Inside LoLA Experiences from building a State Space Tool for Place Transition Nets Karsten Wolf Universität Rostock

1. Introduction

History Started in 1998 - after some years experience with INA Goal: convincing performance for own reduction techniques 2000: First presented in PN Conference Since then: Integration (PNK, CPN-AMI, MC Kit) Applications

Started in 1998 - after some years experience with INA

Goal: convincing performance for own reduction

techniques

2000: First presented in PN Conference

Since then: Integration (PNK, CPN-AMI, MC Kit)

Applications

Properties & Reduction Techniques Boundedness Reachability EF  Deadlocks Dead transitions Liveness AG EF  Reversibility Home states Progress GF  Stability FG  Eventually F  CTL Model Checking Stubborn sets Symmetries Coverability Sweep-Line Cycle coverage State compression Goal-oriented execution Distributed version Abstraction refinement

Boundedness

Reachability EF 

Deadlocks

Dead transitions

Liveness AG EF 

Reversibility

Home states

Progress GF 

Stability FG 

Eventually F 

CTL Model Checking

Plan Applications Implementation of core functionality Reduction techniques

Applications

Implementation of core functionality

Reduction techniques

Application: GALS wrapper Background: Cooperation with semiconductor institute in Frankfurt/O Chip for coding/decoding 802.11 signals GALS technology (globally asynchronous/locally synchronous) Synchr. components embedded in asynchronous wrapper Goal: Search for hazards in wrapper

Background:

Cooperation with semiconductor institute in Frankfurt/O

Chip for coding/decoding 802.11 signals

GALS technology (globally asynchronous/locally synchronous)

Synchr. components embedded in asynchronous wrapper

Goal: Search for hazards in wrapper

Hazard AND a b c 0 1 P(b) = 0 P(a) = 1 P(c) = 0 1 1 0 0 1 0 1 0  T 1 0 P(a): P(b): P(c): Hazard

The Wrapper

Size of wrapper 5 Components 5 Gate types AND, OR, NOR Muller-C Element FlipFlop Counter Mutex 28 Gates 28 Signals

5 Components

5 Gate types

AND, OR, NOR

Muller-C Element

FlipFlop

Counter

Mutex

28 Gates

28 Signals

Model: AND

Hazard is Marking! P(a) = 1 P(b) = 0 P(c) = 0 E(a) E(b)

Verification Reachability problem (EF Hazard_Marking)  LoLA 286 Places + 466 Transitions State explosion (2 P )

Reachability problem (EF Hazard_Marking)

 LoLA

286 Places + 466 Transitions

State explosion (2 P )

Reduction Check hazards gate by gate, assume absence of hazards in remaining gates Abstract other components AND AND OR a b c d e a b c d e

Check hazards gate by gate, assume absence of hazards in remaining gates

Abstract other components

LoLA Clock Control: 26 states Pausable Clock Generator: 17 states Timeout Generator: 100 states Input Port: 10232 states Output Port: 201 states Reduction techniques: Stubborn sets, Sweep-Line

Clock Control: 26 states

Pausable Clock Generator: 17 states

Timeout Generator: 100 states

Input Port: 10232 states

Output Port: 201 states

Reduction techniques: Stubborn sets, Sweep-Line

Results 2 real Hazards found 6 further hazards in the model, excluded by engineers, due to timing constraints

2 real Hazards found

6 further hazards in the model, excluded by engineers, due to timing constraints

Application: Validation of PN Semantics for BPEL BPEL: modelling language for business processes BPEL process can be huge  formal verification of BPEL processes needed problems: BPEL is specified informally formal verification of BPEL processes not possible

BPEL:

modelling language for business processes

BPEL process can be huge

 formal verification of BPEL processes needed

problems:

BPEL is specified informally

formal verification of BPEL processes not possible

Process Sequence Flow A C D Switch B E Fault Handler Compensation Handler

Idea of the Petri net semantics Complete Petri net semantics for BPEL v1.1 Sequence A E Flow Petri net patterns interface

Complete Petri net semantics for BPEL v1.1

Petri net patterns

interface

Example: receive (cont.)

Analysis results Stubborn sets, Sweep-line 6,300,000 10,000 states 440,000 1,300 red. states 1,069 249 transitions 410 158 places 53 17 activities Online Shop Purchase Order

Application: H. Garavel‘s challenge Petri net distributed in PN mailing list (4 responses) 485 Places, 776 Transitions, almost 10 22 states Example stems from LOTOS specification Problem: Quasi-Liveness LoLA solution: 776 state spaces, each checking whether one single transition is dead most state spaces trivial, due to goal orientation, 2 state spaces out of memory, but solved through goal-oriented execution Longest trace: almost 6000 transitions

Petri net distributed in PN mailing list (4 responses)

485 Places, 776 Transitions, almost 10 22 states

Example stems from LOTOS specification

Problem: Quasi-Liveness

LoLA solution: 776 state spaces, each checking

whether one single transition is dead

most state spaces trivial, due to goal orientation,

2 state spaces out of memory, but solved through

goal-oriented execution

Longest trace: almost 6000 transitions

Conclusion, Part I easy to integrate, easy to use LoLA broad range of application areas competitive run-time + reduction power Most reliable reduction techniques: stubborn sets + sweep-line method Divide specification into as many as possible calls to LoLA abstract

easy to integrate, easy to use LoLA

broad range of application areas

competitive run-time + reduction power

Most reliable reduction techniques: stubborn sets + sweep-line method

Divide specification into as many as possible calls to LoLA

abstract

2. Implementation of core units

Core units Unfolding HL nets Firing a transition Evaluating a state predicate Managing the state space Organizing search Detecting strongly connected components

Unfolding HL nets

Firing a transition

Evaluating a state predicate

Managing the state space

Organizing search

Detecting strongly connected components

1. Unfolding HL nets Problem: An LL net stemming from an HL net contains many spurious elements. Example: mailbox Proc x Proc tokens actually only for [x,y] with x N y Solutions: Maria: unfold HL net on-the-fly LoLA: propose redundant guards x N y x y mailbox

Problem: An LL net stemming from an HL net contains many spurious elements.

Example:

2. Firing transitions Marking changed via list of pre-, list of post-places  effort does not depend on size of net After firing, only some transitions are checked for enabledness previously enabled transitions that lost tokens previously disabled transitions that gained tokens ... managed through explicitly stored lists For nets exhibiting locality, only „constant“ effort for firing

Marking changed via list of pre-, list of post-places  effort does not depend on size of net

After firing, only some transitions are checked for enabledness

previously enabled transitions that lost tokens

previously disabled transitions that gained tokens

... managed through explicitly stored lists

3. Checking state predicates predicate = boolean combination of p {><= ≤≥≠} k stored in negation-free normal form   1  2  3  n ...  „ constant“ effort AND/OR true false

predicate = boolean combination of p {><= ≤≥≠} k

stored in negation-free normal form

4. Managing the state space 1st state = bit vector other states = bit vector +decision record decision records form tree ... p 1 p 2 p 3 p 4 p 5 p 6 ... ... nr: 6

1st state = bit vector

other states = bit vector +decision record

decision records form tree

4 .Managing the state space find/insert a marking: one integrated process dive done into decision tree on mismatch: at decision point: switch to next vector at end: found, no insert between decision points: insert at point of mismatch decision records form tree ... p 1 p 2 p 3 p 4 p 5 p 6 ... ... nr: 6

find/insert a marking: one integrated process

dive done into decision tree

on mismatch:

at decision point: switch to next vector

at end: found, no insert

between decision points: insert at point of mismatch

decision records form tree

5. Organizing search General remarks Search consists of - fire transitions ✔ - find/insert marking ✔ - backtracking: fire transition backwards  only „constant“ time  search stack consists of reference to transition + list of enabled transitions  state space is „write-only“ memory

General remarks

Search consists of

- fire transitions ✔

- find/insert marking ✔

- backtracking: fire transition backwards

 only „constant“ time

 search stack consists of reference to transition +

list of enabled transitions

 state space is „write-only“ memory

5. Organizing search b) Depth-first search: ability to detect SCC c) Breadth-first search: Simulated by bounded depth-first search with incrementally increased bound  Update of current marking, list of enabled transitions, etc. through sequence of transition occurrences

b) Depth-first search: ability to detect SCC

c) Breadth-first search:

Simulated by bounded depth-first search with incrementally increased bound

 Update of current marking, list of enabled transitions, etc. through sequence of transition occurrences

6. Detecting strongly connected components Traditional approach: Tarjan‘s algorithm Tree edge Forward edge Backward edge Cross edge consecutive dfs number v.lowlink = min {v‘.dfs | v  *v‘ via - arbitrarily many tree edges - + one other edge within same scc } roots of scc hold: dfs = lowlink implementation: second stack 0 3 2 6 1 5 4 0 1 1 3 4 4 4

Traditional approach: Tarjan‘s algorithm

consecutive dfs number

v.lowlink = min {v‘.dfs | v  *v‘ via

- arbitrarily many tree edges

- + one other edge within same scc }

roots of scc hold: dfs = lowlink

implementation: second stack

6. Detecting strongly connected components LoLA approach: simplified lowlink Tree edge Forward edge Backward edge Cross edge consecutive dfs number v.lowlink = min {v‘.dfs | v  *v‘ via - arbitrarily many tree edges - + one other edge within same scc } roots of terminal scc hold: dfs = lowlink no second stack necessary terminal scc sufficient for liveness, reversibility, ... 0 3 2 6 1 5 4 0 1 1 1 1 4 4

LoLA approach: simplified lowlink

consecutive dfs number

v.lowlink = min {v‘.dfs | v  *v‘ via

- arbitrarily many tree edges

- + one other edge within same scc }

roots of terminal scc hold: dfs = lowlink

no second stack necessary

terminal scc sufficient for liveness,

reversibility, ...

Conclusion, Part II LoLA is a Petri net tool Locality: „constant“ effort for many core tasks Linearity: Backtracking through backward firing Monotonicity: narrowed set of transitions to be checked for enabledness

LoLA is a Petri net tool

Locality: „constant“ effort for many core tasks

Linearity: Backtracking through backward firing

Monotonicity: narrowed set of transitions to be checked for enabledness

Conclusion, Part II LoLA is a Place Transition net tool simple data structures, just numbers Backtracking through backward firing only few sources for automated abstraction some nets cannot be handled due to size of net

LoLA is a Place Transition net tool

simple data structures, just numbers

Backtracking through backward firing

only few sources for automated abstraction

some nets cannot be handled due to size of net

Reduction techniques

1. Linear algebra The invariant calculus originally invented for replacing state spaces in LoLA: used for optimizing state spaces Place invariant: token weights attached to places, weighted sum constant for all reachable markings Transition invariant: firing vector of a potential cycle

The invariant calculus

originally invented for replacing state spaces

in LoLA: used for optimizing state spaces

1. Linear algebra Place invariants  linear dependancy between places Knowing invariants, marking of some places can be expressed in terms of other places  those places need not be stored  search/insert can be restricted to significant places reduction 30-70% of space and time

Place invariants

 linear dependancy between places

Knowing invariants, marking of some places can be expressed in terms of other places

 those places need not be stored

 search/insert can be restricted to significant places

reduction 30-70% of space and time

1. Linear algebra Transition invariants for termination sufficient: store one state per cycle of occurrence graph implementation in LoLA: transition invariants  set of transitions that occur in every cycle  store states where those transitions enabled saves space, if applied in connection with stubborn sets, costs time

Transition invariants

for termination sufficient: store one state per cycle of occurrence graph

implementation in LoLA:

transition invariants  set of transitions that occur in every cycle  store states where those transitions enabled

saves space, if applied in connection with stubborn sets, costs time

2. The sweep-line method Relies on progress measure LoLA computes measure automatically, based on transition invariants Idea: - Every transition changes progress value by constant - Sum of changes must be 0 on every transition invariant  simple system of linear equations

Relies on progress measure

LoLA computes measure automatically, based on

transition invariants

Idea: - Every transition changes progress value by constant

- Sum of changes must be 0 on every transition invariant

 simple system of linear equations

2. The sweep-line method constant change  successors lie in a small window of progress values current state - + load persistent states from previous sweep store states marked persistent

constant change  successors lie in a small window of progress values

3. The symmetry method LoLA: A symmetry = a graph automorphism of the PT-Net All graph automorphisms = a group (up to exponentially many members)  stored in LoLA: polynomial generating set A marking class: all markings that can be transformed into each other by symmetry  executed in LoLA: polynomial time approximation

LoLA: A symmetry = a graph automorphism of the PT-Net

All graph automorphisms = a group (up to exponentially many members)

 stored in LoLA: polynomial generating set

A marking class: all markings that can be transformed into each other by symmetry

 executed in LoLA: polynomial time approximation

3. The symmetry method Generating set: 1 2 3 4 5 6 7 8 1st part: for every possibility to move node 1, insert one automorphism: (1 2 3 4) (5 6 7 8) (1 3) (2 4) (5 7) (6 8) (1 4 3 2) (5 8 7 6) (1 5 8 4) (2 6 7 3) (1 6) (2 5) (3 8) (4 7) (1 7) (2 8) (3 5) (4 6) (1 8) (2 7) (3 6) (4 5) 2nd part: fix 1, try to move node 2: (1) (2 4 5) (3 8 6) (7) (1) (2 5 4) (3 6 8) (7) 3rd part: fix 1,2, try to move node 3: (1) (2) (3 6) (4 5) (7) (8)

Generating set:

3. The symmetry method compute canonical representative Canonical representative = lexicographically smallest member of marking class Approximation: Use 1st part to sort smallest value to 1st component Use 2nd part to sort smallest value to 2nd component ...

compute canonical representative

Canonical representative = lexicographically smallest

member of marking class

Approximation:

Use 1st part to sort smallest value to 1st component

Use 2nd part to sort smallest value to 2nd component

...

4. Stubborn set method Dedicated method for each property traditional LTL-preserving method: - one enabled transition - the basic stubborness principal (  next slide) - only invisible transitions - at least once, on every cycle, all enabled transitions LoLA: - can avoid some of the criteria, depending on property

Dedicated method for each property

traditional LTL-preserving method:

- one enabled transition

- the basic stubborness principal (  next slide)

- only invisible transitions

- at least once, on every cycle, all enabled transitions

LoLA:

- can avoid some of the criteria, depending on property

4. The stubborn set method The basic stubborness principal If t activated, insert all conflicting transitions If t deactivated, insert all pre-transitions of an insufficiently marked place (the scapegoat) LoLA: Every transition object holds list of all conflicting t Every place holds list of all pre-transitions Every transition holds reference to one of the lists, updated during enabledness check Prod has more sophisticated, but slower techniques

The basic stubborness principal

If t activated, insert all conflicting transitions

If t deactivated, insert all pre-transitions of an insufficiently marked place (the scapegoat)

LoLA: Every transition object holds list of all conflicting t

Every place holds list of all pre-transitions

Every transition holds reference to one of the lists,

updated during enabledness check

Combination of techniques currentmarking := initial marking compute firing list do if firing list empty then take care of scc check property backtrack else fire element of firing list search & insert if new check property compute firing list else backtrack Symmetries Stubborn sets Linear algebra

Conclusion Part III PT approach  automatic computation of structural information necessary + possible Most techniques compatible with each other Dedicated methods for particular properties beat generic approaches

PT approach  automatic computation of structural information necessary + possible

Most techniques compatible with each other

Dedicated methods for particular properties beat generic approaches

PTN versus CPN verification with significant knowledge of the model verification with little knowledge of the model Target group easier difficult Abstraction difficult to use easy to use Linear algebra manual or user-assisted automatic Additional information CPN PTN

General conclusion For success abstract split into many verification tasks use dedicated techniques insert structural information trade space (explicit information about net) for run time (state space)

For success

abstract

split into many verification tasks

use dedicated techniques

insert structural information

trade space (explicit information about net) for run time (state space)

Future of LoLA Counterexample guided abstraction refinement decolouring of HL nets on the coverability graph Distributed version Modular state spaces Support of more properties Fiona: Operating guidelines for services

Counterexample guided abstraction refinement

decolouring of HL nets

on the coverability graph

Distributed version

Modular state spaces

Support of more properties

Fiona: Operating guidelines for services

More information LoLA: ICATPN 2000 Fiona: BPM 2006 Stubborn sets: ICATPN 1999, Fundamenta Informaticae 2000 Symmetries: Acta Informatica 2000, TACAS 2000 Linear Algebra: TACAS 2003 Sweep-Line: TACAS 2004+STTT Coverability graphs: FMSD 1999 Distributed verification: Fundamenta Informaticae 2003 Services: BPM 2005 GALS: ASYNC 2005

LoLA: ICATPN 2000

Fiona: BPM 2006

Stubborn sets: ICATPN 1999, Fundamenta Informaticae 2000

Symmetries: Acta Informatica 2000, TACAS 2000

Linear Algebra: TACAS 2003

Sweep-Line: TACAS 2004+STTT

Coverability graphs: FMSD 1999

Distributed verification: Fundamenta Informaticae 2003

Services: BPM 2005

GALS: ASYNC 2005