On the decidability of model checking for several-calculi and Petri nets

On the decidability of model checking for several -calculi and Petri nets Javier Esparza Laboratory for Foundations of Computer Science University of Edinburgh King's Buildings Edinburgh EH9 3JZ e-mail: [email protected]

Abstract

The decidability of the model checking problem for several -calculi and Petri nets is analysed. The linear time -calculus is decidable; if simple atomic sentences are added, it becomes undecidable. A very simple subset of the modal -calculus is undecidable.

1 Introduction Research on decidability issues for Petri nets (or vector addition systems, a closely related model) has a long tradition. Two milestones are the introduction by Karp and Miller of coverability graphs [9] { which can be used to prove, among other properties, the decidability of boundedness { and the proof by Mayr and Kosaraju of the decidability of the reachability problem [12, 10]. A natural next step is to examine the decidability of the model checking problem for temporal logics able to express a large class of properties. This problem was rst studied by Howell and Rosier in [6]; they observed that a linear time temporal logic interpreted on the in nite occurrence sequences of the net is undecidable even for con ict-free Petri nets, a fairly small class. In a subsequent paper [7], Howell, Rosier and Yen showed that the model checking problem for a fragment of this logic can be reduced to the reachability problem, and is thus decidable. This fragment consists of a set of atomic sentences, which can be combined using boolean connectives, and the operator F (eventually). The atomic sentences are of type ge(p; c) (with intended meaning `the number of tokens on place p is greater than or equal to c') or fi(t) (with intended meaning `transition t is the next one in the sequence') . Jancar showed in [8] that for the logic with these basic 1

Actually, the fragment is somewhat larger, but a detailed description is out of the scope of this paper. 1

1

predicates and the operator GF (always eventually), the model checking problem is decidable as well. We analyse in this paper the decidability of several -calculi, logics with xpoint operators [15]. Our three results are:

The linear time -calculus is decidable. The linear time -calculus extended with atomic sentences of the form A = 0 { meaning `the place A contains 0 tokens' { is undecidable, even for formulas with

one single xpoint and a very simple class of Petri nets in which every transition has at most one input and at most one output place. The modal -calculus is undecidable, even for formulas with one single xpoint and the same class of Petri nets.

The third result (which is a small modi cation of Theorem 5.4 in [1]) is not very surprising, because the modal -calculus is known to be a extremely powerful logic, which properly contains many branching time logics such as PDL, CTL or CTL?. Since the decidability of branching time logics seems not to have been explored so far, we complement the paper with a fourth result, unfortunately negative: a rather weak branching time subset of the modal -calculus, which extends propositional logic with possibility operators, is undecidable. The note is organised as follows: sections 2 and 3 contain basic de nitions about Petri nets and the linear time -calculus, respectively. Sections 4 and 5 prove the rst and second results above. Section 6 proves the other two.

2 Petri nets A labelled net N is a fourtuple (S; T; F; l), where

S and T are two disjoint, nite sets, F is a relation on S [ T such that F \ (S S ) = F \ (T T ) = ;, and l is a surjective mapping T ! Act, where Act is a set of actions (surjectivity is assumed for convenience).

The elements of S and T are called places and transitions, respectively. Places and transitions are generically called nodes. Given a node x of N , x = fy j (y; x) 2 F g is the preset of x and x = fy j (x; y) 2 F g is the postset of x. Given a set of nodes X of N , we de ne X = Sx2X x and X = Sx2X x. 2

A marking of a net N = (S; T; F ) is a mapping M : S ! IN . A marking M enables a transition t if it marks every place in t. If t is enabled at M , then its occurrence leads to the successor marking M 0 which is de ned for every place s by 8 > if s 2= t and s 2= t or s 2 t and s 2 t < M (s) 0 M (s) = > M (s) ? 1 if s 2 t and s 2= t : M (s) + 1 if s 2= t and s 2 t (a token is removed from each place in the pre-set of t and a token is added to each place in the post-set of t). A marking M is called dead if it enables no transition of N . A labelled Petri neta is a pair = (N; M ) where N is a labelled net and M is a marking of N . M ?! M , where M , M are markings of N , denotes that M enables some transition t labelled by a, aand thata the marking reached by the occurrence of t a1 2 ?! n M is a nite occurrence sequence leading is M . A sequence M ?! M ?! n a1 :::an from M to Mn and we write M ??! Mn. The empty sequence is an occurrence sequence: we have M ?! M for every marking M . We assume that if two transitions have the same label, then they do not have the same preset and postset. Under this assumption, every label of an occurrence sequence can be uniquely mapped to its underlying transition. Making implicit use of this property, we sometimes speak about the transitions that occur in an occurrence sequence. 1 a2 ::: a2 a1 is an in nite occurrence sequence. We write M ?a??! . M ?! A sequence M ?! 0 A sequence of actions is enabled at a marking M if M ?! M for some marking M 0 (if is nite) or M ?! (if is in nite). An occurrence sequence is maximal if either it is in nite or it leads to a dead marking. The language of , denoted by L(), is the set of words obtained dropping the intermediate markings in the maximal occurrence sequences of . 0

1

2

2

0

1

2

0

1

1

0

0

1

3 The linear time -calculus The linear time -calculus has the following syntax:

::= Z j : j ^ j Oa j Z: where a ranges over a set Act of a actions, and Z over propositional variables.

Formulas are built out of this grammar, subject to the monotonicity condition that all free occurrences of X lie in the scope of an even number of negations. Let Act?, Act! be the set of nite and in nite words on Act, and let Act1 = Act? [ Act1! . A valuation V of the logic assigns to 0each variable X a set of words V (X ) in Act . We denote by V [A=Z ] the valuation V which agrees with V except on Z where V 0(Z ) = A. Given a word = a a : : : on Act1, (1) denotes the rst action of , 1

2

3

i.e., a , and is the word a a : : :. With these notations, the denotation kkV of a formula is the set of words of Act1 inductively de ned by the following rules: kZ kV = V (Z ) k:kV = Act1 ? kkV k ^ kV = kkV \ k kV kOa kV = f 2 Act1 j (1) = a ^ 2 kkV g kZ:kV = [fA Act1 j A kkV A=Z g 1

1

2

3

1

[

]

Observe that the denotation of a closed formula is independent of the valuation; we then use the symbol kk. Let be a labelled Petri net and a closed formula of the linear time -calculus. We say that satis es if L() kk. Notice that, with this de nition of satisfaction, it can be the case that satis es neither a formula nor its negation.

4 Decidability of the linear time -calculus The model checking problem for the linear time -calculus consists in deciding, given a Petri net and a closed formula , if satis es or not. We prove in this section that this problem is decidable. The decision procedure is based on an automatatheoretic characterisation of the logic [16]. We show that there exist two automata A:, B: that accept the nite and in nite words of k:k, respectively. It follows that satis es if and only if L() \ L(A:) = ; and L() \ L(B:) = ;. To decide these two properties we construct Petri net representations of A: and B:, and combine them with in a way similar to the product of automata; it is then easy to show that the two properties are equivalent to two decidable properties of Petri nets. An automaton over an alphabet Act is a fourtuple (Q; q ; ; F ), where Q is the set of states, q the initial state, : Q Act ! Q the transition function and F the set of nal states. Finite and Buchi automata are automata with dierent acceptance conditions: a nite automaton A accepts a word w in Act? if the computation of A on w ends in some nal state; a Buchi automaton B accepts a word w in Act! if the computation of B on w passes in nitely often through some nal state. Dam provides in [3] a procedure to construct, given a formula of a linear time calculus dierent from ours, a Buchi automaton whose language is the denotation of the formula. Dam's version of the linear time -calculus has one single next operator O, instead of an operator Oa for every action a. Given a nite set V of propositional variables, the denotation of a formula with free variables in V is a set of words over the alphabet 2V . The rules de ning the denotation of a formula are like the ones de ned above for :, ^ and greatest xpoints, plus the following rule for the new next operator: kOkV = f 2 Act1 j 2 kkV g 0

0

1

4

We brie y discuss how to adapt Dam's construction to our case. Dam's automaton has as alphabet P (V ) P (V ), where P (V ) is the powerset of V ; the automaton is constructed in a compositional way. A word w is accepted by the automaton if and only if there is an accepting run +1 ;?1 )

+2 ;?2 )

q ???! q ???! : : : such that at the ith point of w all variables in i hold and no variable in ?i holds. For our version of the linear time -calculus, we enrich the alphabet of the automaton to P (V ) P (V ) (Act [ f g), where 2= Act. Dam's construction can now be easily modi ed to take this third component of the alphabet into account. A word w is (

0

(

1

+

accepted by the new automaton if and only if there is an accepting run + ;? ;a1 )

+ ;?;a2 )

1 1 2 2 q ????????! q ????????! ::: such that at the ith point of w all variables in i hold, no variable in ?i holds, and the third component of w at this point is ai. If is a closed formula, we choose V = ;. In this case, the automaton we obtain has just Act [ f g as alphabet. The r^ole of the action is the following: in our case, the Buchi automaton does not accept exactly kk, because kk may contain nite words (for instance, a 2 kOattk), while a Buchi automaton only accepts in nite ones. If kk contains a nite word w, then the automaton accepts w ! . only appears in transitions of the form (q; ; q). (

0

(

1

+

Proposition 4.1

Let be a closed formula of the linear time -calculus over a a set of actions Act. There exist a Buchi automaton B with alphabet Act [ f g which accepts a word w i w 2 kk \ Act! or w = w0 ! and w0 2 kk \ Act?.

Proof:

Use Dam's construction with the modi cations discussed above. It is convenient for our analysis to split the automaton B of Proposition 4.1 into a nite automaton which accepts the nite words of kk and a Buchi automaton which accepts the in nite ones.

Proposition 4.2

Let be a closed formula of the linear time -calculus over a set of actions Act. There exist a nite automaton A and a Buchi automaton B , both with alphabet Act, such that L(A) = kk \ Act?, and L(B) = kk \ Act! .

Proof:

A and B are the same automaton (i.e., they dier only in the acceptance condition), obtained by just removing the transitions of the form (q; ; q) from . 5

We now assign to a given automaton a Petri net. Let A = (Q; q ; ; F ) be an automaton over an alphabet Act. The labeled Petri net A = (S; T; F; M ; l) { with labels on Act { is de ned as follows: 0

0

S T F M (q) l((q; a; q0)) 0

Q f((q; (q; a; q0)); ((q; a; q0); q0) j (q; a; q0) 2 g 1 if q = q

= = = =

0

0 otherwise

= a

It follows immediately from this construction that the nite automaton A accepts a word if and only if is an occurrence sequence of the Petri net A leading to a marking in which some nal state is marked (recall that the places of A are the states of A). Similarly, B accepts a word if and only if is an in nite occurrence sequence such that in nitely many intermediate markings along the sequence put one token in some of the nal states of B. If TF is the set of input transitions of these states, then an equivalent condition is that contains in nitely many occurrences of some transition of TF . Let = (S ; T ; F ; l ; M ), = (S ; T ; F ; l ; M ) be two labelled Petri nets with disjoint sets of nodes. The labelled Petri net = (S; T; F; l; M ) is de ned as follows: 1

1

1

1

1

01

2

2

2

2

2

02

1

2

0

S = S [S T = fft ; t g j t 2 T ^ t 2 T ^ l (t ) = l (t )g F = (S T ) \ f(s; ft ; t g) j (s; t ) 2 F _ (s; t ) 2 F g [ ((S T ) \ f(ft ; t g; s) j (t ; s) 2 F _ (t ; s) 2 F g M (s) if s 2 S M (s) = M (s) if s 2 S l(ft ; t g) = l (t ) 1

2

1

2

1

1

2

1

1

0

1

2

1

2

2

1

1

2

1

2

1

1

01

1

02

2

2

2

1

2

2

2

1

Observe that this product operation is very similar to the usual product of automata. Every marking M of projects onto a marking M of and a marking M of ; moreover, these two projections determine M . Making use of this property, we denote M = (M ; M ). So, in particular, M = (M ; M ). The following lemma is an immediate consequence of the de nitions and the occurrence rule for Petri nets. 1

2

1

1

2

2

1

2

0

01

02

Lemma 4.3

(M ; M ) ?! (M 0 ; M 0 ) i M ?! M 0 and M ?! M 0 . (where M ; M 0 are 0 markings of and M ; M markings of ) 1

2

1

1

1

2

2

2

1

2

2

6

2

1

1

Proof:

()): Let ft ; u g ft ; u g : : : be the sequence of transitions of underlying . Then, t t : : : and u u : : : are sequences of transitions underlying the occurrence sequence in and , respectively. (): Similar to . We can now reduce L() \ L(B) 6= ; to a property of the Petri net B . 1

1

1

2

2

2

1

1

1

2

2

2

Lemma 4.4

L() \ L(B ) 6= ; i B has an occurrence sequence which contains in nitely many occurrences of some transition ft; ug, where u 2 TF .

Proof:

()): Let be a word of L() \ L(B). Then is the sequence of labels of two occurrence sequences in and B ; moreover, contains in nitely many occurrences of some transition u of TF . By Lemma 4.3, is the sequence of labels of an occurrence sequence in B , in which transitions of the form ft; ug occur in nitely often. ((): Let (M ; M ) ?! be an in nite occurrence sequence of B which contains in nitely many occurrences of of some transition ft; ug, where u 2a TF . Bya Lemma a1 B 2 M ?! 3 : : : be ?! M ?! . Let M of 4.3, M ?! is an occurrence sequence . By the de nition of B , each marking Mi puts the full representation of M ?! one token in exactly one place of B , and no tokens in the rest. So each marking Mi is unequivocally associated to a state of B, and the whole sequence to a computation. The state associated to the markings succeeding an occurrence of ft; ug is a nal state of B ; so B accepts . The condition on B of Lemma 4.4 was shown to be decidable by Jantzen and Valk [4]. Yen shows in [17] that it is decidable within exponential space. 01

02

02

02

1

2

02

Lemma 4.5

[17] Let be a Petri net with n nodes, and let T be a set of transitions of . It can be decided in O(2cnlogn ) space, for some constant c, if some in nite occurrence sequence of contains in nitely many occurrences of some transition of T .

Proof:

There exists such an in nite occurrence sequence i there exists a nite occurrence 1 2 sequence M ?! M ?! M such that M M and contains some occurrence of transition of T (then M enables the sequence ! ). This can be expressed as a formula on paths of Petri nets which belongs to the class of formulas de ned by Yen in [17]. Yen shows that any of these formulas can be decided using the space indicated in the lemma. L() \ L(A) 6= ; can also be reduced to a suitable property of A . 0

1

2

1

1

2

2

2

7

Lemma 4.6

L() \ L(A) 6= ; i there exists a reachable dead marking of A which puts one token in some nal state of A.

Proof:

()): Let be a word of L() \ L(A). Then, M ?! M in and M ?! M in A of , and M puts a token in some nal state of ; moreover, M is a dead marking A. By Lemma 4.3, (M ; M ) ?! (M ; M ) is an occurrence sequence of A . Since M is a dead marking of , (M ; M ) is a dead marking of A . ((): Let (M ; M ) ?! (M ; M ) be an occurrence sequence of such that (M ; M ) is a dead marking, and M puts a token in some nal state of A. By Lemma 4.3, M ?! M is an occurrence sequence of A , and therefore 2 L(A). M is a It remains to prove that belongs to the language of , i.e., that M ?! maximal occurrence sequence of . Assume this is not the case. Then there exists an occurrence sequence M ?! a M ?! M 0 . Let t be the transition underlying the occurrence of a. By the de nition of A, a belongs to the alphabet of A, and therefore to the alphabet of A as well. So A contains a transition (q; a; q0), where q is the nal state marked at M . This transition is enabled at M . By Lemma 4.3, ft; (q; a; q0)g is enabled at (M ; M ), which contradicts that (M ; M ) is a dead marking. The existence of the dead marking of lemma 4.6 can be decided by solving an exponential number of instances of the submarking reachability problem [5]. Given a net with a set of places S , a submarking of the net is a partial mapping from S onto IN . The submarking reachability problem is the problem of deciding, given a Petri net = (N; M ) and a submarking P of N , if some reachable marking coincides with P on all the places where P is de ned. The submarking reachability problem is reducible (in polynomial time) to the reachability problem [5]. 01

1

02

2

2

01

02

1

1

1

01

1

02

1

2

2

2

1

2

2

02

2

01

1

01

1

1

2

1

2

2

1

2

0

Lemma 4.7

Let be a Petri net, and let S be a subset of places of . It is decidable if some dead marking of puts a token on some place of S .

Proof:

If M is a dead marking, then for every transition t some input place of t is unmarked at M . The set of submarkings which specify that, for every transition t, some input place of t is unmarked, and moreover that some place of S contains one token, is nite: it contains at most 2jT j jS j elements, where T is the set of transitions of the net. The property of the lemma can then be decided by solving the submarking reachability problem for these sets. The complexity of the reachability problem is still open. The most ecient algorithm is not primitive recursive, while the best known lower bound is exponential space [11]. If exponential space suces, then the complexities of deciding L() \ L(B) = ; and L() \ L(A) = ; are similar. Otherwise, deciding the second property is more involved. 8

Theorem 4.8

Let be a labelled Petri net, and let be a closed formula of the linear time -calculus. It is decidable if satis es .

Proof:

satis es i L() kk, or, by the semantics of negation, i L() \ k:k = ;. By Proposition 4.2, L() \ k:k = ; i L() \ L(A:) = ; and L() \ L(B:) = ;. Use then Lemmas 4.4, 4.5, 4.6 and 4.7.

5 Adding atomic sentences It is well known that Petri nets have less computing power than Turing machines. In particular, it is impossible to construct a Petri net model of a counter. Crudely speaking, the reason why is that Petri nets cannot `test for zero', meaning that there is no way to enable a transition exactly when a place is not marked. If Petri nets are enriched with inhibitor arcs, which add this functionality, they become Turing powerful [14]. Instead of enriching Petri nets, we can enrich the linear time -calculus, and allow it to `test for zero': it suces to supplement the logic with atomic sentences of the form A = 0, meaning `the place A contains no tokens at the current marking'. We show that this addition makes the model checking problem undecidable, even for formulas with one single xpoint and a very small class of unlabelled Petri nets. The proof is by reduction from the halting problem for register machines; it is a modi cation of Brad eld's construction in [1]. Let us start by giving the semantics of the extended logic. We interpret the sentence A = 0 on Petri nets = (N; M ) having a place A. We then extend valuations in the following way: V (A = 0) = f 2 L((N; M )) j M (A) = 0g A register machine R is a tuple 0

(fq ; : : :; qn g; fR ; : : :; Rmg; f ; : : :; n? g) 0

+1

1

0

1

where Ri are the registers, qi are the states with q being the initial state and qn the unique halting state, and i is the transition rule for state qi (0 i n): i is either (i) `Rj := Rj + 1; goto qk ' for some j , k, or (ii) `if Rj = 0' then goto qk else (Rj := Rj ? 1; goto qk0 )' for some j , k, k0. The halting problem for register machines is de ned thus: given a register machine R and a set v ; : : :; vm of nonnegative integers, to decide if the computation of R with the registers initialised to v ; : : :; vm ever reaches the halting state. This problem is known to be undecidable [13]. We de ne a labelled net NR as follows: the places of NR are q ; : : :; qn; R ; : : :; Rm. For every register Ri the net contains two transitions inci, deci, such that inci = 0

+1

1

1

0

9

1

deci = ; and inci = dec = fRi g. The rest of the transitions and the ow relation are determined by the i: if i is of the form (i), then there is a transition i with = fq g and = fq g; and if is of form (ii), then there are transitions i k i i i i ? ? and i such that i = i = fqig, i = fqk g and i? = fqk0 g. Finally, there is a transition halt, such that halt = fqn g and halt = ;. Observe that every transition of NR has at most one input place and at most one +

+

+

0

0

0

output place.

De ne the formula halt(R) as:

Z: Ohalt tt _

i=0:::n j =1:::m

_

j =1:::m

(Oi+ Oincj Z _ Oi? Odecj Z ) (Rj = 0 ^ Oj0 Z )

Theorem 5.1

Let R be a register machine, and let v1 ; : : :; vm be initial values for the registers of R. Let R = (NR; M ) be a Petri net, where M is the marking that puts vi tokens on the place Ri . R halts for these initial values i R does not satisfy :halt(R).

Proof:

R satis es :halt(R) i L(R) k:halt(R)k i L(R) \ khalt(R)k = ;. Let be a sequence of khalt(R)k. It follows from the semantics of the linear time -calculus that = : : :k halt, where every i is of the form i incj , i? decj or i . Moreover, i0 M along the occurrence sequence corresponding to , M (A) = 0. whenever M ?! Such an occurrence sequence simulates a halting computation of the register machine. Conversely, from a halting computation of the register machine we can easily obtain a sequence of halt(R). So L(R ) \khalt(R)k 6= ; i R halts with input v ; : : :; vm. As mentioned above, the transitions of the Petri nets derived from register machines have at most one input place and at most one output place. In particular, they are Petri net representations of Basic Parallel Processes [2]. It seems dicult to nd an interesting class of Petri nets with in nite state spaces, and properly included in the class derived from register machines. Since the formula halt(R) is also rather simple, this undecidability result seems to determine the decidability border rather neatly. +

1

1

0

2

1

1

6 Branching time logics The modal -calculus, has the same syntax as the linear time -calculus (although Oa is usually replaced by hai), but is interpreted on labelled transition systems. Let 10

a T = (S ; ?! a2Act ) be a labelled transition system. Given a valuation V that assigns to each variable a subset of S , the denotation of a formula is de ned by the following

rules:

kZ kV k:kV k ^ kV khaikV kZ:kV

= V (Z ) = S ? kkV = k kV \ k kV a 0 = f[s 2 S j 9s0 2 S :s ?! s ^ s0 2 kkV g = fA S j A kkV A=Z g As in the case of the linear time -calculus, the denotation of a closed formula is independent of the valuation. Given a labelled Petri net = (N; M ), the transition system associated to , denoted by T (), has the set of reachable markings as states; there is a transition labelled by a a between two markings M , M if M ?! M . We say that satis es a formula of the -calculus if M 2 kkV . It is undecidable if a Petri net satis es a formula. It suces to proceed as for the linear time -calculus, but change Rj = 0 into :hdecj itt, where tt is true of every state. To prove it, observe that khdecj ittk are the markings which enable the transition decj , which are exactly the markings that put no tokens on Rj . So, in fact, in the modal -calculus we can `test for zero' without having to add atomic sentences. 1

2

1

2

[

]

0

1

2

1

2

0

In spite of its simplicity, this undecidability result has a consequence which may be a little bit surprising. For the class of Basic Parallel Processes (BPPs), bisimulation equivalence has been shown to be decidable [2]; moreover, since BPPs are image nite, two Basic Parallel Processes are bisimilar if and only if they satisfy the same properties of the modal -calculus. So it is decidable if two BPPs satisfy the same properties. However, the model checking problem is undecidable. The -calculus is known to be an extremely powerful logic. The question arises if some weaker but interesting branching time logic could be decidable. Unfortunately, there is little hope of obtaining such a result: we now show that a very weak branching time logic is undecidable. The logic extends propositional logic with an operator a for each action a of the set Act. The syntax is thus:

::= tt j : j ^ j a a a Formulas are interpreted on a transition system T = (S ; ?! a2Act ). De ne =) as the b ? a relation (Sb2Act?fag ?! ) ?!. The denotation of a formula is a set of states kk 1

2

de ned according to the following rules: kttk = S k:k = S ? kk k ^ k = k k \ k kV kak = fs 2 S j 9s0 2 S :s =a) s0g 1

2

1

2

11

So a means that it is possible to do an action a, and the state reached after that satis es . We prove undecidability by a reduction from the containment problem. An instance of the problem consists of two Petri nets , with the same number of places, and a bijection f between the sets of places of and . f can be extended to a bijection between markings in the obvious way. The question to decide is if for every reachable marking M of , f (M ) is a reachable marking of . Rabin showed that this problem is undecidable; the proof can be found in [5]. Let , and f be an instance of the containment problem; assume without loss of generality that the sets of nodes of and are disjoint. We construct an unlabelled Petri net = (N; M ) in several stages. At each stage we add some places and transitions. For transitions we use the notation X ! Y , meaning that the transition t has the sets X and Y of places as preset and postset, respectively; thus, the ow relation is speci ed at the same time as the set of transitions. If we want to give the transition the name t, we write t: X ! Y . 1

2

1

2

1

1

2

2

1

2

0

Add [ . Add three places A, B , C , and two transitions tAB : fAg [ S ! fB g [ S and tBC : fB g [ S ! fC g [ S . Put one token on A, and no tokens on B and C . For every place s of , add a transition fs; f (s); C g ! fC g. For every place s added so far, with the exception of C , add a transition fsg ! fsg. 1

2

1

2

1

2

1

Every marking M of projects onto a marking M of , a marking M of , and a marking M of the three places A, B and C ; moreover, these three projections determine M . Making use of this property, we write M = (M ; M ; M ); also, we write M as a string of three numbers representing the number of tokens in A, B , and C . Finally, the null marking, i.e., the marking that puts no token in any place, is denoted by 0. The following lemma follows easily from the de nition of . 1

1

2

2

3

1

2

3

3

Lemma 6.1

If (M01; M02; 100) ?! (M1; M2; 001) is an occurrence sequence of , then there exist sequences 1; 2; 3 such that = 1 tAB 2 tBC 3.

We can now characterise the `yes' instances of the containment problem in terms of occurrence sequences of .

12

Lemma 6.2

, , f is a `yes' instance of the containment problem i every occurrence tAB (M ; M ; 010) can be extended to a maximal ocsequence (M ; M ; 100) ??! tAB currence sequence (M ; M ; 100) ???! (0; 0; 001). 1

2

01

1

02

01

02

02

Proof:

()): M is a reachable marking of . Since M is reachable in as well, there exists a sequence tBC such that 1

1

1

2

2

t

2 BC (M ; M ; 001) (M ; M ; 010) ???! Let be a sequence which contains each transition of the form fs; f (s); C g ! fC g 3 M (s) times, and no occurrence of any other transition. We have (M ; M ; 001) ?! (0; 0; 001). By the de nition of , no transition is enabled at the marking (0; 0; 001), and therefore tAB 2 tBC 3 (M ; M ; 100) ????????! (0; 0; 001) is maximal. ((): Let M be a reachable marking of . Then, we have 1

1

02

1

3

1

0

1

0

1

1

tAB 1 (M ; M ; 100) ?! (M ; M ; 100) ?! (M ; M ; 010) for some sequence . So there exists a sequence such that 01

02

1

02

1

02

1

t

AB (M ; M ; 010) ???! (0; 0; 001) is a maximal occurrence sequence. By Lemma 6.1, = tBC for some sequences and . Let 01

02

2

2

3

3

t

2 BC 3 (M 0 ; M ; 010) ?! (M ; M ; 010) ??! (0; 0; 100) We show M 0 = M = M , which proves that M is reachable in . Since occurs after tAB has occurred, no transition of occurs in . So M 0 = M . Since occurs after tBC , only transitions of the form fsg ! fsg for some place s can occur in . Since these transitions remove one token from s and one from f (s), we have M 0 ? 0 = M ? 0. So M 0 = M . To nish the undecidability proof, it suces to encode the characterisation of Lemma 6.2 into the temporal logic de ned above. 1

1

1

02

1

2

2

1

2

2

1

2

1

1

3

3

2

1

1

2

Theorem 6.3

, , f is a `yes' instance of the containment problem i satis es the formula _ ^ :u) tAB (t 1

2

t2T

where T is the set of transitions of .

13

u2T

Proof:

The formula states that every occurrence sequence tAB can be extended to an occurrence sequence tAB leading to a marking at which no transition of is enabled. By the de nition of , this marking can only be (0; 0; 001). Apply then Lemma 6.2. 1

1

7 Conclusions We have examined the decidability of the model checking problem for several -calculi and Petri nets. The decidability border turns out to be rather neat: if we consider only `pure' -calculi, i.e., without atomic sentences, the whole linear time -calculus is decidable, while one of the weakest branching time subsets of the modal -calculus is undecidable. Also, we have seen that the addition of very simple atomic sentences makes the linear time -calculus undecidable, even for formulas with one xpoint and Petri nets in which every transition has at most one input and at most one output place.

Acknowledgements I thank Julian Brad eld, Mads Dam and Colin Stirling for very helpful discussions.

References [1] J. C. Brad eld: Verifying Temporal Properties of Systems. Birkhauser, Boston, Mass. ISBN 0-8176-3625-0 (1991). [2] Soren Christensen, Yoram Hirshfeld and Faron Moller: Bisimulation Equivalence is Decidable for basic Parallel Processes. Proceedings of CONCUR'93, LNCS 715, 143{157 (1993). [3] M. Dam: Fixpoints of Buchi automata. LFCS Report ECS-LFCS-92-224, University of Edinburgh (1992). [4] M. Jantzen and R. Valk: The Residue of Vector Sets with Applications to Decidability Problems in Petri Nets. Acta Informatica 21, 643{674 (1985) [5] M.H.T. Hack: Decidability questions for Petri nets. Ph. D. Thesis, MIT (1976). [6] R.R. Howell and L.E. Rosier: Problems concerning fairness and temporal logic for con ict-free Petri nets. Theoretical Computer Science 64, 305{329 (1989). [7] R.R.Howell, L.E. Rosier and H. Yen: A taxonomy of fairness and temporal logic problems for Petri nets. Theoretical Computer Science 82, 341{372 (1991). 14

[8] P. Jancar: Decidability of a temporal logic problem for Petri nets. Theoretical Computer Science 74, 71{93 (1990). [9] R.M. Karp and R.E. Miller: Parallel Program Schemata. Journal of Computer and System Sciences 3, 147{195 (1969). [10] S.R. Kosaraju: Decidability of reachability in vector addition systems. Proceedings of the 6th Annual ACM Symposium on the Theory of Computing, 267{281 (1982). [11] R. Lipton: The Reachability Problem Requires Exponential Space. Technical Report 62, Yale University (1976). [12] E.W. Mayr: An algorithm for the general Petri net reachability problem. SIAM Journal of Computing 13, 441-460 (1984). [13] M. Minsky: Computation: Finite and In nite Machines. Prentice-Hall (1967). [14] J.L. Peterson: Petri Net Theory and the Modelling of Systems. Prentice-Hall (1981). [15] C. Stirling: Modal and Temporal Logics. In S. Abramsky, D. Gabbay and T. Maibaun (eds.) Handbook of Logic in Computer Science. Oxford University Press (1991) [16] M.Y. Vardi and P. Wolper: Automata Theoretic Techniques for Modal Logics of Programs. Journal of Computer and System Sciences 32, 183{221 (1986). [17] H. Yen: A Uni ed Approach for Deciding the Existence of Certain Petri Net Paths. Information and Computation 96(1), 119{137 (1992).

15