Synthesizing Petri Nets from State-Based Models - CiteSeerX

Synthesizing Petri Nets from State-Based Models

Jordi Cortadella, Michael Kishinevsky, Luciano Lavagno and Alexandre Yakovlev 12 April 1995

Technical Report UPC-DAC-95-09

Synthesizing Petri Nets from State-Based Models Jordi Cortadella

Department of Computer Architecture Universitat Politecnica de Catalunya Campus Nord. Modul D6 08071 Barcelona, Spain Phone/Fax: +34-3-401-6978 / 7055 email: [email protected]

Michael Kishinevsky

Computer Architecture Laboratory The University of Aizu Tsuruga, Ikki-machi, Aizu-Wakamatsu City Fukushima, 965-80 Japan Phone/Fax: +81-242-37-2617 / 2744 email: [email protected]

Luciano Lavagno

Alexandre Yakovlev

Dipartimento di Elettronica Politecnico di Torino Corso Duca degli Abruzzi 24 10129 Torino, Italy Phone/Fax: +39-11-564-4150 / 4099 email: [email protected]

Department of Computing Science University of Newcastle upon Tyne Newcastle upon Tyne NE1 7RU, UK Phone/Fax: +44-191-222-8184 / 8232 email: [email protected]

Abstract This paper presents a method to synthesize labeled Petri nets from state-based models. Although state-based models (such as Finite State Machines) are a powerful formalism to describe the behavior of sequential systems, they cannot explicitly express the notions of concurrency, causality and con ict. Petri nets can naturally capture these notions. The proposed method in based on deriving an Elementary Transition System (ETS) from a speci cation model that can be mapped into a state-based representation. Previous work has shown that for any ETS there exists a Petri net with minimum transition count (one transition for each label) with a reachability graph isomorphic to the original Transition System. This paper presents the rst known approach to obtain an ETS from a non-elementary TS and derive a place-irredundant Petri net. Furthermore, by imposing constraints on the synthesis method, dierent classes of Petri nets can be derived from the same reachability graph (pure, free choice, unique choice). This method has been implemented and applied in dierent frameworks: Petri net composition, synthesis of Petri nets from TSs generated by asynchronous circuits, and resynthesis of Petri nets. The results obtained from the experiments have demonstrated the wide applicability of the method. This work has been supported in part by CICYT (grant TIC94-0531-E), by EPSRC (visiting fellowship grants GR/J72486 and GR/J78334, and research grant GR/J52327), and MURST (project \VLSI Architectures").

1 Introduction Petri Nets ([32, 26], PNs) with transitions labeled by symbols from a given alphabet (so called labeled Petri Nets) have been widely used in numerous applications: design and speci cations of asynchronous circuits [35, 8, 21, 19], resource allocation problem in operating systems and distributed computation [38], performance analysis and timing veri cation [17, 34], high-level design [13]. Petri Nets are popular due to their inherent ability to express both concurrent and non-deterministic behavior. Although checking properties and verifying Petri Nets could be dicult in general, for some subclasses of Petri Nets there are ecient veri cation algorithms. In this paper we will mainly deal with safe Petri Nets (a place cannot contain more than one token). Safe nets have high expressive power, in particular every nite state system can be expressed as a safe labeled PN. On the other hand, safe nets are also well suited for veri cation. State-based models are popular for formal speci cation and veri cation of complex systems (CSP [16], CCS [23, 24], FSMs [12, 20], Burst mode automata [29]). Even the formal semantics for most of the event-based models is given via states. The drawback of state-based models is that they represent in the very same way dierent notions such as causality, concurrency and con ict. On the other hand, it is very important to identify, starting from a at state-based representation, the set of causality relations, concurrent events and con ict conditions implicit in the representation itself, because they carry useful information for the designer or/and design algorithms. In this paper we present a method which given a nite state model, called Transition System (TS) in the following, synthesizes a safe Petri Net with a reachability graph that is either isomorphic to the original TS or isomorphic to a minimized version of the original TS. The synthesized PN is always place-irredundant, i.e., it is not possible to remove any place from the net without violating its behavior. The synthesis method provides us with a technique for transforming speci cations. Given a model which can be mapped into a TS, we can derive a PN which is equivalent to the initial model of the process. In such a way we can create a tool which automatically translates CSP, CCS, FSM, Burst Mode machines and other models into labeled Petri Nets. Also, we can use this tool for transformation of Petri Nets aimed at optimality under some criterion (place count, transition count, number of places, PN graph complexity, etc) or for deriving a net belonging to a given class (safe, free choice, unique choice, etc). This opens up an avenue for building interactive tools where a designer has the possibility to play with a PN-like speci cation, performing equivalent transformations of PNs, and/or transformations of other speci cations into PNs under dierent design constraints and optimization criteria. Figure 1 shows our framework for synthesizing PNs and transforming speci cations. There are well-known algorithms (see, e.g., [11], [19] or [2]) to extract a nite-state representation of the sequential behavior of a synchronous or asynchronous circuit. But a really user-friendly interaction can be achieved only by presenting the designer with a timing diagram -like PN that represents the same behavior, with explicit causality. In the same vein, FSM-based formal veri cation systems ([9, 12, 20]) provide information about property check failures in the form of one speci c execution path in a nite state representation. This may not always be meaningful, as it may contain redundant information. Explicitly extracting a set of such paths (in the form of a nite state system) and presenting a Petri Net-like representation for it would greatly help the designer in the dicult task of nding out where really the problem lies. Apart from interaction with the designer, which is a major motivation for this work, we also address the issue of extracting explicit causal relations in order to be able to apply analysis and synthesis techniques which rely on explicit causality and concurrency information ([30], [17]). Moreover, classical techniques for Petri net composition ([33]) are based on the creation of a \cross-product" between transitions with the same label. Suppose that two PNs N1 and N2 , with n and m transitions labeled with the same name respectively, are composed. The resulting net has 2

FSM PN synthesis CSP CCS

Transition Safe Petri Net System

State Graphs Petri Nets Burst-mode automata Model transformation

Figure 1: A framework for synthesizing PNs and transforming speci cations

m n transitions with the same label, even though some of these are not really needed (i.e., there exists a smaller PN representing the same composed behavior). On the other hand, building the reachability graphs of N1 and N2 and then obtaining back the product net would provide a much easier and intuitive practical method for composition. The notion of regions was introduced by Nielsen et al.[28] (and developed in [3], [5], [25]) as a basic intermediate object between state-based and event-based speci cations. \State" in safe Petri nets is distributed among places: each state is a set of marked places, and each place is marked in a set of states. A region in a Transition System is exactly a set of states, such that transitions in and out of it \mimic" the PN ring behavior (which un-marks predecessor places and marks successor places of a transition). In this way, it is possible to identify regions with places, and construct a PN which has exactly the same behavior (set of labeled ring sequences) as the TS. These papers provide the formal framework for our contribution, but suer from a series of problems: Their contribution was mainly theoretical, aimed at obtaining a canonical representation of the PN, with many places (actually, as many places as could be added without changing the behavior of the net). On the other hand, we strive to minimize the number of places, in order to make the nal Petri Net more understandable by the designer. They did not address the problem of merging and splitting \equivalent" labels (i.e., those labels which model the same event, but must be split in order to yield a valid Petri Net). We for the rst time provide a method for label splitting (after a complete merging step) which seems to satisfactorily solve the problem. They were limited to elementary TS, which are quite restricted, while we can handle the full class of TS by means of transition splitting. In this paper, we present an algorithm for generating a complete set of minimal regions (which are analogues to prime implicants in Boolean minimization) and further for removing redundant regions (this is similar to generating a prime irredundant cover in the minimization). We can either generate all irredundant nets and take minimal among them (an exact minimization of places in PNs) or we can end up with one of the prime place-irredundant nets if searching for a minimal one is too time consuming. 3

The paper is organized as follows. Sections 2 and 3 formally introduce Transition Systems, Petri nets and regions. Section 4 describes the synthesis algorithms in detail, and Section 5 formally proves their correctness. Section 6 proposes extensions of the basic method to cope with a broader class of speci cations. Section 7 shows the experimental results obtained by a practical application of the proposed methodology. Section 8 concludes the paper.

2 Models

2.1 Transition systems

A transition system (TS) is a quadruple [28] TS = (S; E; T; sin), where S is a nite non-empty set of states , E is a set of events , T S E S is a transition relation, and sin is an initial state . The elements of T are called the transitions of TS and will be often denoted by s !e s0 instead of (s; e; s0). The transitive closure of the transition relation T is called the reachability relation between states and is denoted by R = T . In other words, state s0 is reachable from state s if there is a (possibly empty) sequence of transitions from T : = (s; e1; s1); :::; (sk; ek ; s0 ). This is denoted by s ! s0 or simply by s ! s0 , if ethe sequence is not important. We also write s !e and s ! if there 0 0 0 is a state s 2 S such that s ! s or s ! s , correspondingly. Each state is reachable from itself, since we allow empty sequences in the de nition. Furthermore, to be a TS a quadruple TS = (S; E; T; sin) must satisfy the following four basic axioms: A1. No self-loops: 8(s; e; s0) 2 T : s 6= s0 ; A2. No multiple arcs between a pair of states: 8(s; e1; s1); (s; e2; s2) 2 T : [s1 = s2 ) e1 = e2 ] A3. Every event has an occurrence: 8e 2 E : 9(s; e; s0) 2 T ; A4. Every state is reachable from the initial state: 8s 2 S : sin ! s. p1

p2

s1

a

b s3 a

s2

c

c

s4

s5 p4

b

p3

(a)

p1p2 a

b

p2p3 c

p1p3 c p1p6

p2p3 c

p1p3 a c

p2p4

p1p4

p3

p2p6

a

c

b

b c

s6

p2

b

p5

a

b

p1

p1p2p4 a

b

p3

(b)

(c)

p6 (d)

a p3p6 (e)

Figure 2: An example of Transition System (a), the corresponding PN (b), its labeled RG (c), the corresponding EN (d) and its labeled RG (e) A TS can be represented as a arc-labeled directed graph. A simple example of a TS without cycles is shown in Figure 2,a. A TS is called deterministic if for each state s and each label a there can be at most one state s0 such that s !a s0. Otherwise, a TS is called non-deterministic .

4

2.2 Petri Nets

In this section we give a de nition of Petri Nets and Elementary Nets and compare their expressive power. A Petri Net [32, 27] is a quadruple N = (P; T; F; m0), where P is a nite set of places, T is a nite set of transitions, F (P T ) [ (T P ) is the ow relation, and m0 is the initial marking. A transition t 2 T is enabled at marking m1 if all its input places are marked. An enabled transition t may re, producing a new marking m2 with one less token in each input place and one more token in each output place (m1 !t m2 ). A PN expressing the same behavior as the TS from Figure 2,a is shown in Figure 2,b. The sets of input and output places of transition t are denoted by t and t. The sets of input and output transitions of place p are denoted by p and p. The set of all markings reachable in N from the initial marking m0 is called its Reachability Set. The graph with vertices corresponding to markings of a PN and with an arc (m1; m2) in the graph if and only if m1 ! m2 is called its Reachability Graph (RG). A labeled PN is a PN with a labeling function : T ?! A which puts into correspondence every transition of the net with a symbol (called label) from the alphabet A. If no two transitions have the same label (unique labeling), then each transition in the net can be uniquely identi ed by its label. In such case we can use the label as the name of the transition. In the RG of a labeled PN, an arc between markings m1 and m2 is labeled by the label (t) of the transition t, which res between markings m1 and m2 . Such RG is called a labeled RG. One can easily check that the labeled RG Figure 2,c derived for the PN from Figure 2,b is isomorphic to the TS (Figure 2,a). A net is called safe if no more than one token can appear in a place. Safe nets are especially widely used in many applications, since they have simple veri cation algorithms [15] and simple semantics. A net is called a pure net if (p; t) 2 F implies that (t; p) 62 F , i.e., for each transition t the following condition is satis ed: t \ t = ;. A net is called simple if no two transitions t1 and t2 have the same sets of input and output places (i.e., 8t1 ; t2 t1 6= t1 or t1 6= t2 ).

2.3 Elementary Nets

An Elementary Net (EN) is exactly the same as a PN, except that it has a dierent rule for enabling a transition. A transition is enabled at marking m1 if all its input places are marked and no output places are marked. Therefore, a transition observes not only its input but also its output places. If there is at least one output place with a token a transition will wait until all such tokens disappear before it can re (under the condition that input places will have tokens). By complicating an enabling rule it is sometimes possible to get a more compact representation of the same behavior. Figure 2,d shows an EN that represents the same behavior as the PN from Figure 2,b. This EN contains one place and three arcs less than the PN. A labeled RG for the EN is shown in Figure 2,e. It is isomorphic to the TS from Figure 2,a. An EN (or a PN) is called contact-free if for all reachable markings, if a transition t is enabled, then t contains no tokens. Each safe and pure PN is also an EN, since it is never possible for a transition of a safe pure PN to re if the output place already contains a token. Otherwise, there would be two tokens immediately after transition ring. Also, a contact-free EN can be viewed as a safe PN, since in such nets input places alone determine behavior of each transition and the enabling rules of ENs and PNs coincide. A non-contact-free EN can be always transformed to an equivalent safe PN. Such classical transformation is based on including into the net complementary places . A place p1 is complementary to place p2 if p1 = p2, p2 = p1 and the place p1 is marked in the initial marking if and only if p2 is not marked. In the example (Figure 2,b,c) place p4 of the PN is complementary to place p3 of the PN. 5

We can conclude that the place count and the arc count of a safe PN is never more than twice as big as the number of places and arcs in the EN which is equivalent to this PN. Typically, the dierence in size is much smaller. For this reason, and also because safe PNs are used in the applications much often than ENs, we will focus our net synthesis procedure towards safe PNs rather than ENs.

2.4 Equivalence

This paper presents an algorithm for transforming TSs into PNs. The notion of equivalence in such transformation is based on isomorphism of labeled graphs and variations of such isomorphism. Two TSs TS1 = (S1 ; E1; T1; sin1 ) and TS2 = (S2; E2; T2; sin2 ) are isomorphic if there exists two bijections fS : S1 ?! S2 and fE : E1 ?! E2 such that sin2 = fS (sin1 ) and (s; e; s0) 2 T1 if and only if (fS (s); fE (e); fS (s0 )) 2 T2 . A RG of a labeled PN can be always interpreted as a TS and therefore the equivalence of a TS and the corresponding PN can be viewed as an isomorphism of a TS and a RG of the corresponding PN. Often we will consider isomorphism of a TS and a minimized version of another TS. For comparing two TSs with dierent event counts a split-isomorphism is used. Two TS TS1 and TS2 are split-isomorphic if there is another TS TS such that: 1. the underlying graphs of these three TSs are isomorphic, and 2. labels on arcs in TS1 and TS2 can be viewed as two dierent enumerations of events from TS . This enumeration corresponds to assigning instance numbers to the events. For example, if in TS there are three arcs labeled with the same event a, then in TS1 one of these arcs can be labeled with a1, and two others with a2, while in TS2 all three arcs can be assigned dierent instance numbers: a1; a2; a3; : : :. This procedure of assigning instance numbers to dierent occurrences of labels in TS is called splitting . All three notions of equivalence (isomorphism of TSs, isomorphism with a minimized TS, and split-isomorphism) guarantee that two equivalent TSs are bi-similar , which is a stronger condition than language equivalence in general ([23]). This implies, for example, that deadlock and liveness properties are preserved for a PN generated from the TS.

3 Regions

Leta S1 be a subset of the states of a TS, S1 S . If s 62 S1 anda s0 2 S1 , then we say that transition s !a s0 enters S1. If s 2 S1 and s0 62 S1 , then transition s ! s0 exits S1 . Otherwise, transition s ! s0 does not cross S1 . In particular, if s 2 S1 and s0 2 S1 , then the transition is said to be internal to S1 , and if s 62 S1 and s0 62 S1 , then the transition is external to S1 . The notion of a region is central for the synthesis of PNs. Intuitively, each region corresponds to a place in the synthesized PN, so that there is a 1-1 correspondence between states of the region and markings of the PN in which this place has a token. A region is a subset of states with which all transitions labeled with the same event e have exactly the same \entry/exit" relation. This relation will become the predecessor/successor relation in the Petri net. The event may either be always an exit event for the region (case (i) in the following de nition), or always an entry event (case (ii)), or never \cross" the region's boundaries (each transition labeled with e is either internal or external to the region) (the antecedents of neither (i) nor (ii) hold). The transition corresponding to the event will be successor, predecessor or unrelated with the corresponding place respectively. More rigorously, a set of states r S in TS = (S; E; T; sin) is called a region of TS i the following two conditions are satis ed: 6

(i) s !e s0 2 T ^ s 2 r ^ s0 62 r ) 8s1 !e s01 2 T : [s1 2 r ^ s01 62 r], (ii) s !e s0 2 T ^ s 62 r ^ s0 2 r ) 8s1 !e s01 62 T : [s1 62 r ^ s01 2 r]. Let us consider the TS shown in Figure 2. The set of states r3 = fs2 ; s3; s6g is a region, since all transitions labeled with a and with b enter r3, and all transitions labeled with c exit r3. On the other hand, fs2 ; s3g is not a region since transition s1 !b s3 enters this set, while another transition also labeled with b, s4 !b s6 , does not. Similar violations of the region conditions exist for two transitions labeled with a. However, there are no violations for c since both transitions labeled with c exit this set of states. Each TS has two trivial regions: the set of all states, S , and the empty set. Further on we will always consider only non-trivial regions. Let r and r0 be regions of a TS. A region r0 is said to be a subregion of r i r0 r. A region r0 is a minimal region i r0 is not a subregion of any other region of the TS.

3.1 Properties of regions

The following propositions state a few important properties of regions. Property 3.1 If r and r0 are two dierent regions such that r0 is a subregion of r, then r ? r0 is a region.

Property 3.2 [28] A set of states, r, is a region, if and only if its coset r = S ? r is a region, where S is a set of all states of the TS.

Property 3.3 Every region can be represented as a union of disjoint minimal regions. Property 3.1 has been mentioned in [5] for the subclass of elementary TS. We generalize it for the complete class of elementary TS. Property 3.2 was given in [28]. Property 3.3 is a stronger re nement of the corresponding property from [5], which shows that any region can be viewed as a linear combination of the minimal regions. The proofs are given in the Appendix (section A.1). For each state s 2 S we de ne the set of non-trivial regions containing s, denoted by Rs . A region r is a pre-region of event e if there is a transition labeled with e which exits r. A region r is a post-region of event e if there is a transition labeled with e which enters r. The set of all pre-regions and post-regions of e is denoted with e and e respectively. By de nition it follows that if r 2 e, then all transitions labeled with e enter r. Similarly, if r 2 e , then all transitions labeled with e exit r. There are eight non-trivial regions in the TS from Figure 2: r1 = fs1 ; s3; s5g; r2 = fs1; s2 ; s4g; r3 = fs2; s3; s6g; r4 = fs1; s4; s5g; r5 = fs1; s2; s3g; r6 = fs4; s5; s6g; r7 = fs2; s4; s6g; r8 = fs3; s5; s6g. All of these regions are minimal. Pre-regions and post-regions are de ned as follows: a = fr1; r4g; b = fr2; r4g; c = fr3; r5g; a = fr3; r7g; b = fr3; r8g; c = fr4; r6g.

3.2 Excitation regions and switching regions

While regions in a TS are related to places in the corresponding PN, an excitation region [19] for event a is a maximal set of states in which transition a is enabled. Therefore, excitation regions are related to transitions of the PN. A set of states S1 is called a generalized excitation region for event a, denoted by GER(a), if it is a maximal set of states such that for every state s 2 S1 there is a transition s !a . A set of states S1 is called an elementary excitation region or simply an excitation region for event a (denoted by ERj (a)) if it is a maximal connected set of states such that for every state s 2 S1 there is a transition s !a . 7

Since any event a can have several separated ERs, an index j is used for the distinction between dierent connected occurrences of a in the TS. Obviously, the GER for a is the union of all elementary ERs for a. In the TS from Figure 2,a there are two excitation regions for event a: ER1(a) = fs1 g and ER2(a) = fs5g. The corresponding GER for event a is GER(a) = fs1 ; s5g. Similarly to ERs, we de ne switching regions as sets of states reached immediately after the occurrence of an event. A set of states S1 is called a generalized switching region for event a, GSR(a), if it is a maximal a set of states such that for every state s 2 S1 there is a transition ! s. A subset of states S1 is called an elementary switching region or simply a switching region (SR) for event a (denoted by SRj (a)), if it is a maximal connected set of states such that for every state s 2 S1 there is a transition s0 !a s. In the TS from Figure 2,a there are two switching regions for event a: SR1(a) = fs2 g and SR2(a) = fs6 g. The corresponding GSR for event a is GSR(a) = fs2 ; s6g.

3.3 Elementary Transition Systems

3.3.1 Axioms for Elementary Transition Systems

A TS TS = (S; E; T; sin) is called elementary [28] (ETS) if it satis es, in addition to (A1) { (A4), the following two axioms about regions: A5. State separation property: 8s; s0 2 S : [Rs = Rs0 ) s = s0 ]; A6. Forward closure property: 8s 2 S 8e 2 E : [ e Rs ) s !e ] Axiom 5 implies that two dierent states must belong to dierent sets of regions. Axiom 6 implies that if state s is included in all pre-regions of event e, then e must be enabled in s. It is easy to see that the TS shown in Figure 2 is elementary. The TS shown in Figure 3,a is a cyclic elementary TS, while Figure 3,b shows a non-elementary TS. The forward closure property is violated for events a and b. Let us consider event a. The only pre-region of a is region fs1 ; s3; s5; s7g. Therefore e Rs7 , but there is no transition labeled with a from s7 . s1

a

s1

b

s2

s3

b

a

b

b

a

s2

a

s3

s4

s4

c f

c

f

s5

d

s7

a

preregion(a)

s5

e

s6

a

b

d

e

s6

b

GER(a)

s7

s8

s8

(a)

(b)

Figure 3: Examples of elementary (a) and non-elementary (b) TSs It has been shown in [28] that if a TS is elementary, then an EN with a reachability graph isomorphic to the TS can be constructed. Vice-versa, a RG of an EN is always an elementary TS. A similar consideration is valid for safe PNs due to the correspondence between ENs and safe pure PNs which has been discussed in Section 2.3. Hence we can state that: Proposition 3.1 For each elementary TS there exists a safe, pure, and simple PN such that: 8

1. each PN transition is labeled with an event of the TS; 2. no two transitions are labeled with the same event; 3. the RG of the PN is isomorphic to the TS. The procedure given by [28] to synthesize a Petri net from an ETS is as follows: For each event a a transition labeled with a is generated in the PN; For each region ri a place pi is generated; Place pi contains a token in the initial marking m0 i the corresponding region ri contains the initial state of the ETS sin ; The ow relation is as follows: a 2 pi i ri is a pre-region of a and a 2 pi i ri is a post-region of a. A PN which is synthesized following this procedure is called a saturated net, since all regions are mapped into the corresponding places. A saturated net is canonical, however it has a lot of redundancy. As shown in [5], it is enough to consider only minimal regions. The net constructed from all minimal regions is also a canonical form and is called a minimal saturated net . Even a minimal saturated net can be redundant. Many places can still be removed from it while still preserving the required isomorphism between its RG and the ETS. By analogy with logic minimization, a saturated net is like the set of all implicants for a Boolean function, while a minimal saturated net is like the set of all prime implicants . Our goal is to provide a method for constructing an irredundant net with minimal regions , which is similar to an irredundant cover of prime implicants ([6]). Another important drawback of the described procedure is that axioms 5 and 6 do not provide an ecient algorithm for checking elementarity, since they require to derive all the regions and also to check elementarity conditions for each individual state . Our procedures is speci cally aimed at deriving minimal regions by using simpli ed elementarity checks, that admit an ecient implementation.

3.4 Elementary Transition Systems and minimal Transition Systems

In this section we show the relationship between the elementarity of a TS and its minimality. Let us rst recall a few useful de nitions. Two states s and s0 of a TS are equivalent if for every sequence of transitions : s ! if and only if s0 !. Equivalence of states is denoted via s = s0 . A TS is called minimal if it contains no equivalent states. We say that the con uence condition holds for states s and s0 if there is a state s00 which is reachable both from s and s0 [18]. Note that according to the de nition of reachability s00 can coincide with s or s0 . The relation between minimality and elementarity of TS is two-fold: If an elementary TS is not minimal, then for each pair of equivalent states the con uence condition does not hold. If a TS is not minimal and there is a pair of equivalent states for which the con uence condition is satis ed, then the TS is not elementary. This relationship is illustrated by Figure 4. The TS in Figure 4,a is elementary. However, it is not minimal since s4 = s5 and s6 = s7 . Obviously, the con uence condition for these two pairs of states is not satis ed. A safe PN with an RG isomorphic to this TS is shown in Figure 4,b. Places p6 and p7 corresponds to the minimal regions fs4 ; s6g and fs5 ; s7g. These places have no output 9

p1

s1

a

b

s2

a

a

b

s3

d

p2

p3

s4

s5

c

d

e s6

f s7

p6

p4

a

b s3

c

b

b

s5

p2 r1

s3

e

p7

a

s2

d s4

f

e

p1

s2

c

f

s1

s1

a

b r2

s4

e p5

(a)

(b)

(c)

(d)

(e)

f

Figure 4: Minimality and elementarity transitions (the corresponding regions do not serve as pre-regions to any events). Therefore, these places can be removed from the PN without changing its behavior. The RG of the PN without p6 and p7 is isomorphic to the TS shown in Figure 4,c, which is a minimized version of the initial TS (Figure 4,a). Another TS example is given by Figure 4,d. This TS is not minimal and also not elementary, since the state separation property A6 is not satis ed for equivalent states s1 = s3 and s2 = s4 : Rs1 = Rs3 = r1 = fs1; s3g and Rs2 = Rs4 = r2 = fs2 ; s4g. Note that the con uence conditions for equivalent states is satis ed. The PN from Figure 4,e contains two places which corresponds to regions r1 and r2 and two transitions labeled with a and b. Its RG is isomorphic to a minimized version of the initial non-elementary TS. After minimization, the TS from Figure 4 becomes elementary. The problem of minimizing a deterministic TS is equivalent to the state minimization problem for completely speci ed Finite State Machine. The complexity of this problem is O(ns log ns ), where ns is the number of blocks in the equivalent state partition [1]. One possible organization of the PN synthesis algorithm would be to minimize a TS at the rst step and then to work with a minimized version of the TS. However, as indicated by the two examples in Figure 4 we do not need an explicit minimization, because an implicit minimization occurs when regions which do not serve as pre-regions are removed (Figure 4,a-c) or while regions are generated (Figure 4,d,e). In the next section we will present conditions for elementarity which allow for ecient checking and forms the basis for an ecient PN synthesis procedure.

3.5 Elementarity conditions

We rst connect the notions of pre-regions and post-regions with those of excitation and switching regions.

Property 3.4

1. A region r is a pre-region of event a i GER(a) r and GSR(a) \ r = ;. 2. A region r is a post-region of event a i GSR(a) r and GER(a) \ r = ;.

The proof is trivial. This property allows to construct regions which serve as pre-regions starting with excitation regions. This allows for ecient BDD-based implementation (see Section 4.4). The following property helps in performing ecient PN synthesis. 10

Proposition 3.2 If a TS is elementary, then the following three conditions are satis ed: T 1. Excitation closure. For each event a: r2 a r = GER(a); 2. Event eectiveness. For each event a: a = 6 ;;

3. If the TS is not minimal, then for each pair of equivalent states the con uence condition does not hold. If a TS is minimal and the excitation closure and the event eectiveness conditions are satis ed, then the TS is elementary. The proof is given in the Appendix (section A.2). Let us consider again the non-elementary TS from Figure 3,b. This TS is non-elementary, because the excitation closure condition is violated for a and b. For example, ER(a) = fs1 ; s3; s5g, while the only pre-region of a, fs1 ; s3; s5; s7g, is a proper superset of ER(a). According to Proposition 3.2, if the generated PN has an RG which is minimal, then only the excitation closure and the event eectiveness conditions must be checked to verify the elementarity of a TS. The event eectiveness condition is trivial to check. The major new result, yielding our new synthesis procedure, is the excitation closure condition.

4 Petri net synthesis The skeleton of the algorithm for synthesis of a PN is given by the following pseudo-code.

begin repeat /* Generation of pre-regions and label splitting */ split := false; for each e 2 E do e = generate min pre-regions (e); if : excitation closure ( e) then split labels (e); split := true;

end if end for until : split; end

nd irredundant cover; map to PN;

The input of this algorithm is a TS. The output is a PN which is equivalent to the initial TS. The type of equivalence can dier depending on the properties of the TS. If the initial TS is elementary and minimal, then the RG of the PN is isomorphic to the TS. If the TS is elementary

and not minimal or it is not elementary, but becomes elementary after minimization, then the RG of the generated PN is isomorphic to the minimized TS. Finally, if the TS is not elementary after minimization, then the RG of the PN is split-isomorphic to the TS. The details of the actual implementation are given in Section 4.4. Here we only give a rough sketch of the procedures. The function generate min pre-regions generates all minimal regions which serve as preregions for one event. These minimal regions are called minimal pre-regions. Minimal regions which are not pre-regions are not needed, since a PN with a minimized RG is generated (see section 3.4). Also, non-minimal regions are not needed, since according to [5] a minimal saturated net has an RG which is isomorphic to the initial elementary TS. Although the original proof was given for a 11

subclass of ETS, called Condition Event Transition Systems, the result can be trivially generalized to the whole class of ETS. The function find irredundant cover produces an irredundant set of regions. From this set a place-irredundant net is generated. This function is discussed in section 4.2. The function split labels performs the splitting of labels if the minimized version of the initial TS has been found to be non-elementary. This function is discussed in section 4.3. Other means of handling non-elementary TSs, based on using self-loops and dummy transitions, are discussed in section 6. The function map to PN is the nal step for constructing a PN from the set of regions, which has been described in section 3.3.

4.1 Generation of minimal pre-regions

Informally, the function generate min pre-regions is as follows.

generate min pre-regions (e) begin e = ;; expand states (GER(e), e); end; expand states (r,R) begin

/* r is the set of states to be expanded */ /* R collects all regions generated */

if r is a region then R = R [frg; return; /* since any region expanded from r would not be minimal */ end if; nd e 2 E violating some region condition in r; r0 = r [ f1st. set of states to legalize eg; 0 expand states (r ,R);

end

/* For some conditions the set of states must be expanded in two directions (see appendix A.3) */ r0 = r [ f2nd. set of states to legalize eg; expand states (r0,R);

4.2 Irredundant regions

Once all minimal pre-regions have been calculated for all the events of the TS, a minimal saturated net can be derived directly (see section 3.3). However some of the regions may be redundant, i.e. the Petri net would have the same behavior even if the corresponding places were removed. The concept of minimal region in a TS plays the same role as prime implicants in Boolean minimization. Finding an optimal place-irredundant net is similar to nding a minimum-cost cover of prime implicants for a Boolean function. Let R be a set of regions such that both the excitation closure condition and the event eectiveness condition hold (the set of all minimal pre-regions of an elementary TS satis es these two conditions). Note that if R satis es the event eectiveness condition, and some regions are removed from R so that the excitation closure condition is still holds, then the event eectiveness condition 12

s1

a

b s5

s2 s3

e

f

d

b

a

b

r0

r2

r0

r2

d

c

c

d

c

a

r1

r3

r4

r6

s6

r5

d r1

r3

r4

r7

r7

c

s4

e

s7

f

r8

e

(b)

(a)

r8

f

(c)

Figure 5: (a) Transition system. (b) Minimal saturated net. (c) Place-irredundant net. pre-region

=f 2=f 4=f 6=f 8=f

r0 r r r r

g s 2 ; s3 ; s5 g s 3 ; s5 ; s7 g s 3 ; s4 ; s7 g s1 g s 2 ; s5 ; s6

events

pre-region

=f 3=f 5=f 7=f

c

r1

d

r

d; f

r

e; f

r

g s2 ; s 3 ; s4 g s5 ; s 6 ; s7 g s4 ; s 6 ; s7 g s2 ; s 4 ; s6

events c; e e f e; f

a; b

Table 1: All minimal pre-regions of the transition system depicted in Figure 5,a is remains satis ed. Therefore, we need to monitor only the excitation closure condition, while removing redundant regions. A set of regions R is called redundant if there is a region r 2 R such that set of regions R ? r still satis es the excitation closure (and therefore also the event eectiveness) condition. Otherwise R is called irredundant . A region is said to be essential when it cannot be removed from any set of regions without violating the excitation closure of some event. We will illustrate how an irredundant set of places can be calculated by means of the example of Figure 5. Table 1 presents all minimal pre-regions of the TS. As a preliminary step, essential regions are calculated. A region r is essential if there exists a state s and an event e such that r 2 e, s 62 GER(a) and for all r0 2 e, r0 6= r we have s 2 r0 (i.e., r is the only region that removes from the intersection of pre-regions a state in which e is not enabled). For example, for event c we have c = fr0; r1g; GER(c) = fs2 ; s6g = r0 \ r1 In this case, both r0 and r1 are essential, since none of them can removed from c without violating its excitation closure. Similarly we can deduce that r2, r4 and r8 are also essential (r2 and r4 are essential for d and r8 for a; b). Thus we have four non-essential regions: r3, r5 , r6 and r7. Next, for each event with non-essential pre-regions (e and f in the example), all minimal covers are implicitly generated. To reduce the complexity of the problem, essential regions are included in each cover. For event e, we have two minimal covers: fr6g and fr3; r7g. For event f we also have two minimal covers: fr7g and fr5; r6g. Finding a minimum cost cover can be posed as nding a minimum cost solution of a Boolean equation describing the covering conditions. The equation corresponding to the example is as follows: (r6 + r3 r7) (r7 + r5 r6) = 1 13

b

r1 a

r2

a

b

GER(a)

b"

b c

c

b

b’

a

b

c

b c

a c’

c

(a)

(b)

Figure 6: (a) Selection of a set of states to force the excitation closure. (b) Forcing a set of states to be a region by means of label splitting. A cost must be assigned to each region, according to the objective function to be minimized, which depends on the application. For example, if we want to minimize the total number of places and arcs (a heuristic measure of the \simplicity" of the PN), then we can assign to each place p a cost of j pj + jp j + 1 If we want to minimize only the number of places, then the cost of each place is 1. In our case, cost(r3) = cost(r5) = 3; cost(r6) = cost(r7) = 4 and two minimum-cost covers exist: fr3; r7g and fr5; r6g (the former is shown in Figure 5,c). There is another possible solution (fr6; r7g), but it has non-minimum cost. A BDD-based method similar to that of [22] has been implemented. When the number of non-essential regions is too large, some regions are greedily eliminated until the covering problem becomes manageable.

4.3 Label splitting

The set of minimal pre-regions of an event a is calculated by gradually expanding GER(a) to obtain sets of states that do not violate the \entry-exit" relationship. When the excitation closure is not ful lled (see proposition 3.2), i.e. \ r 6= GER(a) r2 a

some events must be split to make the TS elementary. This situation is illustrated in Figure 6,a. Event a has two minimal pre-regions (r1 and r2 ) and their intersection is larger than GER(a). The strategy to split events is as follows. During the expansion of GER(a) towards the preregions of a, several sets of states are explored. We focus our attention on those sets of states S such that \ r GER(a) S r2 a

For each of these sets of states, the number of events that violate the region conditions are calculated. Finally, the set that has the least number of \bad" events is selected. If several sets have the same number of \bad" events, the smallest one is selected. The selected set of states is then forced to be a region. Informally, this is done by splitting the labels of those events that do not ful ll the region conditions. An example is depicted in Figure 6,b. 14

4.4 Representation of a transition system and its regions

The proposed method requires a broad exploration of sets of states of a TS. Moreover, operations such as intersection, inclusion and equality among the explored sets must be executed often. An ecient representation of the TS and its states is thus crucial to cope with the complexity of such operations. Given an appropriate encoding of the states of the TS [31], we have chosen to use Ordered Binary Decision Diagrams [7] to represent sets of states (by means of characteristic functions) and the TS (by means of the disjunction of transition relations, one for each label). The algorithms to manipulate the sets of states of the TS are based on symbolic techniques for veri cation of sequential machines [11].

5 Correctness of the algorithms In this section we prove that our algorithm for synthesis of a PN from a TS is eective and correct, i.e., given a TS it always produces an equivalent place-irredundant safe Petri Net. The result is based on the following propositions (detailed proofs are given in the Appendix). First of all, we show that our algorithm will not miss any minimal pre-region. Proposition 5.1 The function generate min regions generates all minimal pre-regions of the elementary TS. The following statement shows that we will not miss any behavior (labeled ring sequence) of the net by removing redundant regions (and the corresponding places). Proposition 5.2 Let N and N 0 be two labeled PNs derived from0 the elementary TS such that N is a net corresponding to the set of all minimal pre-regions and N corresponds to a set of irredundant regions. Then labeled RGs for N and N 0 are isomorphic. Correctness of the splitting procedure is based on the following consideration. The strategy for splitting ensures that, with the new labeling, there will be one pre-region smaller than the intersection of the pre-regions with the former labeling. Next, pre-regions are re-computed, and excitation closure is veri ed. If the closure test fails, the procedure is executed again. This strategy converges monotonically, and in the worse case splits all the labels, so that each state of the TS trivially becomes a region. For practical examples, only one or two iterations are usually required to converge. Obviously, the PN obtained after any splitting is split-isomorphic to the initial TS. These arguments, together with the result from [5] on isomorphism between a minimal saturated net and an elementary TS, immediately imply the correctness of our algorithms.

6 Modi cations of the basic synthesis method In this section, we consider how our synthesis method can be modi ed in accordance with some practical modelling requirements that may be imposed by real-life design. Firstly, we look at the way the class of TSs and PNs is extended to include some non-elementary TSs without using the label splitting technique. Secondly, we demonstrate how our synthesis framework may be customized to satisfy the requirements of generating a speci c class of Petri nets. In particular, we are interested in synthesizing free-choice and unique-choice PNs, a class of nets allowing ecient algorithms for their veri cation and circuit implementation. As we have already noted, there are no principal limitations on our ability to derive a PN from a TS, even if the original TS is not elementary. Such a TS can always be made elementary by splitting labels (see Section 4.3). Splitting labels may however not be a satisfactory solution to the problem, especially when the designer wants to depict concurrency between events in explicit form. Indeed, in many cases, split labels eectively reduce concurrency between events to their 15

nondeterministic interleaving. The latter, from the practical point of view, can be rather obscuring and, in some cases, prevent further transformations of the PN model. In this section, we demonstrate how the TS elementarity conditions, presented in Section 3.3, can be extended to a wider class of synthesized models, e.g., non-pure PNs (i.e., PNs with self-loop places). Furthermore, it appears quite easy to relax one of the basic axioms of a TS, axiom A2 (no multiple arcs between state pairs). Such extensions allow us to preserve our region derivation techniques and therefore do not aect much the overall net synthesis process. Finally, introducing dummy events, i.e., events whose occurrence cannot be observed through the normal labeled trace equivalence (dummy events are equivalent to silent actions in [23]), presents a very ecient way to synthesize PNs with true concurrency. Further, in Section 7 we show the practical signi cance of these extensions { deriving a PN speci cation of a stage control circuit in a counter ow pipeline. The original description [36] of the stage control was a non-elementary TS. As a result of our PN synthesis, we obtain an implementation of the stage control, by means of syntactic transformation of the PN model to a two-phase [37] asynchronous circuit. Avoiding excessive formalism, our discussion will signi cantly rely on the use of some \real" design examples.

6.1 Non-pure nets

Consider the following example. A cell of a token-ring arbiter, together with its behavioral description, in the form of a TS, is shown in Figure 7,a,b. The meaning of this behavior should be obvious. Whenever token arrives in the cell (event Tin ), there is a check of whether the local request (event R) has been received or not. In the former case (state s4), a grant is issued (event G) and the token is locked in the cell until it is released by a done signal (event D), which allows it to propagate further (event Tout ). R Tin

G

D Tout

Token-ring arbiter cell

Tin

(a) Tout s2

R r3

r5

Tin

s4 G r1

ER(Tout)

Tin r3

R r3

G

Tout r4

r2

r5

r1

G

Tout

s3

R

R

r1

s1

Tin

r5

r4

r2

D

D

D s5

(c)

(d)

(b)

Figure 7: Synthesis of non-pure PNs: token-ring arbiter example. (a) Structural view. (b) Nonelementary transition system. (c) Net with a self-loop place. (d) Inhibitor net. This TS is not elementary. It does not satisfy the excitation closure condition for event Tout . Indeed, the only pre-region for this event is region r1, shown in Figure 7,b. It contains states s2 and s4 is therefore not equal to the excitation region for Tout : ER(Tout) = fs2g. Observe that the main reason for this problem is a con ict between events R and Tout , which is asymmetric. In this con ict, ring R in state s2 disables Tout (the latter is not enabled in s4 ), whereas ring Tout does not aect R, which remains enabled in s1. Intuitively, it is clear that such a con ict can be modelled at the PN level by a self-loop arc between the \con ict" place (the place which is predecessor to both R and Tout ) and the \disadvantaged" event (Tout). 16

More formally, to deal with such cases, we de ne the following new type of relationship between a region and an event. A region r is called a self-loop region for event a i r 62 a and GER(a) r. The set of self-loop regions for a is denoted by a . It is clear that a self-loop region does properly include all transitions of event a in the TS. Therefore it is most natural to associate such a region with a PN place which is connected to the transition labeled a by both incoming and outgoing arcs, depicted by a single bi-directional arc. Using such an arc makes the PN non-pure, according to the de nition given in Section 2.2. Since a self-loop region does not constrain the excitation condition more than it is necessary (the GER(a) is included in a ), it is possible to make the following modi cation (generalisation) of the excitation closure T condition: For each event a: r2( a[ a ) = GER(a). This new condition allows us to extend the class of TS that can be used for PN synthesis; the actual synthesis framework remains exactly the same. In the above example, we use the modi ed excitation closure condition for event Tout , for which r5 is a self-loop region. We thus obtain the non-pure PN shown in Figure 7,c. From the practical point of view, it is obvious that unrestrained use of self-loop regions may generate inecient solutions since the set of such regions for each event can be quite large. The synthesis procedure resorts to the generation of self-loop regions 1 and checking the modi ed excitation closure condition only if the ordinary excitation closure condition cannot be satis ed for an event. Furthermore, the actual process is essentially controlled by the designer, who might wish to avoid working with self-loop regions and prefer the label splitting option instead. The scope of the use of non-pure nets can be quite large, especially in speci cations of circuits with asymmetric con icts [10]. For instance, all con icts between input and non-input signal events are essentially asymmetric, since an input event, produced by the environment, cannot be disabled by a non-input one.

6.2 Inhibitor nets

The above idea of self-loop regions can also be applied 2 in its dual form, giving us a way to synthesize inhibitor nets. In an inhibitor net, a place can be connected to a transition by the so called inhibitor arc; the place itself is called an inhibitor place for the given transition. The enabling rule for such a transition changes in such a way that it is enabled only if none of its inhibitor places is marked with tokens. Such nets can often provide a more concise representation of behavior with conditional concurrency than ordinary PNs. Note, however, that any inhibitor net with bounded marking of its inhibitor places can always be transformed to an equivalent ordinary PN. Such transformation adds to the net the so called complementary places, thus increasing the net's size. Thus, the regions that are not pre-regions of an event can be used as inhibitor places for this event. Formally, a region r is called an inhibitor pre-region for event a i r \ GER(a) = ;. The set of inhibitor pre-regions for a is denoted by a^. In the above Figure 7,b, regions r2 and r3 are examples of the inhibitor pre-regions of Tout . Similar to self-loop regions, an inhibitor pre-region may help to satisfy the excitation closure condition, by \masking" the part of the pre-region intersection which excitation region T is not in the of the event. Formally, an inhibitor pre-region r is useful if r \ (( r2 a ) ? GER ( a )) 6= ;. Obviously, T it is better to select those of them that maximize the number of states in ( r2 a ) ? GER(a) covered by them. We can therefore apply T the generalized excitation closure in its modi ed form: For each event a: r2( a[ a [a^) = GER(a). In our example, region r3 is the only useful inhibitor pre-region for Tout . It should however be applied as an alternative to the self-loop r5. The synthesized inhibitor net is shown in Figure 7,d. 1 2

Note that in some cases such regions may not even be minimal regions. This was noticed by Maciej Koutny.

17

6.3 Non-simple nets

Another extension is concerned with the axiom A2 (Section 2.1) of a TS, which is directly related to the property of simplicity of a PN (see Section 2.2). Note that A2 can be violated with respect to some pair of events, e1 and e2 , in two cases. Case 1. Let the violation of A2 be \consistent". That is, if A2 is violated for some states s and s1: (s; e1; s1) and (s; e2; s1), then for any pairs of states with transitions labeled with e1 we have a corresponding transition labeled with s2 and vice versa. For this case, we can easily derive all pre- and post-regions for one of the two events, and then, by consistency, just copy them for the other event. Thus, both the elementarity check and our PN synthesis procedure remain the same. Case 2. Inconsistent violation of A2, that is under the condition that there exist s; s1 : (s; e1; s1) and (s; e2 ; s1), we have that there is also some transition in which only one of the events e1 and e2 (say, e1 ) is involved. It is quite obvious that Case 2 cannot be treated in the same way as Case 1, since it is not possible to construct regions and a PN according to our de nitions. Indeed, in a PN, two transitions whose ring changes marking m to marking m0 , regardless which transition res, must always have the same predecessor and successor places. This would contradict to the assumption Case 2. It is therefore possible to extend the class of synthesizable TS only to those in which events violating A2 are inseparable (it is most natural to call such events twins ), and hence generate non-simple PNs.

6.4 Dummy events

Dummy events, i.e., events whose ring produces no visible eect on the trace semantics (the language generated on non-dummy labels) of the speci cation, can be viewed as yet another (in addition to label splitting) way to reduce a non-elementary TS to elementary form. In this transformation we rely on the fact that the bi-simulation equivalence is preserved when a dummy event is introduced [23] into the TS. We illustrate the eect of introducing dummy events using another practical design example. The TS shown in Figure 8,b de nes the behavior of a cell of a cascaded \non-resetting" arbiter. A brief idea of the action of this arbiter, whose structural view is captured by Figure 8,a, is as follows. Whenever one of two requests, R1 or R2 arrives from the lower level cascade, a request is generated to the higher level. This request should eventually \bring" a grant to this level (both actions, which take place on handshake (R; G) are represented by a single compressed action RG+ for brevity). Then this grant is routed to either G1 or G2 depending on which of their requests has arrived rst (internal meta-stability would have been resolved if both requests arrived simultaneously). R1+

R1+

R2 G2

NR Arb Cell

(a)

G1+

R

R2+

s2

G

R1-

s3

R2+

G1+

R2+ R1-

G1- RGR2+

s5

G1-

s4

R1+ R2-

G2-

R2+ RG+

RG-

R2+

s5

R2-

G1-

R1+ RGR1+

s6

G1-

R1-

s3

R1+ G2+ RG+ s8 G2+

R2+

s2

R2+ R1+ s1 R2+ RG+

RG+

R1 G1

s0

s0

G2-

s7

s6’

G1R2+

G2-

s7

RG-

s1

G1+

G2+ dummy

R1-

G1-

s8

R2-

RGG1-

(c)

(b)

R1-

s6 dummy

R2+

G2-

(d)

Figure 8: Synthesis of PNs with dummy events: non-resetting arbiter example. (a) Structural view. (b) Non-elementary transition system. (c) Net with dummy event and inhibitor place. 18

Then, unlike in a \classical" cascaded arbiter cell, when a corresponding request from the lower level is reset (e.g., event R1? occurs), the arbiter checks if the opposite request has already arrived. If so (state s6), the request to the higher level remains set (this is why the arbiter is called \nonresetting"), keeping the token inside, and when the grant to the rst request is reset (event G1?), the arbiter is immediately ready to serve the second request (see transition from s6 to state s8). If, by the time of the occurrence of event R1?, the other request has not arrived (state s3) the handshake with the higher level must be reset, and the arbiter enters state s5, in which two actions G1? and R2+ can happen in any order. This TS is non-elementary. Consider the main sources of non-elementarity. For this, it would be convenient to focus on a fragment of the TS shown in Figure 8,c. There are two aspects of non-elementarity concerned with speci c events. One is due to RG?, which is enabled only in s3, whereas its pre-region includes also s6 (let alone two states in the right hand side of the TS, in a symmetric fragment). Hence, the excitation closure for RG? is violated. This can be resolved by the techniques described earlier, namely either self-loop or inhibitor regions. For example, as a useful inhibitor pre-region of RG? we can take the post-region of the events R1+ and R2+. The other problem is due to two dierent types of ordering involving events R2+ and G1? (similarly with R1+ and G2?). The TS puts them either in sequential order (sequence s3; s6; s7), or in parallel (the \diamond" formed by s5; s0; s7; s1). With this two types of ordering, it is impossible to derive a pre-region for G1? consistently legalized with respect to the other event R2+ without including both s3 and s6. This produces the excitation closure violation since the s3 does not belong to the ER(G1?). It can be observed without much diculty that neither of the above techniques, based on selfloop and inhibitor regions, can help here. Indeed, there is no inhibitor region r for G1? (i.e., such that r \ ER(G1?) = ;) that would have been useful for this violation. To be useful, r must include s3 and exclude s6. However, for that r must be an exit-crossing region for R2+. Hence it must also contain states s5 and s0. But s5 belongs to ER(G1?), which contradicts to the fact that r is an inhibitor region for G1?. We can now easily generalize that in any TS with the combination of ordering relations (e.g., \precedence" and \diamond"), the excitation closure violation cannot be resolved by any of the modi ed conditions. If we, however, split state s6 into two states s6 and s60 , as shown in Figure 8,c, with a dummy event in between, we obtain a TS in which the second excitation closure problem will no longer exist. Applying the approach of the preceding subsections, we can now derive an inhibitor net with a dummy event, which is shown in Figure 8,d3. A net with self-loop places could be derived alternatively.

6.5 Synthesis of unique-choice and free-choice Petri nets

Let N = (P; T; F; m0) be a Petri net. A place p 2 P is called free choice (FC) if

jp j > 1 ^ 8t 2 p : j tj = 1 which means that the enabling condition of successor transitions in con ict depends only on the marking of the place. A place p 2 P is called unique choice (UC) if [jp j > 1] ^ [8t1 ; t2 2 p; t1 [ t2 6= fpg : t1 and t2 cannot be enabled simultaneously] This net is actually more complex than may seem at rst. It is 2-safe with respect to the place which is successor for both R1+ and R2+, and some intuition has been used to build its upper part. With the techniques developed in this paper, the upper part, which models the so-called OR-causal behavior between events R1+, R2+ and RG+, would be synthesized by the event splitting mechanism. This example, therefore, has more potential for further research. 3

19

which means that con icts between successor transitions are not possible in any reachable marking. A Petri net is called free choice if 8p 2 P : jp j > 1 =) p is free choice A Petri net is called unique choice if 8p 2 P : jp j > 1 =) [p is free choice _ p is unique choice] In this section, and for the sake of brevity, we will indiscriminately use place/region and transition/event as equivalent concepts. We will also apply the concepts free-choice and unique-choice to regions.

Unique-choice nets

The strategy to generate a UC net consists of avoiding those situations in which a place p has more than two successor transitions, t1 and t2 simultaneously enabled, with j t1 j > 1 and j t2 j > 1. This is solved by forcing a unique predecessor for those transitions. Informally this is achieved as follows: for each pair of transitions t1 and t2 Calculate r = GER(t1 ) \ GER(t2 ) Force r to be a (free choice) region by means of label splitting After label splitting we have r = GER(t1 ) = GER(t2 ), r being a region and, therefore the only pre-region of t1 and t2 . This is done prior to the calculation of pre-regions for each event.

Free-choice nets

In the case of generating FC nets, we must pay attention to those pairs of transitions such that j t1j > 1 and j t2j > 1 with t1; t2 2 p. Two dierent cases can be distinguished: 1. GER(t1 ) \ GER(t2 ) 6= ;. 2. GER(t1 ) \ GER(t2 ) = ;. For the rst case, the same procedure as for UC nets must be applied. The second case is solved for each transition t1 and t2 (denoted as t below) as follows: Calculated S = T( t ? nfc(t)), nfc(t) being the set of minimal pre-regions of t that are not free choice. S is the intersection of all pre-regions with only one successor event. Consider S as the intersection of the pre-regions of t and perform label splitting if S 6= GER(t). In case S = ; (i.e. all pre-regions are non-free choice) GER(t) is forced to be a region. This strategy guarantees that the excitation closure will be always ful lled with all choices being free-choice. The rest of the synthesis method for UC and FC nets remains the same.

7 Applications Table 2 describes the results of the application of our algorithms to the synthesis of Petri nets from transition systems obtained from speed-independent circuits. This can be used to produce a userreadable description of the functionality of a circuit, in the form of a timing diagram-like labeled Petri net (a Signal Transition Graph, STG). All CPU times are in seconds on a SUN SPARC 10 workstation. Table 3 describes the results of the application of our algorithms to the minimization of a given labeled Petri net. P, T, F and M are the numbers of places, transitions, arcs and markings respectively. 20

circuit signals state places transitions arcs markings CPU unsafe 5 22 15 12 34 22 2.8 a4 t o1 8 20 18 16 40 20 3.3 a 10 dr2 50 9408 128 100 336 9408 6864.5 a 11 sen 19 85 44 38 93 85 31.2 dags55 19 130 43 38 342 130 9086.7 Table 2: Synthesis of Petri nets from speed-independent circuits. example

P alloc-outbound 17 clock 10 d 20 espinalt 27 fair arb 13 future 31 gcd-ra 66 intel div3 8 intel edge 28 isend 56 lin edac93 14 master-read 36 pe-rcv-ifc 43 pulse 12 rcv-setup 14 vme read 41 vme write 49

initial PN T F M 18 36 17 10 20 10 20 44 20 25 57 27 20 40 13 28 62 36 58 136 3240 8 16 8 36 72 28 44 116 53 12 28 20 26 72 8932 38 96 46 12 24 12 15 32 14 32 84 255 36 100 821

P 15 9 13 23 11 18 48 7 15 24 10 33 26 7 11 38 44

nal PN T F 14 37 7 27 11 44 20 52 10 33 16 38 42 114 5 20 16 132 19 105 8 22 26 66 21 118 6 20 12 26 27 114 32 139

CPU M 16 1.5 10 0.7 20 3.7 27 5.2 13 2.0 36 6.9 3190 109.0 8 0.3 26 16.2 36 41.4 20 1.1 8932 29.6 37 33.9 12 0.6 11 1.2 251 62.1 817 135.8

Table 3: Petri net minimization.

7.1 Translation of high-level speci cation by Petri net composition

This section presents an example that illustrates how this method can be useful for composition and for translation from high-level languages into Petri nets. The example is aimed at modelling circuits obtained from TANGRAM descriptions. TANGRAM is a CSP-like language [4] used for the synthesis of asynchronous circuits. Figure 9,a describes a 3-token FIFO in TANGRAM. By means of syntax-directed translation [4], a network of handshake elements is obtained (Figure 9,b). The behavior of each handshake element can be described by an STG. Figure 9,c depicts how the STG of the composition of two elements (a parallelizer and a sequencer) is obtained. From the STGs of each element, synchronization places between events with the same labels are inserted (dashed places and arcs). Each synchronization place receives arcs from the STG modelling the element that \produces" the event (output channel) and generates arcs towards the corresponding events at the input channel. After composing several STGs, the internal events can be removed (events for signals req 2 and ack 2 in the example). With our method, the elimination of the internal events is done at the TS level, thus obtaining a TS with less states. Finally, the STG of the whole circuit is derived by synthesis. 21

{Basic FIFO cell.} BFC(x,y)=( x,y : ~ act ) begin #[x~ ; y~] end | {A 3-token FIFO.} ( a:~ act & d:~ pas ) begin block b,c: chan action BFC(a,b) || BFC(b,c) || BFC(c,d) fblock end

|| ||

#

#

#

;

;

;

a

d Basic FIFO cell

(a) ack_1−

ack_0

;

req_2+

req_2+

req_1−

ack_2+

req_3+

ack_1+

ack_0+

ack_3+

req_1+

req_0−

req_0+

req_2−

req_1−

||

ack_1+ req_3+

req_4+

ack_3+

ack_4+

req_3−

req_4−

ack_3−

ack_4−

ack_4+

req_1+ req_3−

req_4−

req_0+ ack_3−

req_4 ack_3 ack_4

ack_1−

req_4+

req_2 ack_1 ack_2

req_3

skip

(b)

req_0

req_1

skip

skip

ack_4− ack_2+

ack_0−

req_2−

req_0−

ack_2− ack_0+

ack_0− ack_2−

(c) Figure 9: (a) Tangram description of a 3-token FIFO. (b) Handshake elements for the 3-token FIFO. (c) STG composition and synthesis of handshake elements. For the 3-token FIFO, the regularity of the circuit (see the dashed boxes) was exploited to reduce the number of STG compositions. After eliminating internal events, an STG with 6 signals, 18 places, 23 transitions, 71 arcs and 50 markings (states) was obtained for the circuit depicted in Figure 9,b.

7.2 Counter ow pipeline processor: stage control circuit

In this section, we brie y outline the process of deriving a PN speci cation and its circuit implementation for a stage control circuit in a counter ow pipeline processor (for a complete description of the architecture refer to [36]). Although some of the steps were assisted by hand, our net synthesis approach played a key methodological role. The original behavioral description of the stage control was given by Molnar in the form of a TS. It is shown in Figure 10, which also de nes the meaning of the main signals, the corresponding events and the states of the stage control. The two transformations performed at this level were reducing the model to asymmetric form, which would then allow to insert a (single) dummy transition (denoted by ). The legitimacy of this reduction was veri ed by means of TS composition. The latter proved that the reduced model preserved all the main functionalities: the counter ow pipe remained deadlock-free and guaranteed the propagation of instructions and results without missing their synchronisation in those stages where they may meet. The resulting TS is quasi-elementary in the sense that it satis es our extended conditions of elementarity. The subsequent synthesis of the PN was performed using the techniques described in 22

PI

AR

PR

G control

exec

R AI

E

E

PI

AR AI

PR I

R

AI AR

PR

G

PI

Events:

I

AI

F

Step 1: PR

"Asymmetrization"

PI

I

ε

AR F

Step 2: G

PI

AR AI

R

AI AR

F States:

AR AI

E

PR

PI

Adding dummy

R2

G

PI

(removing PR) E - Empty I - Instruction R - Result F - Full C - Complete

AI - accept instruction PI - pass instruction AR - accept result

C

C

C

Original Model

PR - pass result G - perform garnering

"Quasi-elementary" Transition System

Figure 10: Counter ow pipeline example: transition system transformations this paper, including operating with self-loop regions. This is shown in Figure 11, a and b. Region

r2 is a minimal region, which is a self-loop region for event AR. On the other hand, the other self-loop region r6 (for event PR) is not minimal; it is a union of minimal regions r2 and r4. AR?

PR?

C

PR!

AR! PR=AR

r1 E

PR

AR

r1

AI

R

I1 AI

r2

PI

r4

AR

r3 r6

G

r_i r_i

r5

G

r4

PI r3

AI ε

g_i

0 sel 1

skip

AI!

garnering

PI!

AI=PI

PI?

(a)

g_i

g2 d2

r2

r1

r5

rgd1 r2

I2 C

r6 = r2 U r4

PR

ε

F PI

AR

d1 g1

(b)

C

AI?

(c)

Figure 11: Counter ow pipeline example: (a) Quasi-elementary transition system. (b) Non-pure net. (c) Two-phase circuit implementation This example illustrates that the amount of search for a self-loop region can be signi cant, hence the complexity of synthesizing non-pure PNs can be much greater than for pure nets. In the net model of the stage control circuit all events are uniquely represented with true concurrency. It was then relatively straightforward to apply the technique of [10], which systematically adds semaphores for con ict places at the PN level. Finally, implementing semaphores by mutual exclusion elements we can obtain a circuit implementation (somewhat similar to a solution recently presented by Ebergen [14]) shown in Figure 11,c. A number of other PN solutions have been derived by our method for this example, including the symmetric one corresponding to the circuit described in Figure 10, but a discussion of these solutions goes beyond the scope of this paper.

8 Conclusions Petri nets have shown to be an appropriate formalism to describe the behavior of systems with concurrency, causality and con icts between events. For this type of systems, the method presented in this paper allows to transform dierent models (CSP, CCS, FSMs, PNs) into a unique formalism for which synthesis, analysis, composition and veri cation tools can be built. 23

Synthesizing Petri nets from state-based models is a task of reverse engineering that abstracts the temporal dimension from a at description of the sequences of events produced by the system. The synthesis method discovers the actual temporal relations among the events. The symbiosis among the notions of ETS, region and excitation region in the same method has been crucial to derive ecient algorithms. One can ask about the real need to generate a at description (a TS) from compact models (CSP,CCS, or even PNs) that can describe temporal relations in a natural way. An alternative way of doing so would be to obtain PNs by means of syntax-directed translation from those models. We have shown several experiments that illustrate the interest in going through transition systems. The results on synthesis from an STG into an STG showed how the behavioral descriptions proposed by the designers can be usually made more compact (some temporal relations are not easily to describe and designers are often tempted to derive an FSM-like description). The example on synthesis from TANGRAM clearly shows that PN composition methods can produce redundant speci cations. Much simpler descriptions can be obtained by rst generating a TS, removing internal events (not relevant to the external behavior of the system), and deriving a PN. Generating a TS from a high-level description (such as CSP) may suer from the state explosion problem, thus making manipulations at the TS level tedious or even impractical. For this reason, we have chosen to use a symbolic (BDD-based) representation of the TS. Even though BDDs do not always guarantee compactness, we have observed that the regular interleaving of events manifested by highly concurrent systems is well-captured by symbolic representations. This work has been mainly motivated by the activities carried out by the authors in the area of asynchronous circuits. The wide applicability of the method opens new possibilities to create a framework with tools for synthesis, analysis and veri cation, in which the designer can freely choose and mix dierent speci cation formalisms.

Acknowledgements

We are grateful to Marta and Maciej Koutny, who directed us towards the existing literature about regions, and to Marco Antonio Pe~na for performing the experiments with TANGRAM and PN composition.

24

References

[1] A.V. Aho, J.E. Hopcroft, and Ullman J.D. The design and analysis of Computer Algorithms. AddisonWesley, MA, 1974. [2] Rajeev Alur and David Dill. Automata for Modeling Real-Time Systems. In Automata, Languages and Programming: 17th Annual Colloquium, volume 443 of Lecture Notes in Computer Science, pages 322{335, 1990. Warwick University, July 16-20. [3] E. Badouel, L. Bernardinello, and Ph. Darondeau. Polynomial algorithms for the synthesis of bounded nets. Technical Report 2316, INRIA, RENNES Cedex, France, 1994. [4] K. van Berkel. Handshake circuits: an intermediary between communicating processes and VLSI. PhD thesis, Technical University of Eindhoven, 1992. [5] L. Bernardinello, G. De Michelis, K. Petruni, and S. Vigna. On synchronic structure of transition systems. Technical report, Universita di Milano, Milano, 1994. [6] R. Brayton et al. Logic Minimisation Algorithms for VLSI Synthesis. Kluwer Academic Publishers, Hingham, MA, 1984. [7] Randal Bryant. Symbolic boolean manipulation with ordered binary-decision diagrams. ACM Computing Surveys, 24(3):293{318, September 1992. [8] T.-A. Chu. Synthesis of Self-timed VLSI Circuits from Graph-theoretic Speci cations. PhD thesis, MIT, June 1987. [9] E. M. Clarke, D. E. Long, and K. L. McMillan. A language for compositional speci cation and veri cation of nite state hardware controllers. Proceedings of the IEEE, 79(9), September 1991. [10] J. Cortadella, L. Lavagno, P. Vanbekbergen, and A.Yakovlev. Designing asynchronous circuits from behavioural speci cations with internal con icts. In Proceedings of Int. Conf. on Adv. Res. in Asynch. Circ. and Syst., pages 106{115, Salt Lake City, Utah, November 1994. [11] O. Coudert, C. Berthet, and J. C. Madre. Veri cation of sequential machines using boolean functional vectors. In L. Claesen, editor, Proc. IFIP Int. Workshop on Applied Formal Methods for Correct VLSI Design, pages 111{128, Leuven, Belgium, November 1989. [12] D.L. Dill. Trace Theory for Automatic Hierarchical Veri cation of Speed-Independent Circuits. The MIT Press, Cambridge, Mass., 1988. An ACM Distinguished Dissertation 1988. [13] D. Drusinsky. Extended state diagrams and reactive systems. Dr.Dobb's Journal, pages 72{80,106{107, October 1994. [14] J. Ebergen. personal communication. March 1995. [15] J. Esparza and M. Nielsen. Decidability issues for petri nets. Petri Nets Newsletter, 94:5{23, 1994. [16] C. A. R. Hoare. Communicating Sequential Processes. In Communications of the ACM, pages 666{677, August 1978. [17] Henrik Hulgaard and Steven M. Burns. Bounded delay timing analysis of a class of CSP programs with choice. In Proc. International Symposium on Advanced Research in Asynchronous Circuits and Systems, pages 2{11, November 1994. [18] R.M. Keller. A fundamental theorem of asynchronous parallel computation. Lecture Notes in Computer Science, 24:103{112, 1975. [19] M. Kishinevsky, A. Kondratyev, A. Taubin, and V. Varshavsky. Concurrent Hardware: The Theory and Practice of Self-Timed Design. John Wiley and Sons, London, 1993. [20] R. P. Kurshan. Analysis of discrete event coordination. In Lecture Notes in Computer Science. SpringerVerlag, 1990. [21] L. Lavagno and A. Sangiovanni-Vincentelli. Algorithms for synthesis and testing of asynchronous circuits. Kluwer Academic Publishers, 1993. [22] B. Lin and F. Somenzi. Minimization of symbolic relations. In Proc. of the IEEE Int. Conf. on Computer-Aided Design, pages 88{91, Santa Clara, CA, November 1990.

25

[23] Robin Milner. A calculus of communication systems. In Lecture Notes in Computer Science, volume 92. Springer-Verlag, 1980. [24] Robin Milner. Communication and Concurrency. Prentice-Hall, 1989. [25] M. Mukund. Petri nets and step transition systems. Int. Journal of Foundations of Computer Science, 3(4):443{478, 1992. [26] T. Murata. Petri Nets: Properties, analysis and applications. Proceedings of the IEEE, pages 541{580, April 1989. [27] T. Murata. Petri nets: Properties, analysis and applications. Proceedings of IEEE, 77(4):541{580, April 1989. [28] M. Nielsen, G. Rozenberg, and P.S. Thiagarajan. Elementary transition systems. Theoretical Computer Science, 96:3{33, 1992. [29] S. M. Nowick and D. L. Dill. Automatic synthesis of locally-clocked asynchronous state machines. In Proceedings of the International Conference on Computer-Aided Design, November 1991. [30] E. Pastor and J. Cortadella. Polynomial algorithms for the synthesis of hazard-free circuits from signal transition graphs. In Proceedings of the International Conference on Computer-Aided Design, November 1993. [31] E. Pastor, O. Roig, J. Cortadella, and R. Badia. Petri net analysis using boolean manipulation. In 15th International Conference on Application and Theory of Petri Nets, Zaragoza, Spain, June 1994. [32] C. A. Petri. Kommunikation mit Automaten. PhD thesis, Bonn, Institut fur Instrumentelle Mathematik, 1962. (technical report Schriften des IIM Nr. 3). [33] I. Reicher and M. Yoeli. Net-based modeling of communicating parallel processes with applications to VLSI design. Technical Report 532, Technion, Haifa, 1988. [34] T. G. Rokicki. Representing and Modeling Digital Circuits. PhD thesis, Stanford University, 1993. [35] L. Y. Rosenblum and A. V. Yakovlev. Signal graphs: from self-timed to timed ones. In International Workshop on Timed Petri Nets, Torino, Italy, 1985. [36] R.F. Sproull, I.E. Sutherland, and C.E. Molnar. The counter ow pipeline processor architecture. IEEE Design and Test of Computers, pages 48{59, Fall 1994. [37] I. E. Sutherland. Micropipelines. Communications of the ACM, June 1989. Turing Award Lecture. [38] D.C. Tsichritzis and P.A. Bernstein. Operating Systems. Academic Press, London, 1974.

26

A Proofs of the main propositions The appendix contains proofs of the major statements of the paper.

A.1 Properties of subregions

Property 3.1 If r and r0 are two dierent regions such that r0 is a subregion of r, then r ? r0 is a

region.

Proof: Lete r = r ? r0. Let us resume by cases considering all possibilities for an arbitrary transition s ! s0 to cross the boundaries of the set of states r . 1. Let s !e s0 be such that it does not cross r . Let us prove that any other transition labeled 1

1

1

with the same label e does not cross r1, and therefore event e does not cross the boundaries of r1. By de nition, either s; s0 2 r1 or s; s0 62 r1. In the rst case s; s0 62 r0, and in the second s; s0 2 r0 . Since r0 is a region, this implies that e does not cross the boundaries of r0 . Let us e 0 consider another transition s1 ! s1 if any. The following ve cases are potentially possible: (a) s1 ; s01 2 r1, (b) s1 ; s01 2 r0, (c) s1 ; s01 62 r, (d) s1 2 r0; s01 2 r1, and (e) s1 2 r1; s01 2 r0.

In the rst three cases s1 !e s01 does not cross r1 . Let us consider case 1d. Since s1 !e s01 exits r0 and r0 is a region, transition s !e s0 also exits r0 . Since, s !e s0 does not cross r, the e following conditions are satis ed: s 2 r0 and s0 2 r1. Hence, s ! s0 enters r1 . This contradicts the assumption: s !e s0 does not cross r1. Therefore, this case is not possible. Similarly we can show that the case 1e is not possible. Therefore, if s !e s0 does not cross r1 then another transition s1 !e s01 also does not cross r1, and event e never cross r1. 2. Let s !e s0 enter r1. Two cases are possible: (a) s !e s0 does not cross r0 and enters r, and (b) s !e s0 exits r0 and does not cross r. In the rst case it immediately follows that for any other arc labeled with e two conditions must hold: s1 !e s01 enters r and does not cross r0. Therefore, s1 !e s01 enters r1. In the second case, s1 !e s01 exits r0 and does not cross r. Hence, again s1 !e s01 enters r1. That is, if s !e s0 enters r1, then e is an entry event for r1. 3. Let s !e s0 exit r1 . This case is symmetrical to case 2 . Therefore e is an exit event for r1. We have proved that any event e is either an entry event for r1 , or an exit event for r1, or never cross the boundaries of r1. Therefore r1 is a region. 2

Property 3.3 Every region can be represented as a union of disjoint minimal regions. 27

Proof: Assume that r is a region which is not minimal. Then there exists a subregion r1 of r. Hence r1 according to property 3.1 r2 = r ? r1 is also a region. If both r1 and r2 are minimal, then the property is proved. Otherwise, by the same argument non-minimal r1 and/or non-minimal r2 can also be decomposed into two disjoint regions. The procedure terminates with minimal regions due to its monotonicity and the niteness of S . 2

A.2 Elementarity conditions

Proposition 3.2 If a TS is elementary, then the following three conditions are satis ed: T 1. Excitation closure. For each event a: r2 a r = GER(a); 2. Event eectiveness. For each event a: a = 6 ;;

3. If the TS is not minimal, then for each pair of equivalent states the con uence condition does not hold. If a TS is minimal and the excitation closure and the event eectiveness conditions are satis ed, then the TS is elementary. The proof is based on a few useful lemmas. Lemma A.1 If the state separation property (axiom A5) is satis ed for a TS, then the event eectiveness property holds. Proof: Assume that the TS, TS = (S; E; T; sin) satis es all conditions (axioms A1-A4) imposed on TS but the event eectiveness does not hold. Hence, 9e 2 E : e = ;. We have two cases then: 1. 8s 2 S : [s 62 ER(e)]. This, however, contradicts axiom A3.

2

2. 9s : [s 2 ER(e)]. Hence, 9s0 2 S such that s !e s0 . However, since e = ;, then TS has no region r such that s 2 r ^ s0 62 r. Furthermore, by Property 3.2, it follows that for any event e 2 E : e = frjr 2 eg, where r stands for S ? r. Hence, if e = ;, then e = ;. Therefore, there is no region r such that s 62 r ^ s0 2 r. Therefore, Rs = Rs0 , which violates axiom A5.

Lemma A.2 If a TS is elementary, then the excitation closure condition holds. T Proof: By de nition of pre-region: Tr2 e r ER(e). Let us prove the opposite: ER(e) r2 e r. T Since axiom A5 is true, by Lemma A.1,T 8e 2 E an intersection r2 e r is not empty. Let e be an arbitrary event and state s belongs to r2 e r. Then for any region r 2 e: s 2 r. Hence, the left part of the implication of the axiom 6, e Rs , holds. By assumption the TS is elementary, hence the Tright part of the implication must hold and therefore, s !e . Hence, s 2 ER(e). Therefore, T s 2 r2 e r ) s 2 ER(e) and consequently ER(e) r2 e r. 2 Lemma A.3 Let the state separation property (axiom A5) be satis ed for a TS. Then, if the TS is not minimal, then for each pair of equivalent states the con uence condition does not hold.

28

s

s’ Region

r

s

e s

s

s’

3

3

2

σ’

4

1

σ

e 2 s’ 4

s’

1

e

σ

e s’ 1

s 1 2

2

s’’

Figure 12: Illustration to the proof of Lemma A.3

Proof:0 Assume the opposite, i.e., axiom A5 is satis ed and there is a pair of equivalent states s 0 and s , s = 6 s , for which the con uence condition is satis ed. It follows from A5 that there is a region r such that r 2 Rs and r 62 Rs0 . Due to the con uence condition the following condition holds: there is a state s00 2 S and two sequences of transitions 0 ; 0 2 T such that s ! s00 ^ s ! s00. Let s00 be the rst such con uence state, i.e., there is no 00 0 00 000 000 00 000 000 state s such that s = 6 s and s 2 s ! s ^ s 2 s ! s .

Two cases are possible: 1. s00 62 r, i.e., r intersects since one of the transitions from before s00 exits r. e1 Let e1 be a label of the rst transition s1 ! s2 that exits r along (see Figure 12), i.e., 0 s1 2 r and s2 62 r. Since s = s , there must be s0 ! . Then by the de nition of a region (r), e1 0 s2 2 s0 ! such that s01 2 r and s02 62 r. Since s00 is chosen to be the rst con uence 9s01 ! state, s01 6= s1 . e2 0 s4 , on the leading from s0 such that Since s0 62 r, there must be another transition s03 ! e2 s03 62 r and s04 2 r. Again, by the de nition of a region, for a similar transition, s3 ! s4 , labeled with the same event e2 on the leading from s the following condition holds: s3 62 r and s4 2 r. However then, since s 2 r, there should be another transition on the leading e2 from s, labeled, say, with e3, which exits region r. This transition musteoccur before s3 ! s4 , e1 1 an therefore before s1 ! s2 , which contradicts our assumption that s1 ! s2 was the rst exit transition for r on . 2. s00 2 r, i.e., r does not cross before s00. This case is easily reduced to the previous one. Indeed, since r 62 Rs0 then the boundaries of r must cross 0 , a sequence leading from s0 to s00. We can then use co-region r = S ? r (a region complementary to r). Region r crosses 0 and must include state s0 by the de nition of the complementary region. Thus, in both cases we have reached contradiction, and therefore s = s0 must be true. 2

Lemma A.4 If the excitation closure and event eectiveness conditions hold for a TS, then the forward closure property (axiom 6) is satis ed for the TS.

Proof: Since the excitation closure and event eectiveness conditions hold, the following condiT tions are true: e 6= ; and 8e 2 E 8s 2 S : s 2 r2 e r ) s 2 ER(e). Let us chose an arbitrary event e 2 E and a state s 2 S and let us assume that e Rs . Then, 8r 2 e ) r 2 Rs , and 29

T

hence 8r 2 e ) s 2 r. From the latter we deduce that s 2 r2 e . Then by the excitation closure condition we have s 2 ER(e), hence s !e . We have proved that the forward closure property (axiom 6) is satis ed. 2

Lemma A.5 If a TS is minimal and the excitation closure and the event eectiveness conditions

are satis ed, then the state separation property (axiom 5) is satis ed for the TS. Proof: Let the conditions of the lemma hold. Then by LemmaA.4 axiom A6 must be true. To seek for contradiction, assume that there is a pair of non-separated states: s 6= s0 and Rs = Rs0 . Three cases are possible. 1. There is no event e 2 E such that s !e or s0 !e , i.e. neither s nor s0 enable any event. This case contradicts minimality of the TS (deadlock states s and s0 are equivalent).

2. There is event e 2 E such that s !e ^s0 ! 6 e , i.e. s enables e while s0 does not. For any TS if s 2 ER(e) then e Rs , and since Rs = Rs0 , e Rs0 . But then, by axiom A6, s0 !e . The contradiction is reached. 3. The remaining option is the following. For each event e: s !e if and only if s0 !e . Two sub-cases are possible: (a) For each transition s !e s1 there is a corresponding transition s0 !e s1 and vice versa. Then s = s0 . This contradicts minimality of the TS. (b) Two transitions exist, s !e s1 and s0 !e s01 , such that s1 6= s01 . Let us now disprove that Rs1 6= Rs01 . From the event eectiveness condition it follows that e 6= ;. Since r 2 e if and only if r 2 e (where r = S ? r) one can conclude that e 6= ;. Since we assumed Rs1 6= Rs01 , there exists r 2 Rs1 such that r 62 Rs01 , which means that s1 2 r and s01 62 r. Now, we have three possibilities for transition s !e s1 with respect to r: (a) Transition s !e s1 , is internal for r. Hence, s 2 r. Since Rs = Rs0 , every region including s must also include s0 , so s0 2 r. Therefore, transition s0 !e s01 exits r and, hence, r cannot be a region. A contradiction. (b) Transition s !e s1 enters r. Then, by the de nition of a region, transition s0 !e s01 must enter r as well, so s01 2 r. Again, contradiction. (c) Transition s !e s1 , is external for r. We can now take region r, the complement of r, and reduce this case to item 1 Therefore Rs1 = Rs01 . We can now see that Case 3 either leads to contradiction or we can move one step forward and consider states s1 and s01 in place of s and s0, respectively. If we leave Case 3 with a new pair of states for which the set of regions are equal, we can reconsider our cases again. Thus, the overall situation can be generalized. Cases 1 and 2 always lead to contradiction, whereas Case 3 either leads to contradiction or returns a new pair of states for which the set of regions are equal. As a result, we have only two possibilities, for our original 0 0 pair of states s and s , either 8 2 T : [s !) s !], which means that s and s0 are equivalent, which contradicts minimality of the TS, or for some states sk and s0k we shall have Cases 1 or 2. Thus, we must have s = s0 , which ends the proof. 2 30

Proposition 3.2 If a TS is elementary, then the following three conditions are satis ed: T 1. Excitation closure. For each event a: r2 a r = GER); 2. Event eectiveness. For each event a: a = 6 ;;

3. If the TS is not minimal, then for each pair of equivalent states the con uence condition does not hold. If a TS is minimal and the excitation closure and the event eectiveness conditions are satis ed, then the TS is elementary.

Proof: The proof is straightforward.

Part A.2. Assume that a TS is elementary, then both axioms A5 and A6 hold. Therefore lemmas A.1, A.2 and A.3 can be directly applied. Lemma A.1 implies that the event eectiveness is satis ed, Lemma A.2 implies that the excitation closure holds. If the TS is not minimal, then, by lemma A.3, for each pair of equivalent states the con uence condition does not hold. Part A.2. Assume that a TS is minimal and the excitation closure and the event eectiveness conditions are satis ed. Then by lemma A.4 axiom A6 is satis ed for the TS and by lemma A.5 axiom A5 is satis ed. 2

A.3 Generation of minimal regions

De nition A.1 Let TS = (S; E; T; sin) be a TS. Let r S be a subset of states and e 2 E be an event. The following conditions (in the form of predicates) are de ned for r and e: 9(s; e; s0) 2 T : s; s0 2 r 9(s; e; s0) 2 T : s; s0 62 r 9(s; e; s0) 2 T : s 62 r ^ s0 2 r 9(s; e; s0) 2 T : s 2 r ^ s0 62 r Lemma A.6 (Violation of region conditions) Let TS = (S; E; T; sin) be a TS. Let r S be a subset of states such that r is not a region. Then there exists e 2 E such that at least one of the e; r) out(e; r) enter(e; r) exit(e; r) in(

= = = =

following predicates holds: 1. in(e; r) ^ [enter(e; r) _ exit(e; r)] 2. enter(e; r) ^ exit(e; r) 3. out(e; r) ^ enter(e; r) 4. out(e; r) ^ exit(e; r)

Proof: Clearly,

e; r) =) enter(e; r) _ exit(e; r)

in(

otherwise e would not violate the region conditions. Furthermore,

:in(e; r) =) enter(e; r) _ exit(e; r) for the same reason. In that case, for e to violate some region condition, at least one of the predicates 2-4 must hold. 2 31

Lemma A.7 (Essential states to become a region) Let TS = (S; E; T; sin) be a TS. Let r S be a set of states such that r is not a region. Let r0 S be a region such that r r0. Let e 2 E

be an event that violates some of the conditions for r to be a region. The following predicates hold: 1. in(e; r) ^ [enter(e; r) _ exit(e; r)] =) fsj9s0 2 r : (s; e; s0) 2 T _ (s0; e; s) 2 T g r0 2. enter(e; r) ^ exit(e; r) =) fsj9s0 2 r : (s; e; s0) 2 T _ (s0; e; s) 2 T g r0 3. out(e; r) ^ enter(e; r) =) [fsj9s0 2 r : (s; e; s0) 2 T g r0 ] _ [fsj9s0 62 r : (s0; e; s) 2 T g r0] 4. out(e; r) ^ exit(e; r) =) [fsj9s0 2 r : (s0 ; e; s) 2 T g r0 ] _ [fsj9s0 62 r : (s; e; s0) 2 T g r0]

Proof:

1. Since in(e; r) and r r0 then

2

:enter(e; r0) ^ :exit(e; r0)

Therefore, any state that is the source of sink of an arc crossing r must be inside r0 . 2. The only way for r0 to be a region is by making the entering and exiting transitions of r internal to r0. Therefore, any state source of sink of an arc crossing r must be inside r0. 3. Here there are only two possibilities to legalize the crossing relation of e in r0: Make the transitions entering r internal to r0 (states of the rst part of the disjunction), or Make the transitions external to r entering r0 (states of the second part of the disjunction) 4. Similar to predicate 3.

The algorithm to generate minimal pre-regions is based on the expansion of a set of states to become a region (see section 4.1). Lemma A.6 de nes all possible violations of the region conditions. Furthermore, lemma A.7 de nes the essential states that must be added to a set of states to become a region.

Proposition 5.1

The function generate min pre-regions generates all minimal pre-regions of the elementary TS. Proof: An informal and intuitive proof is next sketched. Completeness can be proved because of the following facts: (a) All sets of states are expanded from GER(e) and, thus are pre-regions of e. (b) The violations of the region conditions are detected according to the predicates of lemma A.6. Those predicates are complete (cover all possible violations). (c) The states de ned in lemma A.7 to expand a set of states are essential to legalize the event that violates some of the region conditions, i.e. any minimal region must contain them. The above facts guarantee that all minimal pre-regions are captured by the expansion of the excitation region of the events. 2

Note that for predicates 3 and 4 of lemma A.7, two expansions are possible. The algorithm the set of states in both directions, thus implicitly generating a binary exploration tree. Lemma A.7 determines how the algorithm can be eciently implemented. It is important that predicates 1 and 2 (more stringent) be considered before 2 and 4 (that may unnecessarily expand the search tree). Thus, an ecient strategy to minimize the depth of the search tree is the following: generate min pre-regions expands

32

1. Verify predicates 1 and 2 for all events. If not satis ed, add states to legalize (no need to expand the search tree). 2. Verify predicates 3 and 4. If not satis ed, expand the search tree and add states, for each branch, to legalize.

A.4 Removing redundant regions

Proposition 5.2 Let N and N 0 be two labeled PNs derived from0 the elementary TS such that N is

a net corresponding to the set of all minimal pre-regions and N corresponds to a set of irredundant regions. Then labeled RGs for N and N 0 are isomorphic. Proof: The rigorous proof can be given by induction on the length of the sequence of transitions in the Petri Nets and the corresponding RGs. Here we brie y sketch the proof. Let us assume that R is a set of minimal pre-regions and R0 is obtained from R by removing one redundant region. Let us consider two nets N and N 0 which are obtained for R and R0. We must show that for any reachable marking m in N the corresponding reachable marking m0 does exists for N 0 such that: 1. disabling is preserved, i.e., if transition a becomes disabled in m, then it will be disabled in m0 as well; 2. old enabling is preserved, i.e., if transition a was enabled in one of the predecessors-markings of m and still enabled in m, then it will be also enabled in m0 ; 3. new enabling is preserved, i.e., if transition a became enabled in m then it will also became enabled in m0. Note that since N is obtained from the elementary TS there is only one transition labeled with a. Therefore, one can use a label of a transition as its unique name. e1 Case 1. Disabling is preserved. In the RG of N there is a transition m ! m1 such that e is enabled in m and is not enabled in m1. Since the RG of N is isomorphic to the initial TS (or its minimized version), there is also a transition s !b s1 in the TS such that a is enabled in s and is not enabled in s1 . The following conditions hold: s 2 GER(a) and s1 62 GER(a). By construction, the excitation closure is satis ed for the set of regions R0 which corresponds to the reduced net N 0. Therefore, there is at least one pre-region r 2 (a) in R0 such that s1 62 r. Otherwise, for each r 2 (a) : s1 2 r and the excitation closure is not satis ed for R0 . Also, r is a pre-region for b, since s 2 r. By construction, in the net N 0 there is a place p corresponding to the region r such that a; b 2 p and for some marking m0 corresponding to the state s in the initial TS both transitions a and b are enabled. After b res, a token will disappear from p and therefore a will be disabled. Case 2. Old enabling is preserved. Let s; s1 be an arbitrary pair of states in the TS such a that: s !b s1 , s ! , and s1 !a . Obviously,s; s1 2 GER(a), and therefore every pre-region r 2 (a) contains states s and s1 . Since transition s !b s1 is internal for r, transition b cannot exit any of pre-regions for a. Therefore, when b res in the net N 0 it cannot remove a token from any input place of a. Case 3. New enabling is preserved. Assume that s; s1 are such states of the TS that: s !b s1 , a s1 !, and :(s !a ). Hence, s 62 GER(a) and s1 2 GER(a). In the set of minimal regions R corresponding to the net N there is at least one region r such that: r 2 (a), s 62 r, and s1 2 r. Since transition labeled with b enters r, r 2 (b). At least one region r satisfying the above conditions must be left in the set of regions R0 corresponding to N 0 since otherwise the excitation closure condition is not satis ed. Before b res in N 0 there will be no token in the place p corresponding to the region r. After b res a token will appear in p. Also, since s1 belongs to every other pre-region of a, ri, all other input places pi of a will contain a token after transition ring b which corresponds

33

to the transition s !b s1 . Therefore, all input places of a will contain tokens after ring of b corresponding to the transition s !b s1 , hence a becomes enabled. 2

34

petrify:

a tool for synthesizing Petri nets (manual page)

petrify(1cad)

petrify(1cad)

NAME

petrify - synthesize a Petri net SYNOPSIS

petrify [options]* [infile] DESCRIPTION

petrify reads a Signal Transition Graph (STG) and generates another STG which should be simpler than the original description. Initially, petrify performs a token flow analysis of the initial STG and produces a transition system (TS). In the initial TS, all transitions with the same label are considered as one event. The TS is then transformed and transitions relabeled to fulfil the conditions required to obtain an STG. petrify reads the input description from stdin unless infile is specified. OPTIONS

-h

Help mode, prints the usage

-d[n]

Debug mode. Prints runtime information. The maximum level of debugging is -d2. -d and -d1 are equivalent.

-nv

Do not check that the capacity of each place is exceeded during token flow analysis. This option is suitable to avoid overflow detection (and thus saving CPU time) if the input description is known to be bounded according to the capacity of each place. The results of petrify may be unpredictable if this option is used and the capacity of some place is exceeded.

-all

All minimal pre-regions are generated. If this option is not specified, pre-regions are generated only until their intersection is the excitation region of the event. The option -all is computationally more expensive, although it may allow to find optimal irredundant nets.

-min

The places of the resulting Petri net correspond to minimal regions. If this option is not specified, minimal regions can be merged and, thus, a smaller place count obtained. The option -r overrides -min.

-r

Generates a minimal satured (possibly place-redundant) Petri net. This option implicitly forces the option -all. If this option is not used, a place-irredundant Petri net is obtained (a Petri net is place-irredundant when none of its places can be removed without changing its behavior).

-mc[n]

Maximum number of non-essential places to obtain a minimal irredundant net. If n is not specified, an optimal solution is found, although it may be computionally very expensive if the number of non-essential places is large. The default is n=40. The current implementation eliminates non-essential places greedily until n places are left. Next, an optimal solution is found for the rest of places. The cost of each region is calculated as fi+fo+1, where fi and fo correspond to the number of fanin and fanout arcs respectively. With n=0, the elimination is completely greedy (and faster).

-cl[n]

Maximum size of the compatibility graph built to find a one-hot -> log reencoding. If n is not specified, no size limit is assumed. If n

Synthesizing Petri Nets from State-Based Models - CiteSeerX

Synthesizing Petri Nets from State-Based Models - CiteSeerX

Suggest Documents

Synthesizing Petri Nets from State-Based Models - CiteSeerX

Synthesizing Petri Nets from State-Based Models - CiteSeerX

Stochastic Petri Nets - CiteSeerX

From Coloured Petri Nets to Object Petri Nets

From AADL architectural models to Petri Nets : Checking model viability

mapping business processes models from petri nets ...

Functorial Models for Petri Nets - ePrints Soton

From Petri Nets to Guard-Stage-Milestone Models

Resource Equivalences in Petri Nets - Petri Nets 2017

Petri Nets 2000 - PURE

Petri Nets 2000 - PURE

Abridged Petri Nets

Stochastic Petri Nets

Petri Nets 2000 Conference

Controlled Petri Nets: A Tutorial Survey - CiteSeerX

verbal semantics via petri nets - CiteSeerX

Agents and Petri Nets 1 Introduction - CiteSeerX

On the Semantics of Petri Nets - CiteSeerX

Agents and Petri Nets 1 Introduction - CiteSeerX

Generalized stochastic Petri nets

Logic Programming Petri Nets

DECOMPOSITION OF PETRI NETS

Petri Nets and Marked Graphs - CiteSeerX

Towards Synthesis of Petri Nets from Scenarios - CiteSeerX