Decidability problems in Petri nets with names and

Fundamenta Informaticae XXI (2001) 1001–1026

1001

IOS Press

Decidability problems in Petri nets with names and replication Fernando Rosa-Velardo Facultad de Informática C/Prof. José Garc´ıa Santesmases, s/n 28040 Madrid (Spain) [email protected]

David de Frutos-Escrig Facultad de CC. Matemáticas Pza. de las Ciencias, s/n 28040 Madrid (Spain) [email protected]

Abstract. In this paper we study decidability of several extensions of P/T nets with name creation and/or replication. In particular, we study how to restrict the models of RN systems (P/T nets extended with replication, for which reachability is undecidable) and ν-RN systems (RN extended with name creation, which are Turing-complete, so that coverability is undecidable), in order to obtain decidability of reachability and coverability, respectively. We prove that if we forbid synchronizations between the different components in a RN system, then reachability is still decidable. Similarly, if we forbid name communication between the different components in a ν-RN system, or restrict communication so that it is allowed only for a given finite set of names, we obtain decidability of coverability. Finally, we consider a polyadic version of ν-PN (P/T nets extended with name creation), that we call pν-PN, in which tokens are tuples of names. We prove that pν-PN are Turing complete, and discuss how the results obtained for ν-RN systems can be translated to them.

Keywords: Petri nets, pure names, infinite state systems, decidability, multithreading, security, choreography Address for correspondence: Facultad de Informática. C\Prof. José Garc´ıa Santesmases, s/n - 28040 Madrid (Spain)

This paper is an extended and revised version of [32]. Its authors are partially supported by the Spanish projects DESAFIOS10 TIN2009-14599-C03-01, UCM-BSCH GR58/08/910606 and PROMETIDOS S2009/TIC-1465.

1002

F. Rosa, D. de Frutos / Decidability problems in Petri nets with names and replication

1. Introduction and related work Pure names are identifiers with no relation between them other than equality [15]. They were first mentioned by Needham, who said that pure names are “nothing but a bit pattern that is an identifier, and is only useful for comparing for identity with other bit patterns” [28]. Names are relevant to mobility and security, because they can be used to represent channels, keys or computing boundaries [15]. In previous works [29, 31] we have studied a very simple extension of P/T nets, that we called ν-PN. Tokens in ν-PN are pure names, that can be created fresh, moved along the net and used to restrict the firing of transitions with name matching. Dynamic process creation is also ubiquitous in computer science, that is, the capacity of software components to spawn new processes, like in multithreaded programs, broadcast protocols or dynamic networks [6, 12, 4]. In the field of mobility, particularly in that of mobile agent systems, components usually have the capacity to replicate themselves, that is, the capacity of creating a new copy of themselves, typically initialized with some fixed state. In previous works [31] we also extended P/T nets with a simple primitive that creates new nets. We called this extension RN systems (where RN stands for Replicated Nets). In RN systems we also consider an automatic garbage collection mechanism that removes any empty net, since once they hold no tokens they become blocked. Therefore, the number of components in an RN system can not only grow when a new replication is executed, but also decrease when a component becomes garbage. In [22], Kummer proves undecidability of reachability for every object-oriented Petri net formalism. For that purpose, Minimal OO-nets were defined, as a minimal model of nets having objects as tokens, assuming that, at least, each object has a name. Though our ν-PN were thought of in a different context, they essentially correspond to the minimal OO-nets of [22]. The paper [9] studies different boundedness problems for Minimal OO-nets, and present an algorithm to decide them. Boundedness is a much trickier property than coverability, as already pointed out by the results about reset nets [10]. On the one hand, coverability can be decided with backward algorithms, like the ones we use in this paper, though for boundedness typically forward algorithms need to be considered. Forward and backward reachability analyses behave very differently, and, in particular, forward algorithms are more difficult to obtain. In particular, the algorithm obtained in [9] actually returns the wrong answer in several cases. Another model based on Petri nets that has names as tokens is Data Nets [24]. In Data Nets, tokens are not pure in general, but taken from a linearly-ordered infinite domain. In Data Nets, there is no mechanism for name creation, so that it has to be simulated using the linear order (for instance, simulating the creation of a fresh name by taking a value greater than any of the values that have appeared so far). Thus, in an unordered version of Data Nets there is no way of ensuring that a name is fresh. Other similar models include Object Nets [33, 34, 35], that follow the so called nets-within-nets paradigm. In Object Nets, tokens can themselves be Petri nets that synchronize with the net in which it lies. This model is supported by the RENEW tool [23], a tool for the edition and simulation of Object Petri Nets. Moreover, the RENEW tool can represent all the models presented in this paper and, therefore, be used to simulate them. Several papers study the expressive power of Object Nets. The paper [20] considers a two level restriction of Object Nets, called Elementary Object Nets (EON), and proves undecidability of reachability for them. This result extends those in [19]. Moreover, some subclasses are proved to have decidable reachability. In [21] it is shown that, when the synchronization mechanism is extended so that object


1003

tokens can be communicated, then Turing completeness is obtained. However, in all these models processes (object nets) do not have identities. Nested Petri Nets [25] also have nets as tokens, that can evolve autonomously, move along the system net, synchronize with each other or synchronize with the system net (vertical synchronization steps). Nested nets are more expressive than ν-PN. Indeed, it is possible to simulate every ν-PN by means of a Nested Petri Net which uses only object-autonomous and horizontal synchronization steps. In Nested Petri Nets, reachability is undecidable, although other problems, like termination, remain decidable [26]. We know that reachability in ν-PN is undecidable [22], but they are Well Structured Transition Systems (WSTS), so that coverability is still decidable [29]. Moreover, in [31] we proved that ν-PN and RN systems are equivalent, in a sense that preserves both reachability and coverability, so that we also know that reachability is undecidable for RN systems, but coverability is decidable for them. Finally, also in [31] we extended P/T nets both with name creation and replication, obtaining ν-RN systems, and proving that, although the two extensions were equivalent, when we consider both of them together we obtain Turing-completeness. In particular, coverability is undecidable. In this paper we study how both models, RN systems (or equivalently ν-PN) and ν-RN can be restricted in order to keep decidability of reachability and coverability, respectively. We will prove that reachability is decidable for the class of RN systems without synchronizations. The proof is done by first reducing it to reachability in a multiset rewriting system with conditional rewrite rules, where the conditions are reachability problems in ordinary P/T nets. This technique is somewhat similar to the model of Recursive Petri Nets (RPN) [16, 17], in which some transitions (the so called abstract transitions) are not atomic. They first remove tokens from preconditions, but do not put them in postconditions until a new component (a child thread created by the abstract transition, initially marked in some fixed way) reaches a final marking, where the set of final markings must be a semi-linear set. However, there are important differences between RPN and these multiset rewriting systems, that do not allow to reduce reachability in the latter to reachability in the former. For the model of ν-RN systems, that encompasses both name creation and replication, we prove that by forbidding name communication between components, while still allowing synchronizations, coverability is decidable. If communication is allowed, but restricted to names in a given finite set, then we also prove decidability of coverability. We show that, with these restrictions, ν-RN are Well Structured Transition Systems (WSTS) [13], for which coverability is decidable. Several works exist [7, 18] that use Petri nets with name creation. The paper [7] gives a semantics to an extension of BPEL with instance isolation, while in [18] the problem of transactions in Databases is studied using Petri nets with names. However, in both papers the Petri nets considered have tuples of names as tokens. In order to study the resulting model, in Sect. 6 we will consider polyadic ν-PN, an extension of ν-PN in which tokens are tuples of pure names, getting pν-PN. We show that the expressive power of pν-PN is strictly greater than that of ν-PN, reaching Turing completeness even if we restrict such tuples to be pairs. The proof is done by simulating any ν-RN system by a polyadic (binary) ν-PN. Moreover, we identify the subclass of polyadic ν-PN that can be simulated by ν-RN systems without communications, or with restricted communication, so that coverability is also decidable for them. The rest of the paper is structured as follows. Sect. 2 introduces notations and some basic concepts. Sect. 3 defines ν-RN systems, RN systems, and pν-PN. In Sect. 4 we prove decidability of reachability for RN systems without synchronizations. Sect. 5 proves decidability of coverability for the class of ν-RN systems without communications or with restricted communications. In Sect. 6 we prove Turing completeness of pν-PN. Finally, Sect. 7 presents our conclusions and some directions for future work.

1004


2. Preliminaries Given an arbitrary set A, we will denote by MS pAq the set of multisets of A, that is, the set of mappings m : A Ñ N. We denote by supp pmq the support of m, that is, the set ta P A | mpaq ¡ 0u. A multiset m ° is finite if supp pmq is a finite set, in which case we denote by |m| mpaq the cardinality of m.

P

p q

a supp m

All the multisets that appear in this paper are finite. Given two multisets m1 , m2 P MS pAq we denote by m1 m2 the multiset defined by pm1 m2 qpaq m1 paq m2 paq. We will write m1 m2 if m1 paq ¤ m2 paq for every a P A. In this case, we can define m2 m1 , given by pm2 m1 qpaq m2 paq m1 paq. ° We will denote by the extended multiset sum operator and by H P MS pAq the multiset Hpaq 0, for every a P A. We lift any f : A Ñ B to f : MS pAq Ñ MS pB q defining f pmq P MS pB q by ° f pmqpbq mpaq, whenever m P MS pAq. We identify each set with the multiset defined by its

p qb

f a

characteristic function, and we will use set notation to specify multisets, as standard, thus taking into account the possible presence of repeated elements. A quasi order in A is a reflexive and transitive binary relation on A. A partial order is an antisymmetric quasi order. Every quasi order ¤ defined in A induces a quasi order in MS pAq, given by ta1 , . . . , an u tb1, . . . , bm u if there is some h : t1, . . . , nu Ñ t1, . . . , mu injective such that ai ¤ bhpiq for all i P t1, . . . , nu. We write s s1 if s ¤ s1 and s1 s (analogously, we write for ). A quasi order ¤ is a well-quasi order (wqo) if for every infinite sequence s0 , s1 , . . . there are i and j, with i j, such that si ¤ sj . Equivalently, it is a wqo if every infinite sequence has a non-decreasing subsequence. It is a well known fact that the multiset order induced by a wqo ¤ is also a wqo. A family of quasi orders pAi , ¤i qni1 induces a quasi order ¤ in the set A1 . . . An , given by pa1 , . . . , an q ¤ pb1 , . . . , bnq whenever ai ¤i bi , for all i P t1, . . . , nu. If all the quasi orders ¤i are wqo then so is ¤. Given a set A, we denote by Seq pAq the set of tuples (finite sequences) of elements in A, that is, Seq pAq i¡0 Ai . We can also extend any f : A Ñ B to f : Seq pAq Ñ Seq pB q by taking f ppa1 , . . . , an qq pf pa1 q, . . . , f pan qq. We will sometimes use set notation for tuples, so that we will write, for instance, a P pa, bq. A transition system is a pair pS, Ñq, where S is a (possibly infinite) set of states and Ñ S S. We denote by Ñ the reflexive and transitive closure of Ñ. The reachability problem in a transition system consists in deciding for two given states s0 and sf whether s0 Ñ sf . For any transition system pS, Ñq endowed with a quasi order ¤ we can define the coverability problem, that consists in deciding, given two states s0 and sf , whether there is a a state s reachable from s0 such that sf ¤ s. A Well Structured Transition System (WSTS) is a tuple pS, Ñ, ¤q, where pS, Ñq is a transition system, ¤ is a decidable wqo compatible 1 with Ñ (meaning that s11 ¥ s1 Ñ s2 implies that there is s12 ¥ s2 with s11 Ñ s12 ), and so that for every s we can compute (a finite representation of) the set ts1 | s1 Ñ s2 ¥ su. We will refer to these properties as monotonicity of Ñ with respect to ¤, and computability of the set of predecessors, respectively. For WSTS the coverability problem is decidable [2, 13]. In the paper we assert several times that a model M1 simulates another model M. By that we mean that for every system N in M there is N 1 F pN q in M1 , where F is a computable function, such that the transition systems generated by the semantics of N and N 1 are isomorphic. Therefore, reachability in N and N 1 become equivalent. Moreover, the isomorphisms preserve the orders considered in each of the models, so that coverability in both models is also equivalent. 1

Different compatibility conditions are discussed in [13].


1005

3. Name creation and Replication In [31] we defined ν-PN and RN systems as extensions of P/T nets, and then ν-RN systems as an extension of ν-PN with replication or, equivalently, as an extension of RN systems with name creation.2 Here, we plan to consider also a polyadic version of ν-PN. This is why we prefer to start by defining pνRN systems, the most general model, that subsumes all of them, and then obtain ν-RN systems, pν-PN, ν-PN, and RN systems by restricting pν-RN systems in the adequate ways. Polyadic ν-RN systems (pν-RN systems for short) are a natural extension of ν-RN systems. A configuration of a pν-RN system is given by a multiset of the components that compose the system. Each of this components is a colored Petri net, where tokens are tuples of pure names (instead of a single pure name, as it was the case for ν-RN systems), taken from a set Id . In order to handle names, we need matching variables, taken from a set Var . Moreover, we add a primitive capable of creating fresh names, formalized by means of a special variable ν P Var . We will manage names by attaching those variables as labels in the arcs. In a ν-RN system transitions fire synchronously. For that purpose, we will consider a set S of service names, and a function arity : S Ñ N, and we take the set of synchronizing labels Sync tspiq | s P S, 1 ¤ i ¤ arity psqu. We will denote by T the set of tuples of names of arbitrary length, that is, T Seq pId q. The tokens of a pν-RN system are taken from T . We will use ϕ, ϕ1 , ϕ1 to range over tokens. Definition 3.1. A pν-RN system is a tuple N pP, T, F, λq, where P and T are finite disjoint sets of places and transitions, respectively, and F : pP T q Y pT P q Ñ Seq pVar q is a partial function. Components of N are represented by mappings M : P Ñ MS pT q. The set of possible components of N will be denoted by Comp, and we have λ : T Ñ Sync Comp.

The domain of the partial function F defines the set of arcs of N . An arc pp, tq is called a prearc, and an arc pt, pq is called a postarc. If pp, tq is a prearc, then F pp, tq is a tuple of variables, that is used to specify what tokens can be taken from preconditions. Analogously, for a postarc pt, pq, F pt, pq says what tokens are put in postconditions. We write pre ptq tx P Var | x P F pp, tq for some p P P u, post ptq tx P Var | x P F pt, pq for some p P P u and Var ptq pre ptq Y post ptq to denote the set of variables in labels of arcs that are adjacent to t. The function λ labels transitions for two different purposes. On the one hand, it defines how a transition t must synchronize (first part of λptq) as we will see in detail in a moment. On the other hand, it indicates which new components are created by their firing. We denote just by H the empty component, that without tokens, and by Init N , or simply Init when there is no confusion, the set of (non-empty) components that appear as labels of transitions, that is, Init N tM | λptq pℓ, M q for some t P T and ℓ P Sync with M Hu. Definition 3.2. A marking of N is a multiset of components of N . Markings of pν-RN systems are multisets of components. We will use M, M1 , M1 ,... to range over markings. We identify a component by its current marking, and talk about component M . Therefore, for a component M and a marking M, MpM q is the number of copies equal to M (including M itself) appearing in M. We define Id pM q ta P Id | a P ϕ for some ϕ P M ppq, for some p P P u Id , the 2

Actually, we used the terms ν-APN and g-RN instead, though we prefer to use here these simplified acronyms.

1006


pa, bq

p q

a

px, yq x

t1 t2

ν y

k k

Ñ

pa, bq

p q

px, yq

a

x

t1 t2

ν y

c b

pb, aq

p q

a

px, yq x

t1 t2

ν y

k k

Figure 1. A simple pν-RN system and the firing of its only tuple of compatible transitions, t pt1 , t2 q, assuming λpt1 q psp1q, M q, λpt2 q psp2q, Hq, with arity psq 2, M ppq tpb, aqu and M pq q tau

set of all the names appearing in some token in some place, according to component M . Analogously, Id pMq M PM Id pM q. A synchronous firing can happen whenever n compatible transitions (having labels sp1q, . . . , spnq for some s P S with arity n) are enabled. In that case they can all be fired simultaneously, following the ordinary token game. Moreover, the firing of each transition t will produce a new component, as indicated by the second part of the label λptq. For a tuple of transitions t pt1 , . . . , tn q we write pre ptq ni1 pre pti q, post ptq ni1 post pti q and Var ptq pre ptq Y post ptq. Definition 3.3. The transitions in a tuple of transitions t pt1 , . . . , tn q are said to be compatible if there is s P S with arity psq n such that: - λpti q pspiq, Mi q for all i P t1, . . . , nu, and - post ptqztν u pre ptq.

We will write N C ptq to denote the multiset tM1 , . . . , Mn u.

Therefore, every variable appearing in some postarc pti , pq (except the special variable ν) must necessarily appear in some prearc pp, tj q. N C ptq is the multiset of components created by the firing of the tuple t. Transitions are fired with respect to a mode, that chooses which components are involved in the firing and which tokens are taken from preconditions. Definition 3.4. A mode σ of a tuple of compatible transitions t is a pair pσ1 , σ2 q, where σ1 : t Ñ N and σ2 : Var ptq Ñ Id . The mapping σ1 will choose which components are involved in the firing of t. More precisely, given a marking M tM1 , . . . , Mn u, each transition t such that σ1 ptq i is fired by Mi . Notice that the definition of σ1 depends on an arbitrary enumeration of the multiset of components M; for the sole purpose of enumerating components in a multiset, we can fix any order between components, as the lexicographic order. The mapping σ2 is responsible for the flow of tokens, instantiating every variable x with some value σ2 pxq. In the following definition, by abuse of notation, we take tσ2 pF pt, pqqu H (resp. tσ2 pF pp, tqqu H) whenever F pt, pq (resp. F pp, tq) is not defined. Definition 3.5. Given a pν-RN system N , M tM1 , . . . , Mn u a marking of N and t a tuple of compatible transitions, we say t is enabled in mode σ pσ1 , σ2 q if: - For all t P t, σ1 ptq P t1, . . . , nu,

P Var ptq, then σ2 pν q R Id pMq Y Id pInit N q, and for every i P t1, . . . , nu and p P P , tσ2 pF pp, tqqu Mippq.

- if ν -

°

P p q

t t σ1 t i


pa, bq px, yq

k

x a

y

bc

ν

l

Ñ

ù

px, yq

k

x a ν

Figure 2. A simple pν-PN a

pa, cq

pa, xq

a

px, bq

px, bq

Figure 3.

pa, cq

a (d fresh)

y

c

1007

d

z

y

py, xq

a

px, zq

b

pa, cq

Labelling arcs by constants

For each i P t1, . . . , nu, let us denote by Mi1 the component given by Mi1 ppq Mi ppq

¸

Pt σ1 ptq i

tσ2 pF pp, tqqu

t

¸

Pt σ 1 pt q i

tσ2 pF pt, pqqu p P P

t

Then, the reached marking after the firing of t in mode σ is M1

tM11 , . . . , Mn1 u

N C ptq.

We require that ν is always instantiated to a fresh name that is not in the current marking, including the tokens in the newly added components. Though we have not forbidden the occurrence of ν in any prearc, if it did appear there then the corresponding transition would never be enabled. Accordingly, we rule out such situation assuming in the future that ν R pre ptq, for every transition t.3

pq

Notice that Mi1 coincides with Mi whenever there is no t with σ1 ptq i. We will write M ÝÑ M1 if M1 is reached from M when t is fired with mode σ. Analogously as for P/T nets, we also have the tσ

relations ÝÑ and Ñ . Fig. 1 depicts a simple pν-RN system with a single component. This component has two compatible and enabled transitions, so that they can synchronize. The reached marking after the synchronous firing of this pair has two components, the one we already had (after evolving) and a newly created one. Notice that after that firing the system is blocked, because we can not instantiate x uniformly anymore to fire the transitions (it should be instantiated to b, according to t1 , and to a, according to t2 ). Wlog., we assume that every transition has a precondition, so that every firing needs the presence of a token.4 Therefore, empty components can not fire any transition, so that they can be considered as garbage. An innocuous extension of Def. 3.1 is to consider not only variables, but also constant identifiers as part of the tuples that label arcs. For instance, if a pair pa, xq labels a prearc then only tokens of the form pa, cq for some c can be consumed. This extension is innocuous because these constants can be easily simulated by variables by introducing and extra place for each, as shown in Fig. 3. In particular, if the constant used is the “distinguished” identifier P Id , we can use ordinary black tokens as part of out nets. In that case, we will not attach the constant label to the arc, as done for instance in Fig. 10. We identify markings up to , the least congruence such that M M tHu. From now on we will implicitly identify markings up to . Moreover, we refine in order to capture the intuition that the names in Id are pure, we work modulo α-conversion, thus allowing consistent renaming of names in markings. t

Definition 3.6. Let N be a pν-RN system and M1 3 4

P

pq

tM1 , . . . , Mnu and M2 tM11 , . . . , Mm1 u two

We could have actually ruled out ν pre t from the beginning, but this would only unnecessarily complicate our definitions. For any autonomous transition t, we could add a place that is pre and postcondition of t.

1008


p

q1

q1

t1

t1

p

p

q1

q1

t1

t1

p

Ñ

p

q1

q1

t1

t1

p

t2

t2

t2

t2

t2

t2

q2

q2

q2

q2

q2

q2

Figure 4. RN system with λpt1 q psp1q, Hq, λpt2 q psp2q, Hq, arity psq 2, and with initial marking M ttp, pu, tp, puu and two possible firings

markings of N . We define M1 α M2 if there are two injections h : t1, . . . , nu Ñ t1, . . . , mu and ι : Id pM1 q Ñ Id pM2 q such that for every i P t1, . . . , nu, ιpMi ppqq Mh1 piq ppq, for all p. Function h has the role of mapping components of M1 to components of M2 , while ι maps names in M1 to names in M2 . We denote by α the relation α X α and identify markings up to α (that refines , that is, M1 M2 implies M1 α M2 ). We have defined pν-RN systems, that encompass name creation (with management of tuples of names) and replication. This model is an extension of ν-RN systems, in which no tuples of names were considered, so that tokens were plain names.

pP, T, F, λq with initial marking M0 is a pν-RN system satisfying: λptq pℓ, Hq with arity pℓq 1, for all t P T , and M0 tM0 u, for some component M0 .

Definition 3.7. A pν-PN N -

That is, pν-PN are pν-RN systems in which all transitions are non-synchronizing (that is, they can fire without needing to synchronize with others), the initial marking has one single component, and no new components can ever be created5 (technically, we always create empty components, which are garbage). Under those conditions, λ plays no role whatsoever, so that we may safely omit it. Fig. 2 depicts a simple pν-PN and the firing of its only transition. Moreover, given a transition t, in an enabled mode σ pσ1 , σ2 q, σ1 necessarily maps t to the only component in the current marking. Therefore, modes can be simply seen as mappings σ : Var ptq Ñ Id . RN systems are also easily obtained by restricting pν-RN systems, forbiding the use of names. Definition 3.8. A pν-RN system N

P Id and ε P Var ztν u such that:

pP, T, F, λq with initial marking M0 is a RN system if there is

- For all t P T , if λptq pℓ, M q then M ppq P MS pt uq for all p P P , - For all p P P and t P T , if F pp, tq is defined then F pp, tq ε (analogously for pt, pq), and - M0 ppq P MS pt uq for all p P P . 5

Actually, if we demand only that no new components are created, but they can synchronize, then we can build an equivalent net satisfying all the conditions in Def. 3.7. See [31].

Ñ

F. Rosa, D. de Frutos / Decidability problems in Petri nets with names and replication p

q

tp, q u aut

p

tp, q u

p

aut

q

tp, q u

aut

1009

q

Figure 5. RN system firing a replication transition

RN systems are pν-RN systems in which all components use a single token , which is managed by a single variable ε. In this case, given a transition t, if σ pσ1 , σ2 q is enabled in some marking M then necessarily Var ptq tεu and σ2 pεq , so that modes can be simply considered as mappings σ : t Ñ N, and components become isomorphic to multisets of places. Moreover, the order α , that we will simply write as (since no non trivial renaming can be done) is the multiset order induced by inclusion of components. Fig. 4 depicts a simple RN systems and the firing of its only pair of compatible transitions, with two different modes. Finally, we call ν-RN systems the subclass of pν-RN systems in which tokens are single pure names, that is, such that F pp, tq P Var whenever it is defined (and analogously for pt, pq), and M ppq P MS pId q for every component in Init N or in the initial marking. A ν-PN is a ν-RN system that is also a pν-PN. Therefore, ν-PN like the ones considered in [31, 29] are pν-PN in which every arc is labelled by a single variable, that is, a tuple of length 1. For ν-PN, components have names as tokens. Then, we can see markings of ν-PN as mappings M : Id pM q Ñ MS pP q, so that M paq is the multiset of places in which the token a can be found. Analogously, we can do the same thing for components of ν-RN systems. The reader is referred to [31] for further details on the study of these classes of nets. We proved there that ν-PN and RN systems are equivalent, because they simulate each other in the strong sense we mentioned in Sect. 2, so that the (un)decidability results for ν-PN can be transferred to RN systems, and vice versa. Thus, we obtained that both ν-PN and RN systems have undecidable reachability, but both have decidable boundedness (whether the set of reachable markings is finite or not) and coverability. Moreover, ν-RN systems are Turing complete, and in particular, coverability is also undecidable for them (consequently, also for pν-RN systems).

4. Decidability of reachability for RN systems without synchronizations In this section we consider RN systems that can not synchronize, that is, such that every transition t satisfies λptq ps, M q with arity psq 1, so that the synchronization labels do not play any role. Therefore, for RN systems without synchronizations, we will write λptq M . We prove that RN systems without synchronizations have decidable reachability. First let us introduce some notations that we will use throughout this section. They deal with the behavior of a component when considering it in isolation, that is, without considering it as part of a system. We will say t is a repliM cating transition if it creates a new component, that is, whenever λptq H. We will write M ÝÑ M 1 to denote the fact that M 1 can be reached from M by firing a sequence of transitions whose set of repliM¥

cating transitions produces the new components in M. Analogously, we will also write M ÝÑ M 1 , when M 1 can be reached from M by at least producing the new components in M. Since reachability and coverability are decidable for ordinary P/T nets [11], we immediately obtain the following results. Lemma 4.1. Given M1 , M2 and M, it is decidable whether M1 Proof: Deciding M1

¥

M M ÝÑ M2 and whether M1 ÝÑ M2 .

M ÝÑ M2 amounts to deciding whether M2 is reachable from M1 having fired some tran-

1010


sitions (the ones labelled with components in M) a certain number of times. As it is standard, we add M a postcondition pM to each transition t with λptq M P Init. Then, M1 ÝÑ M2 if and only if M1 ÝÑ M2 M , where M ppM q MpM q. M¥

In order to decide, M1 ÝÑ M2 we also add the places pM together with a new place ok, and we use the standard technique of reducing coverability to reachability, but only applied to the places pM . We add a transition6 with tpM | M P Mu as precondition and ok as postcondition. Then M1 only if the submarking M2 toku (without considering the places pM ) is reachable.

¥

M M2 if and ÝÑ [\

This section is devoted to proving that given M0 and Mf , markings of a RN system N without synchronizations, we can decide whether M0 Ñ Mf . Let us denote by RpM0 , Mf q or just R when there is no confusion, the set of components appearing in the initial or final marking, and those that could be created by the replicating transitions, RpM0 , Mf q supp pM0 q Y supp pMf q Y Init N . Consider any sequence of transitions reaching Mf from M0 . Every component that appears in any marking of that trace evolves on its own, because there are no synchronizations. When the final marking is reached, any of those components either has evolved to the empty component (possibly creating on their way other components) or to some of the components in the final marking (again, possibly creating other components). This is the part of the full behavior of components that we need to control: whether they can evolve to the empty marking, or whether they can evolve to some component in the final marking and, in each of both cases, what components it creates. Therefore, in order to carry out this analysis, we do not need to work over the reachability graph generated by the RN system, but it is enough to consider that of the following transition system. Definition 4.1. Let N pP, T, F, λq be a RN system without synchronizations, and M0 and Mf be two markings of N . Let us define the transition system lpN q pS, ÞÑq, given by:

MS pRpM0 , Mf qq{, ÞÑ is the least relation compatible with multiset addition such that

- S -

M ÝÑ M1 tM u ÞÑ tM 1 u

M

M

By compatibility with multiset addition, we mean that whenever M1 ÞÑ M2 then for every multiset M we also have M M1 ÞÑ M M2 . Each step M ÞÑ M1 represents part of the life of a component M in M, that either disappears if M 1 H, or evolves to a component in R. The behavior of N that we are interested in is reflected in lpN q, as asserted by the following Proposition 4.1. For any M1 and M2 in S, M1

Ñ M2 in N M1 ÞÑ M2 in lpN q.

Proof: We prove that M1 Ñ M2 implies M1 ÞÑ M2 (the converse implication is trivial by definition of ÞÑ). The proof is by induction on the number of created components in the trace. If no component 6

We are now assuming that arcs have weights to keep the ideas clear. Weights could have actually been considered, without affecting any of the results presented.

F. Rosa, D. de Frutos / Decidability problems in Petri nets with names and replication M02 1

111 1111

2 M12 12

11

M01 22 MH 122

112 1112

1011

H

1122

222 1222

2222

Figure 6. Computation of all minimal MH when |Init | 2.

H

is created, then M1 tM1 , . . . , Mn u, M2 tM11 , . . . , Mn1 u and Mi ÝÑ Mi1 for i 1, . . . , n. Then, for all i, we can derive tMi u ÞÑ tMi1 u, and because it is compatible with multiset inclusion, tM1 , . . . , Mn u ÞÑ tM11 , . . . , Mn1 u. Let us now suppose that some component is created in the trace. In that case, there is some component that is created last, by some other component M . This component was either in the initial marking or it was created by some other component, so in any case M P R. Let M be the multiset of all the components created by M . Since no more components are created after those in M, M evolves to some

H

M1 Mf , and every M P M satisfies M ÝÑ M 1 for some M 1 P supp pM2 q or for M 1 H. Then, we can derive that tM u ÞÑ tM 1 u and, as in the base case, M ÞÑ M1 . Now we have to distinguish between two cases: the one in which M evolves to the empty marking, M M ÝÑ H (so that tM u ÞÑ M ÞÑ M1 ), and the one in which it evolves to some component in the final M marking, M ÝÑ Mf (so that tM u ÞÑ M tMf u ÞÑ M1 tMf u). In the first case, we can reorder the trace so that M1 Ñ M2 M1 tM u Ñ M2

The induction hypothesis tells us that M1 ÞÑ M2 M1 Analogously, we obtain M1 ÞÑ M2 in the second case.

tM u ÞÑ

M2

M1

M1

M2 .

[\

From now on, we will study the reachability problem for the transition systems lpN q. The main problem when we try to devise an algorithm to decide reachability in RN systems is that caused by those components that may evolve to the empty marking, possibly by creating other components that could also eventually disappear. In order to handle this difficulty, we will define the following order, that takes into account those markings.

H M2 whenever M2 M1 M and M ÞÑ H. That is, M1 H M2 if M1 M2 and M2 M1 ÞÑ H. In the first place, the defined relation is

Definition 4.2. We write M1

reflexive, transitive and anti-symmetric, so that it is a partial order. Moreover, given M1 and M2 , there is a procedure to effectively determine whether M1 H M2 . In order to see it, we need the following auxiliary results. Lemma 4.2. Given M , the set of all minimal M (with respect to multiset inclusion) such that M is computable.

M ÝÑ H

Proof: Actually, we prove the more general result of computing all minimal M greater than a given M such

1012


that M ÝÑ H, so that we obtain the result by taking the particular case in which M H. If M Ñ H (as marking of a P/T net) then there is no such M, and the set we are computing is empty. Let us suppose that M Ñ H. We proceed by induction on n, the number of components in Init. If n 0 then it is the M

H

case that M ÝÑ H, so that the only marking to consider is the empty one (which is minimal). Let us now consider the inductive case, that is, Init tM1 , . . . , Mn u for some n ¡ 0. We know

that M Ñ H, so that we know that there is at least one MH such that M ÝÑ H. Then, we can do a breadth-first search in the lattice of markings (see Fig. 6) to compute one minimal MH greater than M MH

such that M ÝÑ H. Now we need to compute the rest of the minimal markings, though we do not need to search among those greater than MH (with respect to multiset inclusion) because we know that any solution greater than MH would not be minimal. Let us denote by ki the number of times that the component Mi P R appears in MH , that is, ki MH pMi q. For each i P t1, . . . , nu and all j P t0, . . . , ki 1u let Mji be the marking in which the i-th component Mi of Init appears j times, and the l-th component Ml appears kl times, for all l i, that is # j if l i, j Mi pMl q kl if l i MH

Now for each i and j, let us see that we only need to look for all minimal M1 greater than Mji and whose number of components Mi does not increase. Indeed, let i and j such that j ki 1 and M such that Mji M with MpMi q j 1. Since Mji M, MpMl q ¥ Mji pMl q kl Mji 1 pMl q, and MpMi q j 1 Mij 1 pMi q. Then we have that Mij 1 M. Similarly, we can see that for j ki 1, any M greater than Mji such that MpMi q j 1 satisfies that MH M. Then, for every Mji we can “block” the firing of the replicating transitions that create Mi , and apply the induction hypothesis to compute the set Min ji of all minimal markings greater than Mji that comply with the thesis. Now we can compute the set we are looking for as tMH u Y Min ji . [\ In Fig. 6 we can see an example of the reasoning followed in the proof of the previous result, in the restricted case in which |Init | 2. In it, the first four levels of the lattice of all multisets with elements in Init is depicted, denoting by 1 the component M1 and by 2 the component M2 , so that we write, for instance, 1122 to represent the multiset tM1 , M1 , M2 , M2 u. In Fig. 6 it is assumed that the first marking

that we find when we search the lattice for a marking MH such that M ÝÑ H is 122. In that case, we do not need to keep searching among those markings greater than 122, those inside the dashed line. In order to keep searching among the markings that are not greater than MH the proof of the above result builds M01 , M02 and M12 , which correspond to the markings inside boxes in the picture. As we can see, now it is enough to keep searching by following the arrows. For instance, the marking 1112 is greater than M02 if we allow 2 to be created, but is also greater than M12 , without allowing creation of component 2. Moreover, any marking greater than M12 that creates component 2 is also greater than MH . Next, two simple lemmas that we will need to prove that the order H is decidable. MH

Lemma 4.3. M ÞÑ

H if and only if for all M P supp pMq, tM u ÞÑ H.

Lemma 4.4. If M M1 and M1

ÞÑ H then M ÞÑ H.


Proof: If M ÞÑ H then, by the previous lemma there is M P M such that tM u ÞÑ M P M1 , so that again by the previous result, M1 ÞÑ H.

1013

H. Since M M1 then [\

The following result, that will allow us to conclude that the defined order is decidable, is a weak form of the decidability result we are looking for. Proposition 4.2. Given a marking M, it is decidable whether M ÞÑ

H.

Proof: By Lemma 4.3, it is enough to decide whether tM u ÞÑ H for a given component M . We proceed by induction on the number of components in Init. If there are no components then M can not replicate, and it is enough to decide whether M Ñ H, which is decidable. Let us see the inductive case. If M Ñ H then clearly tM u ÞÑ H. Otherwise, by Lemma 4.2 we can consider all minimal M M such that M ÝÑ H. We have to decide whether at least one of those M satisfies M Ñ H. Notice that, thanks to Lemma 4.4, it is enough to consider minimal markings (the empty marking can be reached if and only if it can be reached from the minimal ones). Notice also that, because we are beginning the trace in M , it is enough to consider traces that do not create marking M , so that we can remove M from Init. Therefore, we can apply the induction hypothesis and we can conclude. [\ Corollary 4.1.

H is a decidable partial order.

Though Proposition 4.2 is only a step away from the result we are looking for, that is decidability of general reachability, it does not seem immediate to generalize the previous result to the general one. essentially because we do not have a result analogous to Lemma 4.4 in the general case. But we can adapt the widely used technique of WSTS [13] for our purposes. In general, the technique is used to prove decidability of the so called control reachability [2], that in our setting amounts to coverability. However, the coverability problem induced by H is just reachability. Indeed, there exists some marking M1 such that M H M1 is reachable if and only if M is reachable: indeed, if such M1 is reachable, since it satisfies M1 M M with M Ñ H, then it also satisfies M1 Ñ M; conversely, it is enough to take M1 M. We can not use the technique directly, because the order we have defined is not a wqo. Indeed, if M is a component such that M Ñ H then the sequence tM u, tM, M u, tM, M, M u, . . . does not satisfy the wqo condition. Actually, we can work with an order similar to H that is indeed a wqo. We can classify components in R in those that perpetuate their offspring (that is, those M such that tM u ÞÑ H) and those that do not (that is, those M such that tM u ÞÑ H). Let us denote by P R the set of those that can not evolve to the empty marking. Any marking containing n components in P can only evolve to markings with at least n components. Thus, any marking with more than n |Mf | components in P can not reach Mf . If we denote by Pn the set of markings with more than n components in P, then we can define7 1H H YpPn Pn q. Intuitively, we are identifying all the markings in Pn . Notice that every successor of a marking in Pn is also in Pn . By the previous comments, reachability and coverability induced by 1H also coincide (as happened in the case of H ). We can effectively classify components in R as those in Pn and those not in Pn . Therefore, and because H is decidable, so is 1H . Moreover, we can prove the following result. 7

Equivalently, we could consider

H over the set obtained after quotiening over the equivalence relation pPn Pn q Y id.

1014

F. Rosa, D. de Frutos / Decidability problems in Petri nets with names and replication pre pC ptMuqq

C ptMuq M3H

M

M

M1H M

2 MH

minppre pC ptMuqqq M

Figure 7. Computation of minppre pC ptMuqqq

Lemma 4.5.

1H is a decidable wqo.

Proof: We have already seen that it is decidable. Let us see that is is also a wqo. Let pMi qiPN be an infinite sequence of multisets with elements in R. If there are i and j such that Mi , Mj P Pn then Mi 1H Mj , and we conclude. Otherwise, we can assume that there are no markings in Pn , so that for all i, Mi M1i M2i with |M1i | ¤ n and M2i Ñ H. Since the set tM1 P MS pRq | |M1 | ¤ nu is finite, there is a constant infinite subsequence I N in pM1i qiPN , that it, there is M such that Mi M for all i P I. Since multiset inclusion in MS pRq is a wqo, the infinite sequence pM2i qiPI contains two elements M2i and M2j with i j and i, j P I such that M2i M2j , and in particular, M2 M2j M2i Ñ H. Moreover, Mj M1 M2 , so that Mi 1H Mj , and we can conclude. [\ Lemma 4.6. The relation ÞÑ is monotonic with respect to 1H . Proof: Let M1 1H M2 . If M1 and M2 are in Pn and M1 ÞÑ M11 , then also M11 is in Pn , so that M11 1H M2 . Otherwise, M1 H M2 , which implies M1 is included (as multiset) in M2 . Since ÞÑ is compatible with respect to multiset inclusion, we can conclude. [\ In order to proof that we can compute the set of predecessors, we need the following lemma. Lemma 4.7. Given M , M 1 and M, the set of all minimal MH (with respect to multiset inclusion) such that M

ÝÑ

M MH

M 1 and MH

Ñ H is computable.

Proof: The proof is completely analogous to that of Lemma 4.2, by considering only markings of the form M MH with MH ÞÑ H, which can be done because reachability of the empty marking is decidable [\ by Prop. 4.2. Now we see how we can compute the predecessor function. Lemma 4.8. For every M, the set minppre pC ptMuqqq is finite and computable. Proof: Let us first assume that M R Pn . For all M1

tMf u M with Mf P supp pMf qYtHu, let us consider


1015

all the steps in which some component evolves to Mf , creating on its way at least the components in M1 , together with some others, that can necessarily evolve to the empty marking. 1¥

ÝÑ Mf then, by Lemma 4.7, we P R, let us see if M can be that component. If M M M1 MH can compute all minimal MH such that M ÝÑ Mf and MH Ñ H. Then we can add to the set of predecessors the marking M M1 tMf u tM u. Notice that thanks to Lemma 4.4 it is enough For all M

to consider only minimal markings MH . We have described a finite procedure, yielding finitely many markings in the set of predecessors. This finite set could be not minimal, but we can always minimize this finite set to compute the set we are interested in. If M P Pn then, considering that C pMq Pn , the set minppre pC ptMuqqq can be computed as M together with all the minimal markings that can evolve to Pn . However, notice that since from markings in Pn we can not reach Mf , we will never have to compute minppre pC ptMuqqq with M P Pn in the backwards reachability analysis. [\ Fig. 7 can give you some insight about the proof of the previous result. A marking M induces an upward closed set, the cone in the right handside of Fig. 7. We want to compute (a finite representation of) the set of the predecessors of the markings in that cone, that have the form M MH with M Ñ H. The proof of the previous result factorises (thanks to Lemma 4.7) all the ways in which such markings can be reached, yielding finitely many markings M1 such that M1 Ñ M MH . Therefore, every marking M1 M1H in the left handside cones can reach in one step the cone in the right. Proposition 4.3. pR{ , ÞÑ, 1H q is a WSTS.

As a corollary, the coverability notion induced by 1H in lpN q is decidable. Since reachability and coverability (induced by 1H ) are equivalent, and Prop. 4.1 holds, we finally have the result we were looking for. Proposition 4.4. Reachability for RN systems without synchronizations is decidable. We can obtain an analogous result for ν-PN thanks to the equivalence between RN systems and ν-PN proved in [31]. RN systems can simulate ν-PN, in the sense that for every ν-PN N there is a RN system F pN q such that the transitions systems generated by N and F pN q are isomorphic, and that isomorphism is monotonic, so that reachability and coverability are both preserved. Moreover, F itself is an isomorphism. The simulation consists in considering a different component to represent each different name. When different names can occur in the firing of a transition, the corresponding collection of components synchronize in the simulation. When all the variables adjacent to a transition t are the same (that is, |Var ptq| 1), then only one name is involved in its firing. If we denote by ν -PN the subclass of ν-PN such that every transition t satisfies |Var ptq| 1, or |Var ptq| 2 when ν P Var ptq, it is straightforward to see that ν -PN are the counterpart of RN systems without synchronizations. Proposition 4.5. If N is a ν -PN then F pN q is a RN system without synchronizations. Corollary 4.2. Reachability is decidable for the class of ν -PN.

For each RN system without synchronizations, we have defined a multiset rewriting system lpN q. This rewrite system can not be represented as a P/T net, though we are rewriting multisets in a monotonic

1016


way. The reason is that the rewritings are conditional ones, where the condition is reachability in an ordinary Petri net. This reminds of Recursive Petri Nets (RPN) [16, 17]. RPN have a special type of transitions: abstract transitions. The firing of abstract transitions is not atomic. They remove tokens from their preconditions, but instead of adding tokens to postconditions, they create a new thread, starting in a marking associated to the transition. Tokens are added to postconditions when the child thread finishes, which happens when it reached a final marking, where the set of final markings is a semi-linear set. Then, instead of looking for a direct proof of our decidability result above, as we have done, we could try to simulate lpN q by using an RPN, immediately obtaining the decidability of reachability as a corollary of the analogous result for RPN [17]. To obtain such a simulation, for each rule M ÝÑ M1 tM u ÞÑ M tM 1 u

M

we could consider creating a child thread starting in M . However, this “simulation” would not be correct. Indeed, we are writing a single rule for all such M , M 1 and M, although M and M 1 are taken from a finite set, M is taken from the infinite set MS pRq. We could use a different transition for every two components M and M 1 , but not for every M. The technique of considering only minimal such markings would not be valid in this case, since one needs to account for exactly the set of components generated to obtain a faithful simulation. Therefore, the simulation using RPN (or a similar model) must use a single M transition for every M such that M ÝÑ M 1 . The most intuitive way that we can think of to achieve it, is to allow child threads to communicate some results to their parent thread. In this way, if the child thread communicates how many times a transition has been fired (that, of course, can be controlled by the number of tokens in some special places) we would have a faithful simulation of the application of the rewrite rule. However, we suspect that any general model (allowing synchronization) with these features has undecidable reachability. Recently, the paper [5] presented an extension of RPN that, on the one hand, considers global places through which the different threads can communicate, and on the other hand, introduces the so called immediate outputs for abstract transitions. Immediate output places are updated when the transition is fired, unlike the postponed outputs of RPN, which were only updated after the child thread terminates. Reachability for RPN with these two extensions is undecidable [5]. However, RPN extended only with immediate outputs are enough to simulate RN systems without synchronizations. Indeed, any transition can be simulated by an abstract transition with only postponed output places. Moreover, threads only terminate when they reach the empty marking, which is semi-linear. Though they are more powerful that our RN systems without synchronizations, reachability could still be decidable for them. Then, a decidability proof of reachability would yield an alternative proof of our decidability result in Prop. 4.4.

5. Decidability of coverability for restricted ν-RN systems In the previous section we have restricted RN systems, for which reachability is undecidable, in order to obtain decidability. Our goal now is to do the same thing for ν-RN systems (Petri Nets extended simultaneously both with names and replication). As we proved in [31], ν-RN systems are Turing complete and, in particular, coverability is undecidable for them. We could think that we also need to forbid synchronizations in order to keep decidability of coverability for ν-RN systems. However, as we prove next, it is enough to restrict communications to obtain

F. Rosa, D. de Frutos / Decidability problems in Petri nets with names and replication k l

x y

sp1q sp2q

x x

k l

Ñ

k l

x y

sp1q sp2q

x x

1017

k k

Figure 8. A simple ν-RN system with communication (assuming arity psq 2)

decidability of coverability. A communication between components happens whenever there is a variable labelling an output arc of a transition, and an input arc of a different compatible transition (see Fig. 8). Moreover, notice that if we forbid all kinds of synchronizations, the obtain model is still an extension of ν-PN, so that reachability would still be undecidable. In a first step, we will forbid all name communications between different components. Therefore, components will still be able to synchronize among themselves, as long as no name moves from one component to another. A marking M of a ν-RN is a multiset tM1 , . . . , Mn u of components. Each component can be seen as a marking of a ν-PN, that maps each place to a multiset of names. Therefore, it makes sense to write M α M 1 for two components M and M 1 of a ν-RN. Let us denote by the multiset order induced 1 u if there is an injection h : t1, . . . , nu Ñ by the order α , that is, tM1 , . . . , Mn u tM11 , . . . , Mm 1 t1, . . . , mu such that Mi α Mhpiq . For each i there is an injection ιi such that ιi pMiq Mh1 piq. Notice that in the case of M α M1 , the mapping ι that renames names must be the same for all the components, while now we are allowing different mappings ιi . In other words, α considers names to be global, but for , names are local to components. As a consequence, the orders α and are different in general. Indeed, for the simple case in which the net has a single place p, it is enough to consider M tM1 , M2 u and M1 tM11 , M21 u with M1 ppq M2 ppq M11 ppq tau and M21 ppq tbu. Clearly, they satisfy M1 M2 , but not M1 α M2 (see Fig. 9). However, we can prove the following relation between them. Proposition 5.1. Let M tM1 , ..., Mn u and M1

tM11 , ..., Mm1 u be two markings of a ν-RN system.

- If M α M1 then M M1 . - If Id pMi q X Id pMj q M1 M M1 .

H for all i j and Id pMi1q X Id pMj1 q H for all i j, then M α

Proof: - If M α M1 then there are two injections h : t1, . . . , nu Ñ t1, . . . , mu and ι : Id Ñ Id such that ιpMi ppqq Mh1 piq ppq for every p and for all i P t1, . . . , nu. In particular, by definition of α , we have that for each i, Mi α Mh1 piq . By definition of multiset order we can conclude that M M1 . - Thanks to the previous item, it is enough to prove that if M M1 then M α M1 . By definition of there is an injection h : t1, . . . , nu Ñ t1, . . . , mu such that for all i, Mi α Mh1 piq . By definition of α, for each i there is an injection ιi : Id pMiq Ñ Id pMhpiq q such that ιipMi ppqq Mh1 piq ppq for all p. Since we are assuming that all the components in M have disjoint namespaces (so that the domains of the ιi s are disjoint), we can safely define ι : Id Ñ Id by ιpaq ιi paq whenever a P Id pMi q, which is an injection (in its domain) because each ιi is injective and the components in M1 have disjoint namespaces. [\ Then we have that ιpMi ppqq ιi pMi ppqq Mh1 piq ppq for all p, and we conclude that M α M1 . On the one hand, we saw that the converse of the first of the previous results is not true in general. On the other hand, since α considers names to be global, while considers them to be local, we can informally state the second of the previous results as follows: If each component has its own namespace,

1018


p a

a p

α

p a

b p

Figure 9. ν-RNs related by but not by α

then global and local names are the same thing. Components that can not communicate have its own namespace, if this is true at the initial marking. We call ν-lRN systems the class of all such ν-RN systems. Let us define it formally. Definition 5.1. A ν-RN system N pP, T, F, λq with initial marking M0 tM1 , . . . , Mn u is a ν-lRN system if for every tuple of compatible transitions t, post ptqzpre ptq tν u for all t P t, and for all i j, Id pMi q X Id pMj q H. Unlike in the previous section, where we forbid all synchronizations between components, now we are only forbidding communications between them. This means that components can synchronize, as long as they are anonymous synchronizations (that is, a component can synchronize with any component that is willing to do so, and the result of that synchronization is the same whichever that component was). Proposition 5.2. Coverability is decidable for ν-lRN systems. Proof: Once again, we prove that ν-lRN systems are WSTS. In the first place, we have to see that α is a wqo. Since is a wqo (it is the multiset order induced by a wqo), thanks to the previous result it is enough to prove that all reachable markings have disjoint namespaces. Since components do not communicate names, if they initially have disjoint namespaces then they will always have disjoint namespaces. Therefore, for every reachable marking the orders α and are the same, and therefore, α (which induces coverability) is a wqo. The proofs of monotonicity and computable predecessors are similar to the anal[\ ogous ones for ν-PN, which can be found in [29]. We could also allow a finite amount of names in a common namespace without affecting the decidability result. Let C be the finite set of names allowed in the common namespace. If all the names appearing in more than one component in the initial marking are taken from C, and communications are (semantically) forced to happen with names in C, then the previous decidability result can be easily extended to cope with this finite amount of names. For that purpose, we consider only C-modes, that is, modes σ such that σ pxq P C whenever x P ppost ptqztν uqzpre ptq. Intuitively, x is a variable that can produce a communication, and the C-modes are modes for which the name communicated is in C. Definition 5.2. Given a finite set of names C, we define ν-RN(C) as the variation of ν-RN systems whose transition relation is defined considering only C-modes. As a first step, we will prove that any ν-RN(C) is equivalent to some ν-RN system, so that the semantic restriction on ν-RN(C) is easily transformed into a syntactic one. Lemma 5.1. ν-RN systems can simulate ν-RN(C) systems. Proof: Let N pP, T, F, λq be a ν-RN(C) system. For any transition t, we take8 Xt as the set of variables 8

We are considering multisets of labels in arcs, the analogous concept to weights in P/T nets. In fact, we could have allowed them in our definitions without affecting any of our results.


1019

ppost ptqztν uqzpre ptq, which intuitively is the set of variables responsible for the communication of names. We will construct the ν-RN system N so that every synchronization is done by forcing that each variable in Xt is instantiated to a name in C. For that purpose, we introduce a new place ids that contains (enough copies of elements in) C. Let N pP , T , F , λ q, where: - P

P Y tidsu, T tpt, tq | t P t, t compatibleu, - F pp, pt, tqq F pp, tq and F ppt, tq, pq F pt, pq, for p P P , - F pids, pt, tqq F ppt, tq, idsq Xt , - λ ppt, tqq λptq. If k maxt| tPt Xt | | t compatibleu, we extend any marking M to M tM | M P Mu, by extending any component M to M with M pidsq ki1 C. We only need to read the tokens in ids,

°

so that we could consider that the arcs adjacent to ids are read-arcs. Instead, we consume and return the tokens in ids, but for that purpose we have to guarantee that there are enough copies of each token in the set C in place ids. By construction, any firing in N is of the form u ppt1 , tq, . . . , ptn , tqq with

pq

pq

t pt1 , . . . , tn q, and M1 ÝÑ M2 M2 ÝÑ M2 . Moreover, any reachable marking in N , starting from M0 is of the form M for some M, and by construction only names in C can be communicated [\ between components and matched. tσ

u σ

By the previous lemma, we will consider ν-RN systems for which every reachable marking has C as the common namespace of all its components. Now let us see that, thanks to this restriction, we can specify markings within a wqo. In other words, we will map markings of a ν-RN(C) system to a domain endowed with a wqo, and so that the order is preserved. Definition 5.3. Let C ta1 , . . . , am u. Let M be a reachable marking of a ν-RN(C) system. For every component M of M we define M pM pa1 q, . . . , M pam q, M |Id pM qzC q. Then, we define M as the multiset of tuples tM | M P Mu. M is a multiset of tuples. Those tuples have multisets of places in their first n positions, and a marking in its last position. However, the marking in its last position is local to each component in M, since it does not specify where the names in the common namespace C are. Let ! be the multiset order induced pA1 , . . . , An , M q ¤ pA11 , . . . , A1n , M 1 q iff Ai A1i for i P t1, . . . , nu and M M 1 . Then we have the following. Lemma 5.2. If M and M1 are two reachable markings, then M α M1

M ! M1.

Proof: 1 Let M tM1 , . . . , Mn u and M1 tM11 , . . . , Mn1 1 u,where M i pAi1 , . . . , Aim , M i q and M l pB1l , . . . , Bml , M 1l q. If M α M1 then there are h : t1, . . . , nu Ñ t1, . . . , n1u and ι : Id pMq Ñ Id pM1 q such that Mi paq Mh1 piq pιpaqq for every i P t1, . . . , nu and a P Id pMq. Moreover, ιpC q

¤ M 1hpiq , which 1 hpiq will allow us to conclude that M ! M . We have to prove that Aij Bj and M i M 1l . For aj P C, ιpC q and Mi paq Mh1 piq paq for all i whenever a ιpaq. Let us see that for every i, M i

1020


pa p

end p

x x

px, ν q, ν

a

p b

x x, ν , ν

q

a p η

px, yq px, yq

y x

p

y

x

t7

x

x

b x

x x

p pb

#

x x

p

x

p

t6

x

η

Figure 10. A pν-PN recognizing L tw#w | w P ta, bu u

Aji and Mh1 piq paj q Bjhpiq, and since Mipaq Mh1 piq pιpaqq we conclude that Aij Bjhpiq. For a R C, M i paq Mi paq Mh1 piq pιpaqq M 1hpiq pιpaqq and M i ι M 1hpiq . hpiq Conversely, by hypothesis there are h and ιi such that Aij Bj and Mi ι Mh1 piq . Let us define ιpaq a if a P C, and ιpaq ιi paq if a R C and a P Id pM i q. Notice that ι is well defined because Id pMi q X Id pMj q C for all i j. Then Mi paq Mh1 piq pιpaqq and we conclude that M α M1 . [ \ Mi paj q

i

By construction, the order ! is a wqo (both multiset inclusion and are wqo, and the product and the multiset orders of wqos are wqos), and we have the following result. Proposition 5.3. Coverability is decidable for ν-RN(C) systems for C finite. Proof: The previous lemma tells us that the order relating reachable markings is a wqo. Again, the proofs of [\ monotonicity and computable predecessors are similar to those for ν-PN.

6. Turing completeness of pν-PN It is easy to see that the expressive power of pν-PN surpasses that of ν-PN. The pν-PN in Fig. 10 can recognize the language L tw#w | w P ta, bu u (with # R ta, bu) in the following sense:9 If τ is a transition sequence reaching a marking that covers end and w is the word obtained by: - Removing from τ those transitions not labelled in Fig. 10. - Replacing the remaining transitions by its label, then w P L. Indeed, after some firings of the transitions labelled by a and b in the left handside of the net, the place p contains a multiset of pairs of identifiers pη, c1 q, pc1 , c2 q, . . . , pck1 , ck q, together with an identifier ck , where ci is the fresh identifier created by the i-th firing. This multiset of pairs can be seen as the codification of the sequence pη, c1 , c2 , . . . , ck q P Id . Moreover, pa holds all the ci ’s used to fire the transition labelled by a, and analogously for pb . This information is later used by the transitions on the right handside of the net to repeat the (labels of the) sequence of transitions. 9

Again, we consider multisets of labels in arcs.


1021

The class of languages recognized by WSTS are called Well Structured Languages (WSL) in [14]. Since ν-PN are WSTS, the languages they recognize are in WSL, but L is not. To see it, it is enough to consider the following pumping lemma proved in [14]: Lemma 6.1. [14, Lemma 6] Let L be a WSL and let w1 , w2 , . . . be an infinite sequence of words in L such that wk Bk Ek . Then there are i j st Bi Ej P L.

By applying this lemma, it follows that L is not a WSL. Indeed, if pBi q is an increasing sequence of words in ta, bu (so that Bi is a strict subword of Bi 1 ) then pBi #Bi q8 i1 is a sequence of words in L. According to the pumping lemma, there are i j such that Bi #Bj P L, but this can not happen because Bi is a strict subword of Bj and # occurs neither in Bi nor in Bj . Therefore, L can not be recognized by any ν-PN, and the expressive power of pν-PN strictly surpasses that of ν-PN. Actually, we will prove that pν-PN, even for the case in which only pairs of pure names are considered, are Turing complete. Moreover, we will see that it is enough to consider the case in which tokens are taken from a set Id 1 Id 2 , where Id 1 and Id 2 are disjoint sets of names. Since ν-RN systems are Turing complete [31], it is enough to prove that every ν-RN system can be simulated by a polyadic ν-PN satisfying the restrictions above mentioned. We will follow the same ideas used in [31, Prop. 6.1] to simulate RN systems by means of ν-PN. There, we considered a different identifier for each of the different simulated components, so that a token in some place of the component identified by a was simulated by a token a in that place. Now, we will simulate the occurrence of a token b in a place of a component identified by a by a token pa, bq in that place. Then, we can use matching variables in the arcs to force that the behavior of a component is mimicked by the use of tokens with the same name in its second component. Proposition 6.1. Polyadic ν-PN are Turing-complete. Proof: Given a ν-RN system N pP, T, F, λq we consider a different variable xt for each transition t. For the sake of readability, we will consider polyadic ν-PN that have multisets of tuples and constants labelling their arcs, as we did in the proof of Lemma 5.1. Moreover, without loss of generality, we will assume that every component in Init N is safe (|M ppq| ¤ 1), and we will consider different special ν variables, ν1 , ν2 , . . . Several of these variables can label postarcs of the same transition. In that case, they must be instantiated by pairwise different fresh names. Then we take N pP, T , F q, where: - T -

tpt1 , . . . , tnq | for all i P t1, . . . , nu, λptiq spiq, for some s P S with arity psq nu, F pp, tq tpF pp, tq, xt q | t P tu, F pt, pq tpF pp, tq, xt q | t P tu tpMi ppq, νi q | for all i P t1, . . . , t u, λpti q pspiq, Mi q, Mi ppq Hu

Moreover, given a marking M tM1 , . . . , Mk u we proceed as follows to build M . Let us choose k new and pairwise different identifiers n1 , . . .#, nk and take M ppqpa, ni q Mi ppqpaq for all ni if x xti , i P t1, . . . , ku. Finally, for a mode σ we take σ pxq σ pxq otherwise.

1022

ù


x

t1

s?

x

s?

x

p

x

p q2

x t2

q1

ac

q2

x s!

x

t1

q1 ab

t2

s!

x

p

px, xt q 1

k

q1

pa, n1 qpa, n2 q px, xt q pt , t q pb, n1 qpc, n2 q px, xt q 1 2 q2 px, xt q

1

2

2

Figure 11. Simulation of a ν-RN system by means of a pν-PN.

pq

p q

t σ

Then, it is always possible to choose all those identifiers so that M1 ÝÑ M2 M1 ÝÑ M2 . Moreover, any reachable marking in N , starting from a marking M0 is of the form M for some M, and we conclude. [\ tσ

Fig. 11 shows a ν-RN system and its simulation. The only possible firing is that in which the two different components synchronize with each other (there is no auto-synchronization), taking each a token a from p, and moving them to q1 and q2 , respectively. This behavior is simulated in the right handside by the consumption of both pa, n1 q and pa, n2 q from p, which are transferred to q1 and q2 , respectively. In the previous section we proved that though ν-RN systems are Turing complete, ν-RN systems without communication are not, and have decidable coverability. It is natural to infer from this result a subclass of pν-PN which is not Turing complete and for which coverability is decidable. Binary ν-PN obtained in the construction in the proof of Prop. 6.1 are such that every arc is labelled with variables in Var 1 Var 2 where Var 1 and Var 2 are two disjoint sets of variables. For them, we can perform the converse simulation. Proposition 6.2. Binary ν-PN with labels of arcs in Var 1 Var 2 , where Var 1 and Var 2 are two disjoint sets of variables, can be simulated by ν-RN systems. Proof: The proof follows exactly the same ideas detailed in [31, Prop. 6.2.] to simulate ν-PN by means of RN systems. Intuitively, we can map the second components in pairs of names to replication, while maintining the first component. More precisely, let N pP, T, F q be a binary ν-PN with labels in Var 1 Var 2 . We assume an arbitrary order in the set Var 2 , so that we will write py1 , . . . , ym q instead of ty1 , . . . , ym u to point out that yi yi 1 . Without loss of generality, we may assume that whenever F pt, pq px, ν q then x is the constant (if it is not the case, we may split t into t1 and t2 that are fired consecutively, that mimic the firing of t and satisfy the previous condition). Let us build N pP, T , F , λ q, where: - T -

tty | ν y P Var ptq X Var 2u, F pp, ty q x if F pp, tq px, y q (analogously for F pty , pq), λ pty q pst piq, Mtν q, where pVar ptq X Var 2 qztν u py1 , . . . , ym q and y yi , and Mtν

pp q

#

t u H

if F pt, pq p , ν q, otherwise.


pν-RN

1023

Turing complete

ν-RN

pν-PN

ν-RN without comm.

Restricted binary ν-PN Decidable coverability

RN

ν-PN

RN without sync.

ν -PN Decidable reachability

P/T

Figure 12. Summary of results

Let M be a marking with tb1 , . . . , bm u as set of names appearing as second components of its tokens, u, where M ppqpaq M ppqpa, bi q, and and σ a mode for a variable t. We define M tM1 , . . . , Mm i σ pσ1 , σ2 q by taking σ1 pty q i if σ py q bi , and σ2 pxq σ2 pxq whenever x P Var ptq X Var 1 . Then, if for any t with pVar ptq X Var 2 qztν u py1 , . . . , ym q we write t pty1 , . . . , tym q then

pq

p q

t σ

M1 ÝÑ M2 M1 ÝÑ M2 . Moreover, any reachable marking in N , starting from a marking M0 is of the form M for some M , and we conclude. [\ tσ

According to the previous result, any binary ν-PN with labels in Var 1 Var 2 can be simulated by a ν-RN system F pN q. Notice that if a transition of N has some input arc labelled with px, z1 q and some output arc labelled with px, z2 q, then F pN q can communicate a value (that to which x is instantiated) from one component (the one that z1 represents) to other component (the one that z2 represents). But if we forbid such situation, the yielded ν-RN system will be communication-free. Let us define the following subclass of binary ν-PN. Definition 6.1. A pν-PN is a restricted binary ν-PN if there are two disjoint sets of variables Var 1 and Var 2 such that: - For every prearc pp, tq, F pp, tq P Var 1 Var 2 (analogously for every postarc), - For all t, if F pp, tq px, z1 q and F pt, q q px, z2 q then z1

z2 .

If N is a restricted binary ν-PN then F pN q is a ν-RN system without communications, so that we obtain the following result. Proposition 6.3. Coverability is decidable for restricted binary ν-PN.

1024


7. Conclusions and Future Work In this paper we have established a number of decidability results about extensions of Petri nets with the capability of managing tuples of pure names, and extensions with replication primitives. The existing results can be summarized as shown in Fig. 12. An arrow from A to B means that A is a (syntactical) subclass of B. A double line from A to B means that A and B can simulate each other. We have restricted the models of RN systems and ν-RN systems presented in [31] to obtain decidability results that do not hold in the unrestricted models. More precisely, reachability, which is undecidable for RN systems, has been proved to be decidable in the subclass of RN systems in which we do not allow synchronizations between the different components that compose a system. This decidability result is interesting by itself. Moreover, the proof has been carried out by reducing the problem to reachability in a multiset rewriting system with conditional rules, in which the conditions are reachability problems in ordinary P/T nets. As we mentioned at the end of Sect. 4, the rewriting systems lpN q that we have used are quite similar to the model of Recursive Petri Nets (RPN), thus bringing close two apparently quite different models. However, it seems that RPN are not enough to capture the behavior of lpN q. We have used these rewrite systems only as a technicality for our purposes, but perhaps it would be interesting to study which is the minimal extension (or modification) of RPN that suffices to capture the behavior of lpN q, in such a way that reachability remains decidable. As we said, the main point is that child threads should have some result places, associated to other places in the father thread, so that when the former finished, the latter could receive the results obtained by its child. In our setting, the result places would be places added in an ad hoc way, that count how many times each of the replicating transitions have been fired. Many of the models described in this paper and in [31] are well structured, to that coverability is decidable. Since in most of them reachability is undecidable, we need a finer way to compare the expressive power of these models. In [3] a comparison between well-structured systems is done. The comparison criterion is weak trace equivalence, with coverability as accepting condition for traces. We plan to place ν-PN and the related models that appear in this paper inside the hierarchy obtained in [3]. For instance, it seems that Lossy Channel Systems (LCS) [1], that are WSTS, are incomparable to ν-PN, because ν-PN can not have a FIFO-like behavior. More precisely, L1 tw#w1 | w1 subword of wu can be recognized by a LCS (notice that the pumping lemma does not prove anything in the case of L1 ), but it does not seem possible to recognize it by means of a ν-PN. The comparison is achieved by seeing those systems as subclasses of MSR(C) [8], which is a model based on multiset rewriting. Therefore, it would also be interesting to see how the rewrite systems lpN q fit inside the hierarchy. In the same line, we plan to study how is the expressivity affected when we consider the possibility of creating fresh components with an initial marking that depends on the marking of the net that creates that component; or broadcast primitives, that is, the possibility of synchronizing with an undetermined number of components. These mechanisms are closely related to transfer arcs. That is the reason that we conjecture that coverability is still decidable for them, as happens in [24], but it would be interesting to see what properties are lost in the gain of expressivity. We have also restricted ν-RN systems, for which coverability is undecidable, obtaining ν-RN systems without communication or with restricted communication, and proved that, in both cases, coverability is decidable. Moreover, we have seen that binary ν-PN can simulate ν-RN systems, so that they are Turingcomplete, and we have identified a subclass of binary ν-PN, binary restricted ν-PN, that are equivalent to ν-RN systems without communications, so that coverability is also decidable for them.


1025

The paper [27] defines a subclass of the π-calculus, namely that of depth-bounded processes, where the depth of a process measures the interdependence of names in processes. The subclass of depthbounded processes is a WSTS. It would be interesting to see if the concept of depth-boundedness in the π-calculus (different from the depth-boundedness notion defined in [30]) can be transferred to pν-PN, to obtain a subclass of them (more expressive than the restricted binaries ν-PN) which is a WSTS.

Acknowledgments The authors would like to thank the anonymous referees for their valuable comments.

References [1] P. A. Abdulla, and B. Jonsson. Verifying Programs with Unreliable Channels. Information and Computation, 127(2):91-101, 1996. [2] P. A. Abdulla, K. Cerans, B. Jonsson, and Y. Tsay. Algorithmic analysis of programs with well quasi-ordered domains. Information and Computation 160:109-127. Academic Press Inc., 2000. [3] P. A. Abdulla, G. Delzanno, and L. Van Begin. Comparing the Expressive Power of Well-Structured Transition Systems. 21st Int. Workshop on Computer Science Logic. Lecture Notes in Computer Science vol. 4646, pp. 99-114. Springer, 2007. [4] A. Bouajjani, M. Müller, and T. Touili. Regular symbolic analysis of dynamic networks of pushdown systems. In Proc. of CONCUR’05, LNCS vol. 3653, pp. 473-487. Springer, 2005. [5] D. Dahmani, J-M. Ilié, and M. Boukala. Reachability analysis for Recursive Petri Nets with shared places. Int. Workshop on Abstractions for Petri Nets and Other Models of Concurrency, APNOC’09. [6] G. Delzanno, J.-F. Raskin, and L. Van Begin. Towards the automated verification of multithreaded java programs. In TACAS 2007, LNCS. vol. 2280, pp. 173-187. Springer, 2002. [7] G. Decker, and M. Weske. Instance Isolation Analysis for Service-Oriented Architectures. In Proceedings of the 2008 IEEE International Conference on Services (SCC’08), pp. 249-256. IEE Computer Society, 2008. [8] G. Delzanno. An overview of MSR(C): A CLP-based Framework for the Symbolic Verification of Parameterized Concurrent Systems. 11th Int. Workshop on Functional and Logic Programming, WFLP’02. Electronic Notes in Theoretical Computer Science vol. 76. Elsevier, 2002. [9] R. Dietze, M. Kudlek, and O. Kummer. Decidability Problems of a Basic Class of Object Nets. Fundamenta Informaticae 79(2007) 295-302. IOS Press. [10] C. Dufourd, A. Finkel, and Ph. Schnoebelen. Reset Nets Between Decidability and Undecidability. 25th Int. Automata, Languages and Programming Colloquium, ICALP’98. LNCS vol. 1443. Springer (1998) 103-115. [11] J. Esparza and M. Nielsen. Decidability issues for Petri Nets-a survey. Bulletin of EATCS 52:244-262(1994). [12] J. Esparza, A. Finkel, and R. Mayr. On the verification of broadcast protocols. In Proc. of LICS’99, pp. 352-359. IEEE Computer Society, 1999. [13] A. Finkel, and P. Schnoebelen. Well-Structured Transition Systems Everywhere! Theoretical Computer Science 256(1-2):63-92 (2001). [14] G. Geeraerts, J-F. Raskin, and L. Van Begin. Well-structured languages. Acta Informatica 44(3-4): 249-288 (2007)

1026


[15] A. Gordon. Notes on Nominal Calculi for Security and Mobility. Foundations of Security Analysis and Design, FOSAD’00. Lecture Notes in Computer Science vol. 2171, pp. 262-330. Springer, 2001. [16] S. Haddad, and D. Poitrenaud. Recursive Petri Nets. Acta Informatica 44(7-8):463-508, 2007. [17] S. Haddad, and D. Poitrenaud. Modelling and Analyzing Systems with Recursive Petri Nets. Proceedings of the 5th Workshop on Discrete Event Systems, WODES’00, pp. 449-458. Kluwer Academic Publishers, 2000. [18] K.M. van Hee, N. Sidorova, M. Voorhoeve, and J.M. van der Wer. Generation of Database Transactions with Petri Nets. Fundamenta Informaticae 93(1-3):171-184 (2009) [19] M. Köhler, and H. Rölke. Properties of Object Petri Nets. 25th Int. Conf. on Petri Nets, ICATPN’04. LNCS vol. 3099, pp. 278-297. Springer, 2004. [20] M. Köhler. Reachable markings of object Petri nets. Fundamenta Informaticae 79(3-4):401-413 (2007) [21] M. Köhler, and F. Heitmann. On the expressiveness of communication channels for object nets. Fundamenta Informaticae 93(13):205-219 (2009) [22] O. Kummer. Undecidability in object-oriented Petri nets. Petri Net Newsletter, 59:18-23, 2000. [23] O. Kummer, F. Wienberg, M. Duvigneau, J. Schumacher, M. Köhler, D. Moldt, H. Rölke, and R. Valk. An Extensible Editor and Simulation Engine for Petri Nets: Renew. In 25th Int. Conf. on Petri Nets, ICATPN’04. LNCS vol. 3099, pp. 484-493. Springer, 2004. [24] R. Lazic, T.C. Newcomb, J. Ouaknine, A.W. Roscoe, and J. Worrell. Nets with Tokens Which Carry Data. Fundamenta Informaticae 88(3):251-274. IOS Press, 2008. [25] I. Lomazova. Nested Petri nets - a formalism for specification and verification of multi-agent distributed systems. Fundamenta Informaticae 43(1-4):195-214. IOS Press, 2000. [26] I. Lomazova, and Ph. Schnoebelen. Some Decidability Results for Nested Petri Nets. 3rd Int. Andrei Ershov Memorial Conf. on Perspectives of System Informatics, PSI’99. LNCS vol.1755, pp. 208-220. Springer,2000. [27] R. Meyer. On Boundedness in depth in the π-Calculus. In IFIP Int. Federation for Information Processing, Volume 273; Fifth IFIP Int. Conference on Theoretical Computer Science, pp 477-489. Springer, 2008. [28] R.M. Needham. Names.Distributed Systems, pp. 89-101. Addison-Wesley, 1989. [29] F. Rosa-Velardo, D. de Frutos-Escrig, and O. Marroqu´ın-Alonso. On the expressiveness of Mobile Synchronizing Petri Nets. 3rd Int. Workshop on Security Issues in Concurrency, SecCo’05. ENTCS 180(1):77-94. Elsevier, 2007. [30] F. Rosa-Velardo, and D. de Frutos-Escrig. Name Creation vs. Replication in Petri Net Systems. 28th Int. Conf. on Applications and Theory of Petri Nets and other models of concurrency, ATPN’07, LNCS vol. 4546, pp. 402-422. Springer, 2007. [31] F. Rosa-Velardo, and D. de Frutos-Escrig. Name Creation vs. Replication in Petri Net Systems. Fundamenta Informaticae 88(3):329-356. Special issue on Selected Papers from ATPN’07. IOS Press, 2008. [32] F. Rosa-Velardo, and D. de Frutos-Escrig. Decidability results for restricted models of Petri nets with name creation and replication. 30th Int. Conf. on Applications and Theory of Petri Nets and other models of concurrency, ATPN’09, LNCS vol. 5606, pp. 63-82. Springer, 2009. [33] R. Valk. Nets in Computer Organisation. Advances in Petri Nets, LNCS vol. 255, pp. 218-233. Springer, 1987. [34] R. Valk. Petri Nets as Dynamical Objects. 16th Int. Conf. on Application and Theory of Petri Nets. Workshop proceedings, 1995. [35] R. Valk. Petri Nets as Token Objects - An Introduction to Elementary Object Nets. 19th Int. Conf. on Applications and Theory of Petri Nets, ICATPN’98, LNCS vol. 1420, pp. 1-25. Springer, 1998.