Editors: Farn Wang, Insup Lee
Automated Technology for Verification and Analysis ATVA2003
Dept. of Electrical Engineering, National Taiwan University, 1, Sec. 4, Roosevelt Rd., Taipei, Taiwan, R.O.C.
10-13 December 2003
Proceedings
Sponsored by Center for Information and Electronics Technologies, NTU; Ministry of Education, TAIWAN, R.O.C.; National Science Council, TAIWAN, R.O.C.; Dept. of Electrical Engineering, NTU, TAIWAN, R.O.C.
Verification and Realization for the Distributed Parallel Systems based on An Extended Petri Net and XML/Java Executor

Shin'nosuke Yamaguchi, Katsumi Wasaki, Yasunari Shidama
Faculty of Engineering, Shinshu University, 4-17-1 Wakasato, Nagano-city, Nagano 380-8553, Japan
{xrei,wasaki,shidama}@cs.shinshu-u.ac.jp
Abstract

In this paper, we propose a new method for parallel system design based on an expanded Logical Coloured Petri Net (LCPN). An LCPN is an extended Petri net that solves the problem of system description in the previously proposed place/transition nets and coloured Petri nets. This extension of Petri nets is suitable for designing complex control systems and for discussing methods of realistically evaluating such systems. To study the behaviour of the server system modelled with this net we simulated a Java program. This program confirmed that this extended Petri net is an effective tool for modelling parallel systems.
1 Introduction

As a system becomes more complex, there are more system design costs associated with the platforms because any of the following problems may occur:
(1) introduction of various programming errors, or bugs
(2) difficulty of verification of compliance with specifications
(3) difficulty of tracing control flow / software for anyone other than the original programmers
Using descriptive models of the sequence control by Petri nets has become desirable because of their simplicity [1] [2]. A Petri net is a graphical model that facilitates understanding of control flows. The mathematical nature of the Petri net can be used to obtain behavioural information of systems that operate in a dynamic environment, especially if the time, or safety factors, make simulation of a system impracticable. A study of the relationships among the mathematical objects of a Petri net can resolve conditions, such as deadlocks, traps, reachability of marking states etc., that aid the verification of the system operations. Petri nets have been used in many modelling techniques for the design of parallel systems. A Petri net is suitable for describing the characteristics of a parallel system and, once a Petri net model has been created, it can be easily analysed. When designing time invariant systems, an effective approach is the use of place/transition nets (PNs). As the degree of complexity of the target system increases, coloured Petri nets (CPNs) [3] (or high-level Petri nets) are used in the design. There are examples of applying conventional PNs and CPNs to system design and analysis in many areas, such as Jensen's hardware design [3], Murata et al.'s deadlock verification of Ada programs [4], and Nagao et al.'s Factory Automation (FA) control [5][6][7][8] and Miller's computer system models [9].

Problems occur when PNs and CPNs are applied to describing control systems, as the operation of these nets (firing conditions of transition and movement of tokens) is uniquely fixed. It is therefore necessary to use many transitions and place elements to represent branching of the conditions in processing; as a result, the net size increases.

We propose a Logical Coloured Petri Net (LCPN) [10] with the following improvements. Marks have data (colours), and firing conditions are given by an arbitrary logical expression, which is written in terms of the presence of marks in the input places, and the data values of the marks. The mark output at firing is decided using a function based on the data values of the marks in the input places. Therefore, transitions and places added as a result of condition branching are reduced and the net scale is also reduced [11].

Moreover, we propose a new method for implementing a parallel system with the engine program reading data of the net model based on an expanded Petri Net and XML. We used this technique to develop the software for a Triple Data Encryption Standard (3DES) accumulator based on LCPN to estimate the effectiveness of the method. The advantage of this new distributed Extended PN is that we can reduce the cost of design, programming, and testing on site to less than that of conventional methods.
2 Outline of the design of a parallel system

Figure 1 shows the outline of a parallel system design. First, we designed a net model based on the specifications using an LCPN. In this development method, we chose to design the LCPN net model using a Petri net design tool named "Renew" (The Reference Net Workshop) [12] based on Java technology. This tool can develop the connectivity from a net model to a Java class that is called to evaluate its transitions and generate the net structure of the XML format files. We checked the errors in the net model for this structure (e.g., deadlock and trap) by simulation using "Renew".

[Figure 1: Outline of parallel system design. Labels: Petri Net Modeling Tool; XML Data Transfer; XML Data for Engine program.]

Next, we transferred the net model to an XML file. The "Renew" tool can convert the net model into an XML file based on the Petri net Marking Language (PNML) [13]. However, we consider the structure of XML to be inefficient for the program to obtain information about the net because a transition has information about the firing logic or task, an arc has information about input or output data for the transition, and a place has information about the mark and the mark's colour. Therefore, we defined the structure of XML for LCPN to simplify the engine program. In our structure, a transition has information about the input place, output place, and firing logic. The engine program can check efficiently whether a transition is able to fire. The detail of this structure is described in Section 4. We then transferred the XML file converted by the "Renew" tool to an XML data file, based on our structure.

Finally, we checked these XML files on the engine program. This engine program is described in the Java2 language, and operates based on the structure of the net model by reading the net structure file. This is where we check that the net model satisfies the specification. Using this method we can design a parallel system efficiently.
3 Logical Coloured Petri Net (LCPN)

In this section, we define a logical coloured Petri net (LCPN) that can be used to improve the descriptive capabilities of conventional Petri nets and coloured Petri nets. Specifically, marks in the LCPN have data (colours) and firing conditions given by an arbitrary logical expression that is written in terms of the presence of marks in the input places and the data values of these marks. A coloured Petri net has the same functional description, but we are unable to apply "OR" and "NOT" to a transition as its firing condition. This feature greatly simplifies the expression of diverging conditions in a system. After an LCPN model is developed, it can be analysed using reachability trees and simulation [14] [15].

Definition LCPN: A logical coloured Petri net is a tuple of sets $N_E = (S_E, T_E, F_E, M_E)$ that satisfies each of the following conditions:

(1) Let $S_E = \{s_1, s_2, \ldots, s_n\}$ and $T_E = \{t_1, t_2, \ldots, t_m\}$ be the sets of the place and transition elements, respectively. Let $F_E = \{f_1, f_2, \ldots, f_l\} \subseteq (S_E \times T_E) \cup (T_E \times S_E)$ be the set of arcs from places to transitions and transitions to places.

(2) The marking of each $s_i \in S_E$ ($i = 1, 2, \ldots, n$; $n = |S_E|$) can take the value of a natural number from 0 to $N$. This is denoted by $\mu(s_i)$. We assume $\mu(s_i) = 0$ if there is no (empty) marking on $s_i$. Here, we define the function $\mu$ as $\mu : S_E \to \{0, 1, 2, \ldots, N\}$.

(3) The capacity (maximum number of marks) of each $s_i$ is 1. The set of all possible marking from (1) and (2) is represented as a mapping from $S_E$ to $\{0, 1, 2, \ldots, N\}$. Therefore, we define the Cartesian product set $M_E$ as

$$M_E = \{0, 1, 2, \ldots, N\}^{S_E}.$$

(4) ${}^{\bullet}t_j$ represents the set of all places (input places) that have an arc extending to $t_j \in T_E$ ($j = 1, 2, \ldots, m$; $m = |T_E|$). Similarly, $t_j^{\bullet}$ represents the set of all places (output places) with an arc extending from $t_j$.

$${}^{\bullet}t_j = \{ s \in S_E : (\exists f)(f \in F_E,\ f = (s, t_j)) \}$$

$$t_j^{\bullet} = \{ s \in S_E : (\exists f)(f \in F_E,\ f = (t_j, s)) \}.$$

(5) The firing evaluation of a transition $t_j$ for an arbitrary marking $\mu \in M_E$ examines the firing condition $\xi_j(\mu|_{{}^{\bullet}t_j})$, which is described by a logical expression in terms of the state $\mu|_{{}^{\bullet}t_j}$ of the places that belong to ${}^{\bullet}t_j$ and is used to determine the next marking $\mu' \in M_E$. $t_j$ is called firable if $\xi_j$ is evaluated and found to be true. If $t_j$ is fired, a marking is removed from each place in ${}^{\bullet}t_j - t_j^{\bullet}$. Places in $t_j^{\bullet}$ depend on the state of ${}^{\bullet}t_j$ and are modified by the following $\delta_j$.

$$\delta_j : \{0, 1, 2, \ldots, N\}^{{}^{\bullet}t_j} \to \{0, 1, 2, \ldots, N\}^{t_j^{\bullet}}$$

then
    : on ${}^{\bullet}t_j - t_j^{\bullet}$
    : on $t_j^{\bullet}$
    : otherwise

However, $t_j$ is not firable if $\xi_j$ is false. Then the state $\mu' = \mu$ is unchanged.

We can show the next marking resulting from a transition evaluation as a mapping $f_j$ from state $\mu \in M_E$ of the places to $\mu' \in M_E$.

4 Implementation by Java and XML

In this section, we describe the XML structure for LCPN, and an engine program to evaluate the net model.

4.1 Structure of LCPN by XML

Figure 2 shows the tree of the structure of LCPN for XML. We used RELAX to describe this structure. RELAX [16] is one of the schema languages for XML, which defines the structure of XML. We used Relaxer to easily create the source code, which is a Java program that uses an XML file, defined by RELAX. We used this source code for the engine program to produce the program code efficiently. This net structure is composed of LcPlace, LcTransition, Mark, and LcArc. All elements have a unique ID as a distinguishing attribute for the engine program. We describe each element as follows:

LcPlace This element contains information about a place. It has the inMark element that shows the ID of a mark in the place. The attribute shows that the place can be connected to a place in another net model.

[Figure 2: The structure of XML for LCPN. Attributes shown in the tree: id:string [required], maxMarkCount:int [required], attribute:string, logic:string [required], type:string [required], inputIndex:string, action:string [required], netId:string [required], targetIndex:string, id:int [required], index:string [required].]

LcTransition This element contains information about a transition. It has the element fire, which shows the firing condition and the operations of transition, and connection, which shows the arc to connect with the transition. The element fire has two parts named condition and work. The condition contains information about the firing condition using an attribute named
logic. The logic attribute has a number of values. These include: a mark exists in the place (exists), two values in some marks are equal (equality), and the program compares two values (larger, smaller). The condition contains the element named InputPlace. The InputPlace shows a place of the value or a value by type and InputIndex. These values are used when the engine program checks the firing condition of a transition. For example, when the logic in a transition is "exists" the transition can fire when the place shown by InputPlace has a mark. The firing conditions shown by the element of condition are simple. If we need to design a complex firing condition in a net, we express this by using a condition in one of the fires. The work contains information for firing the transition. The work contains an attribute named action that shows the work when the transition fires. The work contains two parts named SourceData and TargetPlace. SourceData shows a place or value. These values are used when the transition fires. The TargetPlace shows a point where the transition outputs a mark. The NetId attribute in TargetPlace shows the net of the output place; usually it is "root". The firing operation, shown by the element of work, is simple. For example, a mark can move to another place (move), the program can copy a mark to a place (copy), the program can remove a mark (remove), and the program can add to the value in some marks (add). We use work to express any complex operation in the net model. Because we use the Java language to describe the source of the engine program, the engine program is able to call Java's class file. Therefore, we can describe a complex operation in the XML file of the net model.

Mark The mark element has MarkData which shows the colour and structure of the mark. Each MarkData is distinguished by an attribute of MarkData called index. SourceIndex in SourceData, TargetIndex in TargetPlace and InputIndex in InputPlace show the index of MarkData for the engine program to use in checking the condition or firing.

[Figure 3: A sample net model.]

LcArc This element has information concerning an arc. The elements in and out show the input place or transition, or their output. The NetId attribute shows the net of the transition or place; usually it is "root".

As an example, Figure 3 describes the Boolean marking of a Petri net. We show the XML documents of this net model in Figure 4. By using this XML-formatted data, which is designed by the system specification, the engine program can easily process this firing logic information.

A net model designed by the "Renew" tool is converted to XML data with a structure based on PNML. We transferred this structure of the XML data to our structure using the transfer program. In this transfer, ID, basic logic for transition (exists, remove), and no coloured mark in the net model are generated automatically. However, we have to show other logic for transition and data structure of a mark in the transfer program. We describe some logic and mark's colour to some element of the net model as strings, using a function of the "Renew" tool in the design net model, when required. The transfer program describes other logic and mark's colour in the XML file by reading some strings in the net
[Figure 8: XML example of DES Accumulator (subnet).]
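An added example (Python, not the authors' Java engine): a reader for a net description that evaluates the logic values named in Section 4.1 and applies the move, copy and remove actions, using closed tables so that an unknown logic or action value in the XML is rejected instead of dispatched. The XML layout, the `<net>` root and the `mark` and `ref` attributes are assumptions, since the page does not reproduce the schema; `add` is omitted because its operands are not specified here.

```python
import xml.etree.ElementTree as ET

# Constructed sample net; the layout and the "mark"/"ref" attributes are assumptions.
SAMPLE_NET = """<net>
  <LcPlace id="p1" mark="5"/><LcPlace id="p2" mark="0"/>
  <LcTransition id="t1"><fire>
    <condition logic="larger">
      <InputPlace type="place" ref="p1"/><InputPlace type="value" ref="3"/>
    </condition>
    <work action="move"><SourceData ref="p1"/><TargetPlace netId="root" ref="p2"/></work>
  </fire></LcTransition>
</net>"""

# Closed table of logic values; 0 means "no mark", as mu(s) = 0 in Section 3.
LOGIC = {
    "exists": lambda a: a != 0,
    "equality": lambda a, b: a != 0 and a == b,
    "larger": lambda a, b: a != 0 and a > b,
    "smaller": lambda a, b: a != 0 and a < b,
}

def load(xml_text):
    # Returns (transitions by id, initial marking as {place id: mark value}).
    root = ET.fromstring(xml_text)
    marking = {p.get("id"): int(p.get("mark", "0")) for p in root.iter("LcPlace")}
    return {t.get("id"): t for t in root.iter("LcTransition")}, marking

def firable(trans, marking):
    cond = trans.find("fire/condition")
    if cond.get("logic") not in LOGIC:
        raise ValueError("unknown logic: %r" % cond.get("logic"))
    # type="place" reads the mark value of that place; otherwise ref is a literal.
    args = [marking[n.get("ref")] if n.get("type") == "place" else int(n.get("ref"))
            for n in cond.findall("InputPlace")]
    return LOGIC[cond.get("logic")](*args)

def fire(trans, marking):
    # Returns the next marking; it is unchanged when the transition is not firable.
    new = dict(marking)
    if not firable(trans, marking):
        return new
    work = trans.find("fire/work")
    action, src = work.get("action"), work.find("SourceData").get("ref")
    if action not in ("move", "copy", "remove"):
        raise ValueError("unsupported action: %r" % action)
    if action in ("move", "copy"):
        new[work.find("TargetPlace").get("ref")] = marking[src]
    if action in ("move", "remove"):
        new[src] = 0
    return new
```

Firing `t1` on the sample moves the mark with value 5 from `p1` to `p2`; a second evaluation leaves the marking unchanged because `p1` is then empty.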