Improved Region Based TCTL Model Checking of ...

Improved Region Based TCTL Model Checking of Time Petri Nets Mohammad Esmail Esmaili

Reza Entezari-Maleki

Ali Movaghar

Department of Computer Engineering, Sharif University of Technology, Tehran, Iran

Department of Computer Engineering, Sharif University of Technology, Tehran, Iran

Department of Computer Engineering, Sharif University of Technology, Tehran, Iran

[email protected]

[email protected]

[email protected]

The most important challenge in region based abstraction method as one of the approaches to compute the state space of Time Petri Net (TPN) models for model checking is that the method results in huge number of regions causing state explosion problem. Hence, region based abstraction method is not appropriate to be used in developing practical tools. To overcome this shortcoming, this paper applies a modification to the basic region abstraction method to be specially used for computing the state space of TPN models, so that, the number of regions becomes less than the situations in which the existing methods are applied. Therefore, the proposed approach can be used in practical applications and tools since it does not show state explosion. The proposed approach is based on the special features of TPN that enables us to construct very suitable and small region graph which preserves time properties of TPN. To achieve our goal, we extend TPN-TCTL as a timed extension of CTL for specifying a subset of properties on TPN models. Afterward, for model checking TPN-TCTL properties on TPN models, by translating TPN-TCTL to the equivalent CTL, CTL model checking is used on TPN models. Finally, we compare our proposed method with the previously proposed region based abstraction methods for TPN considering the number of regions resulting from the methods.

1 Introduction Formal methods are most popular techniques for modeling and verification of real time systems. Because of importance of real time systems in critical applications, verification of these systems has been addressed by many research papers in last decades. One of the most successful formal methods is model checking which tries to verify a property of a system expressed in temporal logic upon a model of the system which shows the behavior of the system. Time dependent models are generally exploited to model time features of time systems. In order to specify the property of behavior of time systems, time temporal logic is used. Several models have been proposed for modeling time systems such as Timed Automata (TA) [3, 4] and Time Petri Net (TPN) [20, 23]. In TA as one of the most popular and applicable models which has been generated by extending -automata, time can be presented by a real variable called clock [3, 4]. However, TPN is an extension of Petri Nets for modeling time systems in which time feature is demonstrated by a time interval. The two main timed extensions of Petri Nets are Time Petri Net (TPN) [20] and Timed Petri Net (TdPN) [23]. TPN, for any transition, assigns a time interval that a transition can fire in this interval, but in TdPN, each enabled transition fires upon passing the given duration as soon as possible. Therefore, TPN is a general concept compared to TdPN which makes it most popular and compatible approach for modeling the behavior of time systems. In both models, time interval can be assigned to places (P-TPN, P-TdPN), transitions (T-TPN, T-TdPN)

M. E. Esmaili, R. Entezari-Maleki, & A. Movaghar

2

or arcs (A-TPN, A-TdPN). Here, we consider the extension of TPN in which the time is assigned to transitions (T-TPN). In recent years, several major abstraction methods have been proposed to compute the state space of TA [7]. Two main methods are region based abstraction [3, 4, 5] and zone based abstraction [5, 14, 17]. Region based methods are based on constructing region graph according to equivalence class relation which tries to partition the state space of clock variable's valuations into finite number of segments called regions. Afterwards, using the regions, a transition system with finite number of states can be constructed and verified against the property expressed in TCTL by translation to corresponding CTL on the transition system [2, 6, 24]. Zone based methods construct zone graph at which each zone groups several regions, so each zone contains valuation of clock variables that satisfies a clock constraint in which the corresponding zone expressed by it [14, 17]. Two main approaches can be found in literature for model checking of TPN. The first approach is translating TPN model into a TA model [11, 13, 18, 19], and the second one is directly computing the state space of the TPN model [8, 9, 15, 26]. Since using continuous time firing interval for transitions in a TPN generates infinite state space, abstraction methods are used to represent the state space of a TPN in a finite manner. In order to compute the state space of a TPN, there are three major abstraction methods: state class, region based and zone based. The state class method defines a graph in which each node shows a state class containing a special marking and firing domain of transitions enabled in the state class [8, 9]. Region and zone based methods in TPN context are the same methods defined for TA where use possible clock valuation of transitions for constructing a finite number of states. In [16], the state class based abstraction method was used for on-the-fly model checking of a subset of TCTL properties. In [21, 25, 26], the region graph of the TPN model was exploited to TCTL model checking of TPN. In order to reduce the state space of TPN, a partial order reduction algorithm has been proposed in [25]. A zone based approach has been used for computing the state space of TPN in [10, 15]. In [22], the proposed methods for model checking temporal properties on TPN and TA have been studied comprehensively. The most important challenge in region based abstraction methods is that these methods generate very large number of regions causing state explosion. Hence, region based abstraction methods are not suitable methods to be exploited in practical model checking tools. Similar to TA, region based abstraction methods for TPN also result in huge number of regions which causes state explosion .To overcome this shortcoming, this paper proposes a modified region based abstraction method to compute the state space of TPN models, so that the number of regions is more less than the existing methods which makes it possible to be used in practical applications and tools. The proposed approach is based on the distinguished feature of TPN against TA that enables us to construct very suitable and small region graph which preserves time properties of TPN. Furthermore, we use TPN-TCTL logic [10, 16] as an extension of TCTL [1, 2] for specifying the subset of properties on TPN model. Due to the nature of the TPN models, we try to define region graph more effectively in which nonessential regions are integrated into a region, so that, the graph obtained from the proposed method is much smaller than the graphs resulted from current region based approaches. The main idea is based on two specific features of TPN models: (1) since transitions of a TPN are enabled and disabled in specific times, it suffices to consider the time value of the clock variables of enabled transitions only during their enabling period, and (2) in the consecutive regions in which there is no possibility to change the marking, and also, in all consecutive regions in which just one single specific transition can fire, we can group these regions into a single region with a single time interval obtained by combining the value of each clock in all its related regions. Hence, merging the aforementioned regions, the

3

Improved Region Based TCTL Model Checking of Time Petri Nets

resulting region graph will have a smaller number of regions, and consequently, the state space of a TPN model can be represented by a fewer number of states. The rest of the paper is organized as follows. In Section 2, some preliminaries required to explain the proposed abstraction method are given. In Section 3, the proposed approach for region-based state space abstraction of TPN models is introduced. In Section 4, TPN-TCTL which is based on TCTL is introduced for TPN model to specify the time properties, and then, its semantic is defined by means of a transition system. Moreover, the results of applying the proposed method to the several models to compute the number of regions are given in Section 4. Finally, Section 5 concludes the paper and presents some guidelines for future work.

2 Preliminary In this section, some background information related to TA and TPN which is required to be able to explain the proposed idea are given. Because of the lack of space, only the important definitions and concepts are introduced here. For more comprehensive information please see [3, 4, 5, 7, 20, 22, 23].

2.1 Timed Automata Definition 1. A Timed Automat (TA) is an 8-tuple

where:

   

L is a finite set of locations (states), Act is a finite set of actions, C is a finite set of real-valued clock variables, is a finite set of transitions where is a transition from location to location with the clock constraint (guard) , the action and a set of clock variables that must be reset,  is a finite set of initial locations,  is invariant-assignment function that for each location assigns a clock | | | | constraint over clocks which is defined as | , where and ,  is a finite set of atomic propositions, and  is a labeling function for each location. Moreover, we can define clock valuation function as that for all clocks assigns their current value . The semantic of a TA can be defined as a timed transition system.

2.2 Semantics of TA Definition 2. Let System (TTS)   

, the semantics of TA is a Timed Transition , where:

is a finite set of states, is a finite set of initial states, is transition relation including discrete and continuous transitions which are defined as follows. - Discrete transition: for all by Eq. (1).

, discrete transition

is defined

M. E. Esmaili, R. Entezari-Maleki, & A. Movaghar

4

[

{

- Continuous transition: for all defined by Eq. (2).

]

(1)

, continuous transition

is

{

(2)

2.3 Region Based TCTL Model Checking of TA As mentioned, there have been proposed two general abstraction methods for computing the state space of a TA; region based and zone based methods. The region based method is based on the concept of equivalence class. The basic idea in this approach is constructing a finite transition system from a TA in which the states are equivalence classes of the states in the related TA [3, 4]. Therefore, region graph is defined by the following definitions. Definition 3. Let ⌊ ⌋ and fract(x) denote the integral and fractional parts of clock x, respectively, and denote the largest constant that clock x is compared to it in TA. Hence, clock valuations and are clock equivalent, denoted by , iff the following conditions are hold: 1. For all

⌊

,

2. For all

⌋

⌊

⌋

⌊

,

⌊ (

, (

iff

⌋

)

(

)

(

)

) (

3. For all

⌋

)

iff

(

)

Definition 4. After defining equivalence class, , a clock region denoted by [v] is defined by all clock | valuations belonging to the same equivalence class, [ ] { . Each region can be represented by specifying: 1. For each clock {

, one clock constraint from the set |

{

2. For each pair of clocks x and y, such that part of clocks are considered as following sets:

|

{ and

(3) in (1), fractional

{ { { In order to represent the behavior of a TA as a transition system, each state is shown as [ ] [ ] . The resulting pair , and state region is defined as [ ] { | regions changes by passing the time. So, the concept of successor region is defined for computing consecutive regions so that the time continuity is preserved [3, 4, 5].

5

Improved Region Based TCTL Model Checking of Time Petri Nets

Definition 5. The successor region of is

, if (5)

Also, successor state can be defined as . Now, we can define a Region Transition System (RTS) in which each state includes a state region [3, 4, 5]. To check TCTL properties on RTS obtained from a TA, we need to translate TCTL to the corresponding CTL by eliminating timing constraints in TCTL in which all timed properties have been preserved [2, 6, 24].

2.4 Time Petri Net   Definition 6. A Time Petri Net (TPN) is a 7-tuple , where P is a finite set of   places, T is a finite set of transitions, and where N denotes natural numbers are backward and forward incidence mappings, respectively, is the initial marking, is the earliest firing time of transitions (EFT), and finally { is the latest firing time of transitions (LFT).

The semantics of a TPN is also defined by a TTS. Before defining the related TTS, we need to define several concepts. The marking M in TPN is defined by an element of in which for each , M(p) denotes the number of tokens in place p. The transition is enabled in marking M,  if ; where the number of tokens in marking M satisfies the condition required for each place  in . Also, newly enabled transition after firing transition in marking M which is denoted by is defined as follows. 









To demonstrate elapsing of time for transitions, is defined valuation function expresses the time elapsed since transition has been last enabled.

(6) in which

2.5 Semantics of TPN Definition 7. The semantics of a TPN is , where is a set of infinite states, is an initial state that includes initial marking and zero value of all enabled transitions in M0, and is transition relation including discrete and continuous transitions as follows. 

Discrete transition: for all following conditions hold:

, discrete transition 

is defined if the



(7) { 

{

Continuous transition: for all follows. {

, continuous transition

[

]



is defined as

(8)

M. E. Esmaili, R. Entezari-Maleki, & A. Movaghar

6

3 The Proposed Abstraction Method We propose an abstraction method to compute the state space of TPN models which is based on region approach. We try to use the region method efficiently according to the special features of TPN models compared to TA models. To achieve this, several modifications are applied to the region based abstraction method used in TA for decreasing the number of regions. Following, we describe our proposed method step-by-step by defining some concepts. Definition 8. The state space of a bounded TPN can be defined as a TTS in which each state is shown as where M is a special marking among all finite markings obtained from the related bounded TPN, and V is the clock valuation of all enabled transitions in marking M. In order to demonstrate all possible states of a TPN model finitely, clock equivalence is used as described in Definition 3. It turns out that the clock valuation of enabled transitions in marking M should be only considered in definition of regions. Therefore, the concept state regions are defined as Eq. (9) by paying attention to the Definition 4. [ ]

[

{ |

]

{

{

|

|

[ ]

(9)

In a sequence of consecutive regions in which changing the marking is not possible and in consecutive regions in which only a single specific transition can fire, we can merge these regions into a single merged region. A merged region is expressed by a time constraint which obtained by merging clock valuations of all regions that merged. Hence, a merged region with length k includes k consecutive regions which ensures marking will not change. Definition 9. Let

{

denote the k-th region after region

⏟

(

which is denoted by

)

if

(10)

Therefore, a merged region with length k where the first region is is defined as Hence, in a merged region with length k, the clock valuation of each ⋃ transition can be represented by one of the following clock constraints. 1.

shown as interval where in the first region, is represented by clock , and in the last region, is represented by clock constraint and . 2. shown as interval [ where in the first region, is represented by clock constraint , and in the last region, is represented by clock constraint and . 3. shown as interval ] where in the first region, is represented by clock constraint , and in the last region, is represented by clock constraint and . 4. shown as interval [ ] where in the first region, is represented by clock constraint , and in the last region, is represented by clock constraint and . constraint

7

Improved Region Based TCTL Model Checking of Time Petri Nets

The fractional parts of clocks are also considered in each merged region. For example, a merged region expressed by has the length , and can be computed by getting union of regions , , , and . The distinguished features of TPN models considered in our work for decreasing the number of regions are listed as follows. 1. In a sequential sequence of transitions in a TPN model, where in each marking only a single transition is enabled and no transition can enable before firing its previous transition, it is obvious that the marking does not change before the earliest firing time of the enabled transition. For example, at Figure 1 that represents a small part of a TPN model, marking is hold in the interval [0, 2). To represent this, we can define a single merged region in which clock valuation of corresponding transition is expressed as domain [0, 2) . Also, for firing this transition, a merged region can be defined in which clock valuation of a transition is represented by clock constraint that is equal to the firing interval of the transition. Therefore, each state of a TPN at which only a single enabled transition can fire, it is possible to express clock valuation of an enabled transition by a merged region. So, we use the time interval demonstrating minimum and maximum possible times for changing clock valuations. [

]

𝑚𝑖

𝑚𝑗

Figure 1: A small part of a TPN model with a single enable transition

2. In TPN models, when several transitions are enabled in a special marking, before minimum EFT of these transitions, marking cannot change. This circumstance can be declared by a single merged region in computing the state space of the corresponding TPN. Also, the several concurrent enabled transitions can fire one-by-one in which firing a transition, a new marking is obtained that can be shown by a new region. For example, in Figure 2, three transitions are enabled in marking . It is obvious that marking in time interval (0, 1] cannot change. In interval (1,2], only transition t0 can fire which can be expressed by a single merged region, but in interval (2,4) in which two transitions t1 and t2 can fire at any moment, we should consider all possible base regions as Definition 4. Finally, in interval [4, 5] which can be represented by a single merged region, transition t1 should fire. [

]

𝑡

𝑚𝑖

]

𝑚

𝑡

𝑡

𝑚𝑗

𝑚𝑘

Figure 2: A small part of a TPN model with three concurrent transitions

M. E. Esmaili, R. Entezari-Maleki, & A. Movaghar

8

3.1 Region Transition System for TPN Now, we can compute all regions of a TPN model as finitely in which all clock valuations of transitions in the TPN are represented by regions. There exist two types of regions; base region as Definition 4, and merged region as Definition 9. For merged region, we can define state merged region in which clock valuation of transitions belong to one of its regions: [ ]

{

{

|

|

(11)

Subsequently, we compute the state space of a TPN model as a Region Transition System (RTS) in which each state is a state region or state merged region. Definition 10. The state space of a Region Transition System   





can be defined as a

, where:

S is a finite set of states, each is formed as where M is a marking and r is a region (base or merged region). [ ] where is the initial state as is initial marking in TPN, and [ ] is a region { | where . is transition relation including discrete and continuous transitions defined as follows. -

Discrete transition: for all , discrete transition the conditions listed in Eq. (12) are hold.   * *

{

is defined if all

(12)

* -

Continuous transition: for action , in continuous transition , region is a base or merged region specified by considering aforementioned features described for all sequential and concurrent parts of TPN. In a sequential part of a TPN, only a single transition is enabled in each marking, and in a concurrent part, several transitions can fire simultaneously at a specific marking. Continuous transition is used to move from one state to another state when actually no transition fires in that state. All details for computing the regions are given in the following subsections.

To construct RTS, we propose an algorithm as shown in Figure 3 where for each state, its region is directly computed using successor region according to Definition 9.

3.2 The Proposed Algorithm to Construct RTS The RTS obtained from a TPN model depends on the structure of the TPN. All the regions resulted from the proposed algorithm by applying depth first search can be computed from the initial state which includes the initial marking of TPN model. Figure 3 shows the proposed algorithm.

9

Improved Region Based TCTL Model Checking of Time Petri Nets

1. 𝑹𝑻𝑺 𝒔 𝑺𝒕𝒂𝒕𝒆 2. { {𝑡𝑖 𝑡 𝑒𝑛 3. 𝐼𝑓 𝐸𝑛𝑎𝑏𝑙𝑒𝑑 𝑠 𝑀 / |𝑇| / 4. 𝐼𝑓 𝑥𝑖 𝛼 𝑡𝑖 5. k= 2* (𝛼 𝑡𝑖 𝑈𝐵 𝑥𝑖 6. 𝑠 𝑁𝑒𝑤𝑆𝑡𝑎𝑡𝑒 𝑠 𝑀 𝑀𝑒𝑟𝑔𝑒𝑑𝑅𝑒𝑔𝑖𝑜𝑛 𝑠 𝑟 𝑘 7. 𝑎𝑑𝑑𝑒𝑑𝑔𝑒 𝑠 𝜏 𝑠 8. k= 2* (𝛽 𝑡𝑖 𝛼 𝑥𝑖 9. 𝑠 𝑁𝑒𝑤𝑆𝑡𝑎𝑡𝑒 𝑠 𝑀 𝑀𝑒𝑟𝑔𝑒𝑑𝑅𝑒𝑔𝑖𝑜𝑛 𝑠 𝑟 𝑘 10. 𝑎𝑑𝑑𝑒𝑑𝑔𝑒 𝑠 𝜏 𝑠 11. 𝑠 𝑁𝑒𝑤𝑆𝑡𝑎𝑡𝑒 𝑁𝑒𝑥𝑡 𝑠 𝑀 𝑡𝑖 𝑠𝑢𝑐𝑐𝑒𝑠𝑠𝑜𝑟 𝑠 𝑟 | 𝑥𝑗 𝑡𝑗 𝑒𝑛𝑎𝑏𝑙𝑒𝑑 𝑠 𝑀 𝑡𝑖 12. 𝑎𝑑𝑑𝑒𝑑𝑔𝑒 𝑠 𝑡𝑖 𝑠 13. 𝑅𝑇𝑆 𝑠 14. 𝐸𝑙𝑠𝑒 /* create edge for firing transitions 𝑡𝑖 */ 15. 𝑠 𝑁𝑒𝑤𝑆𝑡𝑎𝑡𝑒(𝑁𝑒𝑥𝑡 𝑠 𝑀 𝑡𝑖 𝑠𝑢𝑐𝑐𝑒𝑠𝑠𝑜𝑟 𝑠 𝑟 | 𝑥𝑗 𝑡𝑗 𝑒𝑛𝑎𝑏𝑙𝑒𝑑 𝑠 𝑀 𝑡𝑖 {𝑥𝑘 𝑥𝑘 | 𝑡𝑘 𝑖 {𝑥𝑙 | 𝑡𝑙 𝑒𝑛𝑎𝑏𝑙𝑒𝑑 𝑠 𝑀 𝑡𝑖 𝑑𝑖𝑠𝑎𝑏𝑙𝑒𝑑 𝑠 𝑀 𝑡𝑖 16. 𝑎𝑑𝑑𝑒𝑑𝑔𝑒 𝑠 𝑡𝑖 𝑠 17. 𝑅𝑇𝑆 𝑠 /* create 𝜏 transitions for elapsing time 𝑘 k= 2* (𝛽 𝑥𝑖 𝑈𝐵 𝑡𝑖 𝑠 𝑁𝑒𝑤𝑆𝑡𝑎𝑡𝑒 𝑠 𝑀 𝑀𝑒𝑟𝑔𝑒𝑑𝑅𝑒𝑔𝑖𝑜𝑛 𝑠 𝑟 𝑘 𝑎𝑑𝑑𝑒𝑑𝑔𝑒 𝑠 𝜏 𝑠

18. 19. 20.

/* create edge for firing transitions 𝑡𝑖 after its interval */ 𝑁𝑒𝑤𝑆𝑡𝑎𝑡𝑒 𝑁𝑒𝑥𝑡 𝑠 𝑀 𝑡𝑖 𝑠𝑢𝑐𝑐𝑒𝑠𝑠𝑜𝑟 𝑠 𝑟 | 𝑥𝑗 𝑡𝑗 𝑒𝑛𝑎𝑏𝑙𝑒𝑑(𝑁𝑒𝑥𝑡 𝑠 𝑀 𝑡𝑖 ) 𝑎𝑑𝑑𝑒𝑑𝑔𝑒 𝑠 𝑡𝑖 𝑠 𝑅𝑇𝑆 𝑠 𝑠

21.

22. 23. 24. 25. 26. 27. 28. 29.

*/

𝐸𝑙𝑠𝑒

/* create edge for transitions with last LFT deadline */ 𝑡𝑖 | 𝛽𝑖 𝑥𝑖 𝛽𝑖 ∉ 𝑠𝑢𝑐𝑐𝑒𝑠𝑠𝑜𝑟 𝑠 𝑟 𝑡𝑖 𝑒𝑛𝑎𝑏𝑙𝑒𝑑 𝑠 𝑀 : 𝑠 𝑁𝑒𝑤𝑆𝑡𝑎𝑡𝑒(𝑁𝑒𝑥𝑡 𝑠 𝑀 𝑡𝑖 𝑠𝑢𝑐𝑐𝑒𝑠𝑠𝑜𝑟 𝑠 𝑟 | 𝑥𝑗 𝑡𝑖 𝑒𝑛𝑎𝑏𝑙𝑒𝑑 𝑠 𝑀 𝑡𝑖 {𝑥𝑘 | 𝑡𝑘 𝑖 {𝑥𝑙 | 𝑡𝑖 𝑒𝑛𝑎𝑏𝑙𝑒𝑑 𝑠 𝑀 𝑡𝑖 𝑑𝑖𝑠𝑎𝑏𝑙𝑒𝑑 𝑠 𝑀 𝑡𝑖 𝑎𝑑𝑑𝑒𝑑𝑔𝑒 𝑠 𝑡𝑖 𝑠 𝑅𝑇𝑆 𝑠 𝑪𝒐𝒏𝒕𝒊𝒏𝒖𝒐𝒖𝒔 𝑻𝒓𝒂𝒏𝒔𝒊𝒕𝒊𝒐𝒏

30. 31. 32. 33. 34. 35. 36. 37. 38. 39.

𝑖𝑓

𝑒𝑙𝑠𝑒

𝑡𝑖

𝑒𝑛𝑎𝑏𝑙𝑒𝑑 𝑠 𝑀 | 𝑥𝑖 𝛼𝑖 𝑘 𝑚𝑖𝑛 𝛼𝑖 𝑈𝐵 𝑥𝑖 𝑠 𝑁𝑒𝑤𝑆𝑡𝑎𝑡𝑒 𝑠 𝑀 𝑀𝑒𝑟𝑔𝑒𝑑𝑅𝑒𝑔𝑖𝑜𝑛 𝑠 𝑟 𝑘 𝑎𝑑𝑑𝑒𝑑𝑔𝑒 𝑠 𝜏 𝑠 𝑠 𝑁𝑒𝑤𝑆𝑡𝑎𝑡𝑒 𝑠 𝑀 𝑠𝑢𝑐𝑐𝑒𝑠𝑠𝑜𝑟 𝑠 𝑟 𝑎𝑑𝑑𝑒𝑑𝑔𝑒 𝑠 𝜏 𝑠 𝑠 𝑁𝑒𝑤𝑆𝑡𝑎𝑡𝑒 𝑠 𝑀 𝑠𝑢𝑐𝑐𝑒𝑠𝑠𝑜𝑟 𝑠 𝑟 𝑎𝑑𝑑𝑒𝑑𝑔𝑒 𝑠 𝜏 𝑠 𝑅𝑇𝑆 𝑠

𝑫𝒊𝒔𝒄𝒓𝒆𝒕𝒆 𝑻𝒓𝒂𝒏𝒔𝒊𝒕𝒊𝒐𝒏

40. 41. 42. 43. 44.

𝑒𝑛𝑎𝑏𝑙𝑒𝑑 𝑠 𝑀 𝑠 𝑟 𝑡𝑖 𝐼𝑛𝑡𝑒𝑟𝑣𝑎𝑙 𝑡𝑖 : 𝑁𝑒𝑤𝑆𝑡𝑎𝑡𝑒(𝑠 𝑀 𝑠𝑢𝑐𝑐𝑒𝑠𝑠𝑜𝑟 𝑠 𝑟 | 𝑥𝑗 𝑡𝑖 {𝑥𝑖 | 𝑡𝑖 𝑎𝑑𝑑𝑒𝑑𝑔𝑒 𝑠 𝑡𝑖 𝑠 𝑅𝑇𝑆 𝑠 𝑠

𝑡𝑖

𝑒𝑛𝑎𝑏𝑙𝑒𝑑 𝑠 𝑀 𝑡𝑖 𝑑𝑖𝑠𝑎𝑏𝑙𝑒𝑑 𝑠 𝑀 𝑡𝑖

Figure 3: The proposed algorithm for constructing RTS of a TPN model

M. E. Esmaili, R. Entezari-Maleki, & A. Movaghar

10

Without loss of generality and for the sake of simplicity, for each transition in TPN model have been assigned a single clock , and the firing interval of each transition is considered as | [ ]. In Figure 3, we use procedure for creating a new state in RTS in which M is a marking and r is a region in the new state which satisfies clock constraint cond. According to Definition 9, procedure is defined in Figure 3 to compute a  merged region with length k and first region successor (r). Also, procedure  is used to compute the new marking resulted after firing transition in marking .

3.3

The Number of Regions in the Proposed Abstraction Method

The number of regions for a TPN model is computed by considering the number of sequential and concurrent parts of the model and firing intervals of its transitions. To compute the number of regions, each TPN model can be considered as a combination of set of sequential and concurrent parts. Therefore, the number of regions in TPN model can be computed by considering the following cases. 

Sequential transitions

When there is a set of consecutive transitions { in which { and for each k, , { , a single merged region is used in the proposed algorithm for expressing the elapsing time from till EFT of a newly enabled transition . Also, for expressing firing interval of an enabled transition, a single merged region is used where clock valuation of the enabled transition is equal to its firing interval. Then, the enabled transition by a discrete transition can fire in region which causes a new state to be obtained in which the clock valuation of each newly enabled transition in its related region is zero. Therefore, the number of all regions in a set of sequential transitions will be | | where | | is the number of sequential transitions. According to the description provided above, the number of all regions for each segment of TPN model such as can be computed linearly in the order of . 

Concurrent transitions

When several transitions in a TPN model can fire in a single marking, all possible clock valuations of the transitions should be considered to compute the number of regions. For this end, we use the concept of base region according to the conditions we mentioned earlier. The worst case occurs when the concurrent transitions have the most possible overlap in their firing intervals. In this case, all base regions for clock valuation of concurrent transitions should be taken into account. If the firing intervals of all concurrent transitions in this case are assumed to be the same, then the number of all required based regions is where is LFT, is EFT of transitions, and firing interval is [ ]. In a region that all |T| transitions can fire, new regions are created until either all transitions fire or some transitions do not fire, but the last possible region is reached (given the above conditions, in the last region, the clock valuation of transitions is equal to ). Therefore, the number of all possible subset of transitions which can be selected to fire in each region can be computed by Eq. (13).

( | |)

( | |)

(|| ||)

| |

(13)

11

Improved Region Based TCTL Model Checking of Time Petri Nets With number of regions, the number of all possible regions obtained after firing |T| number of transitions is estimated as ( | | ) where in which is the maximum LFT and is the minimum EFT of transitions in the concurrent part of TPN. Therefore, all regions required for a concurrent part of TPN with |T| transitions are bounded to ( | | ).

Hence, to compute all number of regions considering the set of all sequential and concurrent parts of a TPN model, the formula presented in Eq. (14) can be used. ∑

∑

| |

(14)

where s is the set of all sequential parts of TPN that contains | | sequential transitions in i-th part, and c is the set of all concurrent parts of the TPN that is MaxDomain of j-th part in set c. Therefore, in the worst case, all transitions in a TPN model can be considered to be in a concurrent part which results in the order of the algorithm to follow ( | | ).

3.4

Region Transition System with Real Clock

In the RTS resulted from a TPN model applying the proposed algorithm, we use clock variable for each transition in a certain period to show the passing of time. To be able to check time properties in a desired RTS, it is needed to measure the actual time elapsed till each state. For this purpose, we add a new clock called Real Clock (RC) to the RTS for expressing elapsing time till each state. In fact, the new clock independently increases without resetting until a certain property is satisfied [2, 6, 24]. Hence, this clock is used to measure the actual time elapsed till each state which is expressed by a time interval. The RTS with adding this clock variable is defined as , where:    

| |

, { , is the relation function same as the function defined for RTS in Definition10.

Since clock valuations of transitions are expressed by a time intervals in merged regions against the base region where clock valuations expressed as Definition 4, the clock valuation of RC is expressed by an interval in each state. The lower and upper bounds of this interval are the minimum and maximum time required to be elapsed to reach the considered state, respectively.

4 TCTL for TPN models In order to model check the time properties on TPN models, several logic based on TCTL [1, 2] have been proposed [10, 16]. TCTL can be used for specifying time properties in TPNs, so we define an extension of TCTL logic for specifying time properties of TPN models. Definition 11. With considering a bounded TPN model in which LFT of transitions is not infinite, we define time temporal logic TPN-TCTL as follow: |

|

|

where I is a time interval bounded to natural number, operators, and is a natural constant. The notation

|

|

|

(15)

{ is a set of relational denotes the number of tokens in place

M. E. Esmaili, R. Entezari-Maleki, & A. Movaghar

12

. So, to show a special marking, we can use conjunctions of in which is =. For model checking of TPN-TCTL on TPN, we should translate TPN-TCTL to the equivalent CTL to be able to apply the model checking on desired RTS using the standard CTL [12]. For translating TPN-TCTL to the corresponding CTL, timing parameters should be eliminated from the TCTL formula, and a new clock should be added to the corresponding CTL formula to measure the elapsing of time until a certain time [2, 6, 24]. Timing parameters can be replaced by a clock constraint which is based on the new clock added to CTL formula for specifying the time interval considered in TCTL formula.

4.1 Translating TPN-TCTL to CTL The basic idea for translating a TPN-TCTL formula is that we can express timing parameter by clock constraint of a new clock in the equivalent CTL formula. The new clock in CTL measures the elapsing time expressed by the timing parameter in TPN-TCTL which is denoted by an interval. In fact, we need to express the actual time required to get to each state. For this end, we use the concept of RC defined for RTS. As stated earlier, RC represents the actual time required to reach to each state as a time interval. Therefore, to check the clock constraint of a new clock added to CTL formula, we can use the valuation of RC. In the TPN-TCTL formula, timing parameter appears only as until operator; therefore, it is sufficient to translate the TCTL until operator to the equivalent CTL, and consequently, modal operators and □ can be obtained. CTL until operator after eliminating timing parameter from TPN-TCTL can be obtained as follows [2, 6, 24]: {

(

{

)

⋁

(

(16)

)

where { } denotes the clock valuation of RC in state s which can be considered as zero, so we can use the difference existing between the clock valuation of RC in state s and the desired states to measure the actual elapsed time. Since the atomic propositions in each state of RTS and in TPN-TCTL are markings, we can use the resulted CTL for model checking of TPN-TCTL formula on the RTS.

4.2 Semantics of TPN-TCTL Let denote a region transition system after adding the new clock   RC obtained from a bounded TPN model . In , each state is denoted by where M is a marking and r is a region together with the clock valuation of RC. The semantics of TPN-TCTL formula is defined as follows:      

, iff iff

, ,

iff iff

and , or , that equivalent CTL formula is if for some π : ⋁ . that equivalent CTL formula is [] if for all π :

[ ]  ⋁

.

⋁

. Therefore, []

⋁

. Therefore, [ ]

13

4.3

Improved Region Based TCTL Model Checking of Time Petri Nets

Complexity of TPN-TCTL Model Checking of TPN

Although the number of regions in transition system of a TA model is exponential in the length of clock constraints, by observing only required paths for considered TCTL formula, TCTL model checking on TA is PSPACE-Complete [1, 2]. Our approach is also based on region method that has been proposed for TA [3, 4]. Although the number of regions, and consequently, the number of states of RTS resulted from a bounded TPN by applying the proposed abstraction method depend on the structure of the model, in the worst case, it is exponential in the number of transitions. With translating TPN-TCTL formula to the equivalent CTL formula, the problem of TPN-TCTL model checking is reduced to CTL model checking on a resulted RTS. Complexity of the CTL model checking on a | | | | | | where | | is the number of states, | | is the number of transition system is transitions in a given transition system, and | | is the length of CTL formula [12]. Therefore, TPNTCTL model checking on the RTS of a TPN model reduces to CTL model checking. Hence, TPNTCTL model checking is PSPACE-Complete.

4.4 Comparing the Number of Regions The most important challenge in the region based abstraction method of TPN models is the number of regions. Using the basic region abstraction method, the number of regions for a k-bounded TPN is | | | |∏ bounded by [10, 25], where | | is the number of transitions, is clock associated to transition , and is greatest constant that is compared to it for constructing a region graph. The number of regions in the proposed method is bounded by Eq. (17) according to the explanations given in Subsection 3.3. | |

| |

(17)

| |

By developing the proposed method, the number of all regions for several TPN models in the worst case is calculated. The number of all regions resulted from the proposed method and the most relevant previously represented method [10, 25] regardless of the value of k is reported in the Table 1. Table 1: The number of regions resulted by the proposed method and the method presented in [10, 25] |T|

Proposed method

Previous method

|T|

Proposed method

Previous method

2

2

22

64

6

4

610

1658880

2

3

32

80

7

3

925

22579200

3

6

125

1152

8

4

2352

4.95E+08

4

3

126

7680

10

3

7212

1.86E+11

4

2

88

6144

10

4

9287

2.23E+11

5

3

243

96000

12

8

69797

2.35E+14

5 Conclusions and Future Work For TCTL model checking of TPN models, region and zone based abstraction methods have been proposed to generate the state space of TPNs which both of them preserve state reachability. Zone based method in which zones are used to expresses symbolic states presents more efficient and compact representation of state space compared to region based method. Because of the enormous

M. E. Esmaili, R. Entezari-Maleki, & A. Movaghar

14

number of regions generated by region based method, this method is not appropriate to be used in practical tools. However, model checking of a region transition system obtained from a region method demonstrates much less overhead compared to zone based method due to the more operations required to be done in model checking algorithms used in zone based method. In this paper, we consider two special features of TPN models for computing the state space of TPN models based on region abstraction method with much less number of regions which preserves marking reachability. To do this, all consecutive regions in which changing the marking is not possible in them are firstly merged into a single region where clock valuations of transitions are represented by a time interval. Next, all consecutive regions in which just a single specific transition can fire on them, are represented by a single region where value of its clock constraint is specified by a time interval that represents actual time duration for firing the given transition. Afterwards, we exploit TPN-TCTL for specifying a subset of time properties of TPN models. Then, by translating TPN-TCTL to the equivalent CTL, CTL model checking is used for model checking of TPN models. Therefore, by decreasing the number of regions, the proposed method can be used efficiently to be applied to the large subset of TPN models. As a future work, other temporal properties (e.g. CTL* and MITL) and efficient on-the-fly model checking techniques can be studied to be used in the proposed abstraction method for decreasing the complexity of model checking algorithms in both time and space aspects. In addition, the proposed method can be improved by using symbolic methods to store the merged regions in a suitable structure. We are also working to develop a tool for analyzing and directly TCTL model checking of TPN models based on the proposed abstraction method.

References [1]

[2]

[3] [4] [5] [6] [7]

[8] [9] [10]

Rajeev Alur, Costas Courcoubetis & David L. Dill (1990): Model-checking for real-time systems. Proceedings In: Fifth Annual IEEE Symposium on Logic in Computer Science, LICS ’90, pp. 414–425, doi : 10.1109/LICS.1990.113766. Rajeev Alur, Costasand Courcoubetis & David L. Dill (1993): Model-Checking in Dense Real-Time. Information and Computation 104(1), pp. 2 – 34, doi: http://dx.doi.org/10.1006/inco.1993.1024. Available at http://www.sciencedirect.com/science/article/pii/S0890540183710242. Rajeev Alur & David Dill (1990): Automata for modeling real-time systems 443, pp. 322–335. doi:10.1007/BFb0032042. Available at http://dx.doi.org/10.1007/BFb0032042. Rajeev Alur & David Dill (1992): The theory of timed automata 600, pp. 45–73. doi:10.1007/BFb0031987.Available at http://dx.doi.org/10.1007/BFb0031987. Rajeev Alur & David L Dill (1996): Automata-theoretic verification of real-time systems. Formal Methods for Real-Time Computing, pp. 55–82. Christel Baier, Joost-Pieter Katoen et al. (2008): Principles of Model Checking. 26202649, MIT press Cambridge. Johan Bengtsson & Wang Yi (2004): Timed Automata: Semantics, Algorithms and Tools. Lecture Notes in Computer Science 3098, Springer Berlin Heidelberg, pp. 87–124, doi: 10.1007/978-3-540-27755-2 3. Available at http://dx.doi.org/10.1007/978-3-540-27755-2_3. Bernard Berthomieu & Michel Diaz (1991): Modeling and Verification of Time Dependent Systems Using Time Petri Nets. IEEE Transactions on Software Engineering 17(3), pp. 259–273, doi: 10.1109/32.75415. Bernard Berthomieu & Miguel Menasche (1983): An Enumerative Approach For Analyzing Time Petri Nets, pp. 41–46. Available at http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.11.4063. Hanifa Boucheneb, Guillaume Gardey & Olivier H. Roux (2009): TCTL Model Checking of Time Petri Nets. Journal of Logic and Computation 19(6), pp. 1509–1540, doi: 10.1093/logcom/exp036. Available at http://logcom.oxfordjournals.org/content/19/6/1509.abstract.

15 [11]

[12]

[13]

[14]

[15]

[16] [17]

[18]

[19]

[20] [21]

[22]

[23] [24]

[25] [26]

Improved Region Based TCTL Model Checking of Time Petri Nets Franck Cassez & Olivier H. Roux (2006): Structural translation from Time Petri Nets to Timed Automata. Journal of Systems and Software 79(10), pp. 1456 – 1468, doi:http://dx.doi.org/10.1016/j.jss.2005.12.021. Available at http://www.sciencedirect.com/science/article/pii/S0164121205001895. Edmund M. Clarke, E. Allen Emerson & A. Prasad Sistla (1986): Automatic Verification of Finite-state Concurrent Systems Using Temporal Logic Specifications. ACM Trans. Program. Lang. Syst. 8(2), pp. 244–263, doi:10.1145/5397.5399. Available at http://doi.acm.org/10.1145/5397.5399. Davide D’Aprile, Susanna Donatelli, Arnaud Sangnier & Jeremy Sproston (2007): From Time Petri Nets to Timed Automata: An Untimed Approach. Lecture Notes in Computer Science 4424, Springer Berlin Heidelberg, pp. 216–230,doi:10.1007/978-3-540-71209-1_18. Available at http://dx.doi.org/10.1007/9783-540-71209-1_18. David L. Dill (1990): Timing assumptions and verification of finite-state concurrent systems. Lecture Notes in Computer Science 407, Springer Berlin Heidelberg, pp. 197–212, doi: 10.1007/3-540-521488_17. Available at http://dx.doi.org/10.1007/3-540-52148-8_17. Guillaume Gardey, Olivier H. Roux & Olivier F. Roux (2004): Using Zone Graph Method for Computing the State Space of aTime Petri Net. Lecture Notes in Computer Science 2791, Springer Berlin Heidelberg, pp. 246–259, doi: 10.1007/978-3-540-40903-8_20. Rachid Hadjidj & Hanifa Boucheneb (2006): On-the-fly TCTL model checking for Time Petri Nets using state class graphs, pp. 111–122. doi: 10.1109/ACSD.2006.18. Thomas A. Henzinger, Xavier Nicollin, Joseph Sifakis & Sergio Yovine (1994): Symbolic Model Checking for Real-Time Systems. Information and Computation 111(2), pp. 193 – 244, doi:10.1006/inco.1994.1045. Didier Lime & Olivier H. Roux (2003): State class Timed Automaton of a Time Petri Net. In: The 10th International Workshop on Petri Nets and Performance Models, (PNPM’03), Urbana, tats-Unis, pp. 124–133. Available at http://hal.archives-ouvertes.fr/hal-00523588. Didier Lime & Olivier H. Roux (2006): Model Checking of Time Petri Nets Using the State Class Timed Automaton. Discrete Event Dynamic Systems 16(2), pp. 179–205, doi:10.1007/s10626-006-8133-9. Available at http://dx.doi.org/10.1007/s10626-006-8133-9. Philiph M. Merlin & David J. Farber (1976): Recoverability of Communication Protocols–Implications of a Theoretical Study. Ph.D. thesis, doi:10.1109/TCOM.1976.1093424. Yasukichi Okawa & Tomohiro Yoneda (1997): Symbolic computation tree logic model checking of time Petri nets. Electronics and Communications in Japan (Part III: Fundamental Electronic Science) 80(4), pp. 11–20, doi: 10.1002/(SICI)1520-6440(199704)80:43.0.CO;2-7. Wojciech Penczek & Agata Pólrola (2004): Specification and Model Checking of Temporal Properties in Time Petri Nets and Timed Automata 3099, pp. 37–76. doi: 10.1007/978-3-540-27793-4_4. Available at http://dx.doi.org/10.1007/978-3-540-27793-4_4. Chander Ramchandani (1974): Analysis of Asynchronous Concurrent Systems by Timed Petri Nets. Available at http://dl.acm.org/citation.cfm?id=889750. Stavros Tripakis & Sergio Yovine (2001): Analysis of Timed Systems Using Time-Abstracting Bisimulations. Formal Methods in System Design 18(1), pp. 25–68, doi: 10.1023/A:1008734703554. Available at http://dx.doi.org/10.1023/A%3A1008734703554. Irina Virbitskaite & E. Pokozy (1999): A partial order method for the verification of time Petri nets 1684, pp.547–558. doi: 10.1007/3-540-48321-7_46. Available at http://dx.doi.org/10.1007/3-540-48321-7_46. Tomohiro Yoneda & Hikaru Ryuba (1998): CTL model checking of time Petri nets using geometric regions. IEICE Transactions on Information and Systems 81(3), pp. 297–306. Available at http://search.ieice.org/bin/summary.php?id=e81-d_3_297.