
On Temporal Properties of Nested Petri Nets

Leonid Dvoryansky
Department of Software Engineering, National Research University Higher School of Economics, Moscow, Russia
leo@mathtech.ru

Daniil Frumin
Department of Software Engineering, National Research University Higher School of Economics, Moscow, Russia
difrumin@edu.hse.ru

Abstract—Nested Petri nets is an extension of Petri net formalism with net tokens for modelling multi-agent distributed systems with complex structure. Temporal logics, such as CTL, are used to state requirements of software systems behaviour. However, in the case of nested Petri nets models, CTL is not expressive enough for specification of system behaviour. In this paper we propose an extension of CTL with a new modality for specifying agents behavior. We define syntax and formal semantics for our logic, and give small examples of its usage.

Index Terms—Petri nets, nested Petri nets, temporal logic, CTL

I. INTRODUCTION

Petri nets are a popular formalism for modelling concurrent systems. Different extensions of Petri nets are extensively studied in the literature. The most popular are coloured Petri nets [5]. Nested Petri nets [6] are a formalism for modelling hierarchical multi-agent systems. There is a variety of temporal logics for specifying behavioural properties of discrete systems, such as HML, CTL, LTL and μ-calculi [4], [1], [3]. However, they are not convenient for expressing some natural properties of nested Petri nets.

The paper is organized as follows. To start with, we give the necessary foundations of labelled transition systems and Petri nets. Then we describe the nested Petri nets formalism. After that we give some examples of nested Petri net properties we would like to express, and define nCTL, an extension of CTL for nested Petri nets. Finally we describe a formal semantics for nCTL. The paper ends with a conclusion.

II. Background

Definition 1. A Labelled Transition System (LTS) is a tuple $(S, q_0, R, Act)$ where

• $S$ is a set of states (worlds);

• $Act$ is a set of actions;

• $q_0 \in S$ is an initial state;

• $R \subseteq S \times Act \times S$ is a transition relation.

For convenience we write $s \xrightarrow{a} s'$ instead of $(s, a, s') \in R$.

Definition 2. A Petri net (P/T-net) is a 4-tuple $(P, T, F, W)$ where

• $P$ and $T$ are disjoint finite sets of places and transitions, respectively;

• $F \subseteq (P \times T) \cup (T \times P)$ is a set of arcs;

• $W : F \to \mathbb{N} \setminus \{0\}$ is an arc multiplicity function, that is, a function which assigns to every arc a positive integer called the arc multiplicity.

The research is partially supported by the Russian Fund for Basic Research (project 11-01-00737).

We denote by $\bar{W}$ the extension of $W$ by zero:

$$\bar{W}(x, y) = \begin{cases} W(x, y) & \text{if } (x, y) \in F, \\ 0 & \text{otherwise.} \end{cases}$$

A marking of a Petri net $(P, T, F, W)$ is a multiset over $P$, i.e. a mapping $M : P \to \mathbb{N}$. By $\mathcal{M}(N)$ we denote the set of all markings of a P/T-net $N$.

We say that the transition $t$ in a P/T-net $N = (P, T, F, W)$ is active in the marking $M$ iff for every $p \in \{p \mid (p, t) \in F\}$: $M(p) \ge W(p, t)$. An active transition may fire, resulting in a marking $M'$ such that for all $p \in P$: $M'(p) = M(p) - \bar{W}(p, t) + \bar{W}(t, p)$.
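As an added illustration (not part of the paper), the following Python code implements the activation and firing rule above and builds the LTS of Definition 1 for a P/T-net by exploring its reachable markings. The net and the initial marking are constructed here for the example and are not taken from the paper's figures; exploration assumes the net is bounded.

```python
from collections import deque


class PTNet:
    """A P/T-net (P, T, F, W) as in Definition 2. Multiplicities are stored for
    the arcs in F only; w() is the extension W-bar of W by zero."""

    def __init__(self, places, transitions, arcs):
        self.P = list(places)
        self.T = list(transitions)
        self.W = dict(arcs)      # (x, y) -> multiplicity, (x, y) in (P x T) U (T x P)

    def w(self, x, y):
        return self.W.get((x, y), 0)

    def active(self, M, t):
        # t is active in M iff M(p) >= W(p, t) for every input place p of t
        return all(M.get(p, 0) >= self.w(p, t) for p in self.P)

    def fire(self, M, t):
        # M'(p) = M(p) - W(p, t) + W(t, p) for every place p
        if not self.active(M, t):
            raise ValueError(f"transition {t} is not active in {M}")
        return {p: M.get(p, 0) - self.w(p, t) + self.w(t, p) for p in self.P}

    def reachability_lts(self, M0):
        """The LTS (S, q0, R, Act) of Definition 1: S = reachable markings,
        Act = T, R = {(M, t, M') | firing t in M yields M'}. Terminates for bounded nets."""
        key = lambda M: tuple(sorted(M.items()))   # hashable form of a marking
        M0 = {p: M0.get(p, 0) for p in self.P}
        q0 = key(M0)
        S, R, queue = {q0}, set(), deque([M0])
        while queue:                               # breadth-first exploration
            M = queue.popleft()
            for t in self.T:
                if self.active(M, t):
                    M2 = self.fire(M, t)
                    R.add((key(M), t, key(M2)))
                    if key(M2) not in S:
                        S.add(key(M2))
                        queue.append(M2)
        return S, q0, R, set(self.T)


def example_net():
    """Constructed net (not from the paper): t1 and t2 move a token between a and b,
    mirroring the alternating t1/t2 behaviour the paper discusses; t3 needs two
    tokens in b (arc multiplicity 2) and is therefore never active with one token."""
    return PTNet(places=["a", "b", "c"], transitions=["t1", "t2", "t3"],
                 arcs={("a", "t1"): 1, ("t1", "b"): 1, ("b", "t2"): 1,
                       ("t2", "a"): 1, ("b", "t3"): 2, ("t3", "c"): 1})


if __name__ == "__main__":
    S, q0, R, Act = example_net().reachability_lts({"a": 2})
    for M, t, M2 in sorted(R):
        print(dict(M), "--", t, "->", dict(M2))
```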

III. Nested Petri Nets

In this section we define nested Petri nets (NP-nets) [6]. For simplicity we consider here only two-level NP-nets, where net tokens are usual Petri nets.

Definition 3. A nested Petri net is a tuple $(Atom, Expr, Lab, SN, (EN_1, \dots, EN_k))$ where

• $Atom = Var \cup Con$ is a set of atoms;

• $Lab$ is a set of transition labels;

• $(EN_1, \dots, EN_k)$, where $k \ge 1$, is a finite collection of P/T-nets, called element nets;

• $SN = (P_{SN}, T_{SN}, F_{SN}, \upsilon, W, \Lambda)$ is a high-level Petri net where

- $P_{SN}$ and $T_{SN}$ are disjoint finite sets of system places and system transitions respectively;

- $F_{SN} \subseteq (P_{SN} \times T_{SN}) \cup (T_{SN} \times P_{SN})$ is a set of arcs;

- $\upsilon : P_{SN} \to \{EN_1, \dots, EN_k\} \cup \{\bullet\}$ is a place typing function;

- $W : F_{SN} \to Expr$ is an arc labelling function;

- $\Lambda : T_{SN} \to Lab \cup \{\tau\}$ is a transition labelling function, $\tau$ being the special "silent" label.

The arc expression language $Expr$ is defined as follows. Let $Con$ be a set of constants interpreted over $\mathcal{A} = \mathcal{A}_{net} \cup \{\bullet\}$, where $\mathcal{A}_{net} = \{(EN, m) \mid \exists i \in \{1, \dots, k\} : EN = EN_i,\ m \in \mathcal{M}(EN_i)\}$, i.e. $\mathcal{A}_{net}$ is the set of marked element nets. Let $Var$ be a set of variables. Then an expression in $Expr$ is a multiset over $Con \cup Var$. The arc labelling function $W$ is restricted in such a way that constants or multiple instances of the same variable are not allowed in input arc expressions of a transition, constants and variables in output arc expressions should correspond to the types of the output places, and each variable in an output arc expression of a transition should occur in one of the input arc expressions of that transition.

A marking $M$ in an NP-net $NPN$ is a function mapping each $p \in P_{SN}$ to some (possibly empty) multiset $M(p)$ over $\mathcal{A}$. By abuse of notation, the set of all markings of an NP-net $NPN$ is denoted by $\mathcal{M}(NPN)$.

The behaviour of an NP-net consists of three kinds of steps. A system-autonomous step (resp. element-autonomous step) is a firing of a transition labelled with $\tau$ in the system net (resp. in one of the element nets).

An element-autonomous step is a transition firing according to the standard firing rules for P/T-nets.

To describe a system-autonomous step we need the concept of binding.

Definition 4. Let $Vars(e)$ denote the set of variables in an expression $e \in Expr$. For each $t \in T_{SN}$ we define $W(t) = \{W(x, y) \mid (x, y) \in F_{SN} \land (x = t \lor y = t)\}$, the set of all expressions labelling arcs incident to $t$.

A binding $b$ of a transition $t$ is a function $b : Vars(W(t)) \to \mathcal{A}$, mapping every variable in the $t$-incident arc expressions to some value.

We say that a transition $t$ is active w.r.t. a binding $b$ iff $\forall p \in \{p \mid (p, t) \in F_{SN}\} : b(W(p, t)) \subseteq M(p)$. An active transition may fire (denoted $M \to M'$), yielding a new marking $M'(p) = M(p) - b(W(p, t)) + b(W(t, p))$ for each $p \in P_{SN}$. An autonomous step in a net token changes only this token's inner marking. An autonomous step in the system net can move, copy, generate, or remove the tokens involved in the step, but does not change their inner markings.

A (vertical) synchronization step is a simultaneous firing of a transition labelled with some $\lambda \in Lab$ in the system net together with firings of transitions, also labelled with $\lambda$, in all net tokens involved in (i.e. consumed by) this system net transition firing. For further details see [6]. Note, however, that here we consider a typed variant of NP-nets, in which each place is assigned the type of one element net.

IV. Temporal Logics

In this section we describe CTL - computational tree logic, which is widely used for specifying temporal properties of reactive systems.

A CTL formula is defined by the following grammar:

$\varphi ::= \mathit{true} \mid (\neg\varphi) \mid (\varphi_1 \lor \varphi_2) \mid EU(\varphi_1, \varphi_2) \mid AU(\varphi_1, \varphi_2) \mid EX(\varphi) \mid p$

where p is an atomic proposition.

A CTL formula is interpreted over Kripke structures. A Kripke structure is a labelled transition system (cf. Definition 1) where $Act$ is a singleton $\{\tau\}$.

We can recursively define the interpretation of a given CTL formula $\varphi$ over a Kripke structure $K$ and a current state $s$. We suppose some fixed interpretation of atomic propositions $I : S \times AP \to \{true, false\}$.

• $(K, s) \models true$;

• $(K, s) \models p$ iff $I(s, p) = true$;

• $(K, s) \models (\varphi_1 \lor \varphi_2)$ iff $(K, s) \models \varphi_1$ or $(K, s) \models \varphi_2$;

• $(K, s) \models (\neg\varphi)$ iff $(K, s) \not\models \varphi$;

• $(K, s) \models EX(\varphi)$ iff $\exists (s, \tau, s') \in R$ such that $(K, s') \models \varphi$;

• $(K, s) \models EU(\varphi_1, \varphi_2)$ iff there exists a path $s_0 s_1 s_2 \cdots$ in $K$ (that is $s_0 \to s_1$, $s_1 \to s_2$, $\dots$) such that $s_0 = s$ and $\exists n.\ (\forall j \in \overline{0, n-1}.\ (K, s_j) \models \varphi_1) \land (K, s_n) \models \varphi_2$;

• $(K, s) \models AU(\varphi_1, \varphi_2)$ iff for every path $s_0 s_1 s_2 \cdots$ in $K$ with $s_0 = s$ the following holds: $\exists n.\ (\forall j \in \overline{0, n-1}.\ (K, s_j) \models \varphi_1) \land (K, s_n) \models \varphi_2$.

We can also define the additional useful operator weak until: $AW(\varphi, \psi) = \neg EU(\varphi \land \neg\psi, \neg\varphi \land \neg\psi)$ and $EW(\varphi, \psi) = \neg AU(\varphi \land \neg\psi, \neg\varphi \land \neg\psi)$. Intuitively, if a model satisfies $AW(\varphi, \psi)$ (resp. $EW(\varphi, \psi)$) then on all paths (resp. on some path) either $\varphi$ is true until we encounter $\psi$, or $\varphi$ is always true. The difference between $AW(\psi, \varphi)$ and $AU(\psi, \varphi)$ is that in the former it is not necessary that $\varphi$ is reached.
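The CTL semantics above becomes executable on a finite Kripke structure by computing the set of states satisfying each operator as a fixpoint. This added Python example (not from the paper) does that for EX, EU and AU and derives AW and EW exactly through the duality stated above; the structure it checks is constructed for illustration, and it assumes the path-based reading in which a deadlocked state has no path along which anything can still be reached.

```python
class Kripke:
    """Kripke structure: an LTS whose only action is the paper's tau, with the
    interpretation I given as the set of atomic propositions true in each state.
    Every formula is represented by the set of states satisfying it."""

    def __init__(self, arcs, labels):
        self.labels = labels                          # state -> set of propositions
        self.states = set(labels)
        self.succ = {s: set() for s in self.states}
        for s, s2 in arcs:
            self.succ[s].add(s2)

    def atom(self, p):
        return {s for s in self.states if p in self.labels[s]}

    def neg(self, phi):
        return self.states - phi

    def ex(self, phi):                                # some successor satisfies phi
        return {s for s in self.states if self.succ[s] & phi}

    def ax(self, phi):                                # every successor satisfies phi;
        # a deadlocked state has no path along which anything can be reached later
        return {s for s in self.states if self.succ[s] and self.succ[s] <= phi}

    def _lfp(self, step, seed):                       # least fixpoint of Z = seed | step(Z)
        z = set(seed)
        while True:
            z2 = z | step(z)
            if z2 == z:
                return z
            z = z2

    def eu(self, phi1, phi2):                         # EU = lfp Z. phi2 | (phi1 & EX Z)
        return self._lfp(lambda z: phi1 & self.ex(z), phi2)

    def au(self, phi1, phi2):                         # AU = lfp Z. phi2 | (phi1 & AX Z)
        return self._lfp(lambda z: phi1 & self.ax(z), phi2)

    def aw(self, phi, psi):                           # AW(phi, psi) = !EU(phi & !psi, !phi & !psi)
        return self.neg(self.eu(phi & self.neg(psi), self.neg(phi) & self.neg(psi)))

    def ew(self, phi, psi):                           # EW(phi, psi) = !AU(phi & !psi, !phi & !psi)
        return self.neg(self.au(phi & self.neg(psi), self.neg(phi) & self.neg(psi)))


def example_kripke():
    """Constructed structure (not from the paper): 0 -> 1 -> 2 (q holds, then loops),
    0 -> 3 (nothing holds, loops), 0 -> 4 (p holds forever)."""
    arcs = [(0, 1), (1, 2), (2, 2), (0, 3), (3, 3), (0, 4), (4, 4)]
    labels = {0: {"p"}, 1: {"p"}, 2: {"q"}, 3: set(), 4: {"p"}}
    return Kripke(arcs, labels)
```

State 4 separates the two until operators: $AW(p, q)$ holds there because $p$ holds forever, while $AU(p, q)$ fails because $q$ is never reached.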

V. TEMPORAL PROPERTIES OF NP-NETS

Let's consider the following example (Fig. 1). Here the left net is the system net with the net token $a$ residing in $p_1$; the net token $a$ itself is depicted in the right part of Fig. 1.

Fig. 1. NP-net $NPN_1$

LTS representing the behaviour of this NP-net is shown in Fig.2.

Imagine we want to check that in every net token the transitions $t_1$ and $t_2$ fire by turns. We could try the formula $AG((t_1 \Rightarrow AX\,AW(\neg t_1, t_2)) \land (t_2 \Rightarrow AX\,AW(\neg t_2, t_1)))$. Although this approach might look attractive at first sight, it does not work in many cases.

To show why this approach does not work, let's take a closer look at the LTS $S_2$ (Fig. 4) corresponding to $NPN_2$ (Fig. 3).

Since $t_1$ appears "before" $t_2$ in the LTS $S_2$, we can conclude that $NPN_2$ satisfies our formula. However, in the second net token $t_2$ actually fired before $t_1$. The problem is that transition firings in different net tokens are indistinguishable in our model: $t_2$ in Fig. 4 refers to the firing of $t_2$ in the net token which originally resided in $q_3$, but $S_2$ does not contain any information about that.

To handle such properties we introduce a new modality in the next section.

Fig. 2. LTS corresponding to $NPN_1$

Fig. 3. NP-net $NPN_2$

VI. NCTL

In this section we present a solution to the problem described above by introducing an additional modality.

A. Syntax

To specify properties concerning states (markings), system transitions and transitions in element nets we introduce a logic with three categories of formulae. Just like in CTL we make use of path quantifiers in both state and transition formulae.

We define the syntax of nCTL with a fixed nested Petri net NPN in mind.

State formulae: $A ::= true \mid \mu \mid \neg A \mid (A_1 \lor A_2) \mid (B) \mid [C] \mid EU(A_1, A_2) \mid AU(A_1, A_2)$

Transition formulae: $B ::= true \mid \chi \mid \neg B \mid (B_1 \lor B_2) \mid (A) \mid EU(B_1, B_2) \mid AU(B_1, B_2)$

Element transition formulae: $C ::= true \mid \gamma \mid \neg C \mid (C_1 \lor C_2) \mid [A] \mid EU(C_1, C_2) \mid AU(C_1, C_2) \mid AX\,C$

Here $true$ is a boolean constant, $\mu$ is a function, called a marking predicate, with the type $\mathcal{M} \to \{true, false\}$, i.e. a predicate on the set of all markings. A function $\chi$ maps the transitions $T$ of $SN$ to booleans. $\gamma$ is a predicate on the set of all transitions of all element nets (we do not need a predicate on markings of element nets, since every marking of an element net can be characterized by a subset of $\mathcal{M}$). $EU$ and $AU$ are familiar from conventional CTL.

Fig. 4. LTS $S_2$ of $NPN_2$

An nCTL formula is a well-formed state formula.

B. Examples


The idea of using both state and event modalities was first developed in the ASK-CTL library for coloured Petri nets [2]. We extend this idea to NP-nets.

Intuitively, when we encounter an element transition subformula, we switch our interpreting context to the LTS of an element net. Nesting of the modalities allows us to switch back and forth between contexts. $[\varphi]$ means that there exists a path in the LTS of the NP-net along which $\varphi$ holds for every element net.

Now we can express the "switching" property for $NPN_2$ (Fig. 3): $[AU(\neg t_2, t_1) \land AG(t_2 \Rightarrow AX\,AU(\neg t_2, t_1)) \land AG(t_1 \Rightarrow AX\,AU(\neg t_1, t_2))]$. The $AU(\neg t_2, t_1)$ part is necessary to check whether $t_1$ is the first transition to be fired.

In order to properly verify whether the LTS corresponding to $NPN_2$ is a model for our formula, we should change the way we construct the LTS. Firstly, we introduce a set $N = \{n_0, n_1, \dots\}$ every member of which represents a single element net token (note that $N$ is different from $\mathcal{A}_{net}$, since the latter contains only types of element nets together with their markings, while the former also distinguishes between individual tokens). Now we mark arcs in the LTS with tuples of the form $(t, n_i)$, where $t$ is the name of a transition in the element net token $n_i \in N$. From here on we use the notation $t[n_i]$ to denote $(t, n_i)$.

The new LTS corresponding to $NPN_2$ is shown in Fig. 5. The element net token residing in $q_1$ (resp. $q_3$) is denoted as $n_0$ (resp. $n_1$). If we check the only path generated by the transitions, $(T_1, t_1[n_0])(T_2, t_2[n_1], t_2[n_0])$, we see that it does not satisfy our formula.
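To see concretely why labelling arcs with $t[n_i]$ matters, here is an added Python example (not from the paper) that takes the path $(T_1, t_1[n_0])(T_2, t_2[n_1], t_2[n_0])$, projects it onto each net token and checks the switching property token by token, next to the token-blind view that the old LTS $S_2$ offers. The encoding of a step as a tuple of labels and the function names are this example's own conventions.

```python
# Each LTS arc carries the firings of one step: a system transition name such as
# "T1" and element firings t[n] encoded as ("t1", "n0").  The path from the text:
PATH_NPN2 = [("T1", ("t1", "n0")), ("T2", ("t2", "n1"), ("t2", "n0"))]


def element_firings(step):
    """The t[n] firings of one step, in the order they appear on the arc."""
    return [item for item in step if isinstance(item, tuple)]


def token_traces(path):
    """Project the path onto net tokens: n -> the transitions n fired, in order.
    A token is consumed at most once per step, so two firings inside one step
    never belong to the same token and their relative order is irrelevant."""
    traces = {}
    for step in path:
        for t, n in element_firings(step):
            traces.setdefault(n, []).append(t)
    return traces


def flat_trace(path):
    """The trace as the old LTS S2 shows it: transition names only, token identity lost."""
    return [t for step in path for t in dict.fromkeys(t for t, _ in element_firings(step))]


def alternates(trace, first="t1", second="t2"):
    """A single token's finite trace satisfies AU(not second, first) together with
    AG(first => AX AU(not first, second)) and AG(second => AX AU(not second, first))
    exactly when it is a prefix of (first second)*."""
    expected = first
    for t in trace:
        if t != expected:
            return False
        expected = second if expected == first else first
    return True


def switching_violations(path, first="t1", second="t2"):
    """Tokens whose own trace breaks the switching property, with the offending trace."""
    return {n: tr for n, tr in token_traces(path).items() if not alternates(tr, first, second)}


if __name__ == "__main__":
    print("S2 view:", flat_trace(PATH_NPN2), "alternates:", alternates(flat_trace(PATH_NPN2)))
    print("per token:", token_traces(PATH_NPN2), "violations:", switching_violations(PATH_NPN2))
```

The token-blind trace $t_1 t_2$ passes the check, while the per-token projection exposes $n_1$, whose first firing is $t_2$.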

It is worth mentioning that our approach is not equivalent to model checking of element transition formulae on the LTSs corresponding to element nets. This is caused by the fact that the LTS corresponding to an element net should be considered only w.r.t. transitions in the system net, due to vertical synchronization. In addition, nCTL provides the ability to switch back to the system context based on properties of an element net. Consider this example: $[(AX\,t_1 \Rightarrow [M_1]) \lor (AX\,t_2 \Rightarrow [(EX\,T_2)])]$. An NP-net $N'$ models that formula if either $t_1$ fires in the next step in the element net and $N'$ reaches marking $M_1$, or $t_2$ fires in the next step in the element net and $T_2$ is enabled in the system net after that.

Fig. 5. New LTS of $NPN_2$

We need to construct the LTS with respect to information about specific element nets. Let us consider some concrete problems connected with that.

Fig. 6. NP-net $NPN_3$

Fig. 6 represents an example of a nested Petri net where the firing of transition $T_1$ yields two copies ($n_0$ in $p_2$, $n_1$ in $p_3$) of the same element net; therefore in both copies we need to keep the history of the old net token. For example, if the net token $k$ (Fig. 7) resides in the place $p_1$ in $NPN_3$, we get the LTS shown in Fig. 8.

VII. NCTL semantics

nCTL formulae are interpreted over a pair $(L_{NPN}, m)$, where $L_{NPN}$ is the LTS corresponding to $NPN$ and $m$ is a reachable marking of the latter. We say that $NPN$ satisfies a formula $\varphi$ iff $(L_{NPN}, m_0) \models \varphi$, where $m_0$ is the initial marking of $NPN$. State-transition modalities allow us to switch between the different types of formulae.

Interpretation for state formulae ($\mathcal{P}_m$ denotes the set of paths of $L_{NPN}$ starting in $m$; in the until clauses we write $m_0$ for the current marking $m$):

• $(L_{NPN}, m) \models_A true$

• $(L_{NPN}, m) \models_A \mu \iff \mu(m)$

• $(L_{NPN}, m) \models_A \neg\varphi \iff (L_{NPN}, m) \not\models_A \varphi$

• $(L_{NPN}, m) \models_A \varphi_1 \lor \varphi_2 \iff (L_{NPN}, m) \models_A \varphi_1$ or $(L_{NPN}, m) \models_A \varphi_2$

• $(L_{NPN}, m) \models_A (\varphi) \iff \exists a.\ m \xrightarrow{a} m' \land (L_{NPN}, (m, a, m')) \models_B \varphi$

• $(L_{NPN}, m) \models_A [\varphi] \iff \exists a.\ m \xrightarrow{a} m' \land (L_{NPN}, (m, a, m')) \models_C \varphi$

• $(L_{NPN}, m_0) \models_A AU(\varphi_1, \varphi_2) \iff \forall \alpha = a_1 a_2 \cdots \in \mathcal{P}_{m_0}.\ \exists n \le |\alpha|.\ m_0 \xrightarrow{a_1} m_1 \xrightarrow{a_2} m_2 \cdots m_{n-1} \xrightarrow{a_n} m_n.\ (\forall i \in \overline{0, n-1}.\ (L_{NPN}, m_i) \models_A \varphi_1) \land (L_{NPN}, m_n) \models_A \varphi_2$

• $(L_{NPN}, m_0) \models_A EU(\varphi_1, \varphi_2) \iff \exists \alpha = a_1 a_2 \cdots \in \mathcal{P}_{m_0}.\ \exists n \le |\alpha|.\ m_0 \xrightarrow{a_1} m_1 \xrightarrow{a_2} m_2 \cdots m_{n-1} \xrightarrow{a_n} m_n.\ (\forall i \in \overline{0, n-1}.\ (L_{NPN}, m_i) \models_A \varphi_1) \land (L_{NPN}, m_n) \models_A \varphi_2$

Interpretation for transition formulae:

• $(L_{NPN}, (m, a, m')) \models_B true$

• $(L_{NPN}, (m, a, m')) \models_B \chi \iff \bigwedge \{\chi(t) \mid t \in ST(a)\}$, where $ST(a)$ is the set of system transitions involved in the step $a$.

• $(L_{NPN}, (m, a, m')) \models_B \neg\varphi \iff (L_{NPN}, (m, a, m')) \not\models_B \varphi$

• $(L_{NPN}, (m, a, m')) \models_B \varphi_1 \lor \varphi_2 \iff (L_{NPN}, (m, a, m')) \models_B \varphi_1$ or $(L_{NPN}, (m, a, m')) \models_B \varphi_2$

• $(L_{NPN}, (m, a, m')) \models_B (\varphi) \iff (L_{NPN}, m') \models_A \varphi$

• $(L_{NPN}, (m_0, a_1, m')) \models_B AU(\varphi_1, \varphi_2) \iff \forall \alpha = a_1 a_2 \cdots \in \mathcal{P}_{m_0}.\ \exists n \le |\alpha|.\ m_0 \xrightarrow{a_1} m_1 \xrightarrow{a_2} m_2 \cdots m_{n-1} \xrightarrow{a_n} m_n.\ (\forall i \in \overline{0, n-1}.\ (L_{NPN}, (m_i, a_{i+1}, m_{i+1})) \models_B \varphi_1) \land (L_{NPN}, (m_n, a_{n+1}, m_{n+1})) \models_B \varphi_2$

• $(L_{NPN}, (m_0, a_1, m')) \models_B EU(\varphi_1, \varphi_2) \iff \exists \alpha = a_1 a_2 \cdots \in \mathcal{P}_{m_0}.\ \exists n \le |\alpha|.\ m_0 \xrightarrow{a_1} m_1 \xrightarrow{a_2} m_2 \cdots m_{n-1} \xrightarrow{a_n} m_n.\ (\forall i \in \overline{0, n-1}.\ (L_{NPN}, (m_i, a_{i+1}, m_{i+1})) \models_B \varphi_1) \land (L_{NPN}, (m_n, a_{n+1}, m_{n+1})) \models_B \varphi_2$

Interpretation for nested transition formulae:

• $(L_{NPN}, (m, a, m')) \models_C true$

• $(L_{NPN}, (m, a, m')) \models_C \gamma \iff \bigwedge \{\gamma(t[n]) \mid t[n] \in NT(a)\}$, where $NT(a)$ is the set of element net transitions involved in the step $a$.

• $(L_{NPN}, (m, a, m')) \models_C \neg\varphi \iff (L_{NPN}, (m, a, m')) \not\models_C \varphi$

• $(L_{NPN}, (m, a, m')) \models_C \varphi_1 \lor \varphi_2 \iff (L_{NPN}, (m, a, m')) \models_C \varphi_1$ or $(L_{NPN}, (m, a, m')) \models_C \varphi_2$

• $(L_{NPN}, (m, a, m')) \models_C [\varphi] \iff (L_{NPN}, m) \models_A \varphi$

• $(L_{NPN}, (m_0, a_1, m')) \models_C AU(\varphi_1, \varphi_2) \iff \forall \alpha = a_1 a_2 \cdots \in \mathcal{P}_{m_0}.\ \exists n \le |\alpha|.\ m_0 \xrightarrow{a_1} m_1 \xrightarrow{a_2} m_2 \cdots m_{n-1} \xrightarrow{a_n} m_n.\ (\forall i \in \overline{0, n-1}.\ (L_{NPN}, (m_i, a_{i+1}, m_{i+1})) \models_C \varphi_1) \land (L_{NPN}, (m_n, a_{n+1}, m_{n+1})) \models_C \varphi_2$

• $(L_{NPN}, (m_0, a_1, m')) \models_C EU(\varphi_1, \varphi_2) \iff \exists \alpha = a_1 a_2 \cdots \in \mathcal{P}_{m_0}.\ \exists n \le |\alpha|.\ m_0 \xrightarrow{a_1} m_1 \xrightarrow{a_2} m_2 \cdots m_{n-1} \xrightarrow{a_n} m_n.\ (\forall i \in \overline{0, n-1}.\ (L_{NPN}, (m_i, a_{i+1}, m_{i+1})) \models_C \varphi_1) \land (L_{NPN}, (m_n, a_{n+1}, m_{n+1})) \models_C \varphi_2$

• $(L_{NPN}, (m_0, a_1, m')) \models_C AX\,\varphi \iff \forall \alpha = a_1 a_2 \cdots \in \mathcal{P}_{m_0}.\ (m_0 \xrightarrow{a_1} m_1 \xrightarrow{a_2} m_2 \cdots) \land (L_{NPN}, (m_1, a_2, m_2)) \models_C \varphi$

From a practical perspective, nCTL logic enables us to state properties of agents in multiagent systems.

VIII. Conclusion and future research

The temporal logic nCTL, described in this paper, is an extension of CTL for specifying semantic properties of nested Petri nets. nCTL may be helpful for describing behavioural properties of multi-agent systems with complex structure. It allows one to express both system net and element net properties directly. This gives a straightforward way of formalizing NP-net specific temporal properties.

Our next goal is to develop an algorithm for constructing the LTS describing the semantics of a given NP-net. We also plan to investigate the expressive power of nCTL and study the possibility of developing an effective verification algorithm for nested Petri nets.

REFERENCES

[1] Julian Bradfield, Colin Stirling. Modal mu-calculi. In: Patrick Blackburn, Johan Van Benthem and Frank Wolter (eds.), Studies in Logic and Practical Reasoning, Volume 3, Elsevier, 2007, pp. 721-756.

[2] A. Cheng, S. Christensen, and K. H. Mortensen. Model Checking Coloured Petri Nets Exploiting Strongly Connected Components. CiteSeer, 1997.

[3] Edmund M. Clarke, Orna Grumberg, Doron Peled. Model Checking. MIT Press, 2001.

[4] Ian Hodkinson, Mark Reynolds. Temporal logic. In: Patrick Blackburn, Johan Van Benthem and Frank Wolter (eds.), Studies in Logic and Practical Reasoning, Volume 3, Elsevier, 2007, pp. 655-720.

[5] K. Jensen and L. M. Kristensen. Coloured Petri Nets: Modelling and Validation of Concurrent Systems. Springer, 2009.

[6] I. A. Lomazova. Nested Petri nets: Modeling and analysis of distributed systems with object structure. Moscow: Scientific World, 2004. 208 p.
