E cient Encoding Schemes for the Symbolic ... - Semantic Scholar

Ecient Encoding Schemes for the Symbolic Analysis of Petri Nets Enric Pastor and Jordi Cortadellay UPC/DAC Report No. RR-98/24 August 1998

This work has been supported in part by the Ministry of Education of Spain (CICYT) under contract TIC 95-0419 and by the ACiD-WG under contract ESPRIT-21949. On leave to Newcastle University, at the Computer Science Department as 1998 Leverhulme fellow.

Ecient Encoding Schemes for the Symbolic Analysis of Petri Nets Jordi Cortadella Enric Pastor Department of Software Department of Computer Architecture Universitat Politecnica de Catalunya Universitat Politecnica de Catalunya 08034 Barcelona, Spain 08034 Barcelona, Spain [email protected] [email protected]

Abstract Petri nets are a graph-based formalism appropriate to model concurrent systems such as asynchronous circuits or network protocols. Symbolic techniques based on Binary Decision Diagrams (BDDs) have emerged as one of the strategies to overcome the state explosion problem in the analysis of systems modeled by Petri nets. The existing techniques for state encoding use a variable-per-place strategy that leads to encoding schemes with very low density. This drawback has been partially mitigated by using Zero-Suppressed BDDs, that provide a typical reduction of BDD sizes by a factor of two. This work presents novel encoding schemes for Petri nets. By using algebraic techniques to analyze the topology of the net, sets of places \structurally related" can be derived and encoded by only using a logarithmic number of boolean variables. Such approach allows to drastically decrease the number of variables for state encoding and reduce memory and CPU requirements signi cantly.

1

1 Introduction Petri nets (PN) are a graph-based mathematical formalism adequate to describe, model and analyze the behavior of concurrent systems. PNs allow the description of sequential and non-sequential behaviors (including concurrence and non-deterministic choice). Since its introduction by C.A.Petri in 1962, PNs have been extensively used in a wide range of areas such as communication protocols and networks, computer architecture, distributed systems, manufacturing planning, digital circuit synthesis and veri cation, and high-level synthesis. In particular, they play an increasingly important role in the synthesis and veri cation of digital asynchronous circuits [25, 15, 5], and have been recently proposed to specify and synthesize systems in hardware/software codesign frameworks [14, 6]. In [11, 24] it has been proposed ecient enumerative techniques for the analysis of bounded Petri Nets. The proposed technique de nes an isomorphism between PNs and Boolean algebras. Each marking in the PN is described by means of boolean variables, and the speci cation of its behavior by means of boolean functions . The potential state explosion derived from the enumeration of markings is managed by using Binary Decision Diagrams (BDD) [3, 1]. Experiments show that large sets of encoded markings can be represented with small BDDs, and therefore PNs can be eciently analyzed manipulating those sets. The existing techniques for the symbolic analysis of safe PNs use naive schemes to encode the markings [11, 24]. Each place is represented by means of a boolean variable that is asserted in case the place is marked. This scheme results in a very sparse state space. Zero-suppressed BDDs have been proposed to eciently handle this sparsity [27]. It is also well-known that the number of encoding variables is one of the crucial factors that in uence on the eciency of BDD techniques. Encoding schemes that reduce the number of variables provide more compact representations, and therefore allow the analysis of more complex systems. In this work we propose a dense encoding scheme that results in an increased eciency for the symbolic analysis of safe Petri Nets. It is based on a drastic reduction of the number of variables that produces very dense encodings. The proposed method is based on the optimal encoding of the individual State Machines (SMs) of the PN and the combination of these SMs to obtain a global encoding. Moreover, such density is achieved without introducing signi cant encoding overhead and complexity in the analysis of the dynamic behavior of the net. The paper is organized as follows. In Section 2 we review some basic properties of PNs and sketch techniques for symbolic analysis. Binary Decision Diagrams (BDDs) are introduce in Section 3. Section 4 overviews the new encoding method by means of an example. The encoding scheme is presented in detail in Section 5. First, a density function is introduced to evaluate the quality of an encoding. After that, a methodology is presented to encode individual SMs and to combine sets of encoded SMs to create an optimal global encoding of the PN. In Section 6 a heuristic algorithm is presented to select the SM components that should be used for encoding. Then, in Section 7 a second heuristic algorithm is described to assign the actual binary codes to the places in each SM. Section 8 describes the basic boolean equations required for BDD-based symbolic analysis using the presented encoding scheme. Experimental results are presented in Section 9. Finally, Section 10 concludes the paper including a discussion of the current 2

and future scope of this work.

2 Petri nets An ordinary Petri Net (PN) is a 4-tuple N = hP ; T ; F ; M0i, where P and T are disjoint and nite sets of places and transitions, F  (P  T ) [ (T  P ) is the ow relation, and M0 : P ! IN is the initial marking. The set of places and transitions is called the set of nodes of the net. The pre- and post-sets of nodes are speci ed by a dot notation, where  u = fv 2 P [ T j(v; u) 2 Fg is called the pre-set of u, and u = fv 2 P [ T j(u; v) 2 Fg is called the post-set of u. The pre-set of a place (transition) is the set of input transitions (places). The post-set of a place (transition) is the set of output transitions (places). A marking of a PN is an assignment of a non-negative integer to each place. If k is assigned to place p by marking M , we will say that p is marked with k tokens, i.e. M (p) = k. A State Machine (SM) is a PN such that each transition has exactly one input place and one output place. A free-choice net (FC net) is a PN such that every arc from a place is either a unique outgoing arc or a unique incoming arc to a transition. PNs are graphically represented by drawing places as circles, transitions as boxes (or sometimes bars), the ow relation as directed arcs, and tokens as dots. Figure 1 depicts a PN with the set of places P = fp1; : : :; p7g, the set of transitions T = ft1; : : :; t7g, and the ow relation F = f(p1; t1); (p1; t2); (t1; p2); : : :g. In the initial marking M0 , place p1 is marked. A transition t is enabled in a marking M , denoted by M [ti, when all places in t are marked. An enabled transition in M is allowed to re . When it res, it removes a token from each place in  t and adds a token to each place in t , reaching a new marking M 0 (M [tiM 0). A marking M is reachable from M0 if there is a sequence of rings t1 t2 : : :tn that transforms M0 into M (M0[t1 t2 : : :tn iM ), hence t1 t2 : : :tn is a feasible sequence. The set of reachable markings from M0 is denoted by [M0i. The nite automata that contains the set of reachable markings and all the possible ring sequences of a PN is called the reachability graph . Figure 1(b) depicts the reachability graph for the PN previously presented in Figure 1(a). There are a total of eight reachable markings in [M0i, each one represented by the subset of marked places. A PN is live if every transition can be in nitely enabled through some feasible sequence of rings from any marking in [M0 i. A PN is safe if no marking in [M0i can assign more than one token to any place. This paper only covers the analysis of safe PNs, although the extension to bounded PNs is currently under study [24, 23].

2.1 Algebraic analysis of Petri nets Let us represent the sets P and T as vectors, [p1 : : :pjPj] and [t1 : : :tjT j ], with some arbitrary order of places and transitions. Given a subset of places R  P , [R] denotes the characteristic vector of R w.r.t. P , de ned as,

8 < 1 if p 2 R [R](p) = : 0 if p 62 R

3

p1 M0

t1

p1

t2

t2

t1 M1

p2

p2 , p3

p5

p3 p4

M2

t3 M3

t3

t4

t5

t5

t6 M5

p2 , p7 t4

p6

t7

t4 M4

p6 , p3

t6

p4 , p5

p7

p6 , p5 t6

t3

M6

p4 , p7 t5

p6 , p7 M7

t7

(b) (a)

Figure 1: (a) A Petri net with its initial marking, (b) its corresponding reachability graph. The structure of a PN net can be represented by an incidence matrix. The incidence matrix C : P  T ! f?1; 0; 1g is de ned as: 8t 2 T : C (?; t) = [t] ? [t] A marking M is represented as a jPj  1 column vector [M (p1) : : :M (pjPj)], where the ith element of M denotes the token count of pi. The incidence matrix of PN depicted in Figure 1 is the following:

0 BB BB BB B C =B BB BB BB @

?1 ?1 1 1 0 0 0 0

0 0 1 1 0 0

0 0 0 0 1 ?1 0 0 0 0 0 ?1 0 0 0 0 0 ?1 0 0 0 0 0 ?1 0 1 0 1 0 ?1 0 1 0 1 ?1

1 CC CC CC CC CC CC CC A

with M0 = [1 0 0 0 0 0 0]. The interpretation of the incidence matrix is as follows. The non-zero elements of each row indicate the eect of the corresponding transitions on the token count of the corresponding place: input transitions put a token (1), whereas output transitions remove a token (-1). Given a marking M and a ring sequence of transitions  such that M [ iM 0 then

M 0 = M + C
~

(1)

where ~ is the ring count vector, i.e. ~] is the number of occurrences of transition ti in  . Equation (1) is known as the state equation of the PN.

2.2 Place-invariants and State Machines Components Every solution X 2 QjPj of the equation X T
C = 0 is said to be a P-invariant [22]. A P-invariant I is called semi-positive if I  0 and I 6= 0. The support of a semi-positive invariant I , denoted by hI i, is 4

the set of places p satisfying I (p) > 0. A semi-positive invariant I is minimal if no other semi-positive invariant J satis es hJ i  hI i. In the example of Figure 1, the vector I = [2 1 1 1 1 1 1] is a semi-positive P-invariant. However it is not minimal. The vectors I1 = [1 1 0 1 0 1 0] and I2 = [1 0 1 0 1 0 1] are minimal semi-positive P-invariants. Note that the invariant I can be obtained as a linear combination of I1 and I2 (I = I1 + I2 ). Given a PN N = hP ; T ; F ; M0i and a subset of places Pi  P a new PN Ni = hPi ; Ti; Fi; M0i i can be generated as follows:

 Ti = ft 2 p [ pjp 2 Pig  Fi = F \ ((Pi  Ti) [ (Ti  Pi))  M0i(p) = M0(p) for every p 2 Pi. The PN Ni generated by a subset of places is said to be a State Machine Component (SM) of N if Ni is a strongly connected State Machine. Figure 2 shows two SMs generated from the PN of Figure 1. The SMs have been generated by the sets of places fp1 ; p2; p4; p6g (invariant I1 = [1 1 0 1 0 1 0]) and fp1; p3; p5; p7g (invariant I2 = [1 0 1 0 1 0 1]) respectively. The places of an SM are said to be covered by the SM. A PN is said to be decomposable into SMs if there is a set of SMs that cover all places of the PN. It is known that some classes of PNs are decomposable into SMs and in particular into one-token SM-Components; that is, SMs that contain exactly one token [10]. In general, only a subset of places can be covered by SMs. A key theorem for the contribution of this work is the following.

Theorem 2.1 ([8]) Let Ni = hPi; Ti; Fi; M0i i be a State Machine Component of a Petri Net N . Then [Pi ] is a minimal semi-positive P-invariant of N .

Informally this means that the token count of an SM is preserved for all reachable markings. As a consequence, if an SM contains only one token, then one and only one place of the SM will be marked in all reachable markings of the PN. This suggests that ecient encodings can be found for SMs. Calculating SMs that cover selected places can be eciently done by using linear programming techniques [21, 16]. An SM covering a place p can be obtained by computing a minimal semi-positive P-invariant ISM that includes p, with the additional restriction of only containing one token in the initial marking M0. This minimal P-invariant is computed by solving the linear system of equations [16]:

8 > min ISM > > > < ISM
C > ISM(p) > > P > : I (p)
M0(p)

 0 = 0  1 = 1

5

x1 x2

x3 x4

p1 00

p1 00

t1

p2

t2

p4

10

t3

t1

10

01

p3

01

t4

t5

p6

t2

p5

t6

11

11 t7

t7

SM1

SM2

p7

Figure 2: Two State Machine Components covering the PN in Figure 1.

2.3 PN Symbolic Analysis A marking in an ordinary and safe PN can be represented by a set of places M = fp1 ; :::; pk g  P , where pi 2 M denotes the fact that there is a token in pi. Let MP be the union of all potential sets of places representing markings of a PN with jPj places (jMP j = 2jPj). Then, the system (2MP ; [; \; ;; MP ) is the boolean algebra of sets of safe markings. This system is isomorphic with the boolean algebra of n-variable logic functions, where n = jPj. The methods proposed so far to represent markings of a safe PN [24, 27] have used the fact that each marking can be represented by the characteristic function of a subset of places. Thus, by using a boolean variable for each place, any of the 2jPj safe markings corresponds to a minterm of B jPj . With an abuse of notation, let us call pi the boolean variable representing the marking of place pi . The transition function  = (1 ; :::; jPj) for a transition t 2 T de nes how the contents of each place is transformed as a result of ring t (M 0 =  (M; t)). i (p1 ; : : :; pjPj; t) is a function only de ned for those markings in which t is enabled:

8  > > < 1 if pi 2 t i (p1; :::; pjPj; t) = > 0 if pi 2 t and pi 62 t > : pi otherwise

(2)

The characteristic function of the set of markings in which transition t is enabled, Et, is de ned as:

Et =

^

pi 2 t

pi

The function  also induces a binary relation between markings. Thus M RtM 0 i M 0 =  (M; t). By using two dierent sets of variables, P = fp1 ; :::; pjPjg and Q = fq1 ; :::; qjPjg, to represent the current and the next marking before ring a transition t, the characteristic function of Rt can be represented by a 6

transition relation1:

Rt(P; Q) =

jPj ^

i=1

qi  i(P; t)



Finding the set of markings M 0 that can be reached after ring transition t from any marking in the set M (the image computation for transitions) is reduced to compute: M 0 = 9P [M
Rt(P; Q)] : The transition relation of the PN for the calculation of all markings reachable after ring one transition is

R(P; Q) =

_

t2T

Rt(P; Q) :

This expression suggests that R(P; Q) can be eciently manipulated by representing it as partitioned transition relation in disjunctive form [4]. The reachability set can be obtained by computing the least x point of the following recurrence:

Mo = Mo Mi+1 = Mi [ Image(N; Mi) where Image is the image computation function that returns the markings reachable from Mi after ring in one step all transitions in the PN.

3 Binary Decision Diagrams 3.1 Basic Concepts A logic function can be represented in many canonical ways, such as truth tables , Karnaugh maps , minterm canonical forms or sum of products [2]. A form is canonical, if the representation of any function in that form is unique. Canonical forms are useful for veri cation techniques, because the equivalence test between functions can be easily computed. However, all these canonical forms are inecient for large functions. Binary Decision Diagrams (BDDs) have emerged as an ecient canonical form to manipulate large logic functions. Even though the introduction of BDDs is relatively old [17], only after the recent work of Bryant [3] they become a useful tool for many applications [1, 26, 19]. This section presents BDDs by means of an example. Given the function

f = bc + abc + ac :

(3)

its corresponding BDD is shown in Figure 3(a). A BDD is a Directed Acyclic Graph with one root node (the unique node without predecessors), and two leaf nodes (labeled 0 and 1). Each node in the BDD has two outgoing arcs labeled T (then branch) and E (else branch). The BDD provides the image evaluation for every possible assignment of variables in the domain of the function. To evaluate Equation (3) for the assignment of variables (a = 1; b = 0; c = 1), we only have to follow the corresponding directed arcs from the root node (dashed arcs in Figure 3). The rst node we encounter is labeled with variable a, whose value is 1. Given this assignment, the T (then ) arc must 1 Note that

the operator a  b stands for a equivalent to b and it is de ned as a  b = ab + a b.

7

T

c

a

a

T

E

E

b

T

b

b E

T

c

c

E

T

E

c c

E

E

T T

T

1

E

T

E

0

T

1

0

(a)

(b)

E

b E

E

T

T

E

b

c

E

c

a

a

T

T

E

E

T

T

1

0 (c)

Figure 3: BDD example for Equation (3). be taken. Next, a node labeled with variable b is found. Since b = 0 the E (else ) arc must be followed now. Finally, following the T (then ) arc for variable c = 1 we reach the 0 leave node. Thus, the image for f (a = 1; b = 0; c = 1) is 0.

3.2 Reduced and Ordered BDDs The representation of a function by means of a BDD is not unique. Figures 3(a,b, and c) depict dierent BDDs representing (3). The BDD in Figure 3(b) is obtained from the BDD in Figure 3(a) after successively applying a number of reduction rules that eliminate: repeated isomorphic subgraphs and redundant nodes from the representation [3]. On the other side, Figure 3(c) uses a dierent variable ordering and also applies the same reductions. Note that all BDDs shown in Figure 3 are ordered BDDs. In an ordered BDD, all variables appear in the same order along all paths from the root to the leaves. If a BDD is ordered and reduced then it is called a Reduced Ordered BDD (ROBDD). Given a xed total ordering of the variables, the reduced BDD of a function is unique. Therefore, an ROBDD is a canonical form [3]. Figures 3(b, c) are ROBDDs with variable ordering a < b < c and c < a < b respectively. In the sequel, we will implicitly assume that BDDs are reduced and ordered. The most important properties of ROBDDs can be summarized as:

 The size of the BDD can be exponential in the number of variables [18]. In general, however, BDDs are a compact representation for many functions.

 Boolean binary operations such as union, product, cofactor and abstraction, can be eciently calculated in polynomial time in the size of the BDDs.

 Some interesting problems like satis ability , tautology and complementation are solved in constant time using BDDs.

Note that each BDD node represents at the same time a function whose root is the node itself. This property allows the implementation of BDD packages managing all BDDs using the same set of variables 8

in only one multi-rooted graph [1]. However, the size of the BDD heavily depends on the ordering. Hence, determining a good ordering becomes a critical issue to increase the eciency of any BDD-based application.

3.3 Boole's Expansion Theorem The boolean functions fxi = f (x1 ; : : :; xi?1 ; 1; xi+1; : : :; xn) and fxi = f (x1 ; : : :; xi?1 ; 0; xi+1; : : :; xn) are called the positive and negative cofactors of f with respect to xi and xi respectively.

Theorem 3.1 Boole's Expansion If f : Bn ! B is a n-variable boolean function, then f (x1 ; : : :; xn) = xi
fxi + xi
fxi ; for all (x1 ; : : :; xn ) 2 Bn .

3.4 Boolean Operations with ROBDDs Given the variable ordering a < b < c, let us calculate the BDD for Equation (3). We denote by (v; T; E ) a BDD node labeled with variable v , and T and E as Then and Else BDDs respectively. Applying Boole's theorem to expand function (3) with the cofactors of variable a we have: f = a
fa + a
fa ; with fa = bc + bc, and fa = c. Then, expanding variable b in fa and fa respectively yields to



  
fab + b
fab + a
b
fab + b
fab ; with the cofactors fab = c, fab = c, fab = c, and fab = c. Thus, the BDD for Equation (3) is f = (a; (b; c; c); (b; c; c)) ; (see Figure 3(a)). Note that the logic functions fab = fab = fab = c and fab = c are isomorphic, and must be represented with the same node to preserve the canonicity of the f = a


b

BDD. BDDs can also be created by combining existing BDDs by means of boolean operations like AND, OR, and XOR. This approach is implemented using the if-then-else (ITE) operator, de ned as follows: ITE(F; G; H ) = F
G + F
H ;

(4)

where F , G, H are logic functions represented by BDDs. The interesting property of the ITE operator is that it can directly implement any two-operand logic function. For example: AND(F; G) = ITE(F; G; 0); XOR(F; G) = ITE(F; G; G): In general, any boolean operation between two logic functions can be decomposed using the expansion theorem, i.e. Z = f hopi g = xi (fxi hopi gxi )+ xi (fxi hopi gxi ) : The same operation can be implemented by the ITE operator. Let Z = ITE(F; G; H ), and let v be the top variable of F , G, H . Then, the BDD for Z is recursively expanded as follows [3]: Z = (v; ITE(Fv ; Gv ; Hv); ITE(Fv ; Gv ; Hv )) ; where the terminal cases of the expansion are: ITE(1; F; G) = ITE(0; G; F ) = ITE(F; 1; 0) = ITE(G; F; F ) = F: An implementation for the ITE operator is shown in Figure 4. The algorithm keeps the BDD reduced by checking if T equals E, and checking in a unique-table if the newly produced node already exists in the BDD. In this way, isomorphic subgraphs are avoided. Unless there is a terminal case, every call to the procedure generates two other calls, so the total number of ITE calls would be exponential in the number of variables. To avoid this exponential complexity, ITE uses a table of pre-computed operations 9

ITE (F ,G,H ) f

if ( terminal case ) then return result for terminal case; if ( fF , G, H g is in computed-table ) then return pre-computed result; let v be the top variable of f F , G, H g;

T E

:= :=

if (T

g

ITE (Fv ,Gv ,Hv ); ITE (Fv ,Gv ,Hv );

E ) then return T ; R := nd or add unique table (v,T ,E ); insert in computed table (f F , G, H g, R); return (R); equals

Figure 4: A recursive implementation of the ITE operator in Equation 4. (the computed table ). This computed table acts as a cache memory, in such a way that the most recently used results are stored in the table. The eect of this computed table is to cause ITE to be called at most once for each possible combination of the nodes in F , G, H . Therefore, the complexity of the algorithm |under the assumptions of in nite memory and constant access time (hash) tables| is reduced to O(jF j
jGj
jH j).

4 Overview of the Encoding Technique Most nite systems that can be modeled as Boolean algebras can also be eciently manipulated by using Binary Decision Diagrams (BDDs) |directed acyclic graphs that allow compact representations of logic functions. A number of boolean variables encode the nite state space, creating an isomorphism between the system and a Boolean algebra. Given that sets of states are represented as functions, the complexity of operations between functions |that is, between BDDs| directly depends on the number of nodes to be represented. Therefore, we can conclude that the eciency of symbolic algorithms strongly depend on the number of boolean variables that encode the state space of the system. Multiple encoding schemes can be applied to model the same system depending on the objectives of the application. The ratio between the number of states in the system and the variables used to represent each state de nes the density of the encoding. High density encodings will be preferred since they lead to reduced number of BDD nodes. During the last few years several symbolic techniques have been derived to analyze PNs. The eectiveness of these symbolic techniques rely on the fact that exists an ecient isomorphism between PNs and Boolean algebras. Safe PNs are a class of concurrent system in which its structure oers a direct methodology to encode its state space. In this work we will propose an encoding scheme that is based on using the information that can be 10

known a priori from the PN structure |its SM components. This information allows to discard sets of unreachable markings and nd more ecient encodings for those that are still potentially reachable. We now describe and compare dierent encoding schemes for the example of Figure 1(a).

One variable per place: (also named sparse encoding) each marking is represented by the characteristic vector of the marked places (see Figure 5(a)). The number of variables is jPj. Optimal number of variables: the markings are arbitrarily encoded with dlog2 j[M0ije variables (see Figures 5(c) and 5(d)).

SM-based encoding: each SM with k places is encoded with dlog2 ke variables. Each code corresponds

to one place of the SM, the one containing the token. Figure 5(b) shows an encoding based on the SMs SM1 and SM2 shown in Figure 2. Two variables are used to encode each SM (x1x2 and x3 x4). The encoding corresponds to p1 = 00, p2 = 10, p4 = 01 and p6 = 11 for SM1 and p1 = 00, p3 = 10, p5 = 01 and p7 = 11 for SM2. The encoding of each particular marking is obtained after combining the codes in each SM.

Deriving optimal encoding schemes with minimum number of variables is not a viable strategy because it requires knowing the existing markings a priori, that it is in fact the problem that was originally posed. Hence, the goal of this work is to propose alternative dense encoding schemes for PNs, that lay in between the conventional one-variable-per-place (sparse encoding) and the optimal schemes. The proposed methodology should reduce the number of variables, while maintaining a reasonable computation eort. Besides minimizing the number of variables to represent reachable markings, the proposed scheme will also attempt to reduce the switching activity of the transitions. The switching activity gives a measure of the amount of modi cations that have to be applied to the BDDs representing the current marking of the PN to transform it into the next-state marking, and can be computed as the Hamming distance between adjacent markings of the reachability graph. The goal of this strategy is to take advantage of the eciency of \ad-hoc" BDD procedures that have been specially devised for the manipulation of Petri nets (see Section 8.3). The sparse encoding technique in Figure 5(a) will require switching 25=11 bits in average, while the SM-based encoding in Figure 5(b) requires switching 16=11 bits in average. An sparse encoding not only introduces redundant unnecessary variables but increases the computation eort each time a transition has to be red. SM-based encodings provide much dense encodings while reducing the switching activity in the system. Figures 5(c) and 5(d) depict two possible assignments using an optimal encoding scheme with three variables. The assignment proposed in (c) requires switching 15=11 bits on average every time a transition is red, while the assignment in (d) requires 19=11 bits. Therefore encoding (c) would be preferable. Next, the method proposed in this paper for encoding reachable markings of PNs eciently is sketched: 1. A set of SMs of the Petri net is calculated. Algebraic and linear programming techniques will be used for such purpose. The primary goal will be to maximize the subset of places covered by SMs. 11

M0

1000000

0000

M1

t3

t7

t5

M4

0010010 t4

t4

M0

001

t7

t5

M4

t4

111

M3

M6

111

(c)

t6 M6

101 t6

t3

000

M7

t5 M5

010 t4

t5

t7

t4 M4

011

010

110 t6

t3

M2

t3

t6 M5

101

011

t2

100

100

001

M0

M1

M2

t4

M7

t1

t2

M1

t3

t5

(b)

t1

M3

0111

t6

1111

M7

M6

1101

t3

(a)

000

t6 M5

1011

t5

0000011

t5

M4

1110

0001001

t6

t7

t4

M3

M6

0000110

t3

t3

t6 M5

0100001

M2

0101

1010

0001100 t4

M3

t2

M1

M2

0110000

M0

t1

t2

t1

110 t5

M7

(d)

Figure 5: Encoding schemes: (a) one variable per place, (b) SM-based, (c,d) with minimum number of variables. The calculation of the SMs is out of the scope of this paper. We refer the reader to [21, 16] for more details. 2. A SM-based encoding is derived for the places covered by SMs. The rest of places are encoded by using the conventional one-variable-per-place scheme. 3. Assign binary codes to the places in the SMs, in such a way that the switching activity is minimized. 4. Given the selected encoding, calculate the transition relation of the PN and the reachability graph by using symbolic traversal techniques.

5 SM-Based Encoding The proposed encoding scheme is based on the fact that PNs can be totally or partially decomposed into SMs that contain an invariant number of tokens. The places in each SM can be encoded separately using a logarithmic encoding technique. After combining the variables in each component, the result is a reduced number of boolean variables compared to the conventional sparse techniques. This section describes how to evaluate the quality of an encoding by using the encoding density function; that is, the ratio between the optimum and the actual number of variables in the encoding. We start presenting the encoding mechanism by describing how an SM can be encoded by using an optimal number of variables. Given this result, it is necessary to determine the set of SMs that allows to encode the overall PN while minimizing the total number of required variables. Two dierent algorithms to 12

select the set of SMs are proposed, a simple algorithm that does not consider the interactions between SMs, and a more elaborated algorithm that takes into account those interactions. The encoding density will show us that the improved algorithm generates better encodings.

5.1 Encoding Density In order to compare the density of dierent encoding schemes we introduce an homogeneous cost function: the encoding density D. Given a PN, D is calculated as the optimum number of variables required to encode the whole reachability set, divided by the actual number of variables that are used, i.e. j[M0ij) D = #logof2(variables An encoding will be optimal if D = 1. This optimality also implies that the Boolean space is fully used and no binary code is left unassigned. Given the encodings introduced in Figure 5 we obtain D = 0:43 for (a), D = 0:75 for (b) and D = 1 for both (c) and (d). Density provides a general idea of the quality of a particular encoding. This function can also be applied to individual SM-Components to help deciding which of them will lead to more dense encodings.

5.2 Encoding SMs Let Pi  P be the subset of places covered by one SM Si containing only one token. Since one and only one of the places of Pi will be marked at each reachable marking, a logarithmic encoding can be found for the places. Thus, any injective encoding function ESi : Pi ! Bn , where n = dlog2(jPij)e, is appropriate. Each dierent place must be assigned a unique binary code in order to uniquely identify the location of the token in the Si , i.e.

8pj ; pk 2 Pi; j 6= k : ESi (pj ) 6= ESi (pk ) :

(5)

When using SM-based encoding, the density of each SM Si can be computed as: log2 (jPij) ; DSi = dlog 2 (jPij)e compared to the density for the same SM Si when sparse encoding is used: D = log2(jPij) : Si

jPij

In general, when selecting the SMs that must be used in the encoding, those with higher densities will be preferred over the rest. Heuristically we assume that SMs with higher densities will provide more dense global encodings.

5.3 Selecting SMs The number of variables required to encode a PN will directly depend on the selected SMs. Given that the same place may be covered by dierent SMs, the density of the encoding may decrease because dierent sets of variables are used to encode the same place at those components. To achieve a dense encoding it is important to select a set of SMs that minimize the overencoding of common places. 13

p9

p1

(idle) t1

t6 Go to Table

p2

Go to Table

p5

t3

Take left fork

Take right fork

t4

t7

Take left fork p13

p12

Start eating

p4

t8

Take right fork

p7

p6

p11

p10

p3

t2

p4

(idle)

t9

Start eating

p8

(eating) t5

p14

Leave forks and table

t10

(eating) Leave forks and table

Figure 6: PN for two dining philosophers (two instances of place p4 are depicted for clarity). As an example, consider a PN with one of the SMs covering 4 places. However 3 out of these 4 places are already covered by other SMs. If we strictly apply the SM-based encoding, we would require two additional variables for the new SM. On the other hand, encoding the only uncovered place with only one variable would result in a smaller total number of variables. Let SMC = fSi g be a set of SMs that (totally or partially) cover the places of the PN. The problem of nding an optimal subset of SMC to encode the PN can be formulated as a Unate Covering Problem[20] as follows: 1. Let us take SMC [ P as the set of covering objects and P as the set of covered objects. Each Si covers a subset of places Pi  P . Each place pi 2 P covers itself. 2. For each Si 2 SMC, de ne cost(Si ) = dlog2(jPij)e. 3. For each pi 2 P , de ne cost(pi ) = 1. 4. Find a minimum cost cover of SMs and places. The nal encoding of each place can be computed as the conjunction of the encoding function used in each particular SM; that is,

E (pj ) =

Y

Si :pj 2Pi

ESi (pj ) :

5.4 Example To illustrate the proposed encoding scheme we will use the PN depicted in Figure 6 as example through the paper. This PN has 14 places, 22 reachable markings and can be decomposed into six SMs that cover 14

all places (see Figure 7). The sparse encoding scheme previously used requires 14 boolean variables to encode each one of the places, resulting into a density of DN = dlog2 (22)=14e = 0:36. The following minimum cost encoding using 10 variables (with density DN = 5=10 = 0:5) can be found:

 SM1 covering places fp1; p2; p6; p8g (2 variables).  SM3 covering places fp9; p10; p12; p14g (2 variables).  SM4 covering places fp9; p11; p13; p14g (2 variables).  The rest of places encoded with one variable per place (p3, p4, p5 and p7).

5.5 Combined SMs for Improved Encoding The encoding scheme presented in the previous section can be further improved by taking into account that some place may be covered by more than one SM. In that case, the place can be overencoded, resulting in a less dense encoding scheme. Intuitively, each place only needs to be encoded once even though it can be covered by several SMs. An improved encoding scheme can be implemented as follows. Let us assume that a subset of SMs, fS1; : : :; Si?1g is already used to encode some places of the PN. Let us include now a new SM Si covering the places Pi. We can partition Pi into two subsets Pi = Picov [ Pinew . Picov contains all those places already covered by fS1; : : :; Si?1 g, whereas Pinew contains the places only covered by Si . Since places in Picov have been already encoded in other SMs, we only need additional variables to encode the remaining places in Pinew ; that is, dlog2(jPinew j)e variables. In general, most of the SM components of a PN overlap each other, hence encoding the places in Pinew rather than the whole set Pi will lead to much dense encodings. Once we have determined the number of variables we need to de ne the conditions under which the actual binary codes have to be assigned to encode each place. A valid encoding for Si would be any function ESi : Pi ! Bn , where n = dlog2 (jPinew j)e, such that assigns a unique binary codes to each place in Pinew ; i.e.

8pj ; pk 2 Pinew ; pj 6= pk : ESi (pj ) 6= ESi (pk ) :

(6)

Equation (6) imposes much more exible restrictions than (5), because no encoding restriction is de ned over the places in Picov . Now, depending on how binary codes are assigned to places in Picov , there exists two general families of encoding functions can be derived according to (6). The rst family may assign multiple binary codes to represent the same marking (we will call it diuse encoding). On the other side, the second family will maintain a one-to-one relation between binary codes and markings (we will call it a non-diuse encoding or simply an encoding).

Diuse Encodings: The rst family of encoding functions will use the new Boolean variables to exclusively encode the places in Pinew (following Equation 6). Given a SM component Si , the already 15

covered places in Picov will be assigned the tautology function, i.e. 8p 2 Picov : ESi (p) = 1. Therefore, it will not have any in uence when computing the nal encoding of all the rest of already covered places. Let us go back for a moment to the example in Figure 1. If we select SM2 for encoding (assuming new = fp3; p5; p7g. To enthat SM1 has already been selected) the set of newly covered places is PSM 2 code these places we need to use two variables (x3 x4) and assign binary codes, e.g. ESM2 (p3) = x3x4 , ESM2 (p5) = x3x4, and ESM2 (p7) = x3x4. Since p1 was already covered we will assign the tautology function (ESM2 (p1) = 1) so that variables x3 and x4 will not have any in uence in its encoding. Given that code assignments, we end up having marking M1 encoded with four dierent binary codes because it does not depend on variables x3 and x4 , i.e. E (p1) = x1 x2 .

Non-diuse Encodings: The second family of encoding functions will use the new Boolean variables to both encode the places in Pinew and Picov . In that way, a certain degree of overencoding is introduced for the already covered places in Picov . Note that for each place p 2 Pinew there may be a set of places Pp in Picov with the same code as p, i.e.

Pp = fp0 2 Picov j ESi (p)
ESi (p0) 6= ;g : This ambiguity is only apparent since the marking of p can be indirectly determined by the marking of the other SMs encoding the places of Pp. In the extreme case of having a single place in Pinew no additional variables are required because the value of p can be determined by using the places in Picov , i.e. p will be marked i no other place in Picov is marked. Diuse encoding may lead to global encodings with less switching activity, because each place is encoded with a smaller number of variables. However, it presents two main drawbacks that prevent they practical application:

 The total number of markings in the PN it is not exactly known, since markings may appear as duplicated due to the encoding.

 The duplication of codes reduces the number of unused binary codes, which can be used to further minimize the BDDs [7]. Therefore, diuse encoding may prevent crucial BDD minimizations during the symbolic PN analysis.

The calculation of the characteristic function corresponding to each place in diuse and non-diuse encodings will be discussed in Section 8. An example on how to use the improved encoding following both schemes will be presented in Section 8.4.

5.6 Example (cont.) The number of variables required to encode the PN depicted in Figure 6 can be reduced by using the improved encoding technique. A minimum cost encoding using 6 variables (with density DN = 5=6 = 0:84) can be found. To derive this encoding all SMs available in Figure 7 have been used, but only a subset of places in each SM is covered: 16

x1 x2

x5

p1 00

p2

01

x3 x4

x6

p9 00

p1 0

p3

0

01

p9 0

p10

0

p11

p5

11

p7

p6

p8

10

SM1

p8

1

1

SM2

11

10

p14

1

p13

p12

1

p14

SM3

SM4

p7

p4

p13

p12

p8

p14

SM5

p14

p6

p8

SM6

Figure 7: SM decompositions for the dining philosophers example.

 SM1 covering places fp1; p2; p6; p8g (2 variables).  SM2 covering places fp3; p7g (1 variable).  SM3 covering places fp9; p10; p12; p14g (2 variables).  SM4 covering places fp11; p13g (1 variable).  SM5 covering place fp5g (0 variables).  SM6 covering place fp4g (0 variables).

6 Heuristics for the Selection of SMs The improved encoding technique presented in the previous section is a complex combinational selection process similar to a binate covering problem. To avoid this bottleneck in the encoding process, this section describes an heuristic algorithm to select the SMs that will be used to minimize the variables in the PN encoding in short computation times. We will start the section by providing a general view of the selection heuristic (based on the Fiduccia&Mattheyses algorithm). Then, we will describe the details of the selected algorithm and cost functions used to minimize the number of variables in the encoding. Finally, we will apply the algorithm to the PN in Figure 6 to demonstrate how the encoding results presented in Section 5 have been generated.

6.1 Algorithm overview The set of SMs used in the selection process is obtained from the PN using linear programming techniques [21, 16] previously introduced in Section 2. Since it is known that the potential number of SMs in a PN is exponential, we must rely on a subset of components that can be eciently computed. Many dierent initial sets of SMs can be derived. The nal encoding result will not depend on the number of SMs but on the amount of interrelations between places that they describe. In our case we 17

will derive a set of SMs that, when possible, covers all places in the PN. Note that, in some cases, places may not be covered by any SM. A complete cover is only guaranteed for some subclasses of PNs [10]. Choosing these initial set of SMs guarantees that all places are given the chance of being encoded used a dense technique. A subset of these SMs should be selected to derive an optimum dense encoding; that is, the set of SMs should be bi-partitioned into a subset of SMs used for the encoding |a SM-Cover| and a subset of non-used components. The selection methodology is based on the Fiduccia&Mattheyses technique to eciently derive nonbalanced bi-partitions [9] (a variation of the classical Kernighan&Lin algorithm designed to provide balanced partitions [13]). Initially, each place is encoded by a unique Boolean variable (sparse encoding). SMs will be added and removed from the SM-Cover in order to progressively decrease the number of required variables. The process will be repeated until all possible interchanges have been applied. The best subset of interchanges is selected to create a new SM-Cover. From this new SM-Cover the process is repeated until no further variable reduction is achieved (typically a few iterations are required). Once the SMs have been selected, Section 7 will describe how the actual binary codes are assigned to each place.

6.2 Individual SM selection Since each place is represented by a separate boolean variable, the total number of variables required to encode the PN (denoted NT(N )) is equivalent to its places jPj (at this point the SM-Cover is empty). Two main operations may modify the number of variables required for the encoding: adding and eliminating SMs from the SM-Cover. Every time a SM Si is added to the SM-Cover, a set of places Pinew is newly covered, while the set of places Picov was already covered by other components in the SM-Cover. The set of newly covered places should be assigned binary codes using a logarithmic number of variables to determine in which place is located the token. By adding Si to the SM-Cover the number of variables NT(N ) decreases by jPinew j and increases by dlog2 (Pinew )e, i.e. the variable reduction obtained by adding a component is ADD(Si; SM-Cover) = jPinew j ? dlog2(Pinew )e ; where the set of newly covered places Pinew can be computed as:

Pinew = fp 2 Pi : 6 9Sj 2 SM-Cover; i 6= j such that p 2 Pj g : Note that the set of newly covered places Pinew will be uniquely assigned to Si in order to know which places will be uncovered if Si is removed from the SM-Cover. This set of places will be uniquely allocated to the SM component Si . Now, each time a SM Si is removed from the SM-Cover the number of variables NT(N ) is increased by jPinew j and decreased by dlog2 (Pinew )e, i.e. the variable reduction increase obtained by eliminating a SM component is SUB(Si; SM-Cover) = dlog2 (Pinew )e ? jPinew j : 18

select SM-Cover SM-Cover := SM-Set :=

repeat

(N)

;;

f

compute SM Components (N);

k be the index of the internal iteration Gk be the variable reduction (gain factor) at iteration k // S-MAXk be the component that maximizes Gk at iteration k let G0 := 0; let k := 1; //

//

let

SM-Covera := SM-Cover; //temporal copy of the SM-cover

Set all components as non-moved

repeat foreach (non-moved SM-Component Si 2 SM-Set) do if (Si 2 SM-Covera ) then D(Si ) := SUB (Si; SM-Cover); else D(Si ) := ADD(Si ; SM-Cover); //add to the cover S-MAXk := non-moved

Si : 8Sj 2 SM-Set D(Si ) > D(Sj );

if (S-MAXk 2 SM-Covera ) remove else add S-MAXk to SM-Covera ;

Gk

:=

until(all

//eliminate from the cover

//best local interchange

S-MAXk from SM-Covera ; //apply the interchange

Gk?1 + D(S-MAXk ); k + +;//update the

gain factor

SM-Components have been moved);

//Now the best subset of interchanges is applied

let k := 0; let Gmax := maxk Gk ; //best sequence of interchanges while (Gk 6= Gmax ) do //apply the interchanges to the if (S-MAXk 2 SM-Cover) remove S-MAXk from SM-Cover; else add S-MAXk to SM-Cover;

SM-Cover

k + +;

g

until(G0 = Gmax ); return SM-Cover;

//no further gain is achieved

Figure 8: Fiduccia&Mattheyses based algorithm for SM-Cover selection. When a SM component such that all its places have been already allocated is added into or removed from the cover, no variable reduction or increase is obtained. Therefore, SMs without uncovered places will no be further explored. The SM-Cover selection algorithm is shown in Figure 8. The procedure compute SM Components should provide the necessary SMs from which the SM-Cover will be selected (SM-Set). The selection algorithm consists mainly of two repeat loops. The outermost loop will generate dierent SM-Covers with progressively reduced variable cost. The internal loop will explore a particular SM-Cover, adding or removing SMs from it in order to generate a new SM-Cover requiring less variables. For each generated SM-Cover the variable increase/decrease due to adding or removing each SM component is analyzed, generating a sequence of interchanges with cost Gk . At each step the SM that provides a better variable decrease is selected (S-MAXk ). Once all SMs have been analyzed, the subset of interchanges that maximizes the cost function Gmax is actually applied in order to create a new SM-Cover. This process may leave places not covered by the SM-Cover. In fact, as we have previously mentioned, only some subclasses of PNs are guaranteed to have SM decompositions covering all its places [10]. 19

6.3 Example (cont.) In order to illustrate the proposed encoding scheme we will use as example the PN depicted in Figure 6. Recall that the dense encoding scheme based on the analysis of individual SMs required 10 variables, while the improved technique reduced this number to 6. The proposed algorithm requires two external iterations until convergence is achieved. Figure 9 condenses the rst iteration; the second just detects that no further improvement can be achieved. Columns G and NT denote the gain factor at each iteration and the total number of variables required for the encoding respectively. Each row describes an internal iteration with the selected interchange remarked. After all internal interchanges are completed (one per SM), the following row indicates the selected SM-Cover and its cost. Along the rst iteration SM1 is added to the SM-Cover eliminating 4 sparse variables and adding 2 binary variables (overall reduction of 2 variables). Then, adding SM3 allows a further reduction of 2 variables because eliminates 4 sparse variables (not previously covered by SM1) and adds 2 binary variables. Then, SM2 and SM4 will be added obtaining a further reduction of one variable for each SM. Finally, after the addition of both SM5 and SM6 an additional reduction of 2 variables is generated because both places p5 and p4 (that remain uncovered) can be expressed as combinations of the already encoded places and therefore do not require extra variables. The best result after the rst iteration gives a SM-Cover composed by all SMs and requiring 6 variables. The second iteration will detect that no further improvement is possible and will return the best solution obtained so far. In this example the Fiuducca-Matteyses technique behaves as a greedy algorithm, always taking the best SM at hand. However, on practical examples a few number of iterations (until convergence is reached) may still improve the results. NT 14 12

G 0 2

10

4

9

5

8

6

7

7

6

8

6

8

SM-Cover = ; ADD SM1 D= 4-2 =2

Covered places ADD SM2 D= 4-2 =2 ADD SM2 D= 2-1 =1 ADD SM2 D= 2-1 =1

ADD SM3 D= 4-2 =2 ADD SM3 D= 4-2 =2

ADD SM4 D= 4-2 =2 ADD SM4 D= 2-1 =2 ADD SM4 D= 2-1 =1 ADD SM4 D= 2-1 =1

SM-Cover = fSM1 ; : : : ; SM6 g

ADD SM5 D= 5-3 =2 ADD SM5 D= 4-2 =2 ADD SM5 D= 2-1 =1 ADD SM5 D= 1-0 =1 ADD SM5 D= 1-0 =1

ADD SM6 D= 5-3 =2 ADD SM6 D = 3-2 =1 ADD SM6 D = 2-1 =1 ADD SM6 D = 2-1 =1 ADD SM6 D = 1-0 =1 ADD SM6 D = 1-0 =1

p1 ; p2 ; p6 ; p8 p1 ; p2 ; p6 ; p8 ; : : : ; p10 ; p12 ; p14 p1 ; : : : ; p3 ; p6 ; : : : ; p10 ; p12 ; p14 p1 ; : : : ; p3 ; p6 ; : : : ; p14 p1 ; : : : ; p3 ; p5 ; : : : ; p14 p1 ; : : : ; p14 p1 ; : : : ; p14

Figure 9: SM selection process for the dining philosophers example.

20

7 Binary code assignment Once the number of variables required to encode the PN have been derived it is necessary to assign particular binary codes to each place. The main goal when assigning codes is to minimize the overall eort that must be carried out each time a transition is red. This computational eort can be measured as the switching activity which is proportional to the Hamming distance between the binary codes assigned to places that are adjacent in a SM component. In this section we start by de ning the switching activity in an encoded PN. Then, we present a methodology to assign binary codes to places in such a way that the switching activity is minimized. We describe an heuristic algorithm to perform the code assignment in short computation times.

7.1 Encoding activity Evolving from one marking M1 to another marking M2 by ring a transition t can be see as a transformation from the binary code of M1 to the binary code of M2 . This transformation implies switching some variables from 0 to 1 and vice versa. The total number of variables that must be switched corresponds exactly to the Hamming distance between both codes E (M1 ) and E (M2). The objective the proposed encoding process is to minimize the total amount of switching for the PN. In order to be able to compare the switching eort required for dierent code assignments we introduce a normalized cost function that approximates the average number of variables switching per transition |the switching activity. Note that the exact activity depends on the exact number of times a transition is red, but this information is not available before constructing the reachability graph. The switching activity for a particular encoding and code assignment is computed as the average number of variables that switch per transition ring (where the distance dH between codes is their Hamming distance), i.e. P d (Q  E (p); Q  E (p)) p2t t A(N ) = t2T H p2 jT : (7) j

where E (p) is the total encoding function of the place in the PN. As an example, the switching activity for the PN in Figure 1 given the place encoding suggested in Figure 2 is computed as: A(N ) = [(dH (E (p1); E (p2)E (p3)) = 2) + (dH (E (p1); E (p4)E (p5)) = 2)+ (dH (E (p2); E (p6)) = 1) + (dH (E (p4); E (p6)) = 1)+ (dH (E (p3); E (p7)) = 1) + (dH (E (p5); E (p7)) = 1)+ (dH (E (p6)E (p7); E (p1)) = 4)]=7 = 12=7 = 1:7

7.2 Minimum distance code assignment Every place pj in a SM component Si of the selected SM-Cover should be assigned a binary code, that will be denoted ESi (pj ). This code should be unique with respect the rest of places encoded in the same SM component according to Equation 6. The combination of codes assigned to a place pj in every SM component will de ne its true code. However, in some cases the marking of pj is also indirectly determined by the marking of other places 21

(see Section 5.5). Therefore, the true code of a place cannot be simply computed as the conjunction of the codes ESi (pj ) used in the SM components that include pj . This section presents a code assignment mechanism for individual SM components based on the generation of Gray code sequences. The derivation of the true code of a place will be described in Section 8. A Gray code sequence is a set of binary codes of xed length, in which contiguous numbers have only one bit dierence. A formal de nition of a Gray code sequence is as follows [12]: Let N1 = 0; 1 and Nk = n0 ; n1; : : :; n2k ?1 . We form Nk+1 by rst preceding all members of the sequence Nk by 0, then repeating Nk with the order reversed and all members preceded by 1. In other works, Nk = 0n0 ; 0n1; : : :; 0n2k?1 ; 1n2k ?1 ; : : :; 1n1; 1n0 : For example, if N2 = 00; 01; 11; 10, then N3 = 000; 001; 011; 010; 110; 111; 101; 100. Clearly this construction ensures that consecutive elements of a Gray code sequence dier in exactly one bit. The proposed methodology is based on performing the code assignment of each SM component in the SM-Cover by a two step algorithm: 1. Assign consecutive codes in a Gray sequence to adjacent places in the SM component Si . The assignment must guarantee that all places in the set Pinew have dierent codes in order to conform with Equation (6). 2. Apply an iterative improvement of the initial assignment by interchanging binary codes, in order to eliminate the de ciencies of the initial greedy step. Again, any code interchange must guarantee that Equation (6) is satis ed. The code assignment algorithm for a given SM component is depicted in Figure 10. The algorithm generates a Gray sequence of binary codes according to the number of places that must be encoded. First, consecutive codes in the sequence are assigned to adjacent places in Pinew so that Equation (6) is guaranteed. A second step assigns the same codes to the rest of places in Picov . In that case, the same code may be assigned to dierent places without aecting Equation (6). Assigning consecutive codes to adjacent places reduces the switching activity. However, the existence of places with multiple successors and places that are already encoded may prevent getting an optimal result. For that reason, the function swap gray sequence improves the code assignment generated after the rst part of the algorithm. This function iteratively checks all interchanges of codes that guarantee Equation (6), taking the one that provides the best activity reduction. The process is repeated until no further reduction is obtained.

7.3 Example (cont.) The currently used one-hot sparse encoding schemes generally produce high levels of switching activity. For the example in Figure 6, we have 10 transitions, with a total amount of 32 variables switching. This values give an average activity of 3:2 bits per transition. Figure 6 describes a binary code assignment in which the switching activity at each SM is minimized. The total switching activity cannot be determined yet, because the total codes for each place still have to be computed (see Section 8). 22

code assignment (Si ) f foreach ( p 2 Pi ) do ESi (p) = 1;

gray sequence assignment (p1 ,Si ) f ESi (p1 ) = next gray code(); set place p1 as assigned; p2 = get non assigned successor(p1 ; Si ); if (p2 exists) then gray sequence assignment (p2,Si );

set all places as non-assigned;

generate gray sequence (jPinewj);

Pinew p 2 Pinew ) do gray sequence assignment (p,Si); //Reuse codes to places in Picov reset gray sequence (); foreach (non-assigned p 2 Picov ) do gray sequence assignment (p,Si); //Assign unique codes to places in

foreach

(non-assigned

g

swap gray sequence (Si ) f

do foreach (pair p1 and p2 in Pi ) do if valid code interchange (p1 ,p2 ) then

//Random place code interchange

g

switching activity reduction (p1 ,p2); store best interchange (p1 ,p2); apply best interchange ();

swap gray sequence (Si );

g

while

(activity reduction);

Figure 10: Algorithm for the binary code assignment of individual SM components.

8 Symbolic Model Checking This section describes how the characteristic functions for places and transition functions are derived. These functions are the basic elements to execute BDD-based symbolic traversal algorithms for the analysis of the PN. First, given the set of SM components selected for encoding and the actual binary codes assigned to each place, we derive the true code or characteristic function of each place. Then, the dynamic behavior of the PN is described by deriving the transition function for each PN transition. Finally, we derive the characteristic functions for the places in Figure 6 using both a diuse and a non-diuse encoding.

8.1 Characteristic functions of places In general, every place p can be covered by several SM components. By using the improved encoding approach presented in Section 5.5, only one of the SMs will be used to encode p, whereas the other SMs will merely assign p a code already used for other places. Let us call Sp the SM used to encode place p and XSp = x1 : : :xk the set of variables used to encode the places of Sp. The characteristic function of place p (markings with p marked) will be the following:

[p] = (XSp = ESp (p))


^

XSp0 = ESp0 (p0 )

p0 6=p: ESp (p)
ESp (p0 )6=;

(8)

Informally, a place p is marked when some of the places with code ESp (p) is marked in Sp ( rst factor of the product) but none of the places which share the same code is marked in their corresponding encoding SMs (the second factor of the product).

8.2 Transition functions 23

SM / place

SM1

SM3

SM2

SM4

variables

x1x2

x3x4

x5

x6

p1 = x1 x2

p9 = x3 x4

p1 = x5

p9 = x 6

p2 = x1 x2

p10 = x3 x4

p3 = x5

p11 = x6

p6 = x1 x2

p12 = x3 x4

p7 = x5

p13 = x6

p8 = x1 x2

p14 = x3 x4

p8 = x5

p14 = x6

Encoding

SM5

SM6

p5 = 1

p4 = 1

Table 1: Non-diuse encoding for the dining philosophers example. SM / place

SM1

SM3

SM2

SM4

variables

x1x2

x3x4

x5

x6

p1 = x1 x2

p9 = x3 x4

p1 = 1

p9 = 1

p2 = x1 x2

p10 = x3 x4

p3 = x5

p11 = x6

p6 = x1 x2

p12 = x3 x4

p7 = x5

p13 = x6

p8 = x1 x2

p14 = x3 x4

p8 = 1

p14 = 1

Encoding

SM5

SM6

p5 = 1

p4 = 1

Table 2: Diuse encoding for the dining philosophers example. Given the encoding for each of the places of a Petri net, we only need now to derive the expressions for the transitions functions to be able to perform a symbolic traversal and calculate the reachability graph. The enabling function Et for each transition t is simply obtained as follows:

Et =

^

p2t

[p]

(9)

Let us now derive expressions for i (X; t), corresponding to variable xi of the encoding. Let us call Si = hP 0; T 0 ; F 0; M00 i the SM using variable xi for encoding. In case t 2 T 0 (covered by Si ), let us call p the output place of t in Si , i.e. fpg = t \ P 0. Thus, the transition function, partially de ned over the markings in which t is enabled, is the following:

8 > > 0 > xi :

if t 2 T 0 and [p] ) xi if t 2 T 0 and [p] ) xi if t 62 T 0

(10)

Informally, the value of xi will not change if t is not covered by Si , and will take the corresponding encoding value of the output place of t in Si otherwise. The transition function for variables corresponding to places not covered by SMs is identical to the one described by Equation (2).

8.3 Toggling activity Moving from one marking M1 to another marking M2 results in switching some variables from 0 to 1 and some variables from 1 to 0. Implementing the ring of one transition with BDD operations can be 24

BDD AND toggle (F ,E ,C ) f

if ( terminal case ) then return result for terminal case; if ( fF , E , C g is in computed-table ) then return pre-computed result; let v be the top variable of f F , E , C g; let u be the top variable of f F , E g; let c be the top variable of f C g; if (c = v ^ c =6 u) then return BDD AND toggle (F ,E ,Cc); T E

:= :=

ITE (Fv ,Ev ,Cv ); ITE (Fv ,Ev ,Cv );

if (c 6= u) then

else

R

:=

R

:=

nd or add unique table (v ,T ,E );

nd or add unique table (v ,E ,T ); insert in computed table (f F , E , C g, R);

g

return (R);

Figure 11: A recursive implementation of the BDD AND toggle operator. reduced to toggling some variables in the BDD. Informally, toggling one variable can be performed by simply interchanging the then and else arcs of the nodes labeled with the variable. We will omit the details on how this is performed. We refer the reader to [27] for a similar approach implemented for BDDs and Zero-suppressed BDDs. The important aspect of this strategy is that minimizing the switching activity for each transition results in a speed-up of BDD operations for that transition. Therefore, one of the goals of the encoding scheme is to minimize the number of toggling bits for each transition. The strategy used in this work is based on using a Gray-like encoding for the places of each SM component in such a way that the ring of a transition will only produce the toggling of one of the variables used to encode the SM. We could think of those operations as divided into two dierent parts: the rst one devoted to calculating the set of markings in which a transition is enabled, and the second one to complement or toggle the variables of predecessor and successor places that must change. Given a BDD representing a logic function, the fact of complementing a set of variables is equivalent to interchanging the and else arcs in each node labeled with one of the variables to complement. In addition, if we represent the set of variables as a cube, we could implement a BDD AND toggle operation as a function that given two BDDs, F and E , and a set of variables C , performs the product E
F 25

[p1] = x1 x2 x5

[p8] = x1 x2 x5

[p2] = x1 x2

[p9] = x3 x4 x6

[p3] = x5 (x1 + x2)

[p10] = x3 x4

[p4] = x1 x3 x6 + x1 x4 x6

[p11] = x6 (x3 + x4)

[p5] = x1 x3 x5 + x2 x3 x5

[p12] = x3 x4

[p6] = x1
x2

[p13] = x6 (x3 + x4)

[p7] = x5 (x1 + x2)

[p14] = x3 x4 x6

Table 3: Non-diuse characteristic functions for the places according to Table 1. and complements the variables in C . The set C is represented as a cube containing the literals to be complemented. Th algorithm in Figure 11 implements the BDD AND toggle operation with exponential complexity as occurred in the ite algorithm described in Figure 4. This complexity can be overcomed in a similar way by keeping the result of each call in a table of computed results. As an example, we can use the BDD AND toggle operation to compute the reachable markings after ring transition t4 (see Figure 6) from a set of markings M (using a non-diuse encoding). The set M should be multiplied by the enabling function of t4 to restrict the computation to those markings that enable t4 ; that is, E = x1
x2
x5 . After ring t4 , place p8 should be marked ([p8] = x1 x2 x5 ), therefore only variable x2 must be complemented; that is, C = x2. The set of reachable markings is computed as M 0 := BDD AND toggle(M; x1x2x5 ; x2).

8.4 Example (cont.) Figure 7 shows all SMs of the PN with the suggested codes to be assigned to each place. As we have seen two possible types of encodings are possible, diuse and non-diuse encodings. The encoding described by Table 1 can be derived for the places of the PN maintaining the one-to-one relation between markings and binary codes (non-diuse encoding). The characteristic function for each place is shown in Table 3. On the other side, the encoding in Table 2 allows the diuse encoding of certain markings. The characteristic function for each place is shown in Table 4. As an example we can derive the binary code assigned to the marking fp1; p4; p11; p12g for both types of encoding. The binary code will be computed as the conjunction of the characteristic functions, i.e [p1]
[p4]
[p11]
[p12]. The proposed non-diuse encoding will assign the code x1 x2 x5
(x1 x3 x6 + x1 x4 x6)
x6 (x3 + x4 )
x3 x4 = x1 x2 x3 x4 x5 x6. Conversely, the proposed diuse encoding will assign the function x1 x2
(x1 x3 x6 + x1 x4 x6 )
x4 x6
x3 x4 = x1 x2 x3 x4 x6 , which does not depend on variable x5. Therefore, two binary codes are assigned to the same marking. Finally, Table 5 presents the enabling functions for all transitions of the PN, and the transitions functions for variable x5 according to the de nitions given by the Equations (9) and (10).

26

[p1] = x1 x2

[p8] = x1 x2

[p2] = x1 x2

[p9] = x3 x4

[p3] = x2 x5

[p10] = x3 x4

[p4] = x1 x3 x6 + x1 x4 x6

[p11] = x4 x6

[p5] = x1 x3 x5 + x2 x3 x5

[p12] = x3 x4

[p6] = x1 x2

[p13] = x4 x6

[p7] = x2 x5

[p14] = x3 x4

Table 4: Diuse characteristic functions for the places according to Table 2. Et1 = x1
x2

5 (X; t1 ) = Et1
x5

Et6 = x3
x4

5 (X; t6 ) = Et6

Et2 = x1
x2
x7

5 (X; t2 ) = Et2

Et7 = x3
x4
x8

5 (X; t7 ) = Et7

Et3 = x5
(x1 + x2)
x8

5 (X; t3 ) = Et3
x5

Et8 = x6
(x3 + x4 )
x7

5 (X; t8 ) = Et8

Et4 = x1
x2
x5

5 (X; t4 ) = Et4
x5

Et9 = x3
x4
x6

5 (X; t9 ) = Et9

Et5 = x1
x2

5 (X; t5 ) = Et5
x5

Et10 = x3
x4

5 (X; t10) = Et10

Table 5: Enabling functions and transition function for variable x5 .

9 Experimental Results The eciency of the proposed encoding technique will be measured in terms of the BDD node count reduction to represent the reachability set of the PNs, and the speed-up for that computation. Two experimental scenarios will be analyzed. First, number of variables, BDD sizes and CPU times are compared between the conventional sparse encoding and the proposed dense encoding schemes. Second, the improvements achieved by using the more dense code representation oered by ZDDs (as proposed by Yoneda et al. [27]) are compared against the dense encoding scheme. CPU times have been obtained by executing the algorithms using the BDD library developed by David Long [19] on a Sun SPARC 20 workstation (128MB).

9.1 Sparse v.s. dense encoding Table 6 shows the experimental results obtained onto a number of scalable PNs (Muller pipeline, dining philosophers and slotted ring protocol) when using both sparse (one variable per place) and dense encoding schemes. Columns labeled V show the number of boolean variables required for each type of encoding. Columns labeled BDD show the nal size of the reachability set. Since it is well known that BDD size strongly depend on variable ordering, no special initial order has been used, while dynamic reordering has been applied at each iteration for both encoding schemes. Columns labeled CPU denote the total computation times for both schemes, including the encoding time itself, which roughly takes 1% of the total computation time in most cases. The results show a variable reduction around 50% and a BDD node reductions ranging from 2 to 4. CPU times are also reduced at least one order of magnitude for muller and slot. Even with the BDD node 27

PN name markings muller-30 6:0  107 muller-40 4:6  1010 muller-50 3:6  1013 phil-5 8:5  104 phil-8 7:8  107 phil-10 7:4  109 slot-5 1:7  106 slot-7 7:9  108 slot-9 3:8  1011

Sparse encoding V BDD CPU 120 4475 585 150 4897 7046 200 t.o. 65 640 2 104 2933 12 130 1689 90 50 492 14 70 807 109 90 t.o.

Dense encoding V BDD CPU 60 1315 32 80 2339 131 100 3651 449 35 155 3 56 373 19 70 425 285 25 131 5 35 239 9 45 400 110

Table 6: Comparison between sparse and dense encoding schemes. PN name DMEspec8 DMEspec9 DMEcir5 DMEcir7 JJreg-a JJreg-b

markings 7:8  105 3:5  106 8:5  105 9:0  107 1:8  106 1:1  105

ZDD [27] V ZDD CPU 137 32178 14 154 71602 39 491 92214 622 687 504324 10205 251 952246 2326 248 181701 42

Dense encoding V BDD CPU 85 1748 12 94 2544 20 249 47952 418 347 394334 7584 122 17874 836 120 24355 397

Table 7: Comparison between ZDD compaction and dense encoding schemes ( CPU times for ZDD usage HP-9000 (120MHz, 650MB)). reduction, the computation time increases for phil. This is produced by the cost of variable reordering, due to an extremely bad initial order for this set of benchmarks. Deriving good initial orders is still an open line of research.

9.2 ZDDs v.s. dense encoding Using ZDDs instead of BDDs allows a more compact representation of data without requiring any special encoding strategy. The results in Table 7 show a number of PNs with BDD and ZDD sizes for the reachability set, and computation times as published in [27]. We have executed those benchmarks in our framework obtaining results for both the sparse and dense encoding schemes. The experimental results show important variable reductions (around 40%) that result in signi cant BDD node reductions compared to ZDDs [27].

10 Conclusions As PNs become more popular in the speci cation, synthesis and analysis of concurrent systems there is an increasing need of manipulating them in an ecient way. This paper has presented an encoding scheme that drastically improves the eciency of symbolic methods for the analysis of PNs. The structural theory is the key basis for this scheme, which allows to immediately identify sets of markings that will never be reachable. This study is based on the identi 28

cation of State Machine components with only one token. The eciency of the encoding scheme lies on the fact that two places in the same State Machine component will never be marked simultaneously. The structural theory of PNs goes beyond the theory of P-invariants and State Machines components. Although the structure is not enough for a detailed analysis of the PN, it provides crucial information that can be eciently combined with symbolic enumeration techniques. The authors are now studying a more general framework that combines the eciency of the structural theory with the accuracy of the symbolic enumeration techniques.

Acknowledgments We thank T. Yoneda for providing the benchmarks used in their work. This work has been supported by the Ministry of Education of Spain (CICYT) under contract TIC 95-0419. On leave to Newcastle University, at the Computer Science Department as 1998 Leverhulme fellow.

References [1] K. S. Brace, R. E. Bryant, and R. L. Rudell. Ecient implementation of a BDD package. In Proc. DAC, pages 40{45, 1990. [2] F. M. Brown. Boolean Reasoning: The Logic of Boolean Equations. Kluwer Academic Publishers, 1990. [3] R.E. Bryant. Graph-based algorithms for boolean function manipulation. IEEE Transactions on Computers, C-35(8):677{691, August 1986. [4] Jerry R. Burch, Edmund M. Clarke, D. E. Long, Kenneth L. McMillan, and David L. Dill. Symbolic model checking for sequential circuit veri cation. IEEE Trans. on CAD, 13(4):401{424, 1994. [5] J. Cortadella, M. Kishinevsky, L. Lavagno, and A. Yakovlev. Synthesizing Petri Nets from StateBased Models. In Proc. ICCAD, pages 164{171. IEEE Computer Society Press, November 1995. [6] J. Cortadella, L. Lavagno, and Ellen Sentovich. Logic synthesis techniques for embedded control code optimization. In Proc. Int. Workshop on Logic Synthesis, 1997. [7] O. Coudert, C. Berthet, and J. C. Madre. Formal boolean manipulations for the veri cation of sequential machines. In Proc. EDAC, pages 57{61, March 1990. [8] J. Desel and J. Esparza. Free Choice Petri Nets. Cambridge University Press, Cambridge, Great Britain, 1995. [9] C.M. Fiduccia and R.M. Mattheyses. A linear time heuristic for improving network partitions. In Proc. DAC, 1982. [10] M. Hack. Analysis of production schemata by Petri nets. M.s. thesis, MIT, February 1972. 29

[11] Kiyoharu Hamaguchi, Hiromi Hiraishi, and Shuzo Yajima. Design veri cation of asynchronous sequential circuits using symbolic model checking. In International Symposium on Logic Synthesis and Microprocessor Architecture, pages 84{90, July 1992. [12] John P. Hayes. Introduction to Digital Logic Design. Addison Wesley, 1996. [13] B. W. Kernighan and S. Lin. An ecient heuristic procedure for partitioning graphs. Bell System Technical Journal, 49:291{307, February 1970. [14] M. Kishinevsky, J. Cortadella, A. Kondratyev, L. Lavagno, Alex Taubin, and A. Yakovlev. Coupling asynchrony and interrupts: Place chart nets and their sinthesys. In 18th Int. Conf. on Application and Theory of Petri Nets, volume 1248 of LNCS, pages 328{347. Springer-Verlag, June 1997. [15] A. Kondratyev, J. Cortadella, M. Kishinevsky, E. Pastor, O. Roig, and A. Yakovlev. Checking signal transition graph implementability by symbolic BDD traversal. In Proc. EDAC-ETC-EuroASIC, pages 325{332, Paris, March 1995. [16] K. Lautenbach. Linear algebraic techniques for place/transition nets. In W. Brauer, W. Reisig, and G. Rozenberg, editors, Petri Nets: Central Models and Their Properties, Advances in Petri Nets 1986, volume 254 of LNCS, pages 142{167. Springer-Verlag, 1987. [17] C. Y. Lee. Representation of switching circuits by binary-decision programs. Bell Technical Journal 38, pages 985{999, 1959. [18] H-T. Liaw and C-S. Lin. On the OBDD representation of generalized boolean functions. IEEE Trans. on Comp., 41(6):661{664, June 1992. [19] David E. Long. A binary decision diagram (BDD) package, June 1993. Manual page. [20] E. J. McCluskey. Minimization of boolean functions. Bell Syst. Technical Journal, (35):1417{1444, November 1956. [21] G. Memmi and G. Roucairol. Linear algebra in net theory. In W. Brauer, editor, Net Theory and Applications, volume 84 of LNCS, pages 213{223. Springer-Verlag, 1980. [22] Tadao Murata. Petri nets: Properties, analysis and applications. Proceedings of the IEEE, 77(4):541{ 574, April 1989. [23] E. Pastor and J. Cortadella. Ecient encoding schemes for symbolic analysis of petri nets. In Proc. Design, Automation and Test in Europe, pages 790{795, Paris (France), February 1998. [24] E. Pastor, O. Roig, J. Cortadella, and R. M. Badia. Petri net analysis using boolean manipulation. In 15th Int. Conf. on Application and Theory of Petri Nets, volume 815 of LNCS, pages 416{435. Springer-Verlag, June 1994. [25] O. Roig, J. Cortadella, and E. Pastor. Veri cation of asynchronous circuits by BDD-based model checking of Petri nets. In 16th Int. Conf. on Application and Theory of Petri Nets, volume 935 of LNCS, pages 374{391, Torino, June 1995. Springer-Verlag. 30

[26] H. Touati, H. Savoj, B. Lin, R. K. Brayton, and A. Sangiovanni-Vincentelli. Implicit enumeration of nite state machines using BDD's. In Proc. ICCAD, pages 130{133, November 1990. [27] T. Yoneda, H. Hatori, A. Takahara, and S. Minato. BDDs vs. Zero-Suppressed BDDs: for CTL symbolic model checking of petri nets. In Proc. of Formal Methods in Computer-Aided Design, volume 1166 of LNCS, pages 435{449. Springer-Verlag, 1996.

31