On liveness in Extended Non Self-Controlling Nets - Springer Link

On Liveness in Extended Non Self-Controlling Nets

K. BARKAOUI *, J.M. COUVREUR *, C. DUTHEILLET #

* Laboratoire CEDRIC, Conservatoire National des Arts et Métiers, 292 rue Saint-Martin, 75003 Paris - FRANCE

# IBP - Laboratoire MASI, Université P. & M. Curie, 4, Place Jussieu, 75252 Paris Cedex 05 - FRANCE

Abstract: For several years, research has been done to establish relations between the liveness of a net and the structure of the underlying graph. This work has resulted in the proposition of polynomial algorithms to check liveness for particular classes of nets. In this paper, we present Extended Non Self-Controlling Nets, a class of nets that includes Extended Free-Choice Nets and Non Self-Controlling Nets. We develop some properties of this new class of nets and we propose polynomial algorithms whose application domain is wider than the domain of the previous algorithms.

Keywords: liveness, deadlocks and traps.

1 Introduction

Liveness and boundedness are the main behavioural properties of Place/Transition nets (P/T nets) [1]. Liveness corresponds to the absence of global or local deadlock situations, boundedness to the absence of overflows in stores. For classes of P/T nets with a restricted modelling power, liveness can be structurally characterized and efficiently decided under the boundedness hypothesis [2] [3] [4] [5] [6]. A common property of these restricted classes is that liveness is ensured by checking some particular sets of places. A deadlock is a subset of places that, once unmarked, can never be marked again. For these classes, the existence of a deadlock containing no mark is a necessary and sufficient condition for the net not to be live. Hence, every deadlock of the net must be controlled, i.e., conditions must be defined on the net, which ensure that the deadlock remains marked for every reachable state. There are two ways of controlling a deadlock. The first one relies on the concept of trap (trap-controlled deadlock) [7], the second one is based on the concept of invariant (invariant-controlled deadlock) [4]. The control of deadlocks to ensure liveness is very efficient as it can yield polynomial-time algorithms. But the major drawback of the method is that it applies only to restricted classes of nets.

In this paper, we introduce Extended Non Self-Controlling (ENSeC) nets, a new class of P/T nets for which the deadlock-trap property is a sufficient liveness condition. We prove that this property is also necessary in the bounded case. ENSeC nets include extended free-choice nets and non self-controlling nets and thus extend the class of nets for which the control of every deadlock is a necessary and sufficient liveness condition.

We also present polynomial-time algorithms to decide the liveness of two subclasses of bounded ENSeC nets, namely elementary ENSeC nets and loop-free ENSeC nets, that strictly contain bounded extended free-choice nets and bounded non self-controlling nets. All these results are based on the new concept of conflict-free path, which emphasizes the characterization of minimal deadlocks in terms of path properties [8].

The remainder of the paper is organized as follows: the next section presents the basic concepts and notations used, and introduces the notion of conflict-free and loop-free paths. Some properties of deadlocks, and properties relating deadlocks to conflict-free paths are also exposed in this section. In Section 3, the new class of ENSeC nets is defined. The problem of liveness for ENSeC nets is investigated in Section 4. Section 5 presents a set of structural properties of bounded ENSeC nets, which are similar to the properties of Extended Free-Choice nets and Non Self-Controlling nets. In Section 6, we prove that liveness is decidable in polynomial time for two subclasses of bounded ENSeC nets, namely Elementary ENSeC nets and Loop-free ENSeC nets. Section 7 concludes the paper.

2 Basic Definitions and Notations

2.1. Place / Transition Nets

Definition 2.1
1) A net is a 3-tuple $N = (P, T, F)$ where
a) $P$ and $T$ are finite and disjoint sets,
b) $F \subseteq (P \times T) \cup (T \times P)$.
The elements of $P$ are called places and the elements of $T$ transitions.
2) The preset of a node $x \in P \cup T$ is defined as ${}^\bullet x = \{y \in P \cup T \mid (y, x) \in F\}$. The postset of $x \in P \cup T$ is $x^\bullet = \{y \in P \cup T \mid (x, y) \in F\}$. The preset (resp. postset) of a set is the union of the presets (resp. postsets) of its elements.

Definition 2.2 Let $N = (P, T, F)$ be a net. Two transitions of $N$ are in conflict iff the intersection of their presets is not empty: $\forall t_1, t_2 \in T$, $t_1$ is in conflict with $t_2 \Leftrightarrow {}^\bullet t_1 \cap {}^\bullet t_2 \neq \emptyset$.

Definition 2.3 Let $N = (P, T, F)$ be a net.
1) A marking of a net $N = (P, T, F)$ is a mapping $M : P \to \mathbb{N}$.
2) The pair $(N, M_0)$ is called a marked net. $M_0$ is called the initial marking.
3) A transition $t$ is enabled under $M$, in symbols $M[t\rangle$, iff $\forall p \in {}^\bullet t$, $M(p) > 0$.
4) If $M[t\rangle$, the transition $t$ may occur, resulting in a new marking $M'$, in symbols $M[t\rangle M'$, with, for all $p \in P$:
$$M'(p) = \begin{cases} M(p) - 1 & \text{if } p \in {}^\bullet t \setminus t^\bullet \\ M(p) + 1 & \text{if } p \in t^\bullet \setminus {}^\bullet t \\ M(p) & \text{otherwise} \end{cases}$$
5) The set of all reachable markings, in symbols $[M_0\rangle$, of a marking $M_0$ is the smallest set such that $M_0 \in [M_0\rangle$ and $M \in [M_0\rangle \wedge M[t\rangle M' \Rightarrow M' \in [M_0\rangle$ holds.

Definition 2.4 Let $N = (P, T, F)$ be a net and $(N, M_0)$ be a marked net.
1) A transition $t \in T$ is live under $M_0$ iff $\forall M \in [M_0\rangle$, $\exists M' \in [M\rangle$, $M'[t\rangle$.
2) A transition $t \in T$ is dead under $M_0$ iff $\nexists M \in [M_0\rangle$, $M[t\rangle$.
3) The net $N$ is live under $M_0$ iff $\forall t \in T$, $t$ is live under $M_0$. (N.B.: hence, a net with no transition is live.)
4) The net $N$ is structurally live iff $\exists M_0$ such that $N$ is live under $M_0$.

Definition 2.5 Let $N = (P, T, F)$ be a net and $(N, M_0)$ be a marked net. $(N, M_0)$ is called bounded iff: $\exists k \in \mathbb{N}$, $\forall M \in [M_0\rangle$, $\forall p \in P$, $M(p) < k$.

Definition 2.6 Let $N$ be a net. $N$ is called structurally bounded iff $N$ is bounded for any initial marking.

Definition 2.7 Let $N = (P, T, F)$ be a net and $(N, M_0)$ be a marked net. Let $H \subseteq P$ be a non-empty set of places, and let $M$ be a reachable marking. $H$ is called empty in $M$ iff $\forall p \in H$, $M(p) = 0$.

Definition 2.8 Let $N = (P, T, F)$ be a net and let $A \subseteq P \cup T$. The net $(N \setminus A)$ is defined by the 3-tuple $(P_N, T_N, F_N)$ where
- $P_N = P \setminus (A \cap P)$
- $T_N = T \setminus (A \cap T)$
- $F_N = F \cap [(P_N \times T_N) \cup (T_N \times P_N)]$

2.2. Paths and Connectivity

Definition 2.9 Let $N = (P, T, F)$ be a net. In $N$, a path $C$ from a node $n_1$ to a node $n_k$ is a sequence $(n_1, n_2, \ldots, n_k)$ such that $(n_i, n_{i+1}) \in F$ for $1 \le i \le k-1$. The set $P_C = \{n_i, 1 \le i \le k\} \cap P$ is called the set of places of the path. The set $T_C = \{n_i, 1 \le i \le k\} \cap T$ is called the set of transitions of the path.

Definition 2.10 Let $N = (P, T, F)$ be a net and $C = (n_1, \ldots, n_k)$ be a path in $N$.
1) $C$ is elementary iff for any two nodes $n_i$, $n_j$, $i \neq j$, of the path, $n_i \neq n_j$.
2) $C$ is conflict-free iff for any transition $n_i$ of the path, $j \neq i-1 \Rightarrow n_j \notin {}^\bullet n_i$.
3) $C$ is loop-free iff for any transition $n_i$ of the path, $(n_{i+1}, n_i) \notin F$.
4) $C$ is in $H \subseteq P$ iff all the places of $C$ belong to $H$.

The following examples clarify the notion of conflict-free path and highlight one of its important features, namely the fact that it is not transitive.

[Figure: net with places p, q and transition t]

$(p, t, q)$ is a conflict-free path: only $p$, which is the predecessor of $t$ in the path, belongs to ${}^\bullet t$. $(p, t, q)$ is a loop-free path: $(q, t) \notin F$.

[Figure: net with places p, q and transition t]

$(p, t, q)$ is not a conflict-free path: both $p$ and $q$ belong to ${}^\bullet t$. $(p, t, q)$ is not a loop-free path: $(q, t) \in F$.

[Figure: net with places p, q, r and transitions t1, t2]

There is a conflict-free path from $p$ to $q$: $(p, t_1, q)$. There is also a conflict-free path from $q$ to $r$: $(q, t_2, r)$. But there is NO conflict-free path from $p$ to $r$: $(p, t_1, q, t_2, r)$ is not conflict-free, as both $p$ and $r$ belong to ${}^\bullet t_1$.

Definition 2.11 Let $N = (P, T, F)$ be a net and $H \subseteq P$. $H$ is strongly connected on $N$ iff there exists a path in $H$ between any two places of $H$.

Definition 2.12 Let $N = (P, T, F)$ be a net, let $H \subseteq P$. Let $G \subseteq H$. $H$ is $G$-strongly-connected on $N$ iff $\forall p \in H$, $\exists g_1, g_2 \in G$ such that there exists a path in $H$ from $p$ to $g_1$ and another path in $H$ from $g_2$ to $p$.

2.3. Deadlocks and Traps

2.3.1. Definitions

Definition 2.13 Let $N = (P, T, F)$ be a net.
1) A non-empty set $H \subseteq P$ is called a deadlock iff ${}^\bullet H \subseteq H^\bullet$.
2) A non-empty set $H \subseteq P$ is called a trap iff $H^\bullet \subseteq {}^\bullet H$.
3) Let $H$ be a deadlock (resp. a trap). $H$ is called minimal iff there is no deadlock (resp. trap) included in $H$ as a proper subset.
4) Let $H$ be a deadlock (resp. a trap). $H$ is called p-minimal iff there is no deadlock (resp. trap) containing $p$ included in $H$ as a proper subset.

Deadlock-Trap Property (Commoner) Let $(N, M_0)$ be a marked net. $(N, M_0)$ satisfies the deadlock-trap property iff the two following conditions hold:
1) every minimal deadlock of $N$ contains a trap,
2) the maximal trap of each minimal deadlock is marked for $M_0$.
Condition 1) alone is referred to as the structural deadlock-trap property.

2.3.2. Properties

P r o p e r t y 2.1 Let N = (P, T, F) be a net, H b e a set of places and D be the m a x i m a l deadlock in H. Then H is a deadlock or there exist a m a p p i n g x : H \ D --+ T and a mapping ~ : H \ D ---) N such that 1) Vp~ H\D, ( ' c ( p ) , p ) ~ F, x ( p ) ~ D. 2) Vp~ H\D, Vq~ D ( q , x ( p ) ) ~ F. 3) V p, q ~ H \ D, ~(p) < (Y(q) ~ (q, x(p)) ~ F.

Proof: We operate by recurrence on the cardinality of $H \setminus D$.
- $H \setminus D = \emptyset$: $H$ is a deadlock.
- $H \setminus D = \{p\}$: there exists a transition $t$ such that $(t, p) \in F$ and $t \notin H^\bullet$. Mappings $\tau$ and $\sigma$ can be defined by $\tau(p) = t$ and $\sigma(p) = 0$.
- $H \setminus D$ contains two or more elements. $H$ is not a deadlock, then:
  - There exist a place $p_0 \in H \setminus D$ and a transition $t_0$ such that $(t_0, p_0) \in F$ and $\forall p \in H$, $(p, t_0) \notin F$.
  - $H \setminus \{p_0\}$ has $D$ as a maximal deadlock.

By applying the recurrence hypothesis to the net $H \setminus \{p_0\}$, we obtain two mappings $\tau_0$ and $\sigma_0$ that fulfill conditions (1), (2) and (3). From $\tau_0$ and $\sigma_0$, we define two mappings $\tau$ and $\sigma$ on $H \setminus D$ by: $\tau(p_0) = t_0$ and $\sigma(p_0) = 0$, $\forall p \in H \setminus (D \cup \{p_0\})$, $\tau(p) = \tau_0(p)$ and $\sigma(p) = \sigma_0(p) + 1$, which clearly fulfill conditions (1), (2) and (3).

Corollary 2.2 Let $N = (P, T, F)$ be a net. Let $H$ be a set of places which is not a deadlock and let $D$ be the maximal deadlock in $H$. Then for every place $p$ in $H \setminus D$ there exist a transition $t$ in ${}^\bullet H \setminus H^\bullet$ and a conflict-free path from $t$ to $p$.

Proof." Let t and cy be two mappings defined by Property 2.1 and let p be a place in H \ D. Let Lp be the set o f paths (tl, Pl . . . . tk, Pk) in H \ D with Pk = P which fullfill t i = t(pi) and ~(Pi) -< cY(Pi+I) for all i. 9 Lp is not empty because it contains the path (t(p), p) 9 Let 1 = (tl, Pl . . . . tk, Pk) be a maximal path in Lp. Then tl ~ 9 \ H9 Otherwise there exists a place q in H with (q, tl) ~ F. From conditions (2) and (3) of Property 2.1, q is in H \ D and ~(q) < G(pl) and then the path ('~(q), q, tl, Pl . . . . tk, Pk) is longer than 1. This is in contradiction with the maximality of 1. 9 Let L'p be the set of paths (tl, Pl . . . . tk, Pk) in H \ D, with tl is in 9 \ H 9 and Pk = P, which fullfill ti = t(pi) and cr(pi ) < c~(Pi+l) for all i. - This set is not empty because it contains the maximal paths o f Lp. - Let 1 = (tl, Pl . . . . tk, Pk) be a minimal path in L'p. The path 1 is conflict-free. Otherwise there exists a transition ti and a place pj in 1 with (pj, ti) in F and j ;e i-1. If j < i-2, then we can deduce from 1 a shorter path. If i l , 3 t ' ~ p o s u c h t h a t t ' ~ 3 t ~ p. such that H is a deadlock that contains no trap in N \ {t}. Proof: Let H be a minimal deadlock which contains at least two places. As H is not a trap, there exist a place p in H and a transition t' such that (p, t') is in F and t'o n H = 12t. There exists a transition t such that to n H ~ 0 and ot n H = {p}, otherwise H \ {p} is a deadlock. H is a deadlock that contains" no trap in N \ {t}. If S is a non empty trap of H in N \ {t} and not in N, t is in S.. Because ~ n H = {p}, p is in S. Hence t' is So \ ~ and S cannot be a trap.

3 Extended Non Self-Controlling Nets

Before introducing the class of extended non-self controlling nets, we recall the definition of two subclasses of nets, namely extended free-choice nets [7] and non-self controlling nets [9] for which, in the bounded case, the deadlock-trap property is a necessary and sufficient liveness condition. Our class extends both subclasses.

Definition 3.1 An Extended Free-Choice (EFC) net is a net such that: $\forall p, p' \in P$, $p^\bullet \cap p'^\bullet \neq \emptyset \Rightarrow p^\bullet = p'^\bullet$.

Definition 3.2 A net is non self-controlling iff $\forall p \in P$, if $|p^\bullet| > 1$ then at most one of the two following conditions holds, $\forall t \in p^\bullet$:
- There is a circuit containing both $p$ and $t$,
- $\exists t' \in p^\bullet$, $t' \neq t$, such that there is in the net an elementary path $(p, t, \ldots, t')$.

Definition 3.3 Let $N = (P, T, F)$ be a net. $N$ is an Extended Non-Self Controlling (ENSeC) net iff for every couple $(a, b)$ of transitions in conflict, there does not exist a conflict-free path leading from $a$ to $b$.

Remark that we cannot have in the path a place in ${}^\bullet a$ because it creates a conflict for $a$. For this reason, Extended Free-Choice nets and strongly-connected Non-Self Controlling nets are ENSeC nets.

The net in Figure 1 is a reduced representation of the well-known dining philosophers problem. It is trivially not an Extended Free-Choice net (consider for instance places Fork1 and Fork2). Neither is it a Non Self-Controlling Net. For instance, the postset of Fork1 contains two transitions, and we have highlighted a path between them that prevents the net from being non self-controlling. However, the only conflicts occur between transitions $Tk_i$ and $Tk_{(i+1) \bmod 4}$, $i = 0, \ldots, 3$. Let us consider the couple (Tk2, Tk1). We are looking for a conflict-free path from Tk2 to Tk1. The only way out of Tk2 is Eat2, then Put2. From Put2, we can choose either Fork1 or Fork2. In both cases, we create a conflict for Tk2: for instance, in the path (Tk2, Eat2, Put2, Fork1), Fork1 is not the predecessor of Tk2 and yet belongs to ${}^\bullet$Tk2. We have blackened in the path the transitions for which a conflict exists.

Fig. 1: The dining philosophers
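The conflict-free and loop-free path conditions of Definition 2.10 and the ENSeC condition of Definition 3.3 can be checked mechanically on small nets. The following Python sketch is an added example, not code from the paper: the arc sets for the three path examples are read off their captions, the nets `NOT_ENSEC` and `EFC` are constructed for illustration, and the search is a brute-force enumeration of elementary paths rather than the polynomial algorithms announced for Section 6.

```python
# Added example: conflict-free paths (Def. 2.10) and a brute-force ENSeC test (Def. 3.3).
# A net is given by its arc set F and its transition set T. All nets here are constructed.

def preset(F, x):
    """Preset of node x: every y with an arc (y, x) in F."""
    return {y for (y, z) in F if z == x}

def is_path(F, C):
    return all((C[i], C[i + 1]) in F for i in range(len(C) - 1))

def is_conflict_free(F, T, C):
    """C is a path and, for each transition n_i of C, no node of C other than
    its immediate predecessor n_(i-1) belongs to the preset of n_i."""
    if not is_path(F, C):
        return False
    for i, n in enumerate(C):
        if n in T:
            pre = preset(F, n)
            if any(j != i - 1 and C[j] in pre for j in range(len(C))):
                return False
    return True

def is_loop_free(F, T, C):
    """For each transition n_i of C there is no arc back from n_(i+1) to n_i."""
    return all((C[i + 1], C[i]) not in F for i in range(len(C) - 1) if C[i] in T)

def find_conflict_free_path(F, T, src, dst):
    """Depth-first search over elementary paths from src to dst.
    Cutting a cycle out of a conflict-free path keeps it conflict-free, so
    elementary paths suffice; a violating prefix stays violating when it is
    extended, so such prefixes are pruned."""
    stack = [(src,)]
    while stack:
        C = stack.pop()
        if not is_conflict_free(F, T, C):
            continue
        if len(C) > 1 and C[-1] == dst:
            return C
        stack.extend(C + (y,) for (x, y) in sorted(F) if x == C[-1] and y not in C)
    return None

def conflicts(F, T):
    """Ordered couples of distinct transitions whose presets intersect (Def. 2.2)."""
    return [(a, b) for a in sorted(T) for b in sorted(T)
            if a != b and preset(F, a) & preset(F, b)]

def is_ensec(F, T):
    """Def. 3.3: no conflict-free path from a to b for any couple (a, b) in conflict."""
    return all(find_conflict_free_path(F, T, a, b) is None for a, b in conflicts(F, T))

# The three path examples, with arcs read off their captions.
EX1 = {("p", "t"), ("t", "q")}
EX2 = {("p", "t"), ("t", "q"), ("q", "t")}
EX3 = {("p", "t1"), ("t1", "q"), ("q", "t2"), ("t2", "r"), ("r", "t1")}
T3 = {"t1", "t2"}

# Constructed net: a and b share the input place s, and (a, x, b) is conflict-free.
NOT_ENSEC = {("s", "a"), ("s", "b"), ("a", "x"), ("x", "b")}
# Constructed extended free-choice net: the only way from a to b goes back through s,
# which lies in the preset of a, so no conflict-free path from a to b exists.
EFC = {("s", "a"), ("s", "b"), ("a", "x"), ("x", "c"), ("c", "s")}

if __name__ == "__main__":
    print("p -> r in example 3:", find_conflict_free_path(EX3, T3, "p", "r"))
    print("NOT_ENSEC witness:", find_conflict_free_path(NOT_ENSEC, {"a", "b"}, "a", "b"))
    print("EFC is ENSeC:", is_ensec(EFC, {"a", "b", "c"}))
```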

4 A Necessary and Sufficient Condition for the Liveness of ENSeC Nets

4.1. Sufficient Condition

Property 4.1 Let $N$ be an ENSeC net and $t$ be a transition of $N$. Then $(N \setminus \{t\})$ is an ENSeC net.

Property 4.2 Let $(N, M_0)$ be a marked ENSeC net and let $t$ be a transition of $N$. $t$ is not live iff there exists a deadlock $H$ containing a place $p \in {}^\bullet t$ and a reachable marking $M$ such that $H$ is empty in $M$.

Proof: I f such a deadlock exists, t is obviously not live : it is never enabled from M onward. Let us consider now the reciprocal property : we operate by recurrence on the number of transitions of the net. If is a net with only one transition t, the property holds : if t is not live, one of its input places becomes empty and this place is a deadlock.

32 Let be a net with at least two transitions. Let t be a transition that is not live. As t is not live, there exists a reachable marking M such that t is dead under M. Let us consider the following cases : (1) There exists in another transition, say b, that is not live. By applying the recurrence hypothesis for transition b on the net , we obtain a marking M' reachable from M and an empty deadlock H b that contains a place in the preset of b. As transitions t and b are dead for the net , we obtain a marking M" reachable from M and an empty deadlock Ht that contains a place in the preset of t. Now, Ht u H b is a deadlock in which contains a place in the preset of t. And we have a marking M" e [M0> for which the deadlock is empty. There exists no other transition in that is not live. (2) (a) t is not in conflict with another transition : hence, each time a place in the preset of t is marked, it remains marked until t fires. As t is dead under M, there exists a place p in the preset of t such that p is never marked from M onward. If the preset of p contains no transition, then {p} and M are a deadlock and a marking that fulfill the condition. Else, all the transitions in the preset of p are dead under M and we are in contradiction with the assumption that t is the only transition that is not live. (b) t is in conflict with another transition, say b : By applying the recurrence hypothesis for transition t on the net , we obtain a marking M' reachable from M and an empty deadlock H t that contains a place p in the preset of t. If p also belongs to the preset of b, H t is a deadlock in N and the property holds. Otherwise, we extract from Ht a pminimal deadlock Vt. By applying Corollary 2.3, we know that there exists a conflict-free path from every place of Vt to p. Let q be a place in the postset of b and not in its preset. From the definition of ENSeC nets, there cannot exist a conflict-free path from q to p. 
Hence, the p-minimal deadlock V t contains no such place as q and is a deadlock in N, and the property holds.

Theorem 4.3 The deadlock-trap property is a sufficient liveness condition for ENSeC nets.

Proof: The theorem is an immediate consequence of Property 4.2.

In the example of the dining philosophers, we can find four minimal deadlocks:
H1 = {Fork1, Eat1, Eat2}
H2 = {Fork2, Eat2, Eat3}
H3 = {Fork3, Eat3, Eat4}
H4 = {Fork4, Eat4, Eat1}
All these deadlocks are also marked traps, and we conclude that the net is live.
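The check applied above to the dining philosophers (list the minimal deadlocks, then verify that each contains a marked trap) is the deadlock-trap property of Section 2.3.1. The following Python sketch is an added example, not code from the paper: it runs that check on a constructed two-process mutual-exclusion net (place and transition names are assumptions) whose only conflict is between `enter1` and `enter2`, and it enumerates minimal deadlocks by brute force over subsets of places, which is only practical for small nets.

```python
# Added example: deadlocks, traps and the deadlock-trap property (Def. 2.13).
from itertools import combinations

def neighbours(F, H, forward):
    """Postset of the place set H if forward is True, preset otherwise."""
    return {y if forward else x for (x, y) in F if (x if forward else y) in H}

def is_deadlock(F, H):
    """Non-empty H whose preset is included in its postset."""
    return bool(H) and neighbours(F, H, False) <= neighbours(F, H, True)

def is_trap(F, H):
    """Non-empty H whose postset is included in its preset."""
    return bool(H) and neighbours(F, H, True) <= neighbours(F, H, False)

def maximal_trap(F, H):
    """Largest trap included in H (empty set if H contains no trap): repeatedly
    drop every place having an output transition that puts nothing back in the set."""
    S = set(H)
    changed = True
    while changed:
        changed = False
        for p in sorted(S):
            outputs = neighbours(F, {p}, True)
            if any(not (neighbours(F, {t}, True) & S) for t in outputs):
                S.discard(p)
                changed = True
    return S

def minimal_deadlocks(F, P):
    """Brute force by increasing size: a deadlock is minimal iff it contains
    none of the minimal deadlocks already found."""
    found = []
    for k in range(1, len(P) + 1):
        for H in map(set, combinations(sorted(P), k)):
            if is_deadlock(F, H) and not any(D <= H for D in found):
                found.append(H)
    return found

def deadlock_trap_property(F, P, M0):
    """1) every minimal deadlock contains a trap,
       2) the maximal trap of each minimal deadlock is marked for M0."""
    for H in minimal_deadlocks(F, P):
        S = maximal_trap(F, H)
        if not S or not any(M0.get(p, 0) > 0 for p in S):
            return False
    return True

# Constructed net: two processes sharing one lock.
# enter_i : idle_i + lock -> cs_i      leave_i : cs_i -> idle_i + lock
MUTEX_P = {"idle1", "cs1", "idle2", "cs2", "lock"}
MUTEX_F = set()
for i in ("1", "2"):
    MUTEX_F |= {("idle" + i, "enter" + i), ("lock", "enter" + i), ("enter" + i, "cs" + i),
                ("cs" + i, "leave" + i), ("leave" + i, "idle" + i), ("leave" + i, "lock")}

M_OK = {"idle1": 1, "idle2": 1, "lock": 1}   # every minimal deadlock holds a token
M_BAD = {"idle1": 1, "idle2": 1}             # {lock, cs1, cs2} is empty: enter_i can never fire

# Constructed one-place net: {p} is a deadlock that contains no trap.
SINK_F = {("p", "t")}

if __name__ == "__main__":
    for H in minimal_deadlocks(MUTEX_F, MUTEX_P):
        print(sorted(H), "trap:", is_trap(MUTEX_F, H))
    print("property holds for M_OK:", deadlock_trap_property(MUTEX_F, MUTEX_P, M_OK))
    print("property holds for M_BAD:", deadlock_trap_property(MUTEX_F, MUTEX_P, M_BAD))
```

Because the constructed net is ENSeC, Theorem 4.3 lets the positive result for `M_OK` be read as liveness; the negative result for `M_BAD` exhibits an empty deadlock.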

4.2. Necessary Condition

Property 4.4 Let $N = (P, T, F)$ be an ENSeC net, and let $H \subseteq P$ be a deadlock of $N$. $H$ is a minimal deadlock iff the two following conditions hold:
1) $\forall t \in H^\bullet$, $|{}^\bullet t \cap H| = 1$,
2) $H$ is strongly connected.

33 Proof: Necessary condition: From Corollary 2.4, if H is a minimal deadlock, there exists a conflict-free path between any two places of H, hence H is strongly connected. Now, let t be a transition in H 9 such that H contains at least two places, say p and q, in ot. We know that there is a conflict-free path from p to q. t cannot occur in this path because the path contains p and q that are both in ~ and it would not be conflict-free. Hence, the conflict-free path is of the form (p, t 1. . . . . t n, q) with t i ~ t, i = 1 . . . . . n. Now, (t 1. . . . . tn, q, t) is also a path in the net. This path is conflict-free if no place in 9 t occurs in (tl . . . . . tn, q). If such a place (and there can be several ones) occurs, we choose the one, say r, that occurs first in the path. Then (tl . . . . tk, r, t) is a conflict-free path. In both cases, we have a conflict-free path from tl to t. As tl and t are in conflict, the net cannot be an ENSeC net. Sufficient condition: directly deduced from Corollary l in [8]. L e m m a 4.5 Let (N, M0) be a marked ENSeC net. Let L c T be the set of live transitions. There exists a set A of transitions and a marking MA such that : 1) (N \ A, MA) is live 2) L n A = O 3) 3 VA a deadlock of N, empty in MA, such that A c VAO. Proof: We operate by recurrence on the number o f transitions of N. 9 If N has no transition, the net is live by definition. ~ If N has at least one transition : If (N, M0) is live, we define A as the empty set. If (N, M0) is not live, there exists a transition t l, a marking M 1 and a deadlock V1 empty in M such that t! e VlO (Property 4.2). One can note that the live transitions o f (N, M0) remain live in (N, M1). By applying the recurrence hypothesis to the net (N k {t 1 }, M1), we deduce a set A 1 and a marking MA which fullfill conditions (1), (2) and (3). The set A l t J { t 1 } and the marking M A clearly fulfill conditions (1) and (2) for (N, M0). 
The empty deadlock of condition (3) is the union of $V_1$ with the deadlock obtained by the previous step of recurrence.

Theorem 4.6 Let $(N, M_0)$ be a marked live ENSeC net. Then every deadlock contains a trap.

Proof: We operate by recurrence on the number of transitions of N. 9 If N has no transition, every set of places is a trap. 9 If N has at least one transition, we suppose that there exists a deadlock in N which contains no trap. Let H be a minimal deadlock which contains no trap. (a) From Property 2.5, at least one of the two following conditions holds : l) H = {p}. 2) 3 p ~ H s u c h t h a t l p o J > l , 3t'e posuchthatt'onH=O, 3te posuch that H is a deadlock that contains no trap in N \ {t}. If H = {p}, N is obviously structurally not live. We consider now condition (2). (b) Transition t' is live for (N k {t}, M0) :

34

(c)

(a)

If t' is no live for (N \ {t}, M0), from Property 4.2, there exists a marking M1 and a deadlock V1 for (N \ {t}, M0), empty in M1, such that t' ~ VI 9 Let q be a place in ot' n V1, and V2 be a q-minimal deadlock in V1. Transition t is in ~ \ V2o. Otherwise t' is not live in (N, M0). Let q' be a place in to n V2. From Corollary 2.3, there exists a conflict-free path 1 from q' to q in V2. From this path, we deduce a path (t, 1, t') from which we can extract a conflict-free path by taking the first place in 1 that has t' in its postset. Since t and t' are in conflict with respect to p, this conflict-free path contradicts the ENSeC definition. From Lemma 4.5 for (N \ {t}, M0), there exists a set A of transitions and a marking MA such that : 1) (N \ (Au{t}), MA) is live 2) t ' ~ A 3) 3 VA a deadlock o f N \ {t}, empty in M A, such that A c VA o. Let Vp be a p-minimal deadlock in V for N \ (Au{t}). By applying the recurrence hypothesis to the net N \ (Au{t}), Vp contains a trap Sp for N \ (A u {t}).

Live transi!

' places

(e) Sp is not a trap for N, otherwise this contradicts the hypothesis that H contains no trap. Obviously, the presence of t' prevents p from being in Sp. Then, there exists a place r ~ p and a transition tr such that (r, tr)~ F and r ~ Sp. From Property 4.4, tr ~ t, hence tr ~ A. From Corollary 2.3, there exists a conflit-free path in Vp from r to p passing by t'r with t'r ~ ro. We denote lr the conflict-free path from t'r to p. (f) Let u a input place of tr in VA.deduce from Property (3) of step (c) Let V u an empty u-minimal deadlock in V A for N/{t}. As (N, M0) is live, the set V u is not a deadlock in N, hence t ~ Vu 9 and there exists a place v such (t,v)~ F, v ~ Vu. From Corollary 2.3, there exists a conflit-free path in Vu from v to u from which we deduce a conflit-free path lv from v to tr. (g) By concatenation, we obtain a path (lr, t, Iv) from t'r to tr. 9 Let q be a place in Iv. There is no arc (q, b) with b in lr, else b would be in A. 9 We recall that t ~ Vu 9 Suppose that there is no place q in lr having an output transition in Iv. So, it is clear that the path (1r, t, Iv) from t'r to tr is conflict-free. Otherwise, let q the first place in lr having a transition in lv in its postset. We deduce a conflit-free path from t'r to tr. Hence, this conflict-free path contradicts the ENSeC definition.

Corollary 4.7 Let $N$ be an ENSeC net. $N$ is structurally live iff every deadlock contains a trap.

Proof: It is an immediate consequence of Theorem 4.3 and Theorem 4.6.

We are not yet able to conclude about the deadlock-trap property being a necessary and sufficient liveness condition for unbounded ENSeC nets. We know that this property is sufficient, whether the net is bounded or not. We are going to show that it is also necessary if the net is bounded. For unbounded nets, we showed that every deadlock must contain a trap, but we have no information on the marking of this trap.

5 Deadlock and Trap Properties of Bounded ENSeC Nets

The following theorem, as well as its corollaries, are classical properties of bounded Extended Free Choice nets and Non Self-Controlling nets. We show here that these properties also apply to bounded ENSeC nets. From now on, we consider ENSeC nets that have no isolated place ($p^\bullet \neq \emptyset$ or ${}^\bullet p \neq \emptyset$).

Theorem 5.1 Let $(N, M_0)$ be a marked ENSeC net. If $(N, M_0)$ is bounded, the four following properties are equivalent:
1) $(N, M_0)$ is live.
2) Every minimal deadlock is a trap and no deadlock is empty in $M_0$.
3) Every minimal deadlock is a marked state-machine in $M_0$.
4) The deadlock-trap property holds for $(N, M_0)$.

Proof." (1) ~ (2) 9 From Theorem 4.6, every minimal deadlock D contains a trap S. The sum o f tokens in S cannot decrease because of the characterization of minimal deadlocks (Property 4.4) : V t ~ S ~ I ot n S [=1 and the trap definition: V t ~ S9 ] to n S I >1. If SaD, S is a not deadlock, hence there exists a transition in 9 \ S* which increases strictly the sum o f tokens in S. Because N is assumed to be bounded and live, S must be equal to D. 9 Moreover, suppose there exists a deadlock D empty in M0. since there is no isolated places D * u oD =Do ~ O, the transition of D 9 are not live. (2) ~ (3) : If D is a marked trap but not a state machine, there exists a transition t such that I to n D l> 2 which increases strictly the sum of tokens in D. Because N is assumed to be bounded an live, D is necessarily a marked state machine. (3) ~ (4) : Since a marked state machine is a marked trap, then obviously the deadlock-trap property holds for (N, M0). (4) ~ (1) : It is a direct application of Theorem 4.3. A m o n g bounded ENSeC nets, we are only interested in structurally bounded nets. Actually, if the net is not structurally bounded, the following corollary allows us to conclude immediately that it is not live. L e m m a 5.2 Let (N, M0) be a bounded and live ENSeC net. Then every place belongs to a minimal deadlock.

Proof: Let $p$ be a place which is not in a minimal deadlock. This place has at least one input transition, otherwise the net is structurally not live or the place is isolated. Let $M_1$ be a reachable marking such that $M_1(p)$ is maximal ($N$ is bounded). Consider the marking $M_1'$ where $M_1'(p) = 0$ and $M_1'(q) = M_1(q)$ for $q \neq p$. The deadlock-trap property holds for $(N, M_1')$. $(N, M_1')$ is live, hence we can reach a marking $M_2'$ from $M_1'$ with $M_2'(p) \neq 0$. Using the monotony property of the firing rule, the marking $M_2$ defined by $M_2(p) = M_2'(p) + M_1(p)$ and $M_2(q) = M_2'(q)$ for $q \neq p$, can be reached from $M_1$, hence from $M_0$. We have a contradiction with $M_1(p)$ being the bound of $p$.

Corollary 5.3 Let $(N, M_0)$ be an ENSeC net. If $(N, M_0)$ is bounded and live, then $N$ is covered by a set of state machines.

Proof: Follows immediately from Lemma 5.2 and Theorem 5.1 (3).

Corollary 5.4 Let $(N, M_0)$ be an ENSeC net. If $(N, M_0)$ is bounded and live, then $N$ is structurally bounded.

Proof: Follows immediately from Corollary 5.3.

Corollary 5.5 Let $N = (P, T, F)$ be a structurally bounded ENSeC net. $N$ is structurally live iff every minimal deadlock is a trap.

Proof: Necessary Condition: $N$ is structurally live, hence there exists a marking $M_0$ such that $(N, M_0)$ is live. As $N$ is structurally bounded, $(N, M_0)$ is bounded and by applying Theorem 5.1, every minimal deadlock is a trap. Sufficient Condition: Let $M_0$ be a marking such that no deadlock is empty in $M_0$. As $N$ is structurally bounded, $(N, M_0)$ is bounded and by applying Theorem 5.1, $(N, M_0)$ is live. Hence, $N$ is structurally live.

According to Theorem 5.1 and Corollary 5.5, the liveness of a structurally bounded ENSeC net can be checked in two steps. The first one consists in verifying that the net is structurally live, i.e., that every minimal deadlock is a trap. Then, for a given initial marking, liveness is checked by verifying that every deadlock is marked. The second step can be performed in linear time [10].

Hence, we now focus on structural liveness. In Extended Free Choice nets and Non Self-Controlling nets, every strongly connected deadlock is a union of minimal deadlocks [2] [3] [6]. Structural liveness can be checked in polynomial time by looking for a strongly connected deadlock which is not a trap [3]. This is no longer true for ENSeC nets. In the model in Figure 2, $H = \{A, B, P2\}$ is a strongly connected deadlock. But it is not a union of minimal deadlocks: $\{A\}$ and $\{B\}$ are minimal deadlocks in $H$, but P2 is not in a minimal deadlock in $H$. Actually, what we need is not a connectivity defined as the existence of a path between two nodes of the net, but a definition related to the existence of a conflict-free path between two nodes.

Definition 5.1 Let $N = (P, T, F)$ be a net. Let $H \subseteq P$ and let $p$ be a place in $H$. $H$ is p-conflict-free-connected iff for all $q \in H$, there is a conflict-free path in $H$ from $p$ to $q$.

Fig. 2: ENSeC net with a strongly connected deadlock that is not a union of minimal deadlocks

By replacing connectivity by p-conflict-free-connectivity, we obtain properties whose expression is similar to that of classical properties of EFC and NSC.

Theorem 5.6 Let $N = (P, T, F)$ be an ENSeC net. Let $H \subseteq P$ be a p-conflict-free-connected deadlock. Then there exists a minimal deadlock in $H$ containing $p$.

Proof: Let K be the set of strongly connected sets D in H such that p ~ H and V t Do, I ~ n D I = 1. K is not empty. It contains the set {p}. Let D be a maximal set in K. We will prove that D is a minimal deadlock. If D is not a deadlock, there exists a transition tr in ~176 Let r' in the postset of tr and in D. Let r be in the preset of tr and in H (H is a deadlock). There exists a conflict-free path 1 = (p, tl, Pl . . . . tk, r) from p to r in H. By considering the first place Pn in the preset of tr in 1, we deduce a conflict-free path 1' = (p, tl, Pl . . . . tn, Pn, tr) from p to tr. The set D'= D u {Pl Pn} is strongly connected but D' does not fulfill the property V t ~ D' o, I ~ t n D' I = 1. Otherwise, this contradicts the maximality of D in K. Then there exist two places u and v in D' and a transition t ~ in the postsets of u and v. Places u and v cannot be both in D. Otherwise it contradicts the definition of D. Let pj be the last place in 1' such that there exists a place u in D' and a transition t ~ in the postsets of u and pj. Let us consider the different cases: ~ I f t j + 1 ~ D , , then the set D u {Pj+I . . . . . Pn} is in K. This contradicts the maximality of D. ~ If tj+l ~ Do and u ~ D then from the strong connectivity of D, there exists a path 1" from r' to to in D. The path (tj+ 1, Pj+I . . . . tn, Pn, tr, 1") is a conflict-free path from tj+l to t ~ (the places in D u {Pj+I . . . . . Pn} have disjoint postsets). This contradicts the ENSeC definition. 9 If tj+l ~ D~ and u = Pi with i