An Improvement of McMillan's Unfolding Algorithm
Javier Esparza and Stefan Romer (fesparza|roemerg@in.tum.de)
Institut fur Informatik, Technische Universitat Munchen, Arcisstr. 21, D{80333 Munchen, Germany
Walter Voglery (walter.vogler@informatik.uni-augsburg.de)
Institut fur Informatik, Universitat Augsburg, Universitatsstr. 14, D{86159 Augsburg, Germany
Abstract. McMillan has recently proposed a new technique to avoid the state explosion problem in the verication of systems modelled with nite-state Petri nets. The technique requires to construct a nite initial part of the unfolding of the net. McMillan's algorithm for this task may yield initial parts that are larger than necessary (exponentially larger in the worst case). We present a renement of the algorithm which overcomes this problem.
Keywords:unfolding, partial-order semantics, Petri nets
1. Introduction
In a seminal paper [12], McMillan has proposed a new technique to avoid the state explosion problem in the verication of systems mod- elled with nite-state Petri nets. The technique is based on the concept of net unfoldings, a well known partial-order semantics of Petri nets introduced in [15], and later described in more detail in [4] under the name of branching processes. The unfolding of a net is another net, usually innite but with a simpler structure. McMillan proposes an algorithm for the construction of a nite initial part of the unfolding which contains full information about the reachable states. We call such an initial part a nite complete prex. He then shows how to use these prexes for deadlock detection.
The unfolding technique has later been applied to other verica- tion problems. In [8, 9, 13] it is used to check relevant properties of speed independent circuits. In [5], an unfolding-based model checking algorithm for a simple branching time logic is proposed.
Although McMillan's algorithm is simple and elegant, it sometimes generates prexes much larger than necessary. In some cases a minimal complete prex has size
O
(n
) (wheren
is the size of the Petri net),Partially supported by the Teilprojekt A3 SAM of the Sonderforschungsbereich 342 \Werkzeuge und Methoden fur die Nutzung paralleler Rechnerarchitekturen".
y Work on this paper was partially supported by the DFG (Project \Halbord- nungstesten").
c
2000 Kluwer Academic Publishers. Printed in the Netherlands.
while the algorithm generates a prex of size
O
(2n). In this paper we provide an algorithm which generates a minimal complete prex (in a certain sense to be dened). The prex is always smaller than or as large as the prex generated with the old algorithm, and it is never larger (up to small constant) than the state space of the Petri net.The paper is organised as follows. Section 2 and 3 contain basic denitions about Petri nets and branching processes, respectively. In Section 4 we show that McMillan's algorithm is just an element of a whole family of algorithms for the construction of nite complete prexes. The algorithms of this family depend on the choice of a so- called adequate order; this is a partial order on the congurations of a branching process. In Section 5 we improve McMillan's algorithm by exhibiting a ner adequate order. In Section 6 we dene for 1-safe net systems an adequate order which is total. Section 7 extends this idea to
n
-bounded systems; for the representation of the process net another partial-order semantics is used, so-called executions. Finally, in Section 8 we present aspects of an ecient implementation of the algorithms, accompanied by experimental results.2. Petri nets
A net is a triple (
S;T;W
), whereS
andT
are disjoint sets of places (Stellen in Petri's original notation) and transitions, respectively, andW
is a function (S
T
)[(T
S
)!f0;
1g. Places and transitions are generically called nodes. IfW
(x;y
) = 1 then we say that there is an arc fromx
toy
. Thus, a net can be considered as a directed graph. A path in such a graph is { as usual { a nonempty sequence of nodes without repetitions such there is an arc from each node to the following (if there is one).The preset of a node
x
, denoted byx
, is the set fy
2S
[T
jW
(y;x
) = 1g. The postset ofx
, denoted byx
, is the set fy
2S
[T
jW
(x;y
) = 1g.A marking of a net (
S;T;W
) is a mappingM
:S
!IN
(whereIN
denotes the natural numbers including 0). We identifyM
with the multiset containingM
(s
) copies ofs
for everys
2S
. For instance, ifS
=fs
1;s
2g andM
(s
1) = 1,M
(s
2) = 2, we writeM
=fs
1;s
2;s
2g.A 4-tuple = (
S;T;W;M
0) is a net system if (S;T;W
) is a net andM
0 is a marking of (S;T;W
) (called the initial marking of ).General assumptions In this paper we consider only nets in which every transition has a nonempty preset and a nonempty postset. We further assume that all net systems are nite.
A marking
M
enablesa transitiont
if it marks each places
2t
with a token, i.e. ifM
(s
)>
0 for eachs
2t
. Ift
is enabled atM
, then it can reor occur, and its occurrence leads to a new markingM
0, obtained by removing a token from each place in the preset oft
, and adding a token to each place in its poset; formally,M
0(s
) =M
(s
)W
(s;t
) +W
(t;s
) for every places
. For each transitiont
the relation !t is dened as follows:M
!tM
0 ift
is enabled atM
and its occurrence leads toM
0. A sequence of transitions=t
1t
2:::t
n is an occurrence sequence if there exist markingsM
1,M
2, ...,M
n such thatM
0 t1!
M
1 t2!
:::M
n 1 t!nM
nM
n is the marking reached by the occurrence of , also denoted byM
0 !M
n.M
is a reachable marking if there exists an occurrence sequencesuch thatM
0 !M
. The reachability graph of a net system is the labelled graph having the reachable markings of the system as nodes, and the !t relations (more precisely, their restriction to the set of reachable markings) as arcs.A marking
M
of a net isn
-safe ifM
(s
)n
for every places
. A net system isn
-safe if all its reachable markings aren
-safe, and safe if it isn
-safe for some numbern
.Labelled nets A labelled net is a pair (
N;l
) (also represented as a 4- tuple (S;T;W;l
)), whereN
is a net andl
is a labelling function that assigns to each nodex
ofN
a labell
(x
) taken from some set. Notice that dierent nodes can carry the same label. For each labela
we dene the relation a! between markings as follows:M
a!M
0 ifM
!tM
0 for some transitiont
such thatl
(t
) =a
. The reachability graph of a labelled net system is the labelled graph having the reachable markings of the system as nodes, and the a!relations (more precisely, their restriction to the set of reachable markings) as arcs.3. Branching processes
In this section we describe branching processes, a partial-order seman- tics of Petri nets. Before giving any formal denitions, we give some intuitive ideas.
Consider a directed graph
G
with a root node. It is well-known that such a graph can be \unfolded" into a labelled tree (whose nodes are the paths inG
starting at the root). The nodes of the tree are labelled with the nodes of the graph (i.e. with the last node of the respective path). The unfolding process can be stopped at dierenttimes yielding dierent trees, but there is a unique labelled tree, usually innite, obtained by unfolding \as much as possible". This labelled tree is called the unfolding of the graph.
In the same way, net systems can be \unfolded" into labelled occur- rence nets, a subclass of nets with a particularly simple, tree-like struc- ture. The nodes of the occurrence net are labelled with the places and transitions of the net. The labelled occurrence nets obtained through unfolding of a net are called branching processes. The unfolding process can be stopped at dierent times yielding dierent branching processes, but there is a unique, usually innite, branching process obtained by unfolding \as much as possible". This branching process is called the unfolding of the net system.
In the next two subsections we formally dene occurrence nets, branching processes and the unfolding.
3.1. Occurrence nets
First of all, we need to dene the causal, conict, and concurrency relations between nodes of a net.
Two nodes
x
andy
are in causal relation, denoted byx < y
, if the net contains a path with at least one arc leading fromx
toy
.x
andy
are in conict relation, or just in conict, denoted byx
#y
, if the net contains two pathsst
1:::x
1 andst
2:::x
2 starting at the same places
, and such thatt
1 6=t
2. In words,x
1 andx
2 are in conict if the net contains two paths leading tox
1 andx
2 which start at the same place and immediately diverge (although later on they can converge again).x
andy
are in concurrency relation, denoted byx
coy
, if neitherx < y
nory < x
norx
#y
.An occurrence net is a net
O
= (B;E;F
) such that:(1) j
b
j1 for everyb
2B
;(2)
O
is acyclic, or, equivalently, the causal relation is a partial order;(3)
O
is nitely preceded, i.e., for everyx
2B
[E
, the set of elementsy
2B
[E
such thaty < x
is nite;(4) no element is in conict with itself.
It is easy to see that any two nodes of an occurrence net are either in causal, conict, or concurrency relation.
The elements of
B
andE
are usually called conditions (Bedingungen in Petri's original notation) and events, respectively.Min(
O
) denotes the set of minimal elements ofB
[E
with respect to the causal relation, i.e., the elements that have an empty preset. Since we only consider nets in which every transition has a nonempty preset, the elements of Min(O
) are conditions.3.2. Branching processes
Those labelled occurrence nets obtained from net systems by \un- folding" are called branching processes, and have the following formal denition:
A branching process of a net system = (
S;T;W;M
0) is a labelled occurrence net = (O;p
) = (B;E;F;p
) where the labelling functionp
satises the following properties:(i)
p
(B
)S
andp
(E
)T
(
p
preserves the nature of nodes);(ii) for every
e
2E
, the restriction ofp
toe
is a bijection betweene
(in ) andp
(e
) (in), and similarly fore
andp
(e
)(
p
preserves the environments of transitions);(iii) the restriction of
p
to Min(O
) is a bijection between Min(O
) andM
0(
\starts" atM
0);(iv) for every
e
1;e
22E
, ife
1=e
2 andp
(e
1) =p
(e
2) thene
1 =e
2(
does not duplicate the transitions of ).Figure 1 shows a 1-safe net system (part (a)), and two of its branch- ing processes (parts (b) and (c)).
Branching processes dier on \how much they unfold". It is natural to introduce a prex relation formalising the idea \a branching process unfolds less than another".
Let
0 = (O
0;p
0) and = (O;p
) be two branching processes of a net system. 0 is a prex of ifO
0 is a subnet ofO
satisfyingMin(
O
) belongs toO
0;if a condition
b
belongs toO
0, then its input evente
2b
inO
also belongs toO
0 (if it exists); andif an event
e
belongs toO
0, then its input and output conditionse
[e
inO
also belong toO
0,s1 s2
t1 t2 t3
t6 s3 s4 s5 t7
t4 t5
s5
s5
(a)
s1 s2
t1
1 2 t2 3 t3
s3 s4 s5
t4
4 5 t5
s6 s7 s6 s7
t6
6 7 t7 8 t6 9 t7
s1 s2 s1 s2
(b)
s1 s2
t1
1 2 t2 3 t3
s3 s4 s5
t4
4 5 t5
s6 s7 s6 s7
t6
6 7 t7 8 t6 9 t7
s1 s2 s1 s2
t1
10 11t2 12t3 13t1 14t2 15t3
s3 s4 s5 s3 s4 s5
t4
16 17t5 18 t4 19t5
s6 s7 s6 s7 s6 s7 s6 s7
... ... ... ... ... ... ... ...
Figure 1. A net system (a) and two of its branching processes (b,c)(c)
and
p
0 is the restriction ofp
toO
0.It is shown in [4] that a net system has a unique maximal branching process with respect to the prex relation. To be precise, this process is unique up to isomorphism, i.e., up to renaming of the conditions and the events. This is the branching process that \unfolds as much as possible". We call it the unfolding of the system. The unfolding of the 1-safe system of Figure 1 is innite.
A branching process has a natural initial marking, namely the mark- ing that puts one token in each minimal condition, and no tokens anywhere else. When we talk of the reachable markings and the reach- ability graph of a branching process, we refer to the natural initial marking.
With this, we can formulate how an unfolding describes the be- haviour of a net as follows: Let be a net system, and let
be its unfolding. The reachability graphs of and have isomorphic un- foldings (as graphs as described above). More in detail, the reachablemarkings of are those
p
(M
) whereM
is a reachable marking of ; for a reachable markingM
of and a markingM
00 and a transitiont
of , there areM
0 ande
withp
(M
0) =M
00,p
(e
) =t
andM
e!M
0 in if and only ifp
(M
) !tM
00 in .3.3. Configurations and cuts
In order to work with branching processes we need the notions of conguration and cut.
A conguration
C
of a branching process is a set of events satisfying the following two conditions:e
2C
) 8e
0e
:e
0 2C
(C
is causally closed).8
e;e
0 2C
::(e
#e
0) (C
is conict-free).The set of events f1
;
3;
4;
6g in Figure 1(b) is a conguration, but the sets f3;
4g (not causally closed) and f1;
2g (non conict-free) are not. Intuitively, a conguration is a set of events `rable' from the natural initial marking, i.e., there is a ring sequence from the natural initial marking in which each event of the set occurs exactly once. Forf1
;
3;
4;
6gwe can rst re 1 and 3, then 4 and then 6, but neitherf3;
4g norf1;
2g are rable from the natural initial marking.A set of conditions of a branching process is a co-set if its elements are pairwise in co relation. A maximal co-set with respect to set in- clusion is called a cut. In Figure 1(b), the set containing the (unique) output condition of event 6 and the output condition of event 4 labelled by
s
7 is a cut.A marking
M
of a system is represented in a branching process = (O;p
) of if contains a cutc
such that, for each places
of ,c
contains exactlyM
(s
) conditionsb
withp
(b
) =s
. For instance, the markingfs
1;s
7gis represented in the branching process of Figure 1(b) because of the cut mentioned above. It is easy to prove using results of [1, 4] that every marking represented in a branching process is reach- able, and that every reachable marking is represented in the unfolding of the net system. Observe in particular that fs
1;s
7g is reachable.Finite congurations and cuts are tightly related. Let
C
be a - nite conguration of a branching process = (O;p
). Then the co-set Cut(C
), dened below, is a cut:Cut(
C
) = (Min(O
)[C
)nC:
In particular, given a conguration
C
the set of places Cut(C
) rep- resents a reachable marking, which we denote by Mark(C
). Loosely speaking, Mark(C
) is the marking we reach by ring the congurationC
. In the branching process of Figure 1(b) we have Mark(f1;
3;
4;
6g) =f
s
1;s
7g.4. An algorithm for the construction of a complete nite prex
4.1. Constructing the unfolding
We give an algorithm for the construction of the unfolding of a net system. First of all, let us describe a suitable data structure for the representation of branching processes.
We implement a branching process of a net system as a set
f
n
1;:::;n
kg of nodes. A node is either a condition or an event. A condition is a record containing two elds: a place of , and a pointer to an event (the unique input event of the condition), or to NIL, in case the condition has an empty preset. In the pseudocode description of our algorithms we represent a condition as a pair (s;e
) or (s;
;). An event is also a record with two elds: a transition of , and a list of pointers to conditions (the input conditions of the event). In pseudocode we represent an event as a pair (t;X
).Notice that the ow relation and the labelling function of a branch- ing process are already encoded in its set of nodes. How to express the notions of causal relation, conguration or cut in terms of this data structure is left to the reader.
We need the notion of \events that can be added to a given branch- ing process". Let
t
be a transition of with output placess
1;:::;s
n. Formally, a paire
= (t;X
) is a possible extension of a branching pro- cessfn
1;:::;n
kgiffn
1;:::;n
k;e;
(s
1;e
);::: ;
(s
n;e
)gis also a branching process. PE() denotes the set of possible extensions of a branching process.The following characterisation follows easily from the denitions:
PROPOSITION 4.1.
Let
be a branching process of a net system . The possible ex- tensions of are the pairs(t;X
), whereX
is a co-set of conditions of andt
is a transition of such thatp
(X
) =t
, and(
t;X
) does not already belong to . 4.1 The algorithm for the construction of the unfolding starts with the branching process having the conditions corresponding to the initialmarking of and no events. New events are added one at a time together with their output conditions. Observe that the initial marking
M
0 is a multiset, and so a place can appear several times in it. IfM
0(s
) =k
, then Unf containsk
minimal conditions labelled bys
, i.e.,k
elements (s;
;).ALGORITHM 4.2. The unfolding algorithm
input
: A net system = (N;M
0), whereM
0 =fs
1;:::;s
ng: output
: The unfolding Unf of .begin
Unf :=f(
s
1;
;);::: ;
(s
n;
;)g;pe
:= PE(Unf );while pe
6=;do
add to Unf an event
e
= (t;X
) ofpe
and a condition (s;e
) for every output places
oft
;pe
:= PE(Unf )endwhile
end
4.2The algorithm does not necessarily terminate. In fact, it terminates if and only if the input system does not have any innite occurrence sequence. It is correct only under the fairness assumption that every event added to
pe
is eventually chosen to extend Unf (the correctness proof follows easily from the denitions and from the results of [4]).Constructing a finite complete prefix
We say that a branching process
of a net system is complete if for every reachable markingM
there exists a congurationC
in such that:Mark(
C
) =M
(i.e.,M
is represented in ), andfor every transition
t
enabled byM
there exists a congurationC
[fe
g such thate =
2C
ande
is labelled byt
.The unfolding of a net system is always complete. A complete prex contains as much information as the unfolding, in the sense that we can construct the unfolding from it as the least xpoint of a suitable oper- ation. This property does not hold if we only require every reachable marking to be represented. For instance, the net system of Figure 2(a) has Figure 2(b) as unfolding. Figure 2(c) shows a prex of the unfolding in which every reachable marking is represented. The prex has lost the information indicating that
t
2 can occur from the initial marking.Observe that the prex is not complete.
s1
t1 t2
s2
(a)
s1
t1 t2
s2 s2
(b)
s1
t1
s2
Figure 2. A 1{safe net system (a), its unfolding (b), and a prex (c)(c)
Since an
n
-safe net system has only nitely many reachable mark- ings, its unfolding contains at least one complete nite prex. We transform the algorithm above into a new one whose output is such a prex. The key idea (due to McMillan) is to identify certain events, called cut-o events, at which the construction can be stopped without losing information; stopped means that no new events causally related to the cut-o event are added.We start with some Given a conguration
C
of a branching process = (O;p
), we dene *C
as the pair (O
0;p
0), whereO
0 is the unique subnet ofO
whose set of nodes isfx
jx
62C
[C
^8y
2C
::(x
#y
)g andp
0 is the restriction ofp
to the nodes ofO
0. Loosely speaking,*C
is the part of lying \after"C
.The following result can be easily proved, directly from the deni- tions:
PROPOSITION 4.3.
If
is a branching process of(N;M
0) andC
is a conguration of, then *C
is a branching process of (N;
Mark(C
)). Moreover, if is the unfolding of(N;M
0), then*C
is the unfolding of(N;
Mark(C
))(up to isomorphism). 4.3
Given a conguration
C
, we denote byC
E
the fact thatC
[E
is a conguration such thatC
\E
=;. We say thatC
E
is an extension ofC
, and thatE
is a sux ofC
. Obviously, for a congurationC
0, ifC
C
0 then there is a nonempty suxE
ofC
such thatC
E
=C
0. Now, letC
1 andC
2 be two nite congurations leading to the same marking, i.e. Mark(C
1)=
M
= Mark(C
2). By Proposition 4.3*C
1 and*C
2 are isomorphic to the unfolding of (N;M
), and so they are isomorphic to each other. LetI
21be an isomorphism between*C
1and*C
2. This isomorphism induces a mapping from the nite extensions ofC
1 onto the nite extensions ofC
2: it mapsC
1E
ontoC
2I
21(E
).s1
t1 t2
s2 s3 s4 s5
t3 t4 t5 t6
s6 s7 s8 s9
t7 t8
s10 s11
t9
s12
(a)
s1
t1
1 2 t2
s2 s3 s4 s5
t3
3 4 t5 5 t4 6 t6
s6 s7 s8 s9 s6 s7 s8 s9
t7
7 10t8 8 t7 9 t8
s10 s11 s10 s11
Figure 3. A 1{safe net system (a) and a prex of its unfolding (b)(b)
We can now introduce the three basic notions needed by the al- gorithm: adequate order, local conguration, and cut-o event. We present the formal denitions together with the intuition behing them.
McMillan's idea [12] is to attach to each event
e
added by the un- folding algorithm a reachable marking of . For this, we rst compute the local conguration [e
] ofe
, dened below, and then we associate toe
the marking Mark([e
]).DEFINITION 4.4. Local conguration
The local conguration [
e
] of an evente
of a branching process is the set of eventse
0 such thate
0e
.1 4.4 Now, assume that a new evente
is added to the current branching process, such that some evente
0 added before satises Mark([e
]) = Mark([e
0]). We know that *[e
] and *[e
0] are isomorphic, and so it is sucient to pursue the construction of one of the two. Intuitively, it seems possible to marke
as \cut-o" event, and so stop the construc- tion of *[e
]. However, the following example (independently found by McMillan and one of the authors) shows that this strategy is incorrect.Consider the 1-safe net system of Figure 3(a).
The markingf
s
12gis reachable. However, we can generate the prex of Figure 3(b), in which this marking is not represented. The names1 It is immediate to prove that [e] is a conguration.
of the events are numbers which indicate the order in which they are added to the prex. The events 8 and 10 are marked as \cut-o" events, because their corresponding markingsf
s
7;s
9;s
10g and fs
6;s
8;s
11g are also the markings corresponding to the events 7 and 9, respectively.Although no events can be added, the prex is not complete, because
f
s
12g is not represented in it.The choice between [
e
] and [e
0] is made on the basis of a partial order. We show below that all orders satisfying three properties make the correctness proof work, i.e., lead to nite complete prexes. We call these orders adequate.DEFINITION 4.5. Adequate order
A partial orderon the nite congurations of the unfolding of a net system is an adequate order if:
is well-founded,
C
1C
2 impliesC
1C
2, andis preserved by nite extensions; if
C
1C
2and Mark(C
1) = Mark(C
2), then the isomorphismI
21 from above satisesC
1E
C
2I
21(E
) for all nite extensionsC
1E
ofC
1. 4.5 In [12] [e
0] is smaller than [e
] if it contains less events, i.e. ifj[e
0]j<
j[
e
]j. It is easy to see that this order is adequate. We can now formally dene cut-o events with respect to an adequate order.DEFINITION 4.6. Cut-o event
Letbe an adequate order on the congurations of the unfolding of a net system. Let
be a prex of the unfolding containing an evente
. The evente
is a cut-o event of (with respect to) if contains a local conguration [e
0] such that(a) Mark([
e
]) = Mark([e
0]), and(b) [
e
0][e
]. 4.6The new algorithm is in fact a family of algorithms: each adequate order leads to a dierent algorithm. Events are respecting the order, and cut-os are identied and marked. The algorithm terminates when no event can be added.
ALGORITHM 4.7. The complete nite prex algorithm
input
: Ann
-safe net system = (N;M
0), whereM
0=fs
1;:::;s
kg.output
: A complete nite prex Fin of Unf.begin
Fin := (
s
1;
;);::: ;
(s
k;
;);pe
:= PE(Fin);cut-o:=;;
while pe
6=;do
choose an event
e
= (t;X
) inpe
such that [e
] is minimal with respect to ;if
[e
]\ cut-o=;then
append to Fin the event
e
and a condition (s;e
) for every output places
oft
;pe
:= PE(Fin);if e
is a cut-o event of Finthen
cut-o:= cut-o [f
e
gendif
else pe
:=pe
nfe
gendif
endwhile
end
4.7The correctness of Algorithm 4.7 is proved in the next two proposi- tions.
PROPOSITION 4.8.
Fin is nite.
Proof: Given an event
e
of Fin, dene the depth ofe
as the length of a longest chain of eventse
1< e
2< ::: < e
; the depth ofe
is denoted byd
(e
). We prove the following results:(1) For every event
e
of Fin,d
(e
)n
+ 1, wheren
is the number of reachable markings of .Since cuts correspond to reachable markings, every chain of events
e
1< e
2< ::: < e
n< e
n+1 of Unf contains two eventse
i,e
j,i < j
, such that Mark([e
i]) = Mark([e
j]).Since [
e
i][e
j], we have [e
i][e
j], and therefore [e
j] is a cut-o event of Unf. Should the nite prex algorithm gen- eratee
j, then it has generatede
i before ande
j is recognized as a cut-o event of Fin, too.(2) For every event
e
of Fin, the setse
ande
are nite.By the denition of prex, there is a bijection between
e
andp
(e
), wherep
denotes the labelling function of Fin, and similarly fore
andp
(e
). The result follows from the niteness ofN
.(3) For every
k
0, Fin contains only nitely many eventse
such thatd
(e
)k
.By complete induction on
k
. The base case,k
= 0, is trivial.Let
E
k be the set of events of depth at mostk
. We prove that ifE
k is nite thenE
k+1 is nite.By (2) and the induction hypothesis,
E
k is nite. SinceE
k+1E
k [Min(Fin
), we get by property (iv) in the denition of a branching process thatE
k+1 is nite.It follows from (1) and (3) that Fin only contains nitely many events. By (2) it contains only nitely many conditions.
4.8 PROPOSITION 4.9.
Fin is complete.
Proof: (a) Every reachable marking of is represented in Fin.
Let
M
be an arbitrary reachable marking of . There exists a congurationC
1 of Unf such that Mark(C
1) =M
. IfC
1 is not a conguration of Fin, then it contains some cut-o evente
1, and soC
1 = [e
1]E
1 for some set of eventsE
1. By the denition of a cut-o event, there exists a local conguration [e
2] such that [e
2][e
1] and Mark([e
2]) = Mark([e
1]).Consider the conguration
C
2 = [e
2]I
21(E
1). Since is pre- served by nite extensions, we haveC
2C
1. Morever, Mark(C
2)=
M
. IfC
2 is not a conguration of Fin, then we can iterate the procedure and nd a congurationC
3 such thatC
3C
2 and Mark(C
3) =M
. The procedure cannot be iterated innitely often because is well-founded. Therefore, it terminates in a conguration of Fin.(b) If a transition
t
can occur in , then Fin contains an event labelled byt
.If
t
occurs in , then some reachable markingM
enablest
. The markingM
is represented in Fin. LetC
be a minimal conguration with respect to such that Mark(C
) =M
. Ifs0
t1 t2
s1
t3 t4
s2
...
sn
s0
t1 t2
s1 s1
t3 t4 t3 t4
s2 s2 s2 s2
... ... ... ...
sn sn
sn sn
2n copies of
s
nMinimal complete prex
Figure 4. A Petri net and its unfolding
C
contains some cut-o event, then we can apply the arguments of (a) to conclude that Fin contains a congurationC
0C
such that Mark(C
0) =M
. This contradicts the minimality ofC
. SoC
contains no cut-o events, and therefore Fin also contains a congurationC
fe
gsuch thate
is labelled byt
. 4.9 Notice that the adequacy of an order is a sucient but not necessary condition for the correctness of Algorithm 4.7. For example, a look at the proof of Proposition 4.9 reveals that the preservation of the order by nite extensions is only applied to local congurations. So in the third property of Denition 4.5C
1 andC
2 could be replaced by [e
1] and [e
2].5. An adequate order for arbitrary net systems
As we mentioned in the introduction, McMillan's algorithm may be inecient in some cases. An extreme example due to Kishinevsky and Taubin is the family of systems on the left of Figure 4. While a minimal complete prex has size
O
(n
) in the size of the system (see the dashed line on the right of the gure), the branching process generated by McMillan's algorithm has sizeO
(2n). The reason is that for every markingM
all the local congurations [e
] satisfying Mark([e
]) =M
have the same size, and therefore there exist no cut-o events with respect to McMillan's order. 22 It is not important that the nets in Figure 4 are not simple, i.e. have transitions with the same pre- and postset; we could also replace each transition by a sequence of two transitions to obtain a suitable family of simple nets.
Our parametric presentation of Algorithm 4.7 suggests how to im- prove this: we nd a new adequate order that renes McMillan's order.
Such an order induces a weaker notion of cut-o event. More precisely, every cut-o event with respect to McMillan's order is also a cut-o event with respect to the new order, but maybe not the other way round. Therefore, the instance of Algorithm 4.7 which uses the new order generates at least as many cut-o events as McMillan's instance, and maybe more. In the latter case, Algorithm 4.7 generates a smaller prex.
Let = (
N;M
0) be a net system, and let be an arbitrary total order on the transitions of . Given a setE
of events, let'
(E
) be that sequence of transitions which is ordered according to , and contains each transitiont
as often as there are events inE
with labelt
. For instance, if we havet
1t
2t
3t
4, and the setE
contains four events labelled byt
1,t
2,t
2, andt
3, then'
(E
) =t
1t
2t
2t
3. ('
is somewhat similar to a Parikh-vector.) We say'
(E
1)'
(E
2) if'
(E
1) is lexicographically smaller than'
(E
2) with respect to the order. DEFINITION 5.1. Partial order ELet
C
1 andC
2 be two congurations of the unfolding of a net system.C
1EC
2 holds ifj
C
1j<
jC
2j, orj
C
1j=jC
2j, and'
(C
1)'
(C
2). 5.1 THEOREM 5.2.Let
be the unfolding of a net system. E is an adequate order on the nite congurations of.Proof: It is easy to show thatEis a well-founded partial order implied by inclusion. To show thatE is preserved by nite extensions, assume
C
1 EC
2. For every nite extensionC
1E
ofC
1we have j
E
j = jI
21(E
)j, sinceI
21 is a bijection, and'
(E
) ='
(I
21(E
)), sinceI
21 preserves the labelling of events. If jC
1j<
j
C
2j, thenjC
1E
j<
jC
2I
CC12(E
)j. If'
(C
1)'
(C
2), then by the properties of the lexicographic order'
(C
1E
)'
(C
2I
21(E
)). 5.2If we take E as adequate order, the complete prex generated by Algorithm 4.7 for the net system of Figure 4 is the minimal one corresponding to the dotted line.
s1 s2 s3
t1 t2
(a)
s1 s2 s3
t1
e1 e2 t2
s2 s2
t2
e3 e4 t1
s2 s2
Figure 5. A 1{safe net system (a) and its unfolding (b) (b)
The question is whether there can be other examples in which E
performs poorly. We would like to have an adequate order which guar- antees that the complete prex is at most as large as the reachability graph. A slightly weaker guarantee is provided by total adequate orders.
In this case, whenever an event
e
is generated after some other evente
0 such that Mark([e
]) = Mark([e
0]), we have [e
0][e
] (because events are generated in accordance with the total order ), and soe
is marked as a cut-o event. So total adequate orders have the following important property:PROPOSITION 5.3. A property of total adequate orders
Let be an adequate total order, and let Fin be the output of Algorithm 4.7 on input. The number of non-cut-o events of Fin does not exceed the number of reachable markings of . 5.3 Unfortunately,E is not total. Consider the net system on the left of Figure 5, and its unfolding on the right of the same gure. The congurations
C
1 = fe
1;e
3g andC
2 = fe
2;e
4g have size 2, and we have'
(C
1) =t
1t
2 ='
(C
2) (assumingt
1t
2). So neitherC
1 EC
2nor
C
2 EC
1.The existence of a total adequate order for arbitrary net systems is an open problem. However, in the next section we provide a total ade- quate order F for 1-safe systems, the most relevant case in practice.
Moreover, in Section 7 we show that the unfolding of a net system can also be dened in another way; with this new denition the order F
is total for arbitrary net systems, and Theorem 5.3 holds.
6. A total order for
1-safe systems
In the sequel, let = (
N;M
0) be a xed net system, and let be an arbitrary total order on the transitions of . We rst introduce the Foata normal form of a conguration. Given a nite congurationC
, its Foata normal formFC
is the list of sets of events constructed by the following algorithm [3]:ALGORITHM 6.1. Foata normal form of a conguration
input
: A congurationC
of a branching processoutput
: The Foata normal formFC
ofC
.begin FC
:=;;while C
6=;do
append Min(
C
) toFC
;C
:=C
nMin(C
)endwhile
end
6.1Loosely speaking, the Foata normal form is obtained by repeatedly slicing out the set of minimal events.
Given two congurations
C
1 andC
2, we can compare their Foata normal formsFC
1 =C
11:::C
1n1 andFC
2 =C
21:::C
2n2 with respect to the order : we sayFC
1FC
2 if there exists 1i
n
1 such that'
(C
1j) ='
(C
2j) for every 1j < i
, and'
(C
1i)'
(C
2i).Now, we dene
DEFINITION 6.2. Order F
Let
C
1 andC
2 be two congurations of the unfolding of a net system.C
1FC
2 holds ifj
C
1j<
jC
2j, orj
C
1j=jC
2jand'
(C
1)'
(C
2), or'
(C
1) ='
(C
2) andFC
1FC
2. 6.2 In other words, in order to decide ifC
1 FC
2 we compare rst the sizes ofC
1 andC
2; if they are equal, we compare'
(C
1) and'
(C
2); if they are equal, we compareFC
1 andFC
2.Observe that F is a renement of E. We now prove that F is indeed adequate and total. The key property of 1-safe systems that yields to this result is:
PROPOSITION 6.3.
Any two concurrent conditions of the branching process of a 1-safe net system carry dierent labels.
Proof: Assume that two concurrent conditions
b
1andb
2carry the same labels
. Sincefb
1;b
2gis a co-set, there is a cutc
containing bothb
1andb
2. This cut corresponds to a reachable marking that puts at least two tokens on the places
, which violates 1-safeness.6.3 THEOREM 6.4.
Let
= (O;p
) be the unfolding of a 1-safe net system. F is an adequate total order on the congurations of .Proof: a) F is a well-founded partial order.
This follows immediately from the fact thatEis a well-founded partial order as is the lexicographic order on transition sequences of some xed length.
b)
C
1C
2 impliesC
1FC
2.This is obvious, since
C
1C
2 impliesjC
1j<
jC
2j. c)F is total.Assume that
C
1 andC
2 are two incomparable congurations under F, i.e. jC
1j = jC
2j,'
(C
1) ='
(C
2), and'
(FC
1) ='
(FC
2). We proveC
1 =C
2 by induction on the common sizek
=jC
1j=jC
2j.The base case
k
= 0 givesC
1 =C
2=;, so assumek >
0.We rst prove Min(
C
1) = Min(C
2). Assume without loss of generality thate
1 2 Min(C
1)nMin(C
2). Since'
(Min(C
1)) ='
(Min(C
2)), Min(C
2) contains an evente
2 such thatp
(e
1) =p
(e
2). SinceMin(C
1) andMin(C
2) are subsets of Min(O
), and all the conditions of Min(O
) carry dierent labels by Proposition 6.3, we havee
1 =e
2. This contradicts condition (iv) of the denition of branching process.Since Min(
C
1) = Min(C
2), bothC
1nMin(C
1) andC
2nMin(C
2) are congurations of the branching process *Min(C
1) of (N;
Mark(Min(
C
1))) (Proposition 4.3), and they are incompara- ble under F by construction. Since the common size ofC
1nMin(
C
1) andC
2 nMin(C
2) is strictly smaller thank
, we can apply the induction hypothesis and concludeC
1 =C
2.d) F is preserved by nite extensions.
Take
C
1 FC
2 with Mark(C
1) = Mark(C
2). We have to show thatC
1E
FC
2I
21(E
). We can assume thatE
=fe
g and apply induction afterwards. (Notice that Mark(C
1) = Mark(C
2) implies Mark(C
1fe
g) = Mark(C
2I
21(fe
g).) The casesjC
1j<
j
C
2j andC
1 EC
2 are easy. Hence assume jC
1j = jC
2j and'
(C
1) ='
(C
2). We show rst thate
is a minimal event ofC
10 =C
1[fe
g if and only ifI
21(e
) is a minimal event ofC
20 =C
2[fI
21(e
)g.So let
e
be minimal inC
10, i.e. the transitionp
(e
) is enabled under the initial marking. Lets
2p
(e
); then no condition inC
1 [C
1 is labelleds
, since these conditions would be in co relation with thes
-labelled condition ine
, contradicting Proposition 6.3. Thus,C
1 contains no evente
0 withs
2p
(e
0), and the same holds forC
2 since'
(C
1) ='
(C
2). Therefore, the conditions in Cut(C
2) with label inp
(e
) are minimal conditions of , andI
21(e
) =e
is minimal inC
20. The reverse implication holds analogously, since aboutC
1andC
2 we have only used the hypothesis'
(C
1) ='
(C
2).With this knowledge about the positions of
e
inC
10 andI
21(e
) inC
20, we proceed as follows. If Min(C
1)E Min(C
2), then we now see that Min(C
10) E Min(C
20), hence'
(FC
10)'
(FC
20) and so we are done. If'
(Min(C
1)) ='
(Min(C
2)) ande
2Min(C
10), thenC
10nMin(C
10) =C
1nMin(C
1)FC
2nMin(C
2) =C
20 nMin(C
20) henceC
10 FC
20. Finally, if'
(Min(C
1)) ='
(Min(C
2)) ande
62 Min(C
10), we again argue that Min(C
1) = Min(C
2) and that, hence,C
1nMin(C
1) andC
2nMin(C
2) are congurations of the branching process*Min(C
1) of (N;
Mark(Min(C
1))); with an inductive argument we getC
10 nMin(C
10) FC
20 nMin(C
20)and are also done in this case. 6.4
7. The n -safe case
In this section we study the problem of computing a complete nite prex for an
n
-safe but not necessarily 1-safe-system.In the case of