Fakultät für Informatik der Technischen Universität München,
Lehrstuhl für Theoretische Informatik und Grundlagen der KI


Partial-order verification techniques

Pu 'u O 'o (Hawaii) Cooperations Financial Support

Publications, Tools

Current Members: Former Members:
  • Angelika Mader
  • Stephan Melzer
Links

The unfolding technique

  • Introduction
  • An example
  • How big are complete prefixes
  • How are properties checked with complete prefixes?
  • A bibliography on the unfolding technique

    Other research on partial order semantics

  • Decidability of partial order equivalences


    Introduction

    Since 1994 we are working on the development of a model-checking technique for the verification of concurrent systems. The technique is based on the concept of net unfoldings, a well-known partial order semantics originally introduced for Petri nets by Nielsen, Plotkin and Winskel in 1980 [NPW80]. It can be applied to different models of concurrency, like Petri nets, different classes of communicating automata, and simple process algebras.

    The unfolding of a system is an occurrence net, a particularly simple Petri net without cycles. A concurrent system (think of it as a tuple of communicating transition systems) is to its unfolding what a single transition system is to its unwinding into a tree.

    The unfolding of a concurrent system is behaviourally equivalent to it, in the same way that the unwinding of a transition system is behaviourally equivalent to the transition system itself. To make this statement precise you can choose your favourite notion of equivalence: Trace-, failures-, bisimulation-equivalence, or even so called true concurrency equivalences, like history-preserving bisimulation ..., which not only preserve the possible execution sequences and the branching structure, but also the concurrency of the system.

    Unfoldings are usually infinite nets, and so they cannot be directly stored in a computer. However, K. McMillan observed in his Ph. D. Thesis [McM93] that it is possible to construct a finite initial part of the unfolding containing as much information as the unfolding itself. We call such an initial part a finite complete prefix. The set of reachable states of a finite complete prefix coincides with the set of reachable states of the system. Finite complete prefixes can be generated, stored in a computer, and use to check behavioural properties.

    One of the advantages of complete prefixes is that they can be much smaller than the state space of the system, and (if adequate algorithms are used) never larger (see How big are complete prefixes? ). Therefore, they are a useful technique to attack the well-known state explosion problem. The price to pay is that extracting information from a prefix (for instance, whether the system is deadlock-free) is more expensive than extracting it from a transition system (see How are properties checked with complete prefixes?); Fortunately, in many examples this price turns out to be very affordable.

    The second advantage of unfoldings is that they contain information about causality, spatial distribution, and concurrency. Using this information it is possible to verify properties expressed in local logics, which allow to reason about the knowledge each component has of the global state of the system. A typical property of this kind is

    when component i executes the commit action, it knows that all other components of the system will eventually execute the commit action as well

    The unfolding technique has been applied to the verification of circuits, telecomunication systems, distributed algorithms, manufacturing systems, and others.

    For a list of our own publications on the unfolding technique, click here. For a relatively complete bibliography, click here.

    An example

    Consider the system of the figure below, modelled as a Petri net. Alternatively, we can think of this system as two communicating automata. The states of the first automaton are s1, s3, s4, s6, and the states of the second are s2, s5, s7. The automata synchronize on the transitions t4 and t5.
    A Petri net
    The unfolding is the following infinite occurrence net:
    The unfolding
    An occurrence net is an acyclic net satisfying the following properties: (1) each place has at most one input transition, and (2) two different paths leaving a place by two different arcs never meet. In fact, unfoldings can be seen as trees that synchronise on transitions. For instance, The unfolding above can be seen as the synchronisation of the two trees below, coming from the two automata of the net:
    Algorithms for the construction of finite complete prefixes iteratively generate new nodes until some transitions are identified as so-called cut-off points. No new nodes are added below a cut-off point. The constraction terminates when no new node can be added. The next figure shows a complete prefix of the unfolding above. The shaded nodes are the cut-off points.
    A finite complete prefix
    The reachable states of the complete prefix coincide with the reachable states of the system.

    How big are complete prefixes?

    A complete prefix is usually much smaller than the state space of the system. For instance, Dijkstra's dining philosophers or Milner's scheduler have complete prefixes that grow linearly with the number of components, while the corresponding transition systems grow exponentially. Complete prefixes can also be smaller than a BDD representation of the state space, as proved by the following little experiment. Three classes of philosophers were considered: For n=4, 6, 8, ..., 14 we generated 100 tables with n philosophers. the class of each philosophers was chosen randomly. We computed the sizes of a complete prefix and a BDD representation of the state space. The results are shown in the two tables below, and show that this is a very favourable case for the unfolding technique. Of course, it has to be taken into account that with a different tool for BDD generations (we use a BDD package developed at Carnegie Mellon University) the results might be different.

    BDD size
    Phil. Aver. Min. Max. St.Dev. Aver./St.Dev
    417894355520.30
    658324817163050.52
    81553390867814370.92
    1031405102751646371.48
    1248556324703985381.76
    1433742797429903857982.54

    Prefix size (number of nodes)
    Phil. Aver. Min. Max. St.Dev. Aver./St.Dev
    44640605.10.10
    67060856.00.09
    895801106.90.07
    101171001357.80.07
    121411201607.40.05
    141611401859.30.06

    There are other systems for which the BDD representation is smaller than the complete prefix. As a rule of thumb, it can be said that BDDs exploit the regularity of a system, while unfoldings exploit its concurrency. Systems composed of tightly coupled identical components are very regular and not very concurrent, and so BDDs may have the edge. For highly concurrent systems of heterogeneous components unfoldings may be more suitable. But be prepared for many exceptions.

    To close this point, it should be mentioned that current algorithms for the construction of complete finite prefixes guarantee that the prefix will never be larger than the state space. So with unfoldings one will never be worse-off in memory terms than by explicitely constructing the state space.

    How are properties checked with complete prefixes?

    Ocurrence nets have a very nice property: The set of reachable states can be characterized

    These characterisations allow to apply graph theoretical algorithms, tools for integer linear problems, and SAT solvers or logic programming tools to check safety properties like deadlock freedom or reachability of states. This is one of the strong points of the unfolding technique: it makes possible to apply technology developed along many years by the mathematical and logic programming communities.

    In automatic verification there is a trade-off between time and space. If the system is represented in a very compact way, then extracting information from it is computationally expensive. For instance, if a concurrent system is very compactly represented as a tuple of communicating automata, or as a Petri net, then typical verification problems, like deadlock-freedom or reachability of a state, are PSPACE-complete. If we take the transition system as representation instead, then the problems are polynomial, but the size of the representation blows-up in most cases. Complete prefixes offer a compromise: their size is between the sizes of the concurrent system and the transition system, and typical problems are NP-complete. As was mentioned above, the problems can be very easily translated to standard NP-complete problems, like satisfiability of boolean formulas, or integer linear programming, in order to apply existing tools for these problems. Many instances of the problems are solved very efficiently. For the example of the random philosophers and a property like deadlock-freedom, unfoldings are much more efficient than an exhaustive exploration of the state space, and also more efficient than BDDs (at least using the BDD-package we used, and in the same way as we used it). Notice that for 14 philosophers one never has to generate a prefix containing more than 185 nodes, while one may have to generate BDDs containing over 400.000 nodes. This difference in size easily compensates for the potentially more time-consuming checking algorithms of the unfolding technique.

    A bibliography on the unfolding technique

    We try to keep a relatively complete bibliography on net unfoldings. After the last update it contains over 60 references, which can be classified into the following categories:

    Please help us to keep the bibliography updated. If you write a paper on unfoldings, or know of one which is not in the bibliography, please send us a reference, if possible in BibTeX format. Please understand that we sometimes prefer not to include papers which are only indirectly related to the unfolding technique.

  • All references
  • Semantics
  • Algorithmics
  • Applications
  • Tools


    Decidability of partial order equivalences

    We have studied the decidability of partial order bisimulation equivalences for fragments of certain process algebras. To know more have a look at [KH97] and [Roe95].

    Cooperations

    Financial Support


    Publications

    [Postscript] [PDF]

    [Esp94b]
    J. Esparza.
    Model checking using net unfoldings.
    Science of Computer Programming, 23:151-195, 1994.
    Abstract: McMillan (1992) described a technique for deadlock detection based on net unfoldings. We extend its applicability to the properties of a temporal logic with a possibility operator. The new algorithm is shown to be polynomial in the size of the net for 1-safe conflict free Petri nets, while the algorithms of the literature require exponential time.

    [eskiehn95]
    J. Esparza and A. Kiehn.
    On the model checking problem for branching logic and Basic Parallel Processes.
    In Proceedings of CAV '95, number 939, pages 353-366. Springer-Verlag, 1995. [gzipped Postscript ]
    Abstract: We investigate the model checking problem for branching time logics and Basic Parallel Processes. We show that the problem is undecidable for a logic equivalent to CTL* in the usual interleaving semantics, but decidable in a standard partial order interpretation.

    [EM97]
    J. Esparza and S. Melzer.
    Model checking LTL using constraint programming.
    In Proc. of Application and Theory of Petri Nets'97, 1997. [gzipped Postscript ]
    Abstract: The model-checking problem for 1-safe Petri nets and linear-time temporal logic (LTL) consists of deciding, given a 1-safe Petri net and a formula of LTL, whether the Petri net satisfies the property encoded by the formula. This paper introduces a semidecision test for this problem. By a semidecision test we understand a procedure which may answer `yes', in which case the Petri net satisfies the property, or `don't know'. The test is based on a variant of the so called automata-theoretic approach to model-checking and on the notion of T-invariant. We analyse the computational complexity of the test, implement it using 2lp - a constraint programming tool, and apply it to two case studies.

    [EM99]
    J. Esparza and S. Melzer.
    Verification of safety properties using integer programming: Beyond the state equation.
    Formal Methods in System Design, 1999.
    to appear. [gzipped Postscript ]
    Abstract: The state equation is a verification technique that has been applied - not always under this name - to numerous systems modelled as Petri nets or communicating automata. Given a safety property P, the state equation is used to derive a necessary condition for P to hold which can be mechanically checked. The necessary conditions derived from the state equation are known to be of little use for systems communicating by means of shared variables, in the sense that many of these systems satisfying the property but not the conditions. In this paper, we use traps, a well-known notion of net theory, to obtain stronger conditions that can still be efficiently checked. We show that the new conditions significantly extend the range of verifiable systems.

    [ERV96]
    J. Esparza, S. Römer, and W. Vogler.
    An improvement of MacMillan's unfolding algorithm.
    In T. Margaria and B. Steffen, editors, Proc. of TACAS'96, number 1055, pages 87-106. Springer-Verlag, 1996. [gzipped Postscript ]
    Abstract: McMillan has proposed a new technique to avoid the state explosion problem in the verification of systems modelled with finite-state Petri nets. The technique is based on the concept of net unfolding, a well known partial order semantics of Petri nets, later described in more detail under the name of 'branching processes'. The unfolding of a net is another net, usually infinite but with a simpler structure. McMillan proposes an algorithm for the construction of a finite initial part of the unfolding which contains full information about the reachable states. We call such an initial part a finite complete prefix. He then shows how to use these prefixes for deadlock detection. Although McMillan's algorithm is simple and elegant, it sometimes generates prefixes much larger than necessary. In some cases a minimal complete prefix has O(n) in the size of the Petri net, while the algorithm generates a prefix of size O(2n) . In this paper we provide an algorithm which generates a minimal complete prefix (in a certain sense to be defined). The prefix is always smallerthan or as large as the prefix generated with the old algorithm.

    [HNW98]
    M. Huhn, P. Niebert, and F. Wallner.
    Verification based on local states.
    In Proc. of TACAS'98, number 1384, pages 35-51. Springer-Verlag, 1998. [gzipped Postscript ]
    Abstract: Net unfoldings are a well-known partial order semantics for Petri nets. Here we show that they are well suited to act as models for branching-time logics interpreted on local states. Such local logics (in particular a "distributed mu-calculus") can be used to express properties from the point of view of one component in a distributed system. Local logics often allow for more efficient verification procedures because - in contrast to interleaving branching-time logics - they do not refer to the entire space of global states. We reduce verification of local properties to standard model checking algorithms known for interleaving branching-time logics. The key is to extract a finite (usually small), local transition system bisimilar to the complete unfolding. The construction is based on the finite prefix of a net unfolding defined by McMillan.

    [HNW99]
    M. Huhn, P. Niebert, and F. Wallner.
    Model checking logics for communicating sequential agents.
    In Proc. of FOSSACS'99, number 1578, pages 227-242. Springer-Verlag, 1999. [gzipped Postscript ]
    Abstract: We present a model checking technique for Lcsa , a temporal logic for communicating sequential agents (CSAs) introduced by Lodaya, Ramanujam, and Thiagarajan. Lcsa contains temporal modalities indexed with a local point of view of one agent and allows to refer to properties of other agents according to the latest gossip which is related to local knowledge. The model checking procedure relies on a modularisation of Lcsa into temporal and gossip modalities. We introduce a hierarchy of formulae and a corresponding hierarchy of equivalences, which allows to compute for each formula and finite state distributed system a finite multi modal Kripke structure, on which the formula can be checked with standard techniques.

    [KH97]
    A. Kiehn and M. Hennessy.
    On the decidability of non-interleaving process equivalences.
    Fundamenta Informaticae, 30:23-43, 1997.
    Abstract: We develop decision procedures based on proof tableaux for a number of non-interleaving equivalences over processes. The processes considered are those which can be described in a simple extension of BPPτ , Basic Parallel Processes with communication, obtained by omitting the restriction operator from CCS . Decision procedures are given for both strong and weak versions of location equivalence and ST-bisimulation.

    [Mad97]
    A. Mader.
    Verification of Modal Properties Using Boolean Equation Systems.
    PhD thesis, TU München, 1997.
    Abstract: This thesis is concerned with model-checking in the modal Á -calculus. By showing the equivalence of solving Boolean equation systems and model-checking we are also able to derive equivalences with problems in automata-theoretic and game-theoretic frameworks, which sched new light on complexity issues for model-checking. A new algorithm for solving Boolean equation systems is presented, similar to Gau▀ elimination for linear equation systems. For the case of systems with infinite state spaces we also prove the equivalence of model-checking and solving infinite Boolean equation systems, and derive an algorithm for it.

    [ME96]
    S. Melzer and J. Esparza.
    Checking system properties via integer programming.
    In Proc. of ESOP'96. Springer-Verlag, 1996. [gzipped Postscript ]
    Abstract: The marking equation is a well known verification method in the Petri net community. It has also be applied by Avrunin, Corbett et al. to automata models. It is a semidecision method, and it may fail to give an answer for some systems, in particular for those communicating by means of shared variables. In this paper, we complement the marking equation by a so called trap equation. We show that both together significantly extend the range of verifiable systems by conducting several case studies.

    [MR97]
    S. Melzer and S. Römer.
    Deadlock checking using net unfoldings.
    In Proc. of the Conf. on Computer-Aided Verfication (CAV'97), 1997. [gzipped Postscript ]
    Abstract: McMillan presented a deadlock detection technique based on unfoldings of Petri n et systems. It is realized by means of a backtracking algorithm that has its drawback for unfoldings that increase widely. We present an approach that exploits precisely this property. Moreover, we introduce a fast implementation of McMillan's algorithm and compare it with our new technique.

    [Mer97]
    S. Merkel.
    Verification of fault tolerant algorithms using pep.
    SFB-Report TUM-I9734 342/23/97A, TU München, Dept. of Computer Science, 1997.
    Abstract: Petri net theory is an accepted approach to modelling and verifying distributed algorithms. In this paper we show how a tool based on Petri net theory, the PEP tool, can be used to model and verify fault tolerant algorithms for distributed systems. We conduct three case studies to illustrate our approach and to show the more specific problems we ran into, such as synchronization and crash detection in asynchronous systems, and we explain how we tried to solve them.

    [Roe95]
    C. Röckl.
    Proof tableaux for basic parallel processes.
    Technical report, TU München, Dept. of Computer Science, 1995.
    Term project.
    Abstract: Due to their constructiveness, recent proofs of the decidability of the strong bisimulation equivalence and the local cause equivalence of recursive BPP (Basic Parallel Processes) have provided algorithms based on the underlying tableau systems. The work in hand compares two just slightly distinct proof systems, the first of them testing on the strong bisimulation equivalence of BPP and the second testing on a more restricted notion of equivalence, the local cause equivalence. The latter is not merely a subclass of the former, but a proper one, for which a standard example will be given. Annotated to this work is a Scheme program executing both the proof utilising strong bisimulation and the one utilising local cause bisimulation upon BPP.

    [Wal98]
    F. Wallner.
    Model checking LTL using net unfoldings.
    In Prof. of CAV'98, number 1427, pages 207-218. Springer-Verlag, 1998. [gzipped Postscript ]
    Abstract: Net unfoldings are a well-studied partial order semantics for Petri nets. In this paper, we show that the finite prefix of an unfolding, introduced by McMillan, is suited for model checking linear-time temporal properties. The method is based on the so-called automata-theoretic approach to model checking. We propose a technique to treat this approach within the framework of safe Petri nets, and give an efficient algorithm for detecting the system runs violating a given specification.

    [Wim97]
    G. Wimmel.
    A bdd based model checker for the pep tool.
    Technical report, TU München, Dept. of Computer Science, 1997.
    Term project. [gzipped Postscript ]
    Abstract: PEP (Programming Environment based on Petri Nets) is a tool developed at the University of Hildesheim. It can be used for editing, simulating and verifying Petri nets, and for creating Petri nets from a program in an imperative programming language. For the verification task, model checkers are used to decide whether a given logical formula is true or false for a particular Petri net. A fairly new method in implementing model checkers, symbolic model checking, involves binary decision diagrams (BDDs), a data structure for representing considerably large state spaces. In the individual project described in this dissertation, a BDD-based model checker for the PEP tool was developed that can verify safe Petri nets. The model checker makes use of the SMV system, developed at the Carnegie Mellon University. In addition, a range of different modelling possibilities, model checking options and optimisation techniques is discussed and evaluated using examples like the dining philosophers problem. The performance of BDD-based Petri net model checking is compared to the performance of the partial order model checker that is already implemented in the PEP Tool.

    Tools

    If you are interested in any of the following tools based on the unfolding technique, mail Stefan Römer.

    Links to Related Sites