· IntroductionTransition systemsBuchi automataProzess calculiPetri netsGraph transformation Course \Modelling of Concurrent Systems" (\Modellierung nebenlau ger Systeme") Winter

$Page 1: · IntroductionTransition systemsBuchi automataProzess calculiPetri netsGraph transformation Course \Modelling of Concurrent Systems" (\Modellierung nebenlau ger Systeme") Winter$
Introduction Transition systems Buchi automata Prozess calculi Petri nets Graph transformation

Course “Modelling of Concurrent Systems”(“Modellierung nebenlaufiger Systeme”)

Winter Semester 2009/10University of Duisburg-Essen

Barbara KonigTeaching assistant: Christoph Blume

Barbara Konig Course “Modelling of Concurrent Systems” 1


Motivation

What are concurrent systems?

In general: systems in which several components/processes runconcurrently and typically communicate via message passing.



Motivation

Concurrency versus parallelism:

Parallelism

Two events take place in parallel if they are executed at the samemoment in time.

Concurrency

Two events are concurrent if they could potentially be executed inparallel, but they do not have to. This means there is no causaldependency between them.

Hence: concurrency is the more general term.



Motivation

Examples

Process scheduling for a single-processor computer(concurrency, but no parallelism)

Computer with several processors

Network (LAN, WAN, Internet)

Concurrent/parallel applications

We distinguish between

Parallelism for a gain in efficiency (example: parallelsorting procedures)Concurrency caused by the use of distributed resources(example: web services)



Motivation

(Potential) characteristics of concurrent systems

Concurrency/parallelism

Openness (extendability, interaction with the environment)

Modularity

Non-terminating behaviour (infinite runs)

Non-determinism

Temporal properties (e.g. “an event will occur eventually”)



Motivation

Problems with concurrent systems

Deadlocks

Guaranteeing mutual exclusion

Infinite respectively huge state space

Strongly dynamic behaviour/changing number of processes

Variable topology/mobility

Hence: We need methods to model, analyze and verify suchsystems.



Introductory example: process communication

We consider a system with three processes P0, P1, P2:

P1 P2

P0

In this system P0 sends messages to P1, P1 sends messages to P2

and P2 sends messages to P0.




A process Pi behaves in the following way:

If there is a message waiting for Pi , the process Pi will receivethis message (Action ri – receive).

If there is no message waiting for Pi and at the same time nomessage is waiting at its neighbour Pj (with j = (i + 1)mod 3), the process Pi sends a message to Pj (Action si –send).

In each moment of time an arbitrary process in the system canexecute the next action.




Modelling via a transition system:

System states of the form (x , y , z) with x , y , z ∈ {M,−}.Example: (M,M,−) means that a message is waiting forprocesses P0 and P1, but not for P2.

Transitions/state changes with Actions ri (process Pi receivesa message) and si (process Pi sends a message).




(−,−,−)

(−,M ,−)

(M ,M ,−)

(−,−,M)

(−,M ,M)

(M ,−,−)

(M ,−,M)

s0

s2

r0

r1 r0

s1 r2

s0r2

r1

s2

s1r0

r2

r1




Extensions

What can be observed by an external observer who can notdistinguish between the different send actions and betweenthe different receive actions? Which states can be consideredequivalent?

Assume that in the system described above an error mightoccur, which leads to the inability of process P0 to sendmessages. This error always occurs right after a sendingoperation of P0. How can the transition system be extendedin such a way that the error is incorporated?

What happens if a process is allowed send another message toits neighbour, before the previous message is received?



Table of contents

We will introduce the following models for concurrent systems:

Transition systems (as above)

Models which are closer to realistic programming languages(for instance process calculi)

Additional models: Buchi automata, Petri nets, graphtransformation systems

Furthermore (in order to investigate/analyze systems):

Specification of properties of concurrent systems (safety andliveness, temporal logics)

Behavioural equivalences: When do two systems behave thesame (from the point of view of an external observer)?



Table of contents

Transition systems

Behavioural equivalences (trace equivalence, bisimulation)

Safety and liveness properties

Buchi automata

Temporal logics (LTL), model-checking

Process calculi (CCS, π-calculus)

Petri nets (unfolding of nets)

Graph transformation systems



Transition systems

Transition systems represent statesand transitions between states.

True parallelism is not directlyrepresented.

Strong similarity to automata,however we are here not so muchinterested in the acceptedlanguage.

1 2

3

a

bc



Behavioural equivalences

Assume that an external observercan only observe certain actions ofa system from the outside and hecan only interact with the systemto a limited extent . . .

How to conclude that two systemsare equivalent from the point ofview of that external observer?

This kind of interaction of theobserver with the system can oftenbe described as some form of game.

Various behavioural equivalences(trace equivalence, bisimilarity)

Interface which allowsonly certain interactionswith the system



Sicherheits- und Lebendigkeitseigenschaften

Each property of (finite orinfinite) runs of a systemcan be decomposed into

a safety property anda liveness property.

Safety property (roughly):nothing bad every happens(for instance a deadlock)

Liveness property (roughly):eventually something goodwill happen (for instancetermination)



Buchi automata

Special kind of automata whichaccept words of infinite length(named after Julius Richard Buchi)

Infinite words representnon-terminating runs of the system

Final states, as they are knownfrom finite automata, are replacedby other acceptance conditions.

1 2

3

a

bc

abcabcabc. . .



Temporale Logik, Model-Checking

Properties of systems can also bedescribed with temporal logics (forinstance LTL).

Temporal logics is accompanied byso-called model-checkingtechniques, which can check – witha transition system – whethercertain properties are satisfied bythe system.

These techniques work especiallywell for systems with a finite statespace.

S |= �♦P

property P is satisfiedinfinitely often in every run

of the system S .Here S is the model,

belonging to the formula.



Prozess calculi

Process calculi are “miniprogramming languages” whichcan describe interacting andcommunicating processes.

There are possible additional“features”: mobility (ofcommunication channels, ofprocesses)

The behaviour of processes isdescribed by transitions

Well-known process calculi: CCS,π-calculus

a.P | a.Q τ→ P | Q



Petri nets

Model for concurrent systems thatdescribes the joint use of resources.

Resources are represented bytokens and consumed andgenerated by transitions.

Many analysis techniques areavailable (coverability graph,marking equation, invariants)

There are so-called partial ordertechniques, which try to avoid thestate explosion caused byconcurrency (for instance netunfoldings)

place

transition

token



Graph transformation systems

Generalization of Petrinets, where not only setsof tokens, but graphs aretransformed.

Graphs usually modelconnected components,which may changedynamically.

Transition in a graphtransformation system:

⇒



Modelling with UML

Modelling of systems with UML (= Unified Modeling Language)will only play a minor role in this course. The following types ofUML diagrams are related to topics of the course:

State diagrams/statecharts: extended transition systems withadditional hierarchical structure

Activity diagrams: similar to Petri nets



Modelling with UML

Sequence diagrams/message sequence charts: can be used todescribe communication patterns of a fixed number ofprocesses

Process communication

(message)

time

process 1 process 2 process 3



Transition systems (motivation)

In the following we will look attransition systems, which can be usedto represent the behaviour of a systemin a very direct and explicit way.

1 2

3

a

bc



Actions and sequences of actions

We use the following notation:

Act: set of atomic actions, often denoted by a, b, c , . . . . Wewill sometimes use the internal action τ , which should beinvisible from outside.

Act∗: the set of all finite words over the alphabet Act.

Actω: the set of all infinite words over the alphabet Act.An infinite word w ∈ Actω can be represented by a mappingw : N0\{0} → Act.

Act∞ = Act∗ ∪ Actω: the set of all finite and infinite wordsover Act.

Pref(L): given a language L ⊆ Act∞ we define the set of allprefixes of L as follows:

Pref(L) = {u ∈ Act∗ | ∃w ∈ L, v ∈ Act∞ : w = uv}.



Relations

We use the following notation for relations:

A relation R between the sets A,B is a subset of A× B, i.e.,R ⊆ A× B.

Let (a, b) ∈ A× B be a pair with (a, b) ∈ R. Then we alsowrite a R b (in words: a is related to b).



Transition systems

Transition system (definition)

Let Act be a fixed set of actions. A transition system T = (Z ,→)over Act consists of

A set Z of states and

a set → ⊆ Z × Act× Z of transitions between states.

A transition system is called finite if the state set as well asthe set of transitions is finite.

Instead of (z , `, z ′) ∈→ we will in the following write z`→ z ′.

Furthermore we will abbreviate za1→ . . .

an→ z ′ by za1...an−→ z ′. In

addition zε→ z holds for every state z .

Given a state z we write za→ if there exists a state z ′ with

za→ z ′ and z 6 a→ if there is no such state.



Transition systems (examples)

A classical example: the tea/coffee-machine

We want to model a very simple machine that

outputs tea or coffee after a coin has been inserted and abutton has been pressed,

can show faulty behaviour and

may potentially behave non-deterministically.




z

coffee teacoin

button(tea)button(coffee)

A tea/coffee-machine.

We distinguish between input actions of the form a and output ac-tions (also called coactions) of the form a.




z

coin

button(tea)

coffee tea

change

button(coffee)

A machine that gives back change.




z

coffee teacoin

button(tea)

error

button(coffee)

A machine with an error. The occurrence of an error is actuallyrather an internal action and could alternatively be modelled witha τ .




z

coffee

button(tea)

error

errorcoin

teabutton(coffee)

An (unfair) machine with faulty behaviour which may enter the errorstate after a coin has been inserted.




z

coffee teacoin

button(tea)

error

repair

button(coffee)

A machine with an error state that can be repaired.




z

coffee teacoincoin


A machine with non-deterministic behaviour that makes a choice ofbeverages for the user.



Deterministic transition systems

Deterministic transition system (definition)

A transition system T = (Z ,→) is called deterministic, if for everystate z ∈ Z :

Whenever za→ z1 and z

a→ z2, then z1 = z2.

Remarks:

All tea/coffee-machines, apart from the last, are deterministic.

Opposed to deterministic finite automata we do not requirefor deterministic transition systems that every action isfeasible in every state.




The Dining Philosophers problem considers processes (=philosophers) and resources (= forks):

Three philosophers are seated at a round table and there is afork between each pair of philosophers sitting side by side.

Philosophers eventually get hungry and need both adjacentforks in order to eat.

Each philosopher picks up both forks (in any order) at anarbitrary moment in time, eats and, after eating, puts backboth forks.

P2P1

P3

F2F3

F1




Question

The intention is that the system runs forever and never terminates.Can the system reach a deadlock state in which no actions arepossible?

We solve this question by drawing the corresponding transitionsystem (at least partially).




States: 3-tuples of the form (z1, z2, z3), where zi symbolizesthe state of fork Fi . It holds that:

z1 ∈ {−,P1,P2} (F1 is not assigned, assigned to P1 or toP2)z2 ∈ {−,P2,P3} (analogous meaning)z3 ∈ {−,P3,P1} (analogous meaning)

Hence the transition system has 33 = 27 states.

Actions:

t(Pi ,Fj ): philosopher Pi takes fork Fj .ei : philosopher Pi eats.ri : philosopher Pi returns both forks.




Excerpt from the transition system:

(P1,−,−)

(P2,P2,−)

(−,−,−)

(P1,P2,−)(P1,−,P1)

(P1,P2,P3)(P1,P2,P1)

t(P1, F1)

t(P2, F2)t(P1, F3)

t(P3, F3)t(P2, F2)

(−,P2,−)

e1

e1

e2t(P2, F1)

r1

r1




Excerpt from the transition system:

(P1,−,−)

(P2,P2,−)

(−,−,−)

(P1,P2,−)(P1,−,P1)

(P1,P2,P1)

t(P1, F1)

t(P2, F2)t(P1, F3)

t(P3, F3)t(P2, F2)

(−,P2,−)

e1

e1

e2t(P2, F1)

(P1,P2,P3)

r1

r1

Deadlock!

are possible.No more transitions




Possible solutions for the deadlock problem:

Avoid deadlocks:

A philosopher has to take both forks simultaneously.Introduction of left-handed and right-handedphilosophers. A left-handed philosopher takes the left forkfirst, a right-handed philosopher takes the right fork first.If we have left-handed as well as right-handedphilosophers, no deadlocks can occur.Order the resources: F1 < F2 < F3. The smaller aresource with respect to the ordering, the earlier it has tobe taken.

Recognize and resolve deadlocks: deadlocks have to be found(by a monitoring process, via timeouts, . . . ) and to beresolved accordingly.



Behavioural equivalences (trace equivalence)

Language of a state (definition)

The language of a state z is the set of all words over Act, whichcorrespond to paths originating from z . There are three distinctpossibilities to define languages:

S(z) = {w ∈ Act∗ | ∃z ′ ∈ Z : zw→ z ′}

Sω(z) = {a1a2a3 · · · ∈ Actω | z a1→ z1a2→ z2

a3→ . . . }S∞(z) = S(z) ∪ Sω(z)

The language of a state is also called its set of traces.

Trace equivalence (definition)

Two states z , z ′ ∈ Z are called S-trace equivalent wheneverS(z) = S(z ′). Analogously we define Sω- and S∞-traceequivalence.




Trace equivalence has the following property:

Whenever z , z ′ are S∞-trace equivalent, then they are also S- andSω-trace equivalent.

Reason:

S∞(z) = S∞(z ′) impliesS(z) = S∞(z) ∩ Act∗ = S∞(z ′) ∩ Act∗ = S(z ′).

Analogously:Sω(z) = S∞(z) ∩ Actω = S∞(z ′) ∩ Actω = Sω(z ′).




However:

Whenever z , z ′ are S-trace equivalent sind, then they are notnecessarily Sω-trace equivalent (and vice versa).

Counterexamples:

States z , z ′ are S-equivalent, butnot Sω-equivalent. (From z ′ onlyfinite paths originate.)

a

z

aa

a a

a

a

z ′

aa

...

. . .

States z , z ′ are Sω-equivalent,but not S-equivalent.

a

z ′

a

b

z



Behavioural equivalences (failures equivalence)

Motivation: the states z , z ′ of the following twotea/coffee-machines are trace equivalent.

z

coffee teacoin


coffee teacoin

button(tea)

coinz ′

button(coffee)

However, one does not really want to consider these two states as“equal”. In one case the machine works correctly, in the other themachine keeps the coin without giving back a beverage.

Therefore: trace equivalence is not sufficient. We also need a wayof expressing that the reachable states allow respectively disallowthe same actions.




Failures equivalence (Definition)

Let T = (Z ,→) be a transition system. The set of failure pairs ofa state z ∈ Z is defined as:

F(z) = {(w ,A) ∈ Act∗ × P(Act) |∃z ′ ∈ Z : z

w−→ z ′ and z ′ 6 a→ for all a ∈ A}

Two states z , z ′ ∈ Z are called failure equivalent wheneverF(z) = F(z ′).




Motivation: the states z , z ′ of the two followingtea/coffee-machines are trace equivalent.

z

coffee teacoin


coffee teacoin

button(tea)

coinz ′

button(coffee)

In the example F(z ′) contains the pair(coin, {button(coffee), button(tea)}) which is not contained inF(z).




Remarks:

If a pair (w ,A) is contained in the set F(z), then we know forevery A′ ⊆ A that also (w ,A′) ∈ F(z). (We also say: F(z) isclosed under set inclusion.)Hence it is sufficient to consider pairs (w ,A) where A ismaximal.

The definition of “activation equivalence” with the followingsets A(z) is not sufficient to distinguish the correct machinefrom the faulty one.

A(z) = {(w ,A) ∈ Act∗ × P(Act) | ∃z ′ ∈ Z : zw−→ z ′ and

z ′ a→ for all a ∈ A}




Another example for failures equivalence:

z

a

c

a

b

a

c

a

b

z ′

a a

b c

It holds that:

F(z) = {(ε,A) | A ⊆ {b, c}} ∪ {(a,A) | A ⊆ {a, b, c}} ∪{(ab,A) | A ⊆ {a, b, c}} ∪ {(ac,A) | A ⊆ {a, b, c}}

= F(z ′)

and z , z ′ are hence failure equivalent.



Behavioural equivalences (bisimilarity)

There is another important equivalence which is slightly finer thanfailures equivalence and usually easier to mechanize: bisimilarity orbisimulation equivalence.

Intuitively we require that the two states z , z ′ are able to mutuallysimulate each other.

Bisimulation (definition)

Let T = (Z ,→) be a transition system. A relation R ⊆ Z × Z onstates is called bisimulation if for every pair (z1, z2) ∈ R and forevery action a ∈ Act:

for every z ′1 with z1a→ z ′1 there exists z ′2 with z2

a→ z ′2 and(z ′1, z

′2) ∈ R.

for every z ′2 with z2a→ z ′2 there exists z ′1 with z1

a→ z ′1 and(z ′1, z

′2) ∈ R.




Bisimilarity (Definition)

Two states z1, z2 are called bisimilar if there exists a bisimulationR with (z1, z2) ∈ R. In this case we write z1 ∼ z2.The relation ∼ is called bisimilarity or bisimulation equivalence.




Examples:

z

coffee teacoin


coffee teacoin

button(tea)

coinz ′

button(coffee)

The two states z , z ′ are not bisimilar.




Examples:

z

coffee teacoin


coffee teacoincoin

button(tea)

z ′

button(coffee)

The two states z , z ′ are not bisimilar.




Examples:

1

2

3 4

5

6 7

8

da

b c

d

a a

b, c b, c

d

z z ′

The two states z = 1, z ′ = 5 are bisimilar. Bisimulation:

R = {(1, 5), (2, 6), (2, 7), (3, 8), (4, 8)}Barbara Konig Course “Modelling of Concurrent Systems” 48



Bisimilarity can also be characterized as a game:

Bisimulation game

Participants: Player I, Player II

Equipment: 2 tokens, 1 transition system

Initial situation: The two tokens are placed on the states z , z ′.Rules of one round: Player I chooses one of the two tokens and

makes an arbitrary (a-)transition.Player II has to take the other token and make ana-transition as an answer.Important: In each round Player I can “change” andchoose the other token!




Bisimulation game (continuation)

Game playing: Starting with the initial situation one round afterthe other is played, until one of the two players cannot make another move.

Winning condition: Player I wins if he can make a move that cannot be simulated by Player II.Player II wins if he can simulate every move ofPlayer I. (This can also mean that the gamecontinues forever.)




Correctness of the bisimulation game (proposition)

Two states z , z ′ are bisimilar if and only if Player II has a winningstrategy in the corresponding bisimulation game, where tokens areinitially placed on z , z ′.

Remarks:

This means that Player II has to be able to win if he does notmake a mistake. It does not mean that Player II will alwayswin regardless of the moves he makes.

The strategy mentioned above is a bisimulation relation Rwhich can be used to show that z and z ′ are bisimilar.




How to describe a winning strategy for Player I?

Player I makes the first move. It is possible to set up a decisiontree that records which moves have to be made by Player Idepending on the answering moves of Player II. The leaves of thedecision tree are the moves of Player I which can not be answeredby Player II.




Example (winning strategy for Player I):

a a

z1

1

2 3b

c b

a a

b

c

z2

65

4

c

Player I: 1a→ 3

Player II: 4a→ 5 4

a→ 6

Player I: 5c→ 5 3

b→ 3Player II: — —

Depending on whether Player IIanswers with 4

a→ 5 or with4

a→ 6, it is necessary for Player Ito choose a different move.




Properties of bisimilarity:

Bisimilarity is a bisimulation (proposition)

Let T = (Z ,→) be a transition system. The bisimilarity ∼ on Zsatisfies:

∼ =⋃{R | R ⊆ Z × Z ,R is bisimulation}

The bisimilarity ∼ is a bisimulation itself.




Closure properties (proposition)

Let T = (Z ,→) be a transition system and let R1,R2 bebisimulations. Then the following relations are bisimulations aswell:

1 IdZ = {(z , z) | z ∈ Z}.2 R−1

1 = {(z2, z1) | (z1, z2) ∈ R1}3 R1R2 = {(z1, z3) | ∃z2 : (z1, z2) ∈ R1, (z2, z3) ∈ R2}4 R1 ∪ R2

The first three statements of the proposition imply that bisimilarity∼ is an equivalence relation, i.e., it is reflexive, symmetric andtransitive.




Similar to the minimization procedure for (deterministic) finiteautomata, there exists a method for determining bisimilar pairs ofstates in a transition system.

Idea:

Start with a very coarse relation ∼0 that relates all possiblestates.

Refine this relation step by step and construct relations ∼1,∼2, . . . .

As soon as two subsequent relations coincide (∼n =∼n+1) wehave found the bisimilarity (at least for finite transitionsystems). That is, we have ∼=∼n.




Method for determining bisimilar pairs of states

Input: A transition system T = (Z ,→)

Define ∼0 = Z × Z .

∼n+1 ⊆ Z ×Z , where z ∼n+1 z ′ if and only if for all a ∈ Act:

1 For every z1 with za→ z1 there exists z2 such that

z ′ a→ z2 and z1 ∼n z2.2 For every z2 with z ′ a→ z2 there exists z1 such that

za→ z1 und z1 ∼n z2.

The method terminates as soon as ∼n=∼n+1.

Output: ∼n




Example: determine the bisimilar pairs of states of the followingtransition system

a

2 3

4

c

b

b

c

a a

b

a

a

c

5

6 7

1

a




If we represent the equivalence relations ∼i via equivalence classes,then we obtain the following sequence ∼0,∼1,∼2=∼3.

5

1

7

3 2

4

∼1

5 7

3 2

4

∼0

6 6

5

1

7

3 2

4 5

1

7

3 2

4

∼2 ∼3=

6 6

1




Lemma

It holds that:

1 ∼n is an equivalence relation for all n ∈ N0.

2 z ∼n z ′ implies z ∼m z ′ for all m ≤ n.

3 z ∼ z ′ implies z ∼n z ′ for all n ∈ N0.

4 ∼n=∼n+1 implies ∼n=∼m for all m ≥ n.




Proposition

Let T = (Z ,→) be a transition system which is finitely branching,i.e., for every state z the set

{z ′ | ∃a ∈ Act : za→ z ′}

is finite.

Then we have z ∼ z ′ if and only if z ∼n z ′ for all n ∈ N0.

In other words: ∼ =⋂

n∈N0∼n.

This proposition does not hold for transition systems which are notfinitely branching.




Corollary

For every finite transition system we have:

1 The method for determining bisimilar pairs of states alwaysterminates and

2 returns the correct bisimilarity ∼.




Remarks concerning the method for determining bisimilar pairs ofstates:

For an efficient implementation the relations∼0,∼1,∼2, . . . ,∼ should not be stored explicitly. Especiallythis holds for the relation ∼0 which contains all pairs of statesand has hence size |Z |2.

An efficient implementation represents the equivalencerelation ∼i via its equivalence classes. At the beginning thereis only one equivalence class which is then refined accordingly(see also the previous example).



Internal actions

In the following we regard τ -actions as special internal actionswhich are invisible from the outside.

This means specifically:

An action sequence z1τ→ . . .

τ→ z2 looks from outside as if noaction has been performed.

In an action sequence z1τ→ . . .

a→ . . .τ→ z2 an external

observer only sees action a.



Internal actions

Hence we define a new weak transition relation:

Definition

For a set Act of actions we define the following relations:

z1ε⇒ z2 if and only if z1(

τ→)∗z2, i.e., z1τ→ . . .

τ→ z2.

For an a ∈ Act we have z1a⇒ z2 if and only if z1

ε⇒ a→ ε⇒ z2.

Standard transitions will in the following also be called strongtransitions in order to distinguish them from weak transitions.



Internal actions

Divergence

A transition system T = (Z ,→) with τ -transitions is calleddivergent if there exists an infinite run z

τ→ z1τ→ z2

τ→ . . . .

It is called convergent if there is no such run.



Internal actions

Behavioural equivalences and τ -transitions

Weak trace equivalence, weak failures equivalence and weakbisimilarity are defined on weak transitions of the form

a⇒.

In this way we obtain coarser behavioural equivalences, i.e., morestates are related to each other.



Internal actions

Example 1:

2

a

z

1

b c τ τ

z ′

a a

3

4 5

67 8b c

τ τ

The two states z , z ′ are weakly trace equivalent.



Internal actions

Example 2:

2

a

z

1

b c τ τ

z ′

a a

τ τ

c

3

4 5

67 8

b

The two states z , z ′ are weakly trace equivalent as well.



Internal actions

We will now consider weak bisimilarity in more detail:

Weak bisimulation (definition)

Let T = (Z ,→) be a transition system. A relation R ⊆ Z × Z onstates is called weak bisimulation if for every pair (z1, z2) ∈ R andfor every a ∈ Act\{τ} ∪ {ε} we have:

For every z ′1 with z1a⇒ z ′1 there exists z ′2 with z2

a⇒ z ′2 and(z ′1, z

′2) ∈ R.

For every z ′2 with z2a⇒ z ′2 there exists z ′1 with z1

a⇒ z ′1 and(z ′1, z

′2) ∈ R.



Internal actions

Weak bisimilarity (definition)

Two states z1, z2 are called weakly bisimilar if there exists a weakbisimulation R with (z1, z2) ∈ R. In this case we write z1 ≈ z2.The relation ≈ is known as weak bisimilarity or observationalequivalence.



Internal actions

Remark: the definition of bisimilarity given above is not verysatisfactory for practical purposes, since there are usually manymore strong than weak transitions.

Hence the following alternative characterization is preferable:

Alternative charakterization of weak bisimulation (proposition)

A relation R ⊆ Z × Z is a weak bisimulation if and only if for everypair (z1, z2) ∈ R and for every a ∈ Act:

For each z ′1 with z1a→ z ′1 there exists z ′2 with z2

a⇒ z ′2 and(z ′1, z

′2) ∈ R.

For each z ′2 with z2a→ z ′2 there exists z ′1 with z1

a⇒ z ′1 and(z ′1, z

′2) ∈ R.

We define a = a, whenever a ∈ Act\{τ}, and τ = ε.



Internal actions

Example 1:

2

a

z

1

b c τ τ

z ′

a a

3

4 5

67 8b c

τ τ

The two states z , z ′ are weakly bisimilar with bisimulationR = {(1, 3), (1, 4), (1, 5), (2, 6), (1, 7), (1, 8)}.



Internal actions

Example 2:

2

a

z

1

b c τ τ

z ′

a a

τ τ

c

3

4 5

67 8

b

The two states z , z ′ are not weakly bisimilar. Player I makes amove z ′ = 3

a⇒ 7 that can be answered by Player II only withz = 1

a⇒ 2. Then Player I makes a move 2c⇒ 1 and state 7 does

not allow any further (weak) c-move.



Internal actions

Remarks:

The alternative characterization of weak bisimilarity is moreconvenient for showing that two states are weakly bisimilar.(Since Player I has fewer possibilities.)

Instead the usual characterization is more convenient forshowing that two states are not weakly bisimilar. (SincePlayer I has more possibilities.)

The other, less convenient, characterization works as well.However it might be necessary to invest more effort.



Behavioural equivalences (comparison)

We now show how the various behavioural equivalences are related.We first restrict ourselves to strong transitions. However, theresults hold analogously also for the “weak” equivalences.

Failures equivalence implies S-trace equivalence (proposition)

Let z , z ′ be two failure equivalent states, i.e., F(z) = F(z ′). Thenz , z ′ are also S-trace equivalent, i.e., S(z) = S(z ′).

Remark: two failure equivalent states are not necessarily Sω-traceequivalent.




Bisimilarity implies failures equivalence and Sω-trace equivalence(proposition)

Let z , z ′ be two bisimilar states, i.e., we have z ∼ z ′. Then z andz ′ are also failure equivalent and Sω-trace equivalent.




Finally we compare strong and weak bisimilarity:

Strong bisimilarity implies weak bisimilarity

Let z , z ′ two (strongly) bisimilar states, i.e., we have z ∼ z ′. Thenz , z ′ are also weakly bisimilar, i.e., z ≈ z ′.

Reason: Every strong bisimulation ist also a weak bisimulation(where each strong transition is simulated again by a strongtransition).




Hence we have the following situation (each arrow stands for animplication):

S-equ.++

Sω-equ.,,

weakly S-equ. weakly Sω-equ.

S∞-equ.,,

^^=======

??��weakly S∞-equ.

ffLLLLLLLLLL

99rrrrrrrrrr

fail. equ.,,

OO

weakly fail. equ.

TT

bisimilar,,

OO

ee

weakly bisimilar

OO

ee



Preorders

Apart from the behavioural equivalences considered so far there arealso preorders, which order states, depending on whether theyexhibit more or less behaviour.

The relations that we consider here are not real orders, but onlypreorders (also called quasi-orders) since they are reflexive andtransitive, but usually not anti-symmetric.



Preorders

Preorders (definition)

Let T = (Z ,→) be a transition system and let z , z ′ ∈ Z be twostates.

The states z , z ′ are ordered with respect to (S-)languageinclusion, whenever S(z) ⊆ S(z ′).(Analogously: Sω-/S∞-language inclusion)

The corresponding preorder is called trace preorder.

The states z , z ′ are ordered with respect to inclusion of thesets of failure pairs, whenever F(z) ⊆ F(z ′).

The corresponding preorder is called failures preorder.



Preorders

The notion of simulation is obtained from the definition ofbisimulation by using only the first of the two conditions.

Simulation (definition)

Let T = (Z ,→) be a transition system. A relation R ⊆ Z × Z onstates is called simulation whenever for every pair (z1, z2) ∈ R andfor every action a ∈ Act:

For every z ′1 with z1a→ z ′1 there exists z ′2 with z2

a→ z ′2 and(z ′1, z

′2) ∈ R.

We say that a state z2 simulates a state z1 (in symbols: z1 ≺ z2)whenever there exists a simulation R with (z1, z2) ∈ R.

Remark: z1 ≺ z2 implies S(z1) ⊆ S(z2) and Sω(z1) ⊆ Sω(z2)



Preorders

Remarks concerning simulation:

Let z1 ≺ z2, i.e., z2 simulates z1. Then it does not necessarilyhold that either F(z1) ⊆ F(z2) or F(z1) ⊇ F(z2).

2

1

a a

4

3

b

5

Since R = {(1, 3), (2, 4)} is a simulation, we have 1 ≺ 3.However F(1) ⊆ F(3) does not hold (since (a, {b}) 6∈ F(3)),and neither does F(3) ⊆ F(1) (since (ab, ∅) 6∈ F(1)).



Preorders

z1 ≺ z2 and z2 ≺ z1 do not necessarily imply z1 ∼ z2. That is,mutual similarity does not imply bisimilarity.

31

2

a

a a

We have 1 ≺ 3 since {(1, 3), (2, 3)} is a simulation, and 3 ≺ 1since {(3, 1)} is a simulation ist. However: 1 6∼ 3.

Intuitive explanation: the two states can only be recognized asbisimilar if Player I switches to the other token. However, this isnot possible for mutual simulation.



Preorders

z1 ∼ z2 always implies z1 ≺ z2 and z2 ≺ z1.

This is caused by the fact that every bisimulation is also asimulation.



Properties of infinite words

This chapter of the course is concerned with the description ofproperties of words, where the words are often infinite.

We consider the following description formalisms and connectionsbetween the formalisms:


Buchi automata

Linear temporal logic (LTL) and LTL model-checking




Each property of (finite orinfinite) runs of a systemcan be decomposed into

a safety property anda liveness property.

Safety property (roughly):nothing bad every happens(for instance a deadlock)

Liveness property (roughly):eventually something goodwill happen (for instancetermination)




Here: a property P is a language respectively a subset of Act∞

(P ⊆ Act∞)

Safety property (definition)

A language P ⊆ Act∞ is called safety property whenever:

1 P 6= ∅2 An arbitrary word w ∈ Act∞ is contained in P if and only if

all (finite) prefixes v ∈ Pref({w}) are contained in P.




Remarks concerning safety properties:

Each safety property is closed under the prefix operation. Thatmeans, whenever a word w satisfies the safety property, thenall the prefixes of w will satisfy the safety property as well.

Given an infinite word, then its prefixes already determinewhether the word satisfies the safety property.




Examples:

{w ∈ {a, b, c}∞ | w contains no c}is a safety property.

{w ∈ {a, b, c}∞ | w contains finitely many c ’s}is no safety property.

{w ∈ {a, b, c}∞ | w contains at least one c}is no safety property.

{w ∈ {a, b, c}∞ | w contains infinitely many c’s}is no safety property.

{w ∈ {a, b, c}∞ | w contains no subword of the form abc}is a safety property.

{w ∈ {a, b, c}∞ | each a in w is eventually followed by a b}is no safety property.




Lebendigkeitseigenschaft (Definition)

A language P ⊆ Act∞ is called liveness property whenever:

1 For every u ∈ Act∗ there exists v ∈ Act∞ such that uv ∈ P.

That means that every finite word (not necessarily contained in P)must be extendable to a word that satisfies the liveness property P.




Examples:

{w ∈ {a, b, c}∞ | w contains no c}is no liveness property.

{w ∈ {a, b, c}∞ | w contains finitely many c ’s}is a liveness property.

{w ∈ {a, b, c}∞ | w contains at least one c}is a liveness property.

{w ∈ {a, b, c}∞ | w contains infinitely many c’s}is a liveness property.

{w ∈ {a, b, c}∞ | w contains no subword of the form abc}is no liveness property.

{w ∈ {a, b, c}∞ | each a in w is eventually followed by a b}is a liveness property.




More remarks:

There are properties which are neither safety nor livenessproperties:

the empty set ∅{w ∈ {a, b, c}∞ | w contains no a and at least one b}

There exists exactly one property which is a safety andliveness property at the same time:

the set of all finite and infinite words Act∞




A property which is a safety and liveness property

Whenever P is a safety and a liveness property, then P = Act∞.




The main theorem concerning safety and liveness properties readsas follows:

Proposition

Let P ⊆ Act∞ be an arbitrary language with P 6= ∅. Then thereexists a safety property S and a liveness property L such thatS ∩ L = P.




Proof sketch: a property P can be decomposed into a safetyproperty S and a liveness property L as follows:

S∗ = Pref(P) (the set of all prefixes of words in P)

Sω = {w ∈ Actω | all prefixes of w are contained in S∗}S = S∗ ∪ Sω

L = P ∪ {w ∈ Act∗ | ∀v ∈ Act∞ : wv 6∈ P}




Example: we decompose

P = {w ∈ {a, b, c}∞ | w contains no a and at least one b}

into a safety and a liveness property.

S = {w ∈ {a, b, c}∞ | w contains no a}L = P ∪ {w ∈ {a, b, c}∗ | w contains an a}= {w ∈ {a, b, c}∞ | w contains no a and at least one b}∪ {w ∈ {a, b, c}∗ | w contains an a}

Remark: decomposition into safety and liveness properties is notunique. In this case also the following liveness property would havesatisfied all requirements:

L′ = {w ∈ {a, b, c}∞ | w contains at least one b}



Buchi automata

Special kind of automata whichaccept words of infinite length(named after Julius Richard Buchi)

Infinite words representnon-terminating runs of the system

Final states, as they are knownfrom finite automata, are replacedby other acceptance conditions.

1 2

3

a

bc

abcabcabc. . .



Buchi automata

A Buchi automaton is defined like a standard non-deterministicautomaton. However the set of acceptance states will beinterpreted differently than for finite automata.

Buchi automaton (definition)

A Buchi automaton M is a 5-tuple M = (Z ,Act, δ, S ,E ) where

Z is the (finite) set of states,

Act is the action set (satisfying Z ∩ Act = ∅),

S ⊆ Z is the set of initial or start states,

E ⊆ Z is the set of acceptance states and

δ : Z × Act→ P(Z ) is the transition function .

Instead of z ′ ∈ δ(z , a) we will also write za→ z ′.



Buchi automata

ω-regular language

The language accepted by a Buchi automaton M is

Lω(M) = {a1a2a3 . . . ∈ Actω | ∃z0 ∈ S , z1, z2, . . . ∈ Z :

z0a1→ z1

a2→ z2a3→ . . .︸︷︷︸

π

and InfZ (π) ∩ E 6= ∅}.

Here InfZ (π) is the set of states that occur infinitely often in thepath π.

A language accepted by a Buchi automaton is called ω-regular.



Buchi automata

Example automata:

{w ∈ {a, b, c}ω | w contains no c}

a, b



Buchi automata

{w ∈ {a, b, c}ω | w contains finitely many c ’s}

a, b, c a, b

a, b



Buchi automata

{w ∈ {a, b, c}ω | w contains at least one c}

c

a, b a, b, c



Buchi automata

{w ∈ {a, b, c}ω | w contains infinitely many c ’s}

a, b

a, b

c

c



Buchi automata

{w ∈ {a, b, c}ω | w contains no subword of the form abc}

b, c

a

a

b

c

a, b, c

c a

b



Buchi automata

{w ∈ {a, b, c}ω | each a in w is eventually followed by a b}

b, c

a

a, c

b



Buchi automata

ω-regular expressions

An ω-regular expression is of the form (αβ), (β | γ) or (α)ω, whereα is an arbitrary regular expression and β, γ are ω-regularexpressions.

Furthermore L(β) denotes the language of an ω-regular expressionβ. All operators are interpreted as usual for regular expressions.And for for (α)ω we have: L((α)ω) = (L(α))ω where

Lω = {w ∈ Actω | w = w1w2w3 . . . and wi ∈ L for all i ∈ N0}



Buchi automata

The languages accepted by Buchi automata correspond exactly tothe languages generated by ω-regular expressions. We can expressthis even more concisely as follows:

ω-regular languages (proposition)

A language L is accepted by a Buchi automaton (i.e., it isω-regular) if and only if there exists a finite index set I and regularlanguages Ui , Vi 6= ∅, i ∈ I such that

L =⋃i∈I

UiVωi .

(Without proof)



Deterministic Buchi automata

Deterministic Buchi automaton (definition)

A Buchi automaton M = (Z ,Act, δ,S ,E ) is called deterministic, iffor every z ∈ Z and every a ∈ Act we have: |δ(z , a)| ≤ 1. (Thatmeans that every state has at most one a-transition for everya ∈ Act.) Furthermore we require that |S | = 1.

Remarks:

There are ω-regular languages which can not be accepted by adeterministic Buchi automaton. One such language isL = {w ∈ {a, b, c}ω | w contains finitely many c’s}(without proof).




This means that for Buchi automata non-determinism can notalways be simulated by a deterministic automaton.

Furthermore it implies that the class of deterministic Buchiautomata is not closed under complementation.

Reason: The languageActω\L = {w ∈ {a, b, c}ω | w contains infinitely many c ’s}can be accepted by a deterministic automaton, which is nottrue for its complement L.




Remarks concerning the complementation of deterministic Buchiautomata:

Why is it not possible to use the following (deterministic)automaton – which accepts all words with infinitely many c’s –and to exchange acceptance and non-acceptance states? Why doesthis not provide us with an automaton accepting the complementlanguage?

a, b

a, b

c

c




a, b

a, b

c

c

By exchanging the acceptance and non-acceptance states weobtain an automaton accepting all words which containinfinitely many a’s or infinitely many b’s. One of these wordsis (ac)ω, which contains infinitely many c’s.

A word w is accepted by an automaton if there exists a pathπ for this word satisfying InfZ (π) ∩ E 6= ∅. However this doesnot mean that InfZ (π) ∩ (Z\E ) = ∅!



Generalized Buchi automata

Generalized Buchi automaton (definition)

A generalized Buchi automaton M is a 5-tupleM = (Z ,Act, δ,S , E) where

Z is the set of states,

Act is the action set (where Z ∩ Act = ∅),

S ⊆ Z is the set of initial or start states,

E ⊆ P(Z ) is the set of acceptance sets and

δ : Z × Act→ P(Z ) is the transition function.

Z , Act have to be finite sets.

There is only one difference to standard Buchi automata: the setof acceptance states is replaced by a set of sets of states.




Langugage accepted by a generalized Buchi automaton (definition)

The language accepted by a generalized Buchi automaton M is

Lω(M) = {a1a2a3 . . . ∈ Actω | ∃z0 ∈ S , z1, z2, . . . ∈ Z :

z0a1→ z1

a2→ z2a3→ . . .︸︷︷︸

π

and

InfZ (π) ∩ E 6= ∅ for all E ∈ E}.




Example: Which language is accepted by the following generalizedBuchi automaton? There are two sets of acceptance states, wherethe first is indicated with a circle (states 1, 3) and the second isindicated with a square (states 3, 4).

b

c

a

b

a

b

c c

c

a

1 2

3 4b

a




The accepted language is

{w ∈ {a, b, c}ω | w contains infinitely many c ’s

and each a in w is eventually followed by a b}

Interpretation of the states:

1: The last action was a b or beginning of the word.

2: The last action was an a.

3: The last action was a c and there is no“unanswered” a.

4: The last action was a c and there exists an“unanswered” a.




Generalized Buchi automata can be converted into standard Buchiautomata, that is, they are not strictly more expressive.

Conversion of generalized Buchi automata

For every generalized Buchi automaton M there exists a standardBuchi automaton M ′ such that Lω(M) = Lω(M ′).

Construction (idea): for every acceptance set make a copy of Mand change into the next copy as soon as an acceptance state isreached.




Example: conversion of the following generalized Buchi automaton

b

c

a

b

a

b

c c

c

a

1 2

3 4b

a



Closure properties of ω-regular languges

In the following we will have a look at closure properties oflanguages accepted by Buchi automata.

What are closure properties good for?

In the following we will analyze transition systems and showthat they have certain temporal properties. That means theysatisfy formulas of a temporal logics.

In order to conduct such an analysis we specifically need a methodfor computing the intersection of two ω-regular languages.




Closure under union

Let M1, M2 be two Buchi automata. Then there exists a Buchiautomaton M such that Lω(M) = Lω(M1) ∪ Lω(M2).

Construction: take the union of the two automata. Specificallytake the union of the sets of initial states and the sets ofacceptance states.




Closure under intersection

Let M1, M2 be two Buchi automata. Then there exists a Buchiautomaton M such that Lω(M) = Lω(M1) ∩ Lω(M2).

Construction: usual construction of the product automaton, wherethe resulting Buchi automaton is a generalized Buchi automatonwith sets of acceptance states {E1 × Z2,Z1 × E2}.Then convert it into a standard Buchi automaton with the methoddiscussed above.




Example: construct an automaton which accepts the intersectionof the following two languages (represented by Buchi automata).

{w ∈ {a, b, c}ω |every a in w is eventuallyfollowed by a b}

b, c

a

a, c

b

{w ∈ {a, b, c}ω |w contains infinitely many c ’s}

a, b

a, b

c

c




Closure under complementation

Let M be a Buchi automaton. Then there exists a Buchiautomaton M ′ such that Lω(M ′) = Actω\Lω(M).

(Without proof)

Remarks:

This result means that non-deterministic Buchi automata areclosed under complementation, opposed to deterministicBuchi automata.

The complementation construction is fairly complex and canlead to very large automata.




Decidability of the emptiness problem

It is decidable whether a Buchi automaton accepts the emptylanguage.

Method:

Determine the strongly connected components of theautomaton.

A subset K ⊆ Z of states is a strongly connected component,whenever

every state in K is reachable from every other state in K ,i.e., K is strongly connected.there is no larger strongly connected set K ′ with K ⊆ K ′,i.e., K is maximal.




The accepted language is non-empty if and only if there existsa non-trivial strongly connected component that is reachablefrom an initial state and which contains an acceptance state.

A connected component is called trivial if it consists of asingle state without loop.

In other words: the accepted language is non-empty if and only ifthere exists a reachable acceptance state that is also reachablefrom itself (in at least one step).



Linear temporal logic (LTL)

We will now consider a different possibility to characterize infinitewords: temporal logics, especially LTL (linear temporal logic).

Other temporal logics (not treated in this course):

CTL (computation tree logic) – assertions about states andthe branching behaviour of a transition systems, as opposedto assertions about words and runs

µ-calculus – a very general temporal logics, based onfixed-point operators, which encompasses both LTL and CTL




LTL syntax (definition)

Let Act be a set of actions. An LTL formula α has one of thefollowing forms:

true

a ∈ Act (“the current action is a”)

¬α (“not α”)

α ∨ β (“α or β”)

Xα (“after the next step α holds”)

αUβ (“α holds until β holds; and β will hold eventually”)

Origin of the abbreviations: X comes from neXt, U from Until.




LTL formulas are interpreted on infinite words w ∈ Actω. We writew |= α, whenever w satisfies the formula α.

Required notation: let w = a1a2a3 . . . ∈ Actω. We define:

w [i ] = ai

w i = aiai+1 . . . (w i is also called i-th suffix of w)




The meaning (= semantics) of LTL formulas is defined as follows:

Semantics of LTL (definition)

Let w ∈ Actω and let α, β be LTL formulas. Then it holds that:

w |= true

w |= a (where a ∈ Act) if and only if w [1] = a.

w |= ¬α if and only if w 6|= α.

w |= α ∨ β if and only if w |= α or w |= β.

w |= Xα if and only if w2 |= α.

w |= αUβ if and only if there exists an index k ∈ N0\{0}with wk |= β and w j |= α for all 0 < j < k .




Abbreviations

false = ¬true.

Propositional operators of the form ∧, →, ↔ can beexpressed via ¬ and ∨.

♦α stands for true Uα (“sometimes α” resp. “eventually α”).In the literature ♦α is sometimes also denoted by Fα.

�α stands for ¬♦¬α (“always α”, “globally α” resp.“henceforth α”). In the literature �α is sometimes alsodenoted by Gα.

It holds that:

w |= ♦α if and only if there exists a k ∈ N0\{0} such thatwk |= α.

w |= �α if and only if for all k ∈ N0\{0}: wk |= α.




We consider the following infinite word:

w = (abcab)ω = abcababcababcab . . .

Does w satisfy the following LTL formulas?

w |= a ?

w |= Xa, w |= Xb ?

w |= ♦c ?

w |= �(a→ Xb), w |= �(b → Xc) ?

w |= �(b U c), w |= �((a ∨ b) U c) ?

w |= �♦ c , w |= ♦� c ?




Analogously to automata and regular expressions it is possible toassociate an LTL forma with a “generated” language.

Defined language (definition)

An LTL formula α defines a language L ⊆ Actω if and only if:

L = {w ∈ Actω | w |= α}.

The language L will be denoted by Lα.

Given two formulas α, β we write α ≡ β (“α and β areequivalent”) if and only if Lα = Lβ.

Furthermore we write α |= β (“α implies β”) if and only ifLα ⊆ Lβ. This means that every word satisfying α also satisfies β.




Example: LTL formulas for the example languages:

{w ∈ {a, b, c}ω | w contains no c}�(¬c)

{w ∈ {a, b, c}ω | w contains finitely many c ’s}♦�(¬c)

{w ∈ {a, b, c}ω | w contains at least one c}♦c




{w ∈ {a, b, c}ω | w contains infinitely many c ’s}�♦ c

{w ∈ {a, b, c}ω | w contains no subword of the form abc}�¬(a ∧ Xb ∧ XXc)

{w ∈ {a, b, c}ω | each a in w is eventually followed by a b}�(a→ ♦b)




Relations between the operators (I)

X(α1 ∨ α2) ≡ Xα1 ∨ Xα2

X(α1 ∧ α2) ≡ Xα1 ∧ Xα2

¬Xα ≡ X¬α♦(α1 ∨ α2) ≡ ♦α1 ∨ ♦α2

¬♦α ≡ �¬α�(α1 ∧ α2) ≡ �α1 ∧�α2

¬�α ≡ ♦¬α(α1 ∧ α2) Uβ ≡ (α1 Uβ) ∧ (α2 Uβ)

αU (β1 ∨ β2) ≡ (αUβ1) ∨ (αUβ2)




Relations between the operators (II)

♦♦α ≡ ♦α��α ≡ �α

(αUβ) Uβ ≡ αUβ

♦α ≡ α ∨ X♦α�α ≡ α ∧ X�α

αUβ ≡ β ∨ (α ∧ X(αUβ))



Linear Temporal Logic (LTL)

Remark:

In addition to the laws listed above, all the usual laws ofpropositional logic (associativity, commutativity, idempotency,distributivity, de Morgan, etc.) are valid as well.




Remarks:

LTL formulas are usually more compact and smaller than thecorresponding Buchi automata.

Furthermore: LTL formulas are closer to natural language.

Hence they are often used in practical applications for systemspecifications.

LTL formulas can be classified into formulas which describesafety properties and into formulas which describe livenessproperties (and into formulas which describe neither).




But: not every ω-regular language can be expressed by an LTLformula.

For instance, the language

{w ∈ {a, b, c}ω | every even position in w is occupied by a c}

can be accepted by a Buchi automaton.

a, b, c

c

but it can not be defined by an LTL formula (without proof).



LTL → Buchi automata

On the other hand, for every LTL formula α the defined language

Lα = {w ∈ Actω | w |= α}

can be accepted by a Buchi automaton.

We first describe the corresponding construction and then reviewapplications in the area of model-checking (= automaticverification whether all runs in a transition system satisfy aformula).




Let α be an arbitrary LTL formula. Our aim is to construct thecorresponding (generalized) Buchi automaton M. We will do thisin several steps.

LTL → Buchi (1): determine subformulas of α

For a formula α let CL′(α) (CL stands for closure) the smallest setof formulas satisfying the following conditions:

α ∈ CL′(α)

If ¬β ∈ CL′(α), then also β ∈ CL′(α).

If β ∨ γ ∈ CL′(α), then also β, γ ∈ CL′(α).

If Xβ ∈ CL′(α), then also β ∈ CL′(α).

If βU γ ∈ CL′(α), then also β, γ,X(βU γ) ∈ CL′(α).

Furthermore let CL(α) = CL′(α) ∪ {¬β | β ∈ CL′(α)}, where ¬¬βis identified with β.




Remarks about step (1):

The states of the future Buchi automaton are subsets ofCL(α), where a set should contain exactly those formulaswhich hold for the rest of the word still to be read.

Actually we do not only determine the set of all subformulasin order to obtain CL(α), but we also add the followingformulas:

For every occurrence of βU γ the formula X(βU γ) isadded. If γ is not currently satisfied, we want to be ableto express that βU γ must still hold after the next step.For every occurrence of β the formula ¬β is added, inorder to explicitly express that a subformula does nothold.

CL(α) is always finite.




LTL → Buchi (2): determine sets of formulas which are consistent

We now determine the subsets of CL(α) which are (maximally)consistent and call them atoms.A subset A ⊆ CL(α) is called atom whenever:

false = ¬true 6∈ A

There are no two different actions a, b ∈ Act which arecontained in A. (In the next step at most one action ispossible.)

For a formula β ∈ CL(α) it holds that: β ∈ A ⇐⇒ ¬β 6∈ A .(Again ¬¬β is identified with β.)

For a formula (β ∨ γ) ∈ CL(α) it holds that:(β ∨ γ) ∈ A ⇐⇒ (β ∈ A or γ ∈ A).

For a formula (βU γ) ∈ CL(α) it holds that:(βU γ) ∈ A ⇐⇒ (γ ∈ A or β,X(βU γ) ∈ A).




Remarks about step (2):

The last consistency condition

(βU γ) ∈ A ⇐⇒ (γ ∈ A or β,X(βU γ) ∈ A)

is based on the (unfolding) law

βU γ ≡ γ ∨ (β ∧ X(βU γ))

A different characterization of atoms is as follows: A ⊆ CL(α)is an atom if

each β ∈ CL(α) either occurs in positive form or innegative form in A (i.e., A is maximal) andthe conjunction of all formulas in A is not equivalent tofalse (i.e., A is consistent).




LTL → Buchi (3): construct the Buchi automaton

Now we can construct the (generalized) Buchi automaton M:

States: Z is the set of all atoms.

Start states: All atoms which contain the formula α.

Transition function: We have that Aa→ B whenever

(a ∈ A or (a 6∈ CL(α) and no action contained inCL(α) lies in A)) andfor all Xβ ∈ CL(α) we have that(Xβ ∈ A ⇐⇒ β ∈ B).

Sets of acceptance states: For every formula of the form βi U γi

which is contained in CL(α) there is a set ofacceptance states Ei with

Ei = {A | (βi U γi ) 6∈ A or γi ∈ A}.Barbara Konig Course “Modelling of Concurrent Systems” 145



Example: we construct the Buchi automaton for the LTL formula

α = button U coffee.

(“The button is pressed until coffee is available; and coffee iseventually available.”) We abbreviate button by b and coffee by c .

LTL → Buchi (1) – example

It holds that:

CL(α) = {b U c ,¬(b U c),X(b U c),¬X(b U c), b,¬b, c ,¬c}.





The following six sets of formulas are atoms:

{b U c ,X(b U c), c,¬b} (state 1)

{b U c ,¬X(b U c), c ,¬b} (state 2)

{b U c ,X(b U c),¬c , b} (state 3)

{¬(b U c),¬X(b U c),¬c , b} (state 4)

{¬(b U c),X(b U c),¬c ,¬b} (state 5)

{¬(b U c),¬X(b U c),¬c ,¬b} (state 6)

All states apart from 3 are acceptance states.




Examples for sets of formulas which are not atoms:

{b U c ,X(b U c),¬c , b,¬b} contains a formula (b) in positiveand negative form.

{b U c ,X(b U c), c , b} contains two actions (c , b)

{b U c ,¬X(b U c),¬c , b} promises the satisfaction of b U c.Since c does not hold, the formula b U c should hold in thesuccessor state. This is in contradiction to the presence of¬X(b U c).





Hence we obtain the following automaton (with a singleacceptance set). Act′ stands for Act\{c , b}.

41

2

3

5

6

k

k

k

t

t

t t

t

t

Act′

Act′

Act′

k

Act′

Act′

Act′

k

k




LTL → Buchi (Satz)

Let α be an LTL formula and let M be the Buchi automatonconstructed from α. Furthermore let w ∈ Actω. Then we have:

w ∈ Lω(M) ⇐⇒ w |= α.



LTL model-checking

Model-Checking-Problem

Let T = (Z ,→) be a transition system, let z0 ∈ Z be a state andlet α be an LTL formula.

The model-checking problem is to decide whether every run z0w→,

starting from z0 with w ∈ Actω, satisfies the formula α, i.e.,whether w |= α holds. In this case we also write z0 |= α.



LTL model-checking

Example: we consider the following transition system

z0

a b

bc

Which of the following formulas are satisfied by all (infinite) runsof the transition system?

♦c

♦�b

�b

a ∨ b

Xb

XXb

(a ∨ c) U b

X(c U b)



LTL model-checking

Model-checking procedure

Input: transition system T , state z0, LTL formula α

1 Convert the transition system T into a Buchi automaton MT ,with z0 as start state and an acceptance set containing allstates. It holds that: Lω(MT ) = {w | z0

w→,w ∈ Actω}.2 Convert the formula ¬α into a Buchi automaton M¬α as

described above.



LTL model-checking

Model-checking procedure (continuation)

3 Determine an automaton M∩ which accepts the intersectionof Lω(MT ) and Lω(M¬α). Check whether M∩ accepts theempty language.

If yes: there exists no run in T which satisfies ¬α⇒ z0 |= αIf no: there exists a run in T which satisfies ¬α⇒ z0 6|= α



LTL model-checking

Remarks about LTL model-checking: all constructions used in theprocedure described above have been introduced during the course.

Construction of the Buchi automaton for an LTL formula.

Construction of the automaton accepting the intersection ofthe languages.

Test for emptiness.

By negating the formula we avoid the inclusion testLω(MT ) ⊆ Lω(Mα) which would need the (problematic)complementation operation.

The procedure described above is used by model-checking toolssuch as SPIN.



LTL model-checking

Further remarks:

In general the resulting Buchi automata have to be furthersimplified in order to conduct model-checking efficiently.

It is possible to start with model-checking (especially thesearch for cycles in the emptiness test) while the product ofthe transition system and the Buchi automaton is beingconstructed.Such methods which construct the investigated structure ondemand are also known as on-the-fly methods.However, if verification is successful, the entire productautomaton has to be constructed.



Application: verification of a leader election protocol

We consider the following problem:

Leader election

There are n processes located on a ring. These processes have toelect a new distinguished process (the so-called leader).

This procedure is needed especially if the previous leader has failedand is not available anymore.

Example: reelection of the monitors in the token ring protocol




Leader election (idea)

Each process has a unique ID.

The process with the highest ID should become the newleader.

But: how does a process determine, which process has thehighest ID?

process 1

. . .

. . .

. . .ID k1

process 2ID k2

process 3ID k3




Leader election (procedure, part 1)

Each process keeps track of the highest ID seen so far(maximum). At the beginning this is its own ID. This ID issent to its successor on the ring.





Upon reception of a message containing a number nr aprocess makes the following case distinction:

If nr > maximum, then nr will be the new maximum.This number is sent to the successor.If nr = maximum, then this number has (intuitively)moved around the ring once and must be the absolutemaximum. In this case the process with ID maximum isthe winner. A message annoucing the winner is sentthrough the ring.Otherwise (nr < maximum) no action is performed.





After the announcement of the winner each process comparesmaximum with its own ID, in order to determine whether it isthe winner.

Remarks about the leader election protocol:

We require that every process acts according to the protocol.Systems of non-cooperating processes need more complexprotocols.

If all processes have the same code and can also not bedistinguished via IDs (full symmetry), then leader election isimpossible.

There are more efficient methods for leader election (e.g. byItai & Rodeh) which try to minimize the number of exchangedmessages.




We verify the leader election protocol using SPIN.

Model-checker SPIN – http://www.spinroot.com/

SPIN is a well-knwon LTL model-checker which is usedextensively.

In 2001 SPIN received the Software System Award of theACM (Association for Computing Machinery).Other well-known recipients of this award are: Java, Apache,Tcl/Tk, Word-Wide Web, TCP/IP, PostScript, TeX

SPIN has been developed by Gerard J. Holzmann at Bell Labs.

The tool uses Promela as input language, a programminglanguage which allows to specify the behaviour of eachprocess separately. Out of this description a transition systemis generated.




Excerpt from the Promela code of the leader election protocol:behaviour of a process upon reception of a message.

:: in?standard(nr) ->if:: nr == maximum ->

out!winner(nr);know_winner = 1

:: nr > maximum ->out!standard(nr);maximum = nr;

:: else -> skipfi




Methods provided by SPIN:

Simulation of a single system run (represented by sequencediagrams – message sequence charts)

Verification of LTL formulas. Here the LTL formulas refer tostates (not to actions) of the system.

Examples:

�((nr leaders = 1) ∨ (nr leaders = 0))(there is always one or no leader)(nr leaders = 0) U (nr leaders = 1)(there is no leader, until there exists exactly one leader)♦�(nr leaders = 1)(eventually there is a leader and this will not change)

Counter-example: if the LTL formula is not satisfied, thenSPIN outputs a sequence diagram describing a run whichviolates the property.




Sequence diagram of an example run (3 processes)




SPIN: window for the verification of LTL formulas




Remarks:

SPIN uses several heuristic to cope with state space explosioncaused by a high amount of concurrency (for instance withbinary decision diagrams (BDDs) and partial ordertechniques).

In general SPIN can only verify systems with a finite statespace (finite data types, finite number of processes). However,there are also techniques for systems with an infinite statespace.



Process calculi: motivation

We will in the following introduce so-called process calculi (alsoknown as process algebra), which are “mini programminglanguages” that can be used to describe interacting processes.

Why are process calculi useful?

Programming language that allows to compose a system fromprocesses in a modular way

Study of interaction, parallelism, modularity

Simplicity in order to investigate calculi in formal way and inorder to establish analysis techniques(trade-off between the expressivity of a language and the easeof analyzing it)




Which features exist in process calculi?

Communication via channels

Interaction with the environment/reactivity

Parallel composition

Hiding of actions from the environment

Non-deterministic behaviour

Which features do not exist in process calculi (in general)?

Data types (integers, booleans, . . . )

Language constructs such as functions, procedures, loops, . . .

This could be simulated (with some extra effort), since all processcalculi considered here are Turing-complete.




Which kind of process calculi exist?

CCS (Calculus of Communicating Systems) – introduced in1980 by Robin Milner

CSP (Communicating Sequential Processes) – introduced byTony Hoare (this calculus has more primitive operators andallows—opposed to CCS—the synchronisation of more thantwo communication partners.)

π-calculus—has the possibility to send channel names as thecontext of messages and so change the topology of thecommunication structure dynamically.




Spi-calculus—extension of the π-calculus with cryptographicprimitives for the analysis of cryptographic protocols.

Ambient calculus—models mobility with so-called ambients,which can be seen as containers for mobile code.

. . .

We will in the following mainly consider CCS.



CCS: motivation

First idea: write transition systems in textual form

A

B C D

ab

a

c d A := a.B + b.C + a.D

B := c .A

C := 0

D := d .A

Abbreviation: A where A := a.c .A + b.0 + a.d .A.



CCS: motivation

Meaning of the symbols:

a.P stands for an action a, followed by a process P. Thissyntactical construct is known as prefix. It is a restricted formof sequential composition.

P1 + P2 stands for non-deterministic choice. The subprocessPi which executes the first action “wins” and continues toevolve, the other subprocess is discarded.

0 stands for the inactive null process that does not make anyactions.



CCS: motivation

Second idea: allow parallel composition of processes

Example: processa.0 | b.0Both processes canexecute actionsindependently ofeach other.

a.0 | b.0a

yytttttttttb

%%JJJJJJJJJ

0 | b.0

b%%J

JJJJJJJJa.0 | 0

ayyttttttttt

0 | 0

Further example: A | C where A := a.b.A, C := c .d .C .



CCS: motivation

Third idea: synchronization of input and output actions

Matching input andoutput actions aand a cansynchronize andbecome an internalaction τ .

Example: a.P | a.Q

a.P | a.Q

ayyrrrrrrrrrr

τ

��

a

%%LLLLLLLLLL

P | a.Qa

%%LLLLLLLLLLa.P | Q

ayyrrrrrrrrrr

P | Q

Remarks:

Note that a synchronization may happen, but it does not haveto happen (see transition system above).

An action a is also called coaction. We define a = a andτ = τ .



CCS: motivation

Fourth idea: hiding/restriction

Certain actions should not bevisible from outside, they arehidden (respectively restricted).

If an action a is hidden from theoutside, synchronization over acan happen only internally.

Example: (a.P | a.Q)\{a}

(a.P | a.Q)\{a}τ

��

(P | Q)\{a}

Remark: In this case the two parallel processes a.P, a.Q mustcommunicate.



CCS: motivation

Fifth idea: renaming

Actions can be renamedbefore they are exposed tothe outside.

Example:(a.b.0)[a/c , b/d ]

(a.b.0)[a/c , b/d ]

c

��

(b.0)[a/c , b/d ]

d��

0[a/c, b/d ]



CCS: motivation

Remarks concerning renamings:

If we have a renaming of the form [a/b, b/c], then allrenamings are done “simultaneously”. Specifically all a’s arerenamed to b’s (and not to c ’s).

On the other hand [a/b][b/c] describes the sequentialexecution of renamings, i.e., a is renamed to c .



CCS: syntax und semantics

After the (informal) motivation we will now formally describe thesyntax and semantics of CCS processes.

Syntax of CCS (definition, part 1)

Let L be a set of labels and let Act = {τ} ∪ L∪ {a | a ∈ L} be theset of all actions.

A CCS process is either

the inactive process 0,

a process of the form a.P where a ∈ Act,

a non-deterministic choice P1 + P2,

a parallel composition P1 | P2,

a restriction P\L where L ⊆ L,




Syntax of CCS (definition, part 2)

a restriction P[f ] where f : L → L is a renaming function, or

a constant A where A is specified by a definition of the formA := P.

P,P1,P2 are again processes.




All transitions of a CCS process can be obtained via derivationrules which are of the following kind:

X1, . . . ,Xn

Y

This means that if the preconditions (or premises) X1, . . . ,Xn aremet, the implication Y is satisfied.

It could also be the case that n = 0, that is, there are nopreconditions and the implication Y always holds.




(Act)a.P

a→ P(Con)

Pa→ P ′

Aa→ P ′

if A := P

(Plus1)P

a→ P ′

P + Qa→ P ′

(Plus2)Q

a→ Q ′

P + Qa→ Q ′

(Par1)P

a→ P ′

P | Q a→ P ′ | Q (Par2)Q

a→ Q ′

P | Q a→ P | Q ′

(Par3)P

a→ P ′,Q a→ Q ′

P | Q τ→ P ′ | Q ′




(Res)P

a→ P ′

P\L a→ P ′\L if a, a 6∈ L

(Ren)P

a→ P ′

P[f ]f (a)→ P ′[f ]

where f (τ) = τ , f (a) = f (a)

This kind of inductive semantics definition is also called SOSsemantics (SOS = Structural Operational Semantics).




Example: derivation of a transition of the process

((b.0)[b/a] | (a.0 | b.0))\{a}

(Act) b.0b→ 0 a.0

a→ 0 (Act)

(Ren) (b.0)[b/a]a→ 0[b/a] a.0 | b.0 a→ 0 | b.0 (Par1)

(Par3) (b.0)[b/a] | (a.0 | b.0)τ→ 0[b/a] | (0 | b.0)

(Res) ((b.0)[b/a] | (a.0 | b.0))\{a} τ→ (0[b/a] | (0 | b.0))\{a}

The second transition which is possible for this process:

((b.0)[b/a] | (a.0 | b.0))\{a} b→ ((b.0)[b/a] | (a.0 | 0))\{a}




A CCS process P can always be associated to its transition systemTS(P).

Transition system of a processes (definition)

Let P be a CCS process. The transition system of the processconsists of:

the set Z of states, which contains P itself and all processeswhich are reachable from P via transitions, and

the transition relation → between processes in Z , which isspecified by the derivation rules given above.

Remark: the transition system of a process may be infinite. Anexample is the process A := a.(b.0 | A).



Synchronous vs. asynchronous communication

Communication in CCS is synchronous, i.e., both communicationpartners wait for each other (= rendezvous) and only continue ifthe partner has received the message (respectively action):

a.P | a.Q τ→ P | Q

Asynchronous communikation is also possible if we fork a processwhich executes in parallel and whose only purpose is to send themessage:

(a.0 | P) | a.Q w→ (a.0 | P ′) | a.Q τ→ 0 | P ′ | Q,

if Pw→ P ′. This means that process P can continue before Q

receives the message.



Modelling of the alternating bit protocol

We will now model the alternating bit protocol in CCS.

Description: alternating bit protocol

Sender and receiver exchange messages over a faulty channelwhich may lose messages.

Each message which has arrived is acknowledged by thereceiver by giving its sequence number. Only the sequencenumbers 0, 1 are used (alternatingly).

The sender continues to send the same message until he hasreceived an acknowledgement for this message. He thenproceeds to send the next message.




Remarks:

We abstract from the content of the messages, i.e., theactions only exhibit the type of message (real message oracknowledgement) and which sequence number (0 or 1) isbeing used.

From the outside only the actions accept and deliver shouldbe visible. Via accept the sender receives a message of theapplication which should be dispatched, and via deliver thereceiver hands it over to its application.

The unreliable communication medium (the channel) will alsobe modelled by a processes which may either forward or losemessages.




Modelling of the sender: the sender uses – apart from accept – thefollowing actions:

s0, s1: message with sequence number 0 respectively 1 isbeing sent.

rack0, rack1: acknowledgement for sequence number 0respectively 1 is received. (“receive acknowledgement”).




Modelling of the sender as a transition system and as a process

accept

S ′0

s0

rack1

accept

s1

S0

S1

S ′1

S ′′1

S ′′0rack0

s1

s0

rack1

rack0

S0 := accept.S ′0S ′0 := s0.S

′′0

S ′′0 := s0.S′′0 + rack0.S1 + rack1.S

′′0

S1 := accept.S ′1S ′1 := s1.S

′′1

S ′′1 := s1.S′′1 + rack1.S0 + rack0.S

′′1




Modelling of a reliable channel as a transition system and as aprocess

MsafeSR

s0 r0

r1 s1

MsafeRS

sack1rack1

sack0 rack0

|

MsafeSR := s0.r0.MsafeSR

+ s1.r1.MsafeSR

MsafeRS := sack0.rack0.MsafeRS

+ sack1.rack1.MsafeRS

Msafe := MsafeSR | MsafeRS

(Forward) channel from the sender to the receiver: MsafeSR(Backward) channel from the receiver to the sender: MsafeRS




Modelling of an unreliable channel as a process

MlossySR := s0.r0.MlossySR+s0.MlossySR

+ s1.r1.MlossySR+s1.MlossySR

MlossyRS := sack0.rack0.MlossyRS+sack0.MlossyRS

+ sack1.rack1.MlossyRS+sack1 .MlossyRS

Mlossy := MlossySR | MlossyRS




Modelling of the receiver as a transition system and as a process

R0

R1

r0

sack0

r1

deliver

deliver

sack1

sack0

sack1

r1

r0

R0 := r0.deliver .sack0.R1

+ r1.R0

+ sack1.R0

R1 := r1.deliver .sack1.R0

+ r0.R1

+ sack0.R1




Modelling of the entire protocol

With a reliable channel:

ABPsafe := (S0 | Msafe | R0)\{r0, r1, s0, s1, rack0, rack1,

sack0, sack1}

With an unreliable channel:

ABPlossy := (S0 | Mlossy | R0)\{r0, r1, s0, s1, rack0, rack1,

sack0, sack1}




Specification

The following behaviour should be visible from outside:

Spec := accept.deliver .Spec

Question: Are ABPlossy and Spec behaviourally equivalent, thatis, undistinguishable from the point of view of an external observer?




In the following we will investigate which processes show the samebehaviour although they might be syntactically different. Asbehavioural equivalences we use weak and strong bisimilarity.

Bisimilarity of processes (definition)

Two CCS processes P,Q are called (strongly) bisimilar (in signs:P ∼ Q) whenever their states in the transition systems of P and Qare (strongly) bisimilar.Analogously we define weak bisimilarity (in signs: P ≈ Q).

Remark: failures equivalence is rarely used for CCS, however it isan important behavioural equivalence for the process calculus CSP.




Remarks: are the following pairs P,Q of processes stronglybisimilar, i.e., does P ∼ Q hold?

1 P = 0 Q = a.0

2 P = 0 Q = τ.0

3 P = 0 Q = (a.0)\{a}4 P = a.0 + b.0 Q = a.0 | b.05 P = a.b.0 + a.c .0 Q = a.(b.0 + c .0)

6 P = a.b.0 + b.a.0 Q = a.0 | b.07 P = a.a.0 + a.a.0 Q = a.0 | a.08 P = a.a.0 + a.a.0 + τ.0 Q = a.0 | a.09 P,Q mit P := a.b.P, Q := a.b.a.b.Q

10 P = a.0 | a.0 Q = τ.0

11 P = (a.0 | a.0)\{a} Q = τ.0




Examples: are the following pairs P,Q of processes weaklybisimilar, i.e., does P ∼ Q hold?

1 P = 0 Q = τ.0

2 P = a.0 | a.0 Q = τ.0

3 P = (a.0 | a.0)\{a} Q = 0

4 P = τ.(a.0 + b.0) Q = a.0 + b.0.

5 P = τ.(a.0 + b.0) Q = τ.a.0 + τ.b.0.

6 P = a.(b.0 + τ.c .0) Q = a.(b.0 + τ.c .0) + a.c.0



Structural congruence

Some processes are structurally so much alike that we can sayimmediately that they are (strongly) bisimilar.

Examples:

0 | 0 ∼ 0 0 | P ∼ P P | Q ∼ Q | P P + P ∼ P

Two processes which basically have the same structure are calledstructurally congruent.




Structural congruence (definition, part 1)

The following rules describe when two processes P,Q arestructurally congruent (in signs: P ≡ Q).

P1 | (P2 | P3) ≡ (P1 | P2) | P3 P1 | P2 ≡ P2 | P1

P | 0 ≡ P

(These three rules say that parallel composition is associative,commutative and has 0 as the neutral element.)





P1 + (P2 + P3) ≡ (P1 + P2) + P3 P1 + P2 ≡ P2 + P1

P + 0 ≡ P P + P ≡ P

(Non-deterministic choice is associative and commutative as welland has 0 as neutral element. Furthermore it satisfies P + P ≡ P.)





P ≡ P

P1 ≡ P2

P2 ≡ P1

P1 ≡ P2,P2 ≡ P3

P1 ≡ P3

(These rules say that ≡ is reflexive, symmetric and transitive, i.e.,it is an equivalence relation.)





P1 ≡ P2

a.P1 ≡ a.P2

P1 ≡ P2

P1\L ≡ P2\LP1 ≡ P2

P1[f ] ≡ P2[f ]

P1 ≡ P2,Q1 ≡ Q2

P1 | Q1 ≡ P2 | Q2

P1 ≡ P2,Q1 ≡ Q2

P1 + Q1 ≡ P2 + Q2

(These rules say that ≡ is preserved by the CCS operators. Onealso says that ≡ is a congruence.)




Examples: the following processes are strukturally congruent,which can be shown using the rules above.

0 | P ≡ P

0 + P ≡ P

P + (0 + Q) ≡ P + Q

a.(0 + P) ≡ a.P




Structural congruence and bisimilarity (proposition)

The relation ≡ on CCS processes is a strong bisimulation.

(without proof)

Remark: the structural congruence ≡ is not the largestbisimulation. That is, it is finer than the bisimilarity ∼.



Priority of the operators

Priority of the operators

\L (hiding) and [f ] (renaming) bind more strongly than allother operators

a. (prefix) binds stronger than || (parallel composition) binds stronger than +

+ (non-deterministic choice) binds the weakest

Hence: a.P | Q + R\L is bracketed as ((a.P) | Q) + (R\L).



Up-to techniques

Motivation: we want to show that the processes A,B with

A := a.(A | 0) B := a.B

are strongly bisimilar.

Problem: the smallest bisimulation R containing the pair (A,B) isinfinite in size, specifically:

R = {(A,B), (A | 0,B), (A | 0 | 0,B), (A | 0 | 0 | 0,B), . . . }

Can we show bisimilarity with a finite relation?

Idea: we consider the relation R ′ = {(A,B)}. The pair (A | 0,B)reached after one step is “almost” contained in R ′, since we haveA | 0 ∼ A (even: A | 0 ≡ A).



Up-to techniques

We now consider so-called up-to bisimulations. (We will also callthem modulo bisimulations.)

Bisimulation up-to strong bisimilarity (definition)

A relation R is called (strong) bisimulation up-to strong bisimilarityif for every pair (P1,P2) ∈ R and for every action a ∈ Act we have:

for every Q1 with P1a→ Q1 there exists Q2 with P2

a→ Q2 and(Q1,Q2) ∈∼ R ∼.


a→ Q1 and(Q1,Q2) ∈∼ R ∼.

Here ∼ R ∼ is the composition of three relations and we haveQ1 ∼ R ∼ Q2 if and only if there exist processes Q ′1,Q

′2 such that

Q1 ∼ Q ′1RQ ′2 ∼ Q2.



Up-to techniques

This proof technique can be visualized by a diagram as follows:

P1

a

��

R P2

Q1

(. . . plus the symmetric case.)



Up-to techniques


P1

a

��

R P2

a

��

Q1 Q2




Up-to techniques


P1

a

��

R P2

a

��

Q1 ∼ Q ′1 R Q ′2 ∼ Q2




Up-to techniques

We still have to show that up-to bisimulation is defined in asensible way.

Bisimulation up-to strong bisimilarity (proposition)

Let R be a bisimulation up-to strong bisimilarity. Then it holdsthat R ⊆∼. Specifically every pair of processes (P,Q) ∈ Rsatisfies P ∼ Q.

Remark: This proposition is still correct if we replace—in thedefinition of bisimulation up-to strong bisimilarity—the relation∼ R ∼ by (∼ R ∼)∪ ∼. That is, it is sufficient to reach a pair ofprocesses that is already known as bisimilar.



Up-to techniques

Weak bisimulation up-to strong bisimulation is known as a correctproof technique as well.

Weak bisimulation up-to strong bisimilarity (definition)

A relation R is called weak bisimulation up-to strong bisimilarity, iffor every pair (P1,P2) ∈ R and for every action a ∈ Act we have:

for every P ′1 with P1a→ P ′1 there exists P ′2 with P2

a⇒ P ′2 and(P ′1,P

′2) ∈∼ R ∼.

for every P ′2 with P2a→ P ′2 there exists P ′1 with P1

a⇒ P ′1 and(P ′1,P

′2) ∈∼ R ∼.

Remember: a = a, if a ∈ Act\{τ}, and τ = ε.



Up-to techniques

Weak bisimulation up-to strong bisimilarity (proposition)

Let R be a weak bisimulation up-to strong bisimilarity. Then itholds that R ⊆≈. Specifically every pair of processes (P,Q) ∈ Rsatisfies P ≈ Q.

(Without proof)



Up-to techniques

A wrong proof technique however is weak bisimulation up-to weakbisimilarity.

Example: P = τ.0, Q = τ.a.0 (these processe are for sure notweakly bisimilar!)

We consider the relation R = {(τ.0, τ.a.0)} and show that it is aweak bisimulation up-to weak bisimilarity.

This implies that this proof technique is wrong.



Up-to techniques

First case:

τ.0

τ

��

R τ.a.0

0

Second case:

τ.0 R τ.a.0

τ

��

a.0



Up-to techniques

First case:

τ.0

τ

��

R τ.a.0

ε

��0 a.0

Second case:

τ.0 R τ.a.0

τ

��

a.0



Up-to techniques

First case:

τ.0

τ

��

R τ.a.0

ε

��0 ≈ τ.0 R τ.a.0 ≈ a.0

Second case:

τ.0 R τ.a.0

τ

��

a.0



Up-to techniques

First case:

τ.0

τ

��

R τ.a.0

ε

��0 ≈ τ.0 R τ.a.0 ≈ a.0

Second case:

τ.0 R τ.a.0

τ

��

a.0



Up-to techniques

First case:

τ.0

τ

��

R τ.a.0

ε

��0 ≈ τ.0 R τ.a.0 ≈ a.0

Second case:

τ.0

ε

��

R τ.a.0

τ

��

0 a.0



Up-to techniques

First case:

τ.0

τ

��

R τ.a.0

ε

��0 ≈ τ.0 R τ.a.0 ≈ a.0

Second case:

τ.0

ε

��

R τ.a.0

τ

��

0 ≈ τ.0 R τ.a.0 ≈ a.0



Undecidability of bisimilarity

Undecidability of bisimilarity (proposition)

It is undecidable whether two given processes P,Q are (strongly orweakly) bisimilar.

Intuition:

Processes may have transition systems of infinite size, hence itis not sufficient to “try” all possible bisimulations.

CCS is Turing-complete, i.e., it can simulate Turing machines.Hence undecidability is an indirect consequence of Rice’stheorem (= it is undecidable whether the function computedby a Turing machine has a given non-trivial property).



Observational congruence

It can be shown that strong bisimilarity is preserved by the CCSoperators, i.e., it is a congruence.

Proposition (∼ is a congruence)

Assume that P1 ∼ P2. This implies:

1 a.P1 ∼ a.P2

2 P1 + Q ∼ P2 + Q

3 P1 | Q ∼ P2 | Q4 P1\L ∼ P2\L5 P1[f ] ∼ P2[f ]




Weak bisimilarity is a congruence with respect to most CCSoperators (with the exception of non-deterministic choice!).

Proposition (≈ is a congruence)

Assume that P1 ≈ P2. This implies:

1 a.P1 ≈ a.P2

2 P1 | Q ≈ P2 | Q3 P1\L ≈ P2\L4 P1[f ] ≈ P2[f ]

(The proof is more or less analogous to the case of strongbisimilarity.)




Weak bisimilarity is not preserved by non-deterministic choice.

Example: We have a.0 ≈ τ.a.0, but

a.0 + b.0 6≈ τ.a.0 + b.0.

a.0 + b.0a

zzvvvv

vvvv

vv b

$$HHH

HHHH

HHH

0 0

τ.a.0 + b.0τ

yyssssssssssb

%%JJJJJJJJJJ

a.0

a

��

0

0




Problem: It is possible that the behaviour of the overall system ismodified by exchanging subsystems by weakly bisimilar subsystems(= processes).

Idea: refine weak bisimilarity so that it becomes a congruence, i.e.,it is preserved by the CCS operators.

Repetition: weak transitions

Pτ⇒ Q if and only if P

ε⇒ Q if and only if P(τ→)∗Q

Pa⇒ Q if and only if P

a⇒ Q if and only if P(τ→)∗ a→ (

τ→)∗Qfor a 6= τ

We will now define a sequence of at least one τ -transition:

Pτ⇒ Q if and only if P(

τ→)∗ τ→ (τ→)∗Q




Observational congruence (definition)

Two processes P,Q are called observationally congruent (in signs:P ≈c Q), if for every a ∈ Act:

for every P ′ such that Pa→ P ′ there exists Q ′ with Q

a⇒ Q ′

and P ′ ≈ Q ′.for every Q ′ such that Q

a→ Q ′ there exists P ′ with Pa⇒ P ′

and P ′ ≈ Q ′.

Remark: only in the first step the τ of one of the processes has tobe answered by at least one τ of the other process. After the firststep we simply require weak bisimilarity (P ′ ≈ Q ′).




Observational congruence (proposition)

The relation ≈c is the largest equivalence that

is contained in weak bisimilarity ≈ and

is a congruence with respect to all CCS operators.

(Without proof)




Hence we know the following about the observational congruence≈c :

≈c is a congruence (proposition)

Assume that P1 ≈c P2. This implies:

1 a.P1 ≈c a.P2

2 P1 + Q ≈c P2 + Q

3 P1 | Q ≈c P2 | Q4 P1\L ≈c P2\L5 P1[f ] ≈c P2[f ]



Concurrency Workbench


Tool for the simulation and verification of CCS processes.

Two versions:

Edinburgh Concurrency Workbench(http://homepages.inf.ed.ac.uk/perdita/cwb/)Developed by Perdita StevensConcurrency Workbench of the New Century(http://www.cs.sunysb.edu/~cwb/)With a graphical user interface and more efficientalgorithms

Remarks concerning syntax: a prefix a is denoted by ′a.




Concurrency Workbench – Alternating Bit Protocol

** Agents **agent ABPlossy = (R0 | Mlossy | S0)\Internals;agent ABPsafe = (R0 | Msafe | S0)\Internals;agent Mlossy = MlossySR | MlossyRS;agent MlossyRS = sack0.’rack0.MlossyRS +

sack0.MlossyRS + sack1.’rack1.MlossyRS +sack1.MlossyRS;

...agent Spec = accept.’deliver.Spec;

** Action sets **set Internals = {r0,r1,rack0,rack1,s0,s1,sack0,sack1};




Concurrency Workbench – Simulation

Command: sim ABPsafe;

Simulated agent: ABPsafeTransitions:

1: --- tau ---> (R0 | (MsafeSR | ’rack1.MsafeRS)| S0)\Internals

2: --- accept ---> (R0 | Msafe | S0’)\Internals




Concurrency Workbench – Verification

Check strong bisimilarity:

Command: strongeq(ABPlossy,Spec);false

Check weak bisimilarity:

Command: eq(ABPlossy,Spec);true




Concurrency Workbench – Verification

Check observational congruence:

Command: cong(ABPlossy,Spec);false

Observational congruence with a different specification:

Command: agent Spec’ = tau.Spec;Command: eq(ABPlossy,Spec’);true



CCS and mutual exclusion

We model the algorithm of Lamport for mutual exclusion in CCS.

We consider: two processes P1, P2 with different program codeand two boolean variables f1, f2 (initialized with false), whichboth want to enter the critical section.




Process P1

while true do1: f1 := true; (#)2: while (f2 = true?) do

skipod;

3: [Enter crit. section];4: [Leave crit. section];5: f1 := false

od;

skip: null operation (no effects)




Process P2

while true do1: f2 := true; (#)2: if (f1 = true?) then do

begin3: f2 := false;4: while (f1 = true?) do skip od;

goto 1end;

5: [Enter crit. section];6: [Leave crit. section];7: f2 := false

od;




Modelling of both processes and the two variables as CCSprocesses.

Actions for writing and reading the variables:

f1wt – assign true to variable f1

f1wf – assign false to variable f1

f1rt – check whether true is assigned to variable f1

f1rf – check whether false is assigned to variable f1

(Analogously for f2).

Enter and leave the critical section:

bkb1 – process 1 enters the critical section

vkb1 – process 1 leaves the critical section

(Analogously for process 2).




Processes in the syntax of the Concurrency Workbench:

* Variable f1proc F1t = ’f1rt.F1t + f1wt.F1t + f1wf.F1fproc F1f = ’f1rf.F1f + f1wt.F1t + f1wf.F1f

* Variable f2proc F2t = ’f2rt.F2t + f2wt.F2t + f2wf.F2fproc F2f = ’f2rf.F2f + f2wt.F2t + f2wf.F2f




Processes in the syntax of the Concurrency Workbench:

* Process P1proc P1 = ’f1wt.f2rf.bkb1.vkb1.’f1wf.P1

* Process P2proc P2 = ’f2wt.(f1rt.’f2wf.f1rf.P2 +

f1rf.bkb2.vkb2.’f2wf.P2)

* Mutex algorithmproc Mutex = (F1f | F2f | P1 | P2)\{f1rf,f1wf,f1rt,

f1wt,f2rf,f2wf,f2rt,f2wt}




Questions:

Does the process have deadlocks?

How does the transition system of Mutex look like? Putdifferently: minimize Mutex with respect to weak bisimilarity.

What is a suitable specification and how can we show thatMutex satisfies this specification?



Contexts and up-to context techniques

Context (definition)

A context C [ ] is a process which contains at a single position thesign (= underscore) instead of a subprocess. The occurrence ofis also called placeholder.

By C [P] we denote the context C [ ] where the sign is replacedby P.

Examples:

a.P + + b.Q

(a.P | )\{a}[f ]




Congruence relations (corollary)

Let P1,P2 be CCS processes and let C [ ] be an arbitrary context.Then it holds that:

P1 ∼ P2 always implies C [P1] ∼ C [P2].

P1 ≈c P2 always implies C [P1] ≈c C [P2].

Proof: this corollary is a direct consequence of the abovepropositions which say that ∼ and ≈c are congruences.




Bisimulation up-to context (definition)

A relation R is called (strong) bisimulation up-to context, if forevery pair (P1,P2) ∈ R and for every action a ∈ Act we have:


a→ Q2 and(Q1,Q2) ∈ R.


a→ Q1 and(Q1,Q2) ∈ R.

Here R stands for the relation

R = {(C [P1],C [P2]) | (P1,P2) ∈ R,C [ ] is an arbitrary context}.




Bisimulation up-to context (proposition)

Let R be a bisimulation up-to context. Then it holds that R ⊆∼.Specifically every pair of processes (P,Q) ∈ R satisfies P ∼ Q.

Proof (sketch): We show directly that the relation R from theabove definition is a bisimulation. For this one needs the fact thatbisimilarity is a congruence.




This means that in bisimulation proofs it is sufficient to show thatthe successor processes are in the relation R with possiblyadditional (but identical) context. (This technique can also becombined with other up-to techniques.)

Example:

P with P := a.(P | P)

Q with Q := a.(Q | P)

To show: R = {(P,Q)} is a bisimulation up-to context.



Axiomatization

We will now look for further laws or axioms for behaviouralequivalences, for strong bisimilarity as well as for observationalcongruence.

We know:

P ≡ Q ⇒ P ∼ Q.

P ∼ Q ⇒ P ≈c Q.

Strong bisimilarity as well as observational congruence arecongruences.

Axiomatizations are sensible only in the case of congruences,otherwise we can not replace subprocesses by behaviourallyequivalent subprocesses.



Axiomatization

We first consider the so-called expansion law.

Expansion law (proposition)

P︷︸︸︷(∑i∈I

ai .Pi

)|

Q︷︸︸︷∑j∈J

bj .Qj

∼

∑i∈I

ai .(Pi | Q) +∑j∈J

bj .(P | Qj ) +∑

ai =bj

τ.(Pi | Qj ).

Notation: Let I = {i1, . . . , in} be an index set. We define:∑i∈I

Pi = Pi1 + · · ·+ Pin .



Axiomatization

Example for the application of the expansion law:

P︷︸︸︷(a.P1 + b.P2) |

Q︷︸︸︷(a.Q1 + c .Q2)

∼ a.(P1 | Q) + b.(P2 | Q) +

a.(P | Q1) + c .(P | Q2) +

τ.(P1 | Q1)



Axiomatization

Restriction laws

(Res1) 0\L ∼ 0

(Res2) (P\L)\L′ ∼ P\(L ∪ L′)

(Res3) (a.P)\L ∼{

a.(P\L) if a, a 6∈ L0 otherwise

(Res4) (P + Q)\L ∼ P\L + Q\L



Axiomatization

Renaming laws

(Ren1) 0[f ] ∼ 0

(Ren2) (P[f ])[f ′] ∼ P[f ′ ◦ f ]

(Ren3) (a.P)[f ] ∼ f (a).(P[f ])

(Ren4) (P + Q)[f ] ∼ P[f ] + Q[f ]

Restriction-renaming laws

(ResRen) (P[f ])\L ∼ (P\f −1(L))[f ]



Axiomatization

The following laws hold for observational congruence:

τ -laws

(Tau1) a.P ≈c a.τ.P

(Tau2) τ.P ≈c τ.P + P

(Tau3) a.(P + τ.Q) ≈c a.(P + τ.Q) + a.Q



Axiomatization

All of the laws above (also called axioms) are correct for strongbisimilarity respectively observational congruence. However, we canalso ask the following question:

Given two processes P,Q such that P ∼ Q (resp. P ≈c Q), canwe show the behavioural equivalence of P and Q just by applyingthe laws?

An axiomatization which satisfies this condition is called complete.



Axiomatization

The CCS axiomatization is not complete in general.

However, we have completeness results for a subset of CCS:

CCSfin (definition)

Let CCSfin be the set of all CCS processes which do not containconstants.

This means specifically that recursion is disallowed and that eachprocess in CCSfin terminates after finitely many steps.



Axiomatization

Completeness for ∼Let P,Q be two processes in CCSfin such that P ∼ Q. Then wecan show the strong bisimilarity of P and Q using the followingaxioms:

Laws for structural congruence laws ,

expansion law,

laws (Res1), (Res3), (Res4), (Ren1), (Ren3), (Ren4)and

the fact that ∼ is a congruence.



Axiomatization

Proof idea:

First convert both processes P,Q into their normal form by

removing parallel compositions (expansion law)removing restrictions and renamings (move restrictionand renaming towards the inside using the correspondinglaws)

The processes obtained in this way contain only 0, sum andprefix.

Show that the bisimilarity of processes in normal form can bechecked via the application of the laws of structuralcongruence.



Axiomatization

Example: show—by applying only laws—strong bisimilarity of thefollowing processes:

P = ((a.0 + b.0) | (a.0 + c .0))\{a}Q = τ.0 + (a.0 | b.0)[a/c] + b.c .0



Axiomatization

Completeness for ≈c

Let P,Q be two processes in CCSfin such that P ≈c Q. Then wecan show the observational congruence of P and Q using thefollowing axioms:

Laws for structural congruence laws ,

expansion law,

laws (Res1), (Res3), (Res4), (Ren1), (Ren3), (Ren4),

τ -laws and

the fact that ≈c is a congruence.



Axiomatization

Meaning of the axiomatization:

“Computing” with concurrent systems

Analogy to engineering where the stability of buildings isdetermined via differential equations.

Aim: show the behavioural equivalence of a process with itsspecification by transforming both accordingly.

Since the axiomatization is not necessarily complete, this aim cannot always be achieved.



Motivation: Petri nets

Petri nets are a formalism for the modelling of concurrent systems,which has the following properties:

Representation of transitions of a system where joint resourcesare consumed and produced.

Natural modelling of spatial distribution of the resources,concurrency and conflicts.

Intuitive graphical representation.

Petri nets are widely used in practice. They can also be foundin UML under the name of activity diagrams.




Example of a Petri net:

Notation:

Places (represented by circles): containers for resources

Tokens (represented by small black circles): resources

Transitions (represented by rectancles): describe statechanges in the system




Depiction of a transition:

preset (tokens which are consumed)

postset (tokens which are produced)

The removal of the tokens in the preset and creation of tokens inthe postset is called the firing of the transition.










































Beispiel: Dining Philosophers

Wir return to the example of the Dining Philosophers:

Three philosophers are seated at a round table and there is afork between each pair of philosophers sitting side by side.

Philosophers eventually get hungry and need both adjacentforks in order to eat.

Each philosopher picks up both forks (in any order) at anarbitrary moment in time, eats and, after eating, puts backboth forks.

P2P1

P3

F2F3

F1



Beispiel: Dining Philosophers

Modelling thedining philosophersby a Petri net:

In this net adeadlock isreachable, i.e., amarking underwhich no transitioncan be fired.

E1

W1

E2

F1H1

W2

H2

W3

H3

E3

F2

F3



Petri nets: Definitionen

Petri net (definition)

A Petri net is a tuple N = (S ,T , •(), ()•,m0), where

S is a set of places and

T is a set of transitions.

Furthermore for each transition t there exist two mappings•t : S → N0, t• : S → N0 which indicate how many tokens ineach place are consumed and produced by t.

m0 : S → N0 is the initial marking.

A marking is a mapping m : S → N0 indicating how many tokensare present in each place. If we fix an order s1, . . . , sn of the places,it is also possible to represent a marking m by a tuple(m(s1), . . . ,m(sn)).




An alternative (frequently used) definition represents theconnections between places and transitions and the correspondingweights as follows:

F ⊆ (S × T ) ∪ (T × S) (flow relation)

W : F → N0\{0} (assignment of weights)

Relation to the notation introduced earlier:

(s, t) ∈ F ⇐⇒ •t(s) ≥ 1

W ((s, t)) = •t(s)

(t, s) ∈ F ⇐⇒ t•(s) ≥ 1

W ((t, s)) = t•(s)




Operations on markings:

Let m,m′ : S → N0 be two markings, or—more generally—twomappings from places to natural numbers. We define:

Order: We define m ≤ m′ if m(s) ≤ m′(s) holds for all s ∈ S .

Addition: We define m ⊕m′ = m′′ where m′′ : S → N0 suchthat m′′(s) = m(s) + m′(s) for all s ∈ S .

Subtraction: We define m m′ = m′′ where m′′ : S → N0

such that m′′(s) = m(s)−m′(s) for all s ∈ S . (We definen − k = 0 whenever n, k ∈ N0, n < k .)

Given a marking m we denote by Set(m) the set{s ∈ S | m(s) ≥ 1}, i.e., the set of all places that contain at leastone token.



Petri nets: definitions

Firing and reachability (definition)

A transition t is activated under a marking m whenever•t ≤ m. (That is, there are enough tokens in order to fire thetransition.)

Let m be a marking and t a transition which is activatedunder m. Then we can fire t and obtain the successor markingm′ = m •t ⊕ t•. Symbolically: m[t〉m′.A marking m is called reachable in a net whenever there existsa sequence of transitions t1, . . . , tn such thatm0[t1〉m1 . . .mn−1[tn〉m, where m0 is the initial marking.




Remarks:

The definitions allow to have more than one token in a place.

The firing of a transition removes as many tokens asprescribed by the function •t and produces as many tokens asindicated by t•.In the graphical notation •t resp. t• are represented asfollows:

No arrow between s and t if •t(s) = 0 (resp. t•(s) = 0).An unlabelled arrow between s and t if •t(s) = 1 (resp.t•(s) = 1).An arrow labelled with n between s and t if•t(s) = n > 1 (resp. t•(s) = n > 1).

The values •t(s) and t•(s) are also called weights.




Safe, bounded and unbounded nets

Let N be a Petri net. The net N is called

bounded if there exists a constant c ∈ N0 such that for eachreachable marking m and each place s it holds that m(s) ≤ c .

safe (also 1-safe) if

For each transition t and for each place s it holds that•t(s) ≤ 1 and t•(s) ≤ 1, i.e., all weights are at most 1andfor each reachable marking m and each place s it holdsthat m(s) ≤ 1.

unbounded if for each constant c ∈ N0 there exists areachable marking m and a place s such that m(s) > c .

Exercise: Find an example for an unbounded net.



Analysis methods for Petri nets

Reachability/coverability graphs: Representation of allreachable (coverable) markings as a transition system.

Incidence matrices and invariants: analysis of Petri nets withmethods from linear algebra.

Partial order techniques: analyzing the net without imposingan artificial ordering (= interleaving) on concurrent events.

We will in the following have a closer look at partial ordertechniques.



Motivation: unfoldings

Idea:

Representation of all possible runs of the Petri net withoutordering concurrent events (= interleaving).That is, we are looking for an alternative to the usualrepresentation of all possible runs in a transition system.

Such a representation is obtained by “unfolding” the net andso converting it into an acyclic net.

This representation is then used as a basis for analysismethods.







































Occurrence nets

Remarks:

Unfoldings are in general infinite in size, even for safe orunbounded nets. We will later discuss how to avoid thisproblem.

The acyclic nets used to represent the possible runs are calledoccurrence nets, since they describe the occurrence of events.



Occurrence nets

Two places (or transitions) in an occurrence net can be in one ofthe following three relations:

Causality: s2 is causallydependent on s1.

Concurrency: s1 and s2may occur at the sametime.

Conflict: s1 and s2 occur indifferent runs.

s1

s2



Occurrence nets





s2s1



Occurrence nets





s2

s1



Occurrence nets

Causality (definition)

Let N be a Petri net. Causality <N is the smallest transitiverelation on the set S ∪ T of places and transitions which satisfies:

Whenever •t(s) ≥ 1, then s <N t.

Whenever t•(s) ≥ 1, then t <N s.

The relation ≤N is the reflexive closure of <N .

Conflict (definition)

Let N be a Petri net. Two transitions t1 6= t2 are in direct conflictwhenever there exists a place s such that •t1(s) ≥ 1 and•t2(s) ≥ 1.

Two elements x1, x2 ∈ S ∪ T are in conflict (symbolically: x1#x2)if there are two transitions t1, t2 which are in direct conflict andt1 ≤N x1, t2 ≤N x2.



Occurrence nets

Occurrence net (definition, part 1)

An occurrence net is a Petri net N = (S ,T , •(), ()•,m0) with thefollowing properties:

N is safe.

The causality <N is acyclic, i.e., there is no elementx ∈ S ∪ T with x <N x .

For each place s it holds that:

|{t | t•(s) ≥ 1}| ≤ 1.

(Each place is in the postset of at most one transition, i.e.,each place is uniquely produced.)



Occurrence nets

Occurrence net (definition, part 2)

No element x ∈ S ∪ T is in conflict with itself, i.e., no xsatisfies x#x .

The initial marking m0 contains exactly those places which arenot in the preset of a transition.

If N is infinite then we require in addition that for each x ∈ S ∪ T ,the set {y | y <N x} is finite. (That is, there are only finitely manyelements of which x is causally dependent.)



Occurrence nets

Examples of nets which are no occurrence nets:

Counterexample 1:

Cyclic net nooccurrence net

Counterexample 2:

Place is in the postset oftwo transitions nooccurrence net



Occurrence nets

Examples of nets which are no occurrence nets:

Counterexample 3:

s1

s2 s3

t1 t2

s4

t3

t1, t2 are in direct conflict⇒ s2#s3 ⇒ t3#t3 ands4#s4 (self-conflict!)

no occurrence net



Occurrence nets

Concurrency (definition)

Let N = (S ,T , •(), ()•,m0) be an occurrence net and letx1, x2 ∈ S ∪ T . The elements x1, x2 are called concurrent(symbolically: x1 co x2), whenever they are neither causallydependent nor in conflict, i.e., neither x1 <N x2, nor x2 <N x1, norx1#x2 holds.

Remarks:

The symbol co stands for “concurrent”.

A set S ′ ⊆ S is called concurrent if all elements of the set arepairwise concurrent, i.e., for all s, s ′ ∈ S ′ it holds that (s co s ′).



Occurrence nets

Caution! The relations # (conflict) and co (concurrency) are nottransitive.

t1 t2 t3

It holds that t1#t2, t2#t3, but ¬(t1#t3).

t1 t2 t3

It holds that t1 co t3, t3 co t2, but ¬(t1 co t2).



Unfoldings

We will now describe how a Petri net N is unfolded into itscorresponding occurrence net U(N) (= unfolding of N).

Requirement 1

In order to simplify the procedure we will require from now on thatin the initial marking no place contains more than one token andthat all weights are at most 1. (However, the net does notnecessarily have to be safe.)

This means that the initial marking and the presets and postsets oftransitions are already uniquely determined by the setsSet(m0),Set(•t), Set(t•).



Unfoldings

Requirement 2

In addition we require that the net N is consuming, i.e., eachtransition t has a non-empty preset: Set(•t) 6= ∅.

The following problem occurs for non-consuming nets: we considerthe following net N, which is equal to its unfolding.

t

s

N

Transition t can fire arbitrarily oftenand produce an unbounded number oftokens in s. However, this implies thatN is not safe and is hence nooccurrence net.



Unfoldings

Let N = (S ,T , •(), ()•,m0) be a net that conforms to the tworequirements above.

Unfolding (Start)

Construct the occurrence net U0 = (S0,T0,•(), ()•,m0) where

S0 = Set(m0), T0 = ∅. Therefore U0 contains exactly those placesthat are initially marked in N.

Furthermore we define a mapping ϕ0 : S0 ∪ T0 → S ∪ T withϕ0(s) = s for each s ∈ S0. The function ϕ0 maps all elements ofU0 to their corresponding elements in N.



Unfoldings

Assumption: we constructed Ui = (Si ,Ti ,•(), ()•,m0) and ϕi in

the previous step.

Unfolding (add a new transition, part 1)

Look for a set V ⊆ Si of places which satisfies:

V is concurrent and |V | = |ϕi (V )| (i.e., V is mappedinjectively).

There exists a transition t in N with ϕi (V ) = Set(•t), i.e.,the image of V is the preset of a transition.

There is no a transition t ′ with preset V in Ui that is mappedto t. That is, the transition has not yet been unfolded.

Furthermore let Set(t•) = {s1, . . . , sn} be the postset of t.



Unfoldings

Unfolding (add a new transition, part 2)

Now construct the occurrence netUi+1 = (Si∪{s ′1, . . . , s ′n},Ti∪{t ′}, •(), ()•,m0),where s ′1, . . . , s

′n are new places and t ′ is a new

transition. Furthermore V is the preset and{s ′1, . . . , s ′n} the postset of t ′.

In addition we extend ϕi to ϕi+1 whereϕi+1(s ′j ) = sj for j ∈ {1, . . . , n} andϕi+1(t ′) = t.

V

t ′

s ′1 s ′n

Ui



Unfoldings

Additional requirement: each transition that can be unfolded musteventually be unfolded (fairness constraint).

This can be achieved via “breadth-first”-unfolding (unfoldtransitions with the lowest depth first), but not necessarily via“depth-first”-unfolding.



Unfoldings

Unfolding (definition)

The occurrence net U(N) which is obtained by taking the union ofall occurrence nets Ui , is called the unfolding of N. The net U(N)is usually infinite.The mapping ϕ from U(N) to N is obtained by taking the union ofall mappings ϕi .

The unfolding is an occurrence net

Let N be a net satisfying the restrictions above and let U(N) be itscorresponding unfolding. Then U(N) is an occurrence net.



Unfoldings

Example of an unfolding

BA

D

C

a

c b

N

Net N, which should be unfolded



Unfoldings


a

c b

a

c b

BA

D

C

B C

A

a

Incomplete unfolding U1 with a mapping to the components of N(mapping is indicated by the labels A,B,C , a)



Unfoldings


a

c b

a

c b

A

DA

a

B CB

CV

Concurrent set V



Unfoldings


A

DA

a

B CB

C

a

c b

a

c b

The image of V is the preset of transition b which has not yet beenunfolded.



Unfoldings


A

A

a

B CB

C

a

c b

a

c b

D

D

b

Unfolding of transition b with a new postset.



Unfoldings

Example: unfolding of a non-safe net N

A

B

N

A

B

B

AB

A

...

U(N)

A



Unfoldings

Remarks concerning the unfolding:

The example net above has an infinite unfolding, since thecycle is unfolded into an acyclic net.

Hence we need some kind of “stopping condition”, telling usthat we can stop the unfolding since we have already seen theentire state space ( later).

First, however, we will show that the unfolding represents allmarkings of the original net.



Configurations

In order to do this we need the notion of configuration: a set oftransitions of an occurrence nets that can be fired subsequently.

Configuration (definition)

A configuration C is a finite set of transitions which satisfies:

t ∈ C and t ′ ≤ t imply t ′ ∈ C (C is closed under causality).

There are no transitions t, t ′ ∈ C with t#t ′ (C isconflict-free).



Configurations

Cut of a configuration (definition)

Let C be a configuration. The cut of C is the set of all places swhich satisfy:

s ∈ Set(m0) or s ∈ Set(t•) for some t ∈ C (i.e., s is either inthe initial marking or it is in the postset of a transition of C )and

there is no transition t ′ ∈ C with s ∈ Set(•t ′) (i.e., s is notconsumed by a transition in C ).

Intuitively: the places in the cut of C are exactly those placeswhich are marked after we fire all transitions in C , starting withthe initial marking.



Configurations

Examples for configurations and cuts:

C (consisting of the blue tran-sitions) is a configuration. Thecorresponding cut is indicated bygreen colour.



Configurations


tC is no configuration since it isnot closed under causality. (Tran-sition t is not contained in C !)



Configurations


t ′t C is no configuration since it con-tains transitions t, t ′, which are inconflict.



Configurations


C is a configuration. The corre-sponding cut is indicated by greencolour.



Configurations

Lemma

Let M be the cut of a configuration. Then all s, s ′ ∈ M areconcurrent, i.e., s co s ′. This means that M is concurrent.

(Without proof)



Correctness

Correspondence between cuts and markings of the net:

B

A

...

U(N)

A

B

B

A

A

A

B

N



Correctness


B

A

...

U(N)

A

B

B

A

A

A

B

N



Correctness


B

A

...

U(N)

A

B

B

A

A

A

B

N



Correctness

The marking, which corresponds to the image of a cut M, will bedenoted by ϕ⊕(M).

Here ϕ is the function that maps the places and transitions ofthe unfolding U(N) to the original net N.

With ϕ⊕(M) we do not only obtain the image of M, we alsocount the number of preimages of a place. That is, we have:m = ϕ⊕(M) with

m(s) = |{s ′ | s ′ ∈ M, ϕ(s ′) = s}|

for all s ∈ S .

The function ϕ⊕ has the following properties:

ϕ⊕(M1 ∪M2) = ϕ⊕(M1)⊕ ϕ⊕(M2) if M1 ∩M2 = ∅.ϕ⊕(M1\M2) = ϕ⊕(M1) ϕ⊕(M2) if M2 ⊆ M1.



Correctness

Correctness of the unfolding (proposition)

Let N be a Petri net and let U = U(N) be the correspondingunfolding with a mapping ϕ from the places and transitions of Uto the places and transitions of N. It holds that:

Let m be a reachable marking in N. Then there exists aconfiguration C of U with cut M such that m = ϕ⊕(M).

Let C be a configuration of U with cut M. Then the markingm of N with m = ϕ⊕(M) is a reachable marking of N.

Remark: this means that the reachable markings of N correspondto the configurations of U.



Finite complete prefixes

We will in the following only consider safe nets.

Observation: for a safe net we can (even if the unfolding should befinite) create a finite prefix of the unfolding that contains allreachable markings and all firable transitions.

Such a prefix is called finite complete prefix.




Example for a finite complete prefix:

BA

D

C

a

c b

N

A

a

D

B C

b

c

prefix

Remark: here, the postset of c has been simply omitted.




Problem: It is too costly to test whether every reachable markingof the net already corresponds to a cut of the (incomplete)unfolding.

Idea: Define a local condition. Determine for each transition t thecorresponding configuration

btc = {t ′ | t ′ ≤N t}

and check whether the marking corresponding to the cut of btc isalready represented by the unfolding.




Idea: we define so-called cutoff transitions whose postset need notbe unfolded.

Cutoff transition (definition)

Let N be an occurrence net and let t ′ be a transition. If there isanother transition t such that

|btc| < |bt ′c| and

ϕ⊕(Mt) = ϕ⊕(Mt′) (where Mt resp. Mt′ are the cuts of btcresp. bt ′c),

then t ′ is called cutoff transition. Furthermore t ′ is called cutofftransition whenever ϕ⊕(Mt′) = m0.

During the unfolding a cutoff transition is marked as such and itspostset will not be added to the unfolding.




Example: determine the finite complete prefix for the following net.

B

E

DC

A

d

cb

a




Completeness (proposition)

Let N be a safe net and let P be the prefix of the unfolding whichis obtained if we do not unfold the postsets of cutoff transitions(and everything that is causally dependent on them). It holds that

P is finite.

For each reachable marking m there exists a configuration ofP with cut M such that ϕ⊕(M) = m. (Here, ϕ is themapping of P to the original net N which is obtained duringthe unfolding.)




Example: unfolding of a netusing cutoffs

Net N

A

a

B

b

C

c

D

d

E

e

unfolding U(N)

b

C B

A

a

B

D

A

E

d

e

D

E

A

...

...

...c

d ′

e ′

b′ b′′a′

init. marking




Example: unfolding of a netusing cutoffs

Net N

A

a

B

b

C

c

D

d

E

e

prefix

b

C B

A

a

B

c

D

E

d

e

init. marking




unfolding U(N)

A

a

B

D

A

E

d

e

D

E

A

...

...

b

C B

c

d ′

e ′

b′ ...

b′′a′

prefix

b

C B

A

a

B

c

D

E

d

e

Configuration {b, c, d ′, e ′}(marked blue) in the unfoldingcan be replaced by {a, d , e}(marked green) in the prefix.




Remarks concerning completeness:

In addition, it holds that every finite complete prefix of a netN contains each firable transition of N at least once, i.e., it ispossible to check the liveness of transitions via the prefix.

In order to keep the prefix as small as possible one can extendthe definition of a cutoff (keyword: adequate order). In thisway one can guarantee that the prefix is at most as large asthe reachability graph of N. (And in many cases it is muchsmaller.)




Problems which can be solved using finite complete prefixes:

Liveness of transitions

Question: Given a net N and a transition t of N. Is t firable in N?That is, is there a reachable marking which activates t?

construct the prefix P of N (together with the mapping ϕ) andcheck whether P contains a transition t ′ with ϕ(t ′) = t.




Coverability of markings

Question: Let N be a net and m a marking. Is m coverable in N?That is, is there a reachable marking m′ with m ≤ m′?

Add a new transition t to N whose preset is m. Then checkliveness of t using the unfolding.




Further applications:

Check reachability of markings. (The reachable markingscorrespond, under certain conditions, to the maximallyconcurrent sets of places of the prefix use constraintprogramming).

Check deadlock freedom.



Motivation: Graphtransformation

We describe rewriting rules which transform graphs into othergraphs. These rules are – as in Chomsky grammars – of the form:

Left-hand side → Right-hand side

Different from Chomsky grammars:

After we delete the left-hand side from a graph, how do weintegrate the right-hand side into the remaining graph? ( embedding rules)



Motivation: graph transformation

Graph transformation systems are suitable for the modelling ofsystems with:

A high degree of concurrency

Infinite state space

Dynamic creation respectively deletion of objects

Variable topology (the structure of the system changesdynamically during runtime)

Mobility (mobile code or mobile processes)

Caution: Tradeoff! The more complex a modelling languages is,the more difficult it is to analyze it.




Graph transformation (schematically)

RL

L R

1 2

n

...

...

1 2

n

...

...

Here: the embedding is given by the interface, i.e., by a set ofnodes (respectively edges) which is preserved by the rewriting.




Graph transformation (in a bit more detail)

A graph transformation rule consists of a left-hand side L, aright-hand side R and an interface I , where L, I ,R are graphs.Furthermore the interface is embedded into the left-hand and theright-hand side (with a type of mapping that still has to bedefined):

L← I → R



Graph transformation: examples

Mini-example

Rules:

q1

A1 2 1 2

A C1 2

q2

B

3

A

C

B 2B21 1

A3

2

1

3

Initial graph:B

A




Remarks concerning the example:

The transition system generated by the initial graph and therule set has infinitely many states. The states correspond tothe reachable graphs.

Question: Can rule q2 be applied to the initial graph?

This depends on whether we allow non-injective matchesof the left-hand side ( later).




Another example: dining philosophers

Here:

At the beginning we have a table with two philosophers andtwo forks.

One left-handed and one right-handed philosopher is present(in order to avoid deadlocks).

We create additional philosophers: eating philosophers mayreproduce.




Dining philosophers (with the creation of additional philosophers)

Rules:

1 2

1 2

1 2

21

21

21

21

21

1

1

1

1

2

2

1

1

1

1

1

1 2

2

2

22

2

2

2

(RepX )

(HungryX ) EX

EX

WL

EL

WR

F HX

ER

F

EX FHX

X ∈ {L,R}

(EatR)

(WaitR)

(EatL)

(WaitL) F

WL

F

WR

F

HL

F

HR

Initial graph:

F

HL HR

F



Hypergraphs and graph morphisms

We do not only consider directed graphs, as in the previousexamples, but a more general notion of graphs: hypergraphs.

A

C

B

0

21

31

2

0

0

Properties:

A hyperedge (box with rounded corners) is connected toseveral nodes (connections are numbered 0 to n − 1).

A hyperedge may also be connected several times to the samenode.

Only hyperedges are labelled, but nodes remain unlabelled.




Intuition: do not think of nodes which are connected by edges; butrather of hyperedges which are attached via the nodes.

Representation: a hyperedge which is connected to exactly twonodes is often represented as a directed edge.

A10

A

Remark: it would also be possible to define graph transformationon different types of graphs (directed graphs, undirected graphs,attributed graphs, . . . )




Hypergraph (definition)

Let Λ be a set of labels. A hypergraph G is a tupleG = (V ,E , c , l), where

V is a set of nodes,

E is a set of (hyper-)edges,

c : E → V ∗ is the connection function and

l : E → Λ is the labelling function.

Remarks:

Instead of “hypergraph” we will in the following often just say“graph”.

V ∗ denotes the set of all words or sequences over V .

The arity of an edge e is |c(e)|.Barbara Konig Course “Modelling of Concurrent Systems” 316



In order to embed a graph into another graph we need the notionof graph morphism.

Graph morphismus (definition)

Let G1 = (V1,E1, c1, l1), G2 = (V2,E2, c2, l2) be two graphs. Agraph morphism ϕ : G1 → G2 is a pair of mappings ϕV : V1 → V2,ϕE : E1 → E2 such that for all e1 ∈ E1 it holds that

c2(ϕE (e1)) = ϕV (c1(e1)) and

l2(ϕE (e1)) = l1(e1).

Remarks:

Applying the mapping ϕV to a word is done componentwise,i.e., ϕV (v1 . . . vk ) = ϕV (v1) . . . ϕV (vk ).

We will often omit the indices and write ϕ instead of ϕV , ϕE .

Sometimes “graph morphisms” are simply called “morphisms”.




Isomorphism (definition)

Two graphs G ,H are called isomorphic (symbolically: G ∼= H) ifthere exists a morphism ϕ : G → H where both component mapsϕV and ϕE are bijective.

Remark: In general graphs are considered “up to isomorphism”.This means that two different, but isomorphic graphs areconsidered to be “equal”.



Graph transformation

In order to define graph transformation we first have to specifywhat it means to glue two graphs over a common subgraph.

For this we need the notion of factorization through an equivalencerelation.

Factorization (definition)

Let M be a set and let ≡ be an equivalence relation on this set.Given an element x ∈ M the equivalence class of x is defined asfollows

[x ]≡ = {y ∈ M | y ≡ x}.We factorize M through ≡ and obtain the set M/≡ of equivalenceclasses of ≡, i.e.,

M/≡ = {[x ]≡ | x ∈ M}.




Gluing of graphs (definition, part 1)

Let I ,G1,G2 be graphs with graph morphisms ϕ1 : I → G1,ϕ2 : I → G2. We call I = (VI ,EI , cI , lI ) the interface. We alsoassume that all node and edge sets are disjoint.

Let ≡ be the smallest equivalence relation on V1 ∪ E1 ∪ V2 ∪ E2

which satisfies ϕ1(x) ≡ ϕ2(x) for all x ∈ VI ∪ EI .

The gluing of G1,G2 over I (written as G = G1 +ϕ1,ϕ2 G2 resp.G = G1 +I G2) is defined as G = (V ,E , c, l) with:

V = (V1 ∪ V2)/ ≡,

E = (E1 ∪ E2)/ ≡,




Gluing of graphs (definition, part 2)

c : E → V ∗ where c([e]≡) = [v1]≡ . . . [vk ]≡ and

v1 . . . vk =

{c1(e) if e ∈ E1

c2(e) if e ∈ E2

l : E → Λ where

l([e]≡) =

{l1(e) if e ∈ E1

l2(e) if e ∈ E2




Remarks:

The functions c and l are well-defined. That is, the definitionsabove are independent of the choice of representative of theequivalence class.

There are graph morphisms ψ1 : G1 → G , ψ2 : G2 → G whichmap each hyperedge and each node to their correspondingequivalence class.




Examples: gluing of graphs

Gluing (example 1)21

ϕ1

xxqqqqqqqqqqqϕ2

''NNNNNNNNNNN

WL

1

2

ψ1 !!DDD

DDDD

HR

F1

2

ψ2||yyyy

yyy

HR

F

WL

1

2




Gluing (example 2)

21ϕ1

xxpppppppp ϕ2

))RRRRRRR

1, 2

ψ1##G

GGGGG21

A

ψ2xxqqqqqq

q1, 2

A




Gluing (example 3)

21 3ϕ1

ttiiiiiiiii ϕ2

**UUUUUUUUU

1A

2, 3

ψ1

((PPPPPP

1, 2 3B

ψ2

vvnnnnnn

A B

1, 2, 3




Gluing (example 4)

B1 2

ϕ1

vvmmmmmmmmmmmmmϕ2

((QQQQQQQQQQQQQ

A1 2

B

ψ1 ((QQQQQQQQQQQQQ

1 2B C

ψ2vvmmmmmmmmmmmmm

A1 2

B C




Such a “gluing diagram” has the following universal property:

Iϕ1

~~}}}}

}}}} ϕ2

AAA

AAAA

A

G1

ψ1

AA

AAAA

A

ψ′1

""

G2

ψ2

~~~~~~

~~~~

ψ′2

||

G1 +I G2

η

��

H

For any two morphismsψ′1 : G1 → H, ψ′2 : G2 → Hsatisfying ψ′1 ◦ϕ1 = ψ′2 ◦ϕ2 thereexists a unique morphismη : G1 +I G2 → H such thatη ◦ ψ1 = ψ′1 and η ◦ ψ2 = ψ′2.

Diagrams having this property are called pushouts. The graphG1 +I G2 is unique up to isomorphism.




Graph transformation rule (definition)

A (graph transformation) rule consists of three graphs L, I ,R and

two graph morphisms LϕL← I

ϕR→ R.

Example:

HL

F2

1

21ϕLooϕR // WL

1

2




Graph transformation can be described by two gluings of aso-called context graph with the left-hand and right-hand side.

Graph transformation (definition)

Let r = (LϕL← I

ϕR→ R) be a rule. We say that a graph G istransformed into a graph H (symbolically: G

r⇒ H) if there is agraph C (the so-called context) and a graph morphism ψ : I → Csuch that:

G ∼= L +ϕL,ψ C H ∼= R +ϕR ,ψ C




Considering all graph morphisms we can represent a graphtransformation diagrammatically as follows:

L

m

��

IϕLoo

ϕR //

ψ

��

R

��

G Coo // H

Remarks:

The diagram above gives the graph transformation approachits name: double-pushout approach (DPO for short).

The morphism m is called match of the left-hand side in thegraph G .




Example diagram describing a graph transformation:

HL

F2

1

m

��

21ϕLooϕR //

ψ

��

WL

1

2

��

F

HL HR

F2

1

HR

F1

2

oo // HR

F

WL

1

2




Intuitively a graph transformation consists of the following steps:

In order to obtain the context C we first delete from G allimages of the left-hand side which are not present in theinterface.

Then we add the right-hand side to C by gluing over theinterface, thus obtaining the resulting graph H.




Graph transformation system (definition)

Let Λ be a set of labels. A graph transformation system is a tupleG = (G0,R) where

G0 is an arbitrary hypergraph, the so-called initial graph orstart graph, and

R is a set of graph transformation rules.

All edges are labelled with elements of Λ.




Question: Under which conditions does the context C exist?

Problem: in some cases there is no fitting context for a ruleL← I → R and a match m : L→ G .

Non-existence of the context C (Case 1)

Deletion of a node without deleting the adjacent edge.

1A

m

��

1ϕLoo

��A1

B ?oo




Non-existence of the context C (Case 2)

Merging of two elements of the left-hand side which are notpresent in the interface.

A

A

1 2

m

��

21ϕLoo

��

A1 2

?oo




But: the context exists if we only merge elements of the interface.

A1 2

m

��

21ϕLoo

��1, 2

A

1, 2oo




Existence of the context (proposition)

Let LϕL← I

ϕR→ R be a graph transformation rule and let m : L→ Gbe a match. Then a context C and a morphism ψ : I → C suchthat G ∼= L +ϕL,ψ C exist if and only if the following holds:

For every node v of L whose image m(v) is adjacent to anedge e which is not in the image of m, there exists a node v ′

in I with ϕL(v ′) = v .

Whenever two elements x , y (where x , y can be nodes oredges in L) satisfy m(x) = m(y), then there exist x ′, y ′ in Iwith ϕL(x ′) = x , ϕL(y ′) = y .

These two conditions are called gluing conditions.




Remarks:

The context which completes a gluing diagram is calledpushout complement, since it complements a pushout.

If the context does not exist, no graph transformation step isfeasible in the double-pushout approach.

There are other graph transformation approaches, such as thesingle-pushout approach where all adjacent edges are deletedwhen deleting a node.



Negative application conditions

Negative application condition (definition)

Let r = (LϕL← I

ϕR→ R) be a graph transformation rule. A negativeapplication condition for r is a graph N with a morphismn : L→ N.

Intuition: We require that N does not occur in the vicinity of Lwhenever the rule is applied to a graph G .




Match satisfies a negative application condition (definition)

Let r = (LϕL← I

ϕR→ R) be a rule, n : L→ G a negative applicationcondition and m : L→ G a match.We say that m satisfies the negative application conditiondwhenever there exists no injective morphism p : N → G withp ◦ n = m.

N

p��

L

m

��

noo IϕLoo

ϕR // R

G




Example: compute the transitive closure of a (directed) graph

Idea: two nodes connected indirectly over a third node areconnected with a direct edge. However, this should happen only ifthis connection does not already exist.




Computation of the transitive closure

AA AA A

A

A

R

A

IL

A

A

N

Apply this rule as long as possible. As soon as the rule can not beapplied any more, we have found the transitive closure.



Graph transformation und Petri nets

Petri nets can, in a very simple way, be encoded into graphtransformation:

Each place becomes a label of the graph transformationsystem.

Each transition becomes a rule.

A marking is represented by a set of edges of arity 0, whichhave the appropriate labels.

Graphs consist of edges only, without any nodes.




Encoding: Petri net → graph transformation

Let N = (S ,T , •(), ()•,m0) be a Petri net.We use Λ = S as label set. The corresponding graphtransformation system is G = (G0,R) where:

G0 does not contain any nodes. For each s ∈ Λ there arem0(s) edges labelled s and all edges have arity 0.(Analogously we can assign a graph Gm to any marking m .)

Each transition t ∈ T is assigned to a rule rt = (L← I → R)where: L = G•t , I = ∅ (empty graph), R = Gt• .




Example encoding:

Petri nets2s1

s3

s4

t1

t2t3

Corresponding graph transformationsystem

s2s1

s2s1

s3

s3 s1 s4

rt1:

rt2:

rt3:

s2s3

Initial graph:




We can formulate the correctness of the encoding as follows:

Correctness of the encoding (proposition)

Let N be a Petri net and let G = (G0,R) be the corresondinggraph transformation system. It holds that:

Whenever m[t〉m′ for two markings m,m′ then we have

Gmrt⇒ Gm′ where rt ∈ R.

Let G be a graph reachable from G0 and let Grt⇒ G ′ for a

rule rt ∈ R. Then there are markings m,m′ such thatGm∼= G , Gm′ ∼= G ′ and m[t〉m′.



Model transformation of Petri nets

In some cases it can also be useful to represent Petri nets directlyas graphs, especially if we want to modify their structure.

The following rules describe model transformation on Petri nets bymodifying the structure of a net. It is possible to show that theresulting net has “in principle” the same behaviour than theoriginal net (especially concerning deadlocks, 1-safety andboundedness).




[Rules taken from Tadao Murata: “Petri Nets: Properties, Analysisand Applications”]













Exercise:

Fix a representation of Petri nets as graphs

Describe the rules above via graph transformation rulesCaution: most of the rules have negative applicationconditions, i.e., they require the non-existence of certainincoming or outgoing connections.

Remark: graph transformation is often used for so-called modeltransformations, i.e., for the transformation of diagrammaticspecifications or the encoding of one kind of diagrammaticspecification into another. An important application field is thetransformation of UML diagrams.




Idea for encoding of the structure of Petri nets:

Represent both places and transitions by nodes. In order todistinguish them add a unary hyperedge labelled either S or T .

Tokens are similarly represented by unary edges labelled Mand attached to the respective place.

Connections between places and transitions (or vice versa) arerepresented by binary A-edges.




Example: encoding a net as a graph

SS

T

A

AA

SM

Petri net graph encoding



Graph transformation and CCS

CCS processees can be simulated by graph transformation rules(according to [Gadducci]). Here we restrict ourselves to processeswithout constants, non-deterministic choice, renamings andτ -prefixes.

Ideas:

Each CCS process is represented by a graph. This graph representsboth

the term structure by a tree-like graph structure and

the communication channels between processes (due to shared(action) labels).

There are two kinds of nodes:

black nodes (•) for the term structure

white nodes (◦) representing (action) labels




We use only the following three edge labels:

in: representation of input prefixes

3-ary (or ternary) edge whose nodes have the followingmeaning

(action) label (white node ◦)predecessor and successor in the term structure (blacknodes •)

out: representation of output prefixesMeaning of the nodes as for in

go: will be attached to the root of the term structure in orderto avoid rewriting underneath a prefix

Unary edge which is connected to a single black node •




In order to determine how many (external) white nodes should begenerated when encoding a process P we first have to determinethe (action) labels occurring free in a process.

Free action labels (definition)

Let L be a set of labels and let P be a process whose actions andcoactions are taken from L. A label a ∈ L occurrs free in P if itoccurs in an input or output prefix which is not underneath arestriction of a.

Examples:

P = a.Q1 | b.Q2 a, b occur free in P.

P = (a.Q1 | b.Q2)\{b} only a occurs free in P.

P = (a.b.c .Q)\{b} a, c occur free in P.

P = (a.Q1)\{a} | a.Q2 a occurs free in P.




Free action labels (inductive definition)

The set free(P) of action labels which occur free in P is defined asfollows:

free(0) = ∅free(a.P) = {a} ∪ free(P)

free(a.P) = {a} ∪ free(P)

free(τ.P) = free(P)

free(P | Q) = free(P) ∪ free(Q)

free(P\L) = free(P)\Lfree(P[f ]) = {f (a) | a ∈ free(P)}free(P + Q) = free(P) ∪ free(Q)

free(A) = free(P) if A := P.




We now define [[P]]w , i.e., the encoding of a CCS process P into agraph. Here w ∈ L∗ is a word which contains at least all (action)labels occurring free in P such that no label appears multipletimes. By w [i ] we denote the i-th element of w . Furthermore letn = |w | be the length of w .

Now we define [[P]]w , which is a graph with n + 1 distinguishednodes: n white nodes ◦ (one for each action label) and one blacknode • (for the root of the term structure).

Schema:

n1 n+1. . .




Inactive process

[[0]]w =n1 n+1

. . .

Restriction

[[P\{a}]]w =

n1 n+1. . .

[[P ]]wa

[[P]]wa has n + 2 distinguished nodes, of which the next to lastnode, i.e. the node corresponding to a, is removed.




Parallel composition

[[P | Q]]w =

1

...

n+1

n[[P ]]w [[Q]]w




Input prefix

[[a.P]]w =n1 . . .

i

in

n+1

[[P ]]w

where w [i ] = a.




Output prefix

[[a.P]]w =n1 . . .

i

n+1

out

[[P ]]w

where w [i ] = a.




Now we determine {[P]}w (the final encoding), which we obtainfrom [[P]]w by adding a go-edge.

Adding a go-edge

{[P]}w =n1 n+1

. . . go

[[P ]]w




Example: encoding of the CCS process ((a.b.0 | b.0) | a.0)\{b}

in

in

1 2

out out

ba

go




We now want to show that two processes are structurallycongruent if and only if their encodings are isomorphic. However,this is not quite true, we first have to slightly adapt the notion ofstructural congruence and the notion of isomorphism.

Isomorphism of graphs with distinguished nodes (definition)

Let G , H be two graphs where G has the sequence v [1] . . . v [n + 1]and H the sequence w [1] . . .w [n + 1] of distinguished nodes.Two graphs with distinguished nodes are isomorphic if there existsa bijective morphism ϕ : G → H such that ϕ(v [i ]) = w [i ] for alli ∈ {1, . . . , n + 1}.




Extended structural congruence (definition)

The extended structural congruence on CCS processes(symbolically: P ≡Q) is the smallest relation which can be derivedvia the laws of structural congruence and the following laws:

(a.P)\{b} ≡ a.(P\{b}) if a 6= b, a 6= b.

(P\L)\L′ ≡P\(L ∪ L′)

(P | Q)\{a} ≡P | (Q\{a}) if a 6∈ free(P).

0\L ≡ 0

Furthermore restricted labels can be renamed. (For instance:(a.b.0)\{a} ≡ (c .b.0)\{c})




Isomorphism and structural congruence (proposition)

Let P,Q be two CCS processes and let w be a word containing allaction labels occurring free in P,Q. Then the graphs {[P]}w and{[Q]}w with distinguished nodes are isomorphic if and only ifP ≡Q.




Finally we have to specify the operational semantics of CCS. Asingle rule is enough:

Operational semantics of CCS given by graph transformation rules

3

1 2go

1 2

43

out go2, 3, 4

4

in1go




Intuition behind the transformation rule:

The two prefixes have to belong to the same action label.This is ensured by requiring that they are connected to thesame white node.

By applying the rule we merge the nodes 2, 3, 4 and in thisway we “move up” the terms underneath the prefixes..

Rule application is only possible if a go-edge is present. Thatis, the prefixes must be located at the root of the termstructure and should not be located underneath a prefix. Thego-edge is present in the interface and is hence preserved.




With the rule given above we can now simulate all τ -steps(reduction semantics):

Correctness of the encoding (proposition)

Let P be a CCS process, let w be a sequence of action labelsoccurring free in P and let r be the rule given above. Then it holdsthat:

Pτ→ Q implies {[P]}w

r⇒ [[Q]]w .

{[P]}wr⇒ G for a graph G implies the existence of a CCS

process Q with {[Q]}w∼= G and P

τ→ Q.




Remarks:

It is also possible to encode CCS processes with sum,renamings, constants and τ -prefixes by introducing new typesof hyperedges and nodes.

Furthermore it would be possible to model “true” interactionwith the environment, i.e., to simulate transitions of the formP

a→ Q where a 6= τ .




Based on the graph transformation semantics it if fairly simple toimplement extensions of CCS. For instance one can consider labelsas channel names and send those channel names as the content ofa message during communication.

This allows to modify channel connections dynamically duringruntime (cf. π-calculus). This effect is also called (weak) mobility.




Sending of channel names via graph transformation rules

in

43

go

go

3

1 2

4

2, 3, 4go

5 6

5, 6

out

21 5ba

6x

1

Corresponding step in the π-calculus

a〈b〉P | a(x).Qτ→ P | Q[b/x ]

We consider x to be a bound label, i.e., it does not occur free inthe process.



Outlook

What else is there in graph transformation?

Unfoldings (similar to Petri nets)

Graph grammars (in order to generate graph language)

Underlying mathematical theory: category theory

Many Application, Modelling of large, real-life systems

Many tools (Agg, Progres, Groove, Augur, . . . )

. . .


Documents

· IntroductionTransition systemsBuchi automataProzess calculiPetri netsGraph transformation Course \Modelling of Concurrent Systems" (\Modellierung nebenlau ger Systeme") Winter