} m'$.
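An added example (not from the thesis) implementing Definitions 2 to 4 for a constructed net that is not the one of Figure 1.4: two processes competing for a single semaphore token, the mutual exclusion pattern mentioned earlier. The class also exposes the linearity and invertibility properties claimed above, and the state space is built by breadth-first enumeration of single markings; all place and transition names are assumptions.

```python
from collections import deque

class PetriNet:
    """N = [P, T, F, W, m0] of Definition 2; markings are tuples indexed like P."""
    def __init__(self, places, transitions, arcs, m0):
        assert not set(places) & set(transitions), "P and T must be disjoint"
        assert all(w > 0 for w in arcs.values()), "W : F -> N+"
        self.P, self.T, self.W = tuple(places), tuple(transitions), dict(arcs)  # W: (x, y) in F -> weight
        self.m0 = tuple(m0.get(p, 0) for p in self.P)

    def w(self, x, y):
        return self.W.get((x, y), 0)  # W([x, y]) = 0 for [x, y] not in F

    def enabled(self, m, t):
        """Definition 3: m(p) >= W([p, t]) for all p in the pre-set of t (W is 0 off F)."""
        return all(m[i] >= self.w(p, t) for i, p in enumerate(self.P))

    def effect(self, t):
        """Linearity: m' - m is a constant vector, independent of m."""
        return tuple(self.w(t, p) - self.w(p, t) for p in self.P)

    def fire(self, m, t):
        """m --t--> m' with m'(p) = m(p) - W([p, t]) + W([t, p])."""
        assert self.enabled(m, t)
        return tuple(mp + d for mp, d in zip(m, self.effect(t)))

    def unfire(self, m_next, t):
        """Invertibility: the only m with m --t--> m' is m' - effect(t)."""
        return tuple(mp - d for mp, d in zip(m_next, self.effect(t)))

    def state_space(self):
        """Definition 4: S = {m | m0 --> m}, E = {[m, t, m'] | m --t--> m'}, by BFS."""
        S, E, todo = {self.m0}, set(), deque([self.m0])
        while todo:
            m = todo.popleft()
            for t in self.T:
                if self.enabled(m, t):
                    m_next = self.fire(m, t)
                    E.add((m, t, m_next))
                    if m_next not in S:
                        S.add(m_next)
                        todo.append(m_next)
        return S, E

# Constructed net (not Figure 1.4): two processes guarded by one semaphore
# token on place "mutex"; entering the critical section consumes that token.
MUTEX = PetriNet(
    places=["idle1", "crit1", "idle2", "crit2", "mutex"],
    transitions=["enter1", "exit1", "enter2", "exit2"],
    arcs={arc: 1 for i in (1, 2) for arc in (
        (f"idle{i}", f"enter{i}"), ("mutex", f"enter{i}"), (f"enter{i}", f"crit{i}"),
        (f"crit{i}", f"exit{i}"), (f"exit{i}", f"idle{i}"), (f"exit{i}", "mutex"))},
    m0={"idle1": 1, "idle2": 1, "mutex": 1},
)

def mutual_exclusion_holds(net):
    """Behavioral property over the explicit state space: never tokens on both crit places."""
    S, _ = net.state_space()
    i, j = net.P.index("crit1"), net.P.index("crit2")
    return all(not (m[i] and m[j]) for m in S)
```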

In the sequel, we shall frequently refer to concepts closely related to a Petri net (or, more generally, a system description) as structural, while with behavioral we shall address concepts closely related to the associated labeled transition system. This is in part justified by the fact that the system properties we are interested in are defined over labeled transition systems.

