Formal Methods in System Design, 12, 5–38 (1998). © 1998 Kluwer Academic Publishers. Manufactured in The Netherlands.

Analysis of Petri Nets by Ordering Relations in Reduced Unfoldings

ALEX KONDRATYEV [email protected]

MICHAEL KISHINEVSKY [email protected]

ALEXANDER TAUBIN [email protected]

SERGEI TEN [email protected]

The University of Aizu, Aizu-Wakamatsu, 965-80, Japan

Received June 12, 1995; Revised June 28, 1996

Editor: L. Lavagno

Abstract. This paper suggests a way for Petri Net analysis by checking the ordering relations between places and transitions. The method is based on unfolding the original net into an equivalent acyclic description. We improved on the previously known cutoff criterion for truncating unfoldings [13]. No restrictions are imposed on the class of general PNs. The new criterion significantly reduces the size of an unfolding obtained from a PN. The properties of PNs for analysis can be various: boundedness, safety, persistency etc. A practical example of the suggested approach is given in an application to asynchronous design. Circuit behavior is specified by an interpreted Petri net, called a Signal Transition Graph (STG), which is then analyzed for implementability by an asynchronous hazard-free circuit. The implementability conditions are formulated in such a way that they can be checked by analysis of ordering relations between signal transitions rather than by traversal of states. This allows us to avoid the state explosion problem for highly parallel specifications. The experimental results show that for highly parallel STGs checking their implementability by an unfolding is one to two orders of magnitude less time-consuming than checking it by symbolic BDD traversal of the corresponding State Graph.

Keywords: Petri net, unfolding, ordering relations, asynchronous design, speed-independence

1. Introduction

There are several well-known techniques to avoid the "state explosion problem" in behavioral analysis of Petri Nets (PN). Stubborn sets and methods based on partial orders help to reduce redundancy of a reachability graph which occurs due to concurrency between transitions [25, 5]. Symbolic Binary Decision Diagram (BDD) traversal of a reachability graph allows its implicit representation, which is more compact than an explicit enumeration of states [20]. Another group of methods avoids the generation of the corresponding reachability graph [13, 3, 6] by consideration of a finite prefix (called an unfolding) of the equivalent occurrence net (an acyclic net where all places have no more than one input transition).

These methods cover different areas of application and demonstrate results that are often incomparable for certain properties and subclasses of PNs. For example, the symbolic model checking technique based on BDDs is useful [20], but the size of BDDs might still be exponential in the size of the original PN. Also, the BDD traversal performs efficiently only if the property can be formulated through a characteristic predicate which can be represented by a BDD concisely. This allows us to manipulate subsets of states rather than individual markings. A check for boundedness is problematic since one needs to guess the upper bound for the token count in a place in order to decide efficiently when to terminate the traversal. The stubborn sets approach and partial order techniques are intended for checking a limited set of properties (e.g., deadlocks). They can be applied for verifying properties that are invariant to the order of interleaved transitions. However, this is not the case in asynchronous circuit design. For asynchronous design the key property of correctness is speed-independence, which ensures the correct functioning of a circuit under arbitrary gate delays. To check speed-independence, different interleavings need to be considered and therefore stubborn sets and partial order techniques cannot be used without supplementing methods. On the other hand, using unfoldings might be less efficient for checking deadlocks. Hence, these should be viewed as complementary techniques rather than completely separate methods.

This paper concentrates on using ordering relations in the unfoldings for checking properties of PNs. To justify the use of unfoldings, an efficient method for the generation of unfoldings is given. This method improves the technique developed in [13] and results in a significant reduction of the size of an unfolding (see Section 7). It is shown how to analyze safeness, boundedness and persistency on-the-fly while an unfolding is generated and the ordering relations (precedence, concurrency and conflict) are iteratively calculated.

We further apply the verification by unfoldings to asynchronous designs specified with Signal Transition Graphs (STGs) [1, 11, 14]. STGs are PNs whose transitions are labeled with falling and rising signal transitions. It is shown how to check the implementability of STGs by speed-independent circuits based on the ordering relations.

The experimental results demonstrate that for highly parallel PNs checking their properties by unfoldings is one or two orders of magnitude less time-consuming than checking them by symbolic BDD traversal of the corresponding State Graphs.

The paper is further organized as follows. We present basic definitions and terminology in Section 2. In Section 3, the theory of unfoldings is given. We prove the soundness of the enhanced cutoff criterion for general PNs. In Section 4, it is shown how to check safeness, boundedness, and persistency based on ordering relations between the places and the transitions of any given unfolding. Application to asynchronous design is discussed in Section 5. First, we present Signal Transition Graphs (STGs) and define the implementability conditions for STGs in terms of states (Section 5). Checking the STG implementability conditions by unfolding is discussed in Section 6. Then we develop algorithms (Section 7) and present experimental results on using the unfolding technique (Section 8).

2. Basic Notions

Let N = ⟨P, T, F, m0⟩ be a Petri net (PN) [17], where P is the set of places, T is the set of transitions, F ⊆ (P × T) ∪ (T × P) is the flow relation, and m0 is the initial marking.

A transition t ∈ T is enabled at marking m1 if all its input places are marked. An enabled transition t may fire, producing a new marking m2 with one less token in each input place and one more token in each output place (this is denoted by $m_1 \xrightarrow{t} m_2$ or m1 → m2). The new marking m2 can again make some transitions enabled. We can therefore talk about sequences of transitions that fire under the markings reachable from the initial marking m0. Such sequences of transitions will be called feasible traces or simply traces. The set of input places of transition t is denoted by •t and the set of output places by t•. Similarly, •p and p• stand for the sets of input and output transitions of place p. A place p is called a choice place if it has more than one output transition. A PN is free-choice if any output transition of a choice place has only one input place (this place is called a free-choice place).

Figure 1. Cyclic (a) and acyclic PNs (b). [Figure not reproduced here; the cyclic net has places p1–p8 and transitions t1–t10, the acyclic net places p1–p8 and transitions t1–t8.]

The set of all markings reachable in N from the initial marking m0 is called the Reachability Set of N. Its graphical representation is called the Reachability Graph (RG).

A PN is acyclic if there are no cycles in the graph of the PN. In an acyclic PN there are some places without input transitions. We assume that all these places are initially marked with one token and no other places are initially marked. Therefore, the initial marking for an acyclic PN is given by default and one does not need to define it explicitly. Under the default initial marking agreement, all the properties of an acyclic net are completely determined by the net structure. Note that we do not allow transitions without input places in acyclic PNs. Examples of cyclic and acyclic PNs are shown in Figure 1,a,b. There are two choice places in the cyclic PN, p1 and p5; both of them are free-choice places and consequently the PN is free-choice.

A PN is called:

• k-bounded, if for every reachable marking the number of tokens in any place is not greater than k (a place is called k-bounded if for every reachable marking the number of tokens in it is not greater than k),

• bounded, if there is a finite k for which it is k-bounded,

• safe, if it is 1-bounded (a 1-bounded place is called a safe place).

Figure 2,a shows an example of an unbounded PN. The place p3 is unbounded because the trace t1, t2, t1, . . . can generate an unbounded number of tokens in p3.

A transition ti is called non-persistent if ti is enabled in a reachable marking m together with another transition tj and ti becomes disabled after firing tj. Non-persistency of ti with respect to tj is also called a direct conflict between ti and tj. A PN is persistent if it contains no non-persistent transitions.

Figure 2. An unbounded PN (a) and its occurrence net (b). [Figure not reproduced here; the PN has places p1–p5 and transitions t1–t4, and the occurrence net is annotated with markings such as (p2′p3′p4′), (p1′′p3′p4′), (p2′′p3′p3′′p4′), (p1′p5′), (p2′p4′′), (p2′p5′′), (p2′′p4′′′).]

In the PN in Figure 1,a transitions t1 and t2 are both enabled in the initial marking. Firing either of them disables the other; hence this PN is non-persistent.
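As an added worked example (not the authors' code), the following Python implements the firing rule of Section 2, builds the reachability set depth-first, decides boundedness by the covering argument behind the Karp-Miller construction (a marking that strictly covers an earlier marking on the same firing path can be pumped, so the net is unbounded), reports the bound k and lists direct conflicts, i.e. the non-persistent pairs. All three nets are constructed here; the first is a net consistent with the text's description of Figure 2,a (the figure itself is not on this page), the other two are small bounded nets with and without a choice place.

```python
from collections import Counter


def freeze(counter):
    """Hashable marking: the set of (place, tokens) pairs with tokens > 0."""
    return frozenset((p, n) for p, n in counter.items() if n > 0)


class Unbounded(Exception):
    pass


class PetriNet:
    """Ordinary Petri net N = <P, T, F, m0>.  pre/post map a transition to the
    list of its input/output places; m0 maps places to token counts."""

    def __init__(self, pre, post, m0):
        self.pre = {t: Counter(ps) for t, ps in pre.items()}
        self.post = {t: Counter(ps) for t, ps in post.items()}
        self.m0 = freeze(Counter(m0))

    def enabled(self, m, t):
        m = dict(m)
        return all(m.get(p, 0) >= n for p, n in self.pre[t].items())

    def fire(self, m, t):
        """m1 --t--> m2: one token less per input place, one more per output place."""
        m2 = Counter(dict(m))
        m2.subtract(self.pre[t])
        m2.update(self.post[t])
        return freeze(m2)

    def explore(self):
        """Depth-first construction of the reachability set.  A new marking that
        strictly covers a marking on the current DFS path can be reached again and
        again with more tokens, so the net is unbounded and exploration stops.
        Returns (bounded?, markings seen so far)."""
        seen, path = set(), []

        def covers(a, b):  # a >= b place-wise and a != b
            da = dict(a)
            return a != b and all(da.get(p, 0) >= n for p, n in b)

        def dfs(m):
            if any(covers(m, ancestor) for ancestor in path):
                raise Unbounded(m)
            seen.add(m)
            path.append(m)
            for t in self.pre:
                if self.enabled(m, t):
                    m2 = self.fire(m, t)
                    if m2 not in seen:
                        dfs(m2)
            path.pop()

        try:
            dfs(self.m0)
        except Unbounded:
            return False, seen
        return True, seen

    def bound(self):
        """Smallest k for which the net is k-bounded, or None if it is unbounded."""
        bounded, seen = self.explore()
        if not bounded:
            return None
        return max((n for m in seen for _, n in m), default=0)

    def direct_conflicts(self):
        """Pairs (ti, tj) such that ti is enabled together with tj in some reachable
        marking and disabled by firing tj.  Empty iff the net is persistent.
        Needs a bounded net (finite reachability set)."""
        bounded, seen = self.explore()
        assert bounded, "persistency check needs a finite reachability set"
        conflicts = set()
        for m in seen:
            enabled = [t for t in self.pre if self.enabled(m, t)]
            for ti in enabled:
                for tj in enabled:
                    if ti != tj and not self.enabled(self.fire(m, tj), ti):
                        conflicts.add((ti, tj))
        return conflicts


# Constructed: a net consistent with the description of Figure 2,a; the trace
# t1, t2, t1, ... pumps tokens into p3 while p4 is never consumed.
FIG2A = PetriNet(pre={"t1": ["p1"], "t2": ["p2"], "t3": ["p3", "p4"], "t4": ["p5"]},
                 post={"t1": ["p2", "p3"], "t2": ["p1"], "t3": ["p5"], "t4": ["p4"]},
                 m0={"p1": 1, "p4": 1})

# Constructed: p1 is a free-choice place between t1 and t2 (non-persistent).
CHOICE = PetriNet(pre={"t1": ["p1"], "t2": ["p1"], "t3": ["p2"]},
                  post={"t1": ["p2"], "t2": ["p2"], "t3": ["p1"]},
                  m0={"p1": 1})

# Constructed: two independent cycles, concurrent but never in conflict (persistent).
PARALLEL = PetriNet(pre={"t1": ["p1"], "t2": ["p2"], "t3": ["p3"], "t4": ["p4"]},
                    post={"t1": ["p2"], "t2": ["p1"], "t3": ["p4"], "t4": ["p3"]},
                    m0={"p1": 1, "p3": 1})

if __name__ == "__main__":
    print("Fig. 2,a bounded?", FIG2A.explore()[0])
    print("CHOICE: k =", CHOICE.bound(), "direct conflicts:", CHOICE.direct_conflicts())
    print("PARALLEL: k =", PARALLEL.bound(), "direct conflicts:", PARALLEL.direct_conflicts())
```

The covering test is sound and, for the DFS path, complete: an unbounded net has an infinite DFS path of distinct markings, and by Dickson's lemma two of them are comparable, so the check fires after finitely many steps. The persistency check, on the other hand, enumerates the reachability set and therefore applies only to bounded nets.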

Since we will use equivalent transformations of PNs, an equivalence notion must be defined. The behaviors of PNs can be compared by their languages, where the language of a PN is the set of its traces.

Definition 1. [Strong Equivalence] PN N1 is strongly equivalent to PN N2 if: (1) there is a one-to-one correspondence between the transitions T1 of N1 and T2 of N2, and (2) for each trace of transitions in N1 there is an equivalent trace of transitions in N2 and vice versa.

Strong equivalence requires two PNs to have isomorphic sets of transitions. A weaker notion of equivalence is useful when several transitions in one PN can be mapped onto one transition in the other.

Definition 2. [Trace equivalence] [22] PNs N1 and N2 with sets of transitions T1 and T2 are trace equivalent with respect to a partition r ⊆ T1 × T2 iff for any trace s = t1, . . . , tk, . . . feasible in N1 there exists a trace p = t′1, . . . , t′k, . . . feasible in N2 such that t′i r ti for every i = 1, . . . , k, . . .

Although traces are convenient for defining properties of PNs, they are impractical for checking these properties due to the explosion in the number of states for parallel PNs. Our aim is to define ordering relations between places and transitions in acyclic PNs and to use these ordering relations for checking properties of PNs, in particular for checking equivalence, without extracting traces.


Definition 3. [Ordering relations] Let N = ⟨P, T, F⟩ be an acyclic PN and x1, x2 ∈ P ∪ T.

• x1 precedes x2 (denoted by x1 ⇒ x2) if (x1, x2) belongs to the reflexive transitive closure of F, i.e., there is a path in the graph of the PN from x1 to x2.

• x1 and x2 are in conflict (denoted by x1 # x2) if there exist distinct transitions t1, t2 ∈ T such that •t1 ∩ •t2 ≠ ∅, t1 ⇒ x1, and t2 ⇒ x2. If x # x (where x ∈ P ∪ T), then x is in self-conflict.

• x1 and x2 are concurrent (denoted by x1 || x2) if they are neither in precedence nor in conflict.

Let us consider the introduced relations for the example of the acyclic PN in Figure 1,b. Directly by Definition 3 one can find that t1 ⇒ t4 ⇒ t5, t2 ⇒ t3 ⇒ t6, t1 # t2, t1 # t3, . . .. There are no concurrent places or transitions in this example.

Cyclic dependencies between transitions never occur in acyclic PNs, and this allows us to avoid changing the ordering relations for different occurrences of the same places and transitions. The concurrency relation is defined to be disjoint from the conflict and precedence relations. However, the conflict and precedence relations are not disjoint. Consider, for example, the transitions t7 and t8 shown in Figure 1,b. A path between them exists and thus t7 ⇒ t8, yet they are successors of the conflicting transitions t1, t2 and therefore t7 # t8. The transitions t7 and t8 are simultaneously in conflict and in precedence. Furthermore, by the same argument it can be shown that the transition t7 is in self-precedence (due to the reflexivity of ⇒) and in self-conflict.

We will further restrict acyclic nets to make the conflict and precedence relations disjoint.

Definition 4. [Occurrence net] An occurrence net is an acyclic net N = ⟨P, T, F⟩ in which every place p ∈ P has at most one input transition: |•p| ≤ 1.

This definition corresponds to the definition of occurrence nets given in [18, 3]. Note that we consider occurrence nets as a particular case of acyclic PNs. Therefore, the initial marking for occurrence nets is uniquely defined by the places having no input transitions.

In occurrence nets, all three types of ordering relations are disjoint [18]. This gives the opportunity to compare nets by the ordering relations between transitions rather than by traces.

Given a cyclic PN, we proceed with analysis in three stages.

• The original PN is transformed into its equivalent unfolding, which is a finite prefix of the corresponding occurrence net.

• The ordering relations between transitions and places are derived for the unfolding. These relations fully characterize the behavior of the unfolding and therefore the behavior of the original net.

• The properties of the PN are checked by the derived ordering relations.


We will first show that the ordering relations determine the properties of occurrence nets and, therefore, unfoldings.

Proposition 1 Two occurrence nets N1 = ⟨P1, T1, F1⟩ and N2 = ⟨P2, T2, F2⟩ with isomorphic sets of transitions T1 and T2 are strongly equivalent iff the ordering relations between the corresponding reachable transitions in N1 and N2 coincide.

Proof: ⇒. Let N1 and N2 be strongly equivalent occurrence nets and let the transitions $t^1_i, t^1_j \in T_1$ be in one-to-one correspondence with $t^2_i, t^2_j \in T_2$. Let us assume that the ordering relations between $t^1_i, t^1_j$ and between $t^2_i, t^2_j$ are different. Four major cases are possible:

• $t^1_i \Rightarrow t^1_j$ and $t^2_i \parallel t^2_j$,

• $t^1_i \Rightarrow t^1_j$ and $t^2_i \Leftarrow t^2_j$,

• $t^1_i \Rightarrow t^1_j$ and $t^2_i \,\#\, t^2_j$,

• $t^1_i \,\#\, t^1_j$ and $t^2_i \parallel t^2_j$.

All other cases reduce to the four basic cases above. Let us proceed by cases. The proof of the first three cases is actually the same and therefore these cases can be combined.

Cases 1, 2 and 3. $t^1_i \Rightarrow t^1_j$ and $t^2_i \not\Rightarrow t^2_j$. If $t^1_i \Rightarrow t^1_j$, then there exists a path s between $t^1_i$ and $t^1_j$. Let us show that $t^1_j$ cannot fire without $t^1_i$.

The proof is by induction on the number of transitions, k, in the path s. Base. Let us assume that k = 0 and therefore $t^1_i$ and $t^1_j$ are "mediated" only by one place p, i.e., s = p and the place $p \in t^1_i{}^{\bullet} \cap {}^{\bullet}t^1_j$. By the definition of the occurrence net, $t^1_i$ is the only input transition of the place p and therefore $t^1_j$ cannot fire without firing $t^1_i$.

Step. Any path $s = t^1_i, \dots, t^1_j$ with k + 1 transitions can be split into two parts: a path s′ from $t^1_i$ to t (with k transitions) and an elementary path from t to $t^1_j$ through one place p. According to the induction hypothesis, t cannot fire without $t^1_i$. By the induction base, $t^1_j$ cannot fire without t. This implies that $t^1_j$ cannot fire without $t^1_i$. This concludes the induction.

Let us inhibit the firing of transition $t^2_i$ in N2 and construct all traces that do not contain $t^2_i$. The transition $t^2_i$ does not precede $t^2_j$ and therefore there exists a trace q2 such that $t^2_j \in q_2$ while $t^2_i \notin q_2$. The strong equivalence of N1 and N2 implies that the equivalent trace q1 is feasible in N1 with $t^1_j \in q_1$ while $t^1_i \notin q_1$. This contradicts $t^1_i \Rightarrow t^1_j$.

Case 4. $t^1_i \,\#\, t^1_j$ and $t^2_i \parallel t^2_j$. Clearly, a sequence q2 is feasible in N2 such that $t^2_j, t^2_i \in q_2$. From the conflict between $t^1_i$ and $t^1_j$ it follows that one can find $t^1_1, t^1_2 \in T_1$ such that ${}^{\bullet}t^1_1 \cap {}^{\bullet}t^1_2 = \{p\}$, $t^1_1 \Rightarrow t^1_i$, and $t^1_2 \Rightarrow t^1_j$. Any occurrence net is safe: the initial marking is safe in an acyclic net and, since each place can have only one input transition, all the reachable markings are also safe. Safeness and absence of cycles in N1 imply that the place p can be marked only once and thus only one of the transitions $t^1_1$ or $t^1_2$ can fire. Therefore, in N1, no trace can contain both $t^1_i$ and $t^1_j$. This contradicts the strong equivalence of N1 and N2.

⇐. Let us assume that the ordering relations coincide for equivalent reachable transitions in N1 and N2, but the nets are not strongly equivalent. Then, in N1 say, there must be a trace q1 that has no equivalent trace in N2. Suppose that q1 has the minimal length among all such traces, i.e., $q_1 = r_1, t^1_i$, where the trace r1 has the equivalent trace r2 in N2. Let us consider the input places of the transition $t^2_i \in T_2$ (which corresponds to $t^1_i \in T_1$). Trace q1 has no equivalent trace in N2 and therefore $t^2_i$ cannot fire after r2. This means that either some transition $t^2 \in r_2$ already consumed a token from one of the input places of $t^2_i$, or some transition $t^2 \notin r_2$ needs to fire to produ-ce a token in one of the input places of $t^2_i$. In the first case the following condition is satisfied: $t^2 \,\#\, t^2_i$; in the second: $t^2 \Rightarrow t^2_i$. Let $t^1 \in T_1$ correspond to $t^2 \in T_2$. Then in both of the above cases the ordering relations between $t^1$ and $t^1_i$ in N1 differ from the relations between $t^2$ and $t^2_i$ in N2. We have reached a contradiction.

Figure 3. Unfolding of a cyclic PN into an occurrence net. [Figure not reproduced here; it shows the ordinary and the reduced unfolding of the PN of Figure 1,a with instantiations such as t1′, t10′′, p8′′′.]

3. Unfolding

This section presents the basic theory of unfoldings and gives an enhanced criterion to truncate the occurrence net into an unfolding. Figure 3 shows an occurrence net for the PN from Figure 1,a. Each transition ti of the initial PN has a set of corresponding transitions in its occurrence net, ti′, ti′′, ti′′′, . . ., which are called instantiations of ti. Similarly, for each place pj of the initial PN there are corresponding instantiations pj′, pj′′, pj′′′, . . . in the occurrence net. It can be shown that under the partition r that associates each transition t of the PN with its instantiations t′, t′′, . . ., the original PN is trace equivalent to its occurrence net. Further we will refer to any object in the occurrence net which is equivalent to an object in the original cyclic PN by adding one or more apostrophes (or a superscript) to its name. Correspondingly, for any given object in the unfolding the corresponding object in the cyclic PN is denoted by the same name without apostrophes. For example, t′ and t are the corresponding transitions in an occurrence net and a PN, m′ is a marking in the occurrence net and m is the corresponding marking in the PN, and s′ is a trace in the occurrence net with the equivalent trace s in the PN.

For the analysis of a cyclic PN an equivalent occurrence net is used. Although the occurrence net of a cyclic PN can be infinite, it is always possible for a bounded PN to truncate the occurrence net to a finite "complete" subgraph which possesses all the information about the original PN (e.g., it contains all the reachable markings of the original net). This complete subgraph is called an unfolding. The criteria to generate unfoldings for different classes of PNs were suggested in [13, 10, 23]. We will present notions related to the unfolding and discuss two criteria to generate unfoldings for general PNs.

To truncate an occurrence net let us introduce several notions.

Definition 5. [Configurations] [13].

• A set of transitions C′ ⊂ T′ is a configuration in an occurrence net if: (1) for each t′ ∈ C′ the configuration C′ contains t′ together with all its predecessors; (2) C′ contains no transitions in mutual conflict.

• The minimal configuration that contains t′ and all the transitions preceding t′ is called a local configuration of the transition t′ (denoted {⇒ t′}).

Each configuration C′ corresponds to a marking that is reachable from m0 after all the transitions from C′ have been fired. This marking is called the final marking of C′ and is denoted by FM(C′)′ [13] (following our notation, the corresponding PN marking is denoted by omitting the apostrophe: FM(C′)).

Definition 6. [Final and basic markings] Let C′ be a configuration of an occurrence net. A final marking of C′, denoted FM(C′)′, is a marking reachable from the initial marking after all transitions from C′, and only those transitions, are fired. The final marking of the local configuration of t′ is called the basic marking of t′ and denoted BM(t′)′.

In the occurrence net a configuration exists for any reachable marking. In other words, each marking serves as a final marking of some configuration. A basic marking BM(t′)′ is the marking reachable after t′ and all its predecessors have been fired. In the occurrence net of the unbounded PN from Figure 2,b, the local configuration {⇒ t4′} of transition t4′ is equal to {t1′, t3′, t4′}. The basic marking of t4′ is BM(t4′)′ = {p2′, p4′′}. It indicates that p2′ || p4′′, since all the places of a marking are concurrent. The marking {p1′′, p4′′} does not correspond to any local configuration, but it does correspond to the configuration {t1′, t2′, t3′, t4′}.

The size of a local configuration plays an important role in the construction of an unfolding. It defines the order in which different transitions are generated. To fix the metrics for the order of transition generation let us introduce several notions.

Let C′ be a configuration in an occurrence net; then |C′| stands for the size (number of transitions) of the configuration C′. |⇒ t′| stands for the size of the local configuration {⇒ t′} and is also called the depth of transition t′. The depth of a set of transitions T′ (denoted by ||T′||) is defined as the maximal depth among the transitions in T′, i.e., ||T′|| = max over t′ ∈ T′ of |⇒ t′|. A set of transitions of an occurrence net with the same depth will be called a tier of the occurrence net. As will be shown in Section 7, the occurrence net is generated following increasing depth of transitions, tier by tier.

A cutoff criterion is needed for truncating an occurrence net. Such a criterion was introduced in [13].


Definition 7. A transition t′i of an occurrence net is a cutoff transition if another transition t′j exists such that (1) BM(t′i) = BM(t′j) and (2) |⇒ t′i| > |⇒ t′j|, i.e., the size of {⇒ t′i} is greater than the size of {⇒ t′j}.

Definition 8. [Unfolding] An unfolding is obtained from an occurrence net by removing all the places and transitions which succeed cutoffs.

For a bounded PN an unfolding is a finite acyclic PN. It was shown in [13] that no reachable marking of the original PN is lost in the unfolding. The cutoff criterion introduced by Definition 7 works for any general PN. However, it cannot guarantee that the size of the unfolding is less than the size of the RG [10]. For some PNs the size of the unfolding is greater than the RG size and therefore the usage of unfoldings for analysis might be inefficient. To overcome this problem a new enhanced cutoff criterion is suggested which allows the size of an unfolding to be reduced. Further, cutoffs obtained by Definition 7 will be called GT-cutoffs¹ to distinguish them from the EQ-cutoffs², which are obtained by our enhanced criterion (Definition 9).

Definition 9. [EQ-cutoff] A transition t′i of an occurrence net is an EQ-cutoff transition if it is not a GT-cutoff transition and another transition t′j exists such that (1) BM(t′i) = BM(t′j), (2) |⇒ t′i| = |⇒ t′j|, (3) t′i is not parallel to t′j, and (4) there are no EQ-cutoffs among transitions t′k such that t′k || t′j and |⇒ t′k| ≤ |⇒ t′j|.

If a transition is either a GT-cutoff or an EQ-cutoff, then it is called an enhanced cutoff or simply a cutoff. Transition t′j from Definitions 7 and 9 is called an image of cutoff t′i. The GT-cutoff definition allows only transitions with a smaller local configuration to be chosen as a cutoff image. In this way it completely coincides with the cutoff definition from [13]. The enhanced cutoff definition relaxes this condition and allows us to choose as a cutoff image another transition t′j whose local configuration has the same size as that of t′i. This can be done if every previously generated enhanced cutoff t′k parallel to t′j has an image with a smaller local configuration, i.e., t′k is a GT-cutoff. Therefore, a transition might or might not be an EQ-cutoff depending on the order in which the transitions of the occurrence net are generated. We will further show that there is an order of generation of the unfolding which allows us to use EQ-cutoffs without ambiguity. An unfolding generated on the basis of the enhanced cutoff criterion will be called a reduced unfolding, while McMillan's unfolding will be called an ordinary unfolding.

The enhanced cutoff criterion always improves on McMillan's cutoffs because in the case of equal-size configurations it still allows, under certain conditions (namely the conditions for an EQ-cutoff), the unfolding to be truncated. The idea of the enhancement by EQ-cutoffs comes from the way of finding the configuration for any reachable marking in a reduced unfolding. To illustrate it, let us consider a marking m reachable from the initial marking m0 through the firing of a trace s. In the occurrence net there will be a configuration C′ that corresponds to s and whose final marking FM(C′) is equal to m. If in a reduced unfolding no transition of C′ is a cutoff, then C′ belongs to the unfolding and the necessary configuration corresponding to m is found. If C′ has a cutoff transition, then we can "switch" from C′ to another configuration C1′ that contains the image of the cutoff and continue the consideration. If by "switching" configurations the same configuration is never visited twice, then sooner or later we arrive at a configuration that contains no cutoffs and represents the considered marking m in a reduced unfolding. Now it is easy to understand the conditions for an EQ-cutoff. They guide a proper "switching" of configurations and ensure that we never return to the same configuration.

Figure 4. A PN with sequential choices (a) and its unfolding (b). [Figure not reproduced here; it contrasts the ordinary and the reduced unfolding of a net with places p1, . . . , pn and a closing transition tk, with basic markings such as (p2′), (p2′′), (p3′), (p3′′), (p3′′′), (p1′′) shown at cutoffs.]

The major advantage of the enhanced cutoff criterion is the typically much smaller size of the reduced unfolding in comparison with the size of the RG of a PN. For example, for the 60-user distributed mutual exclusion (DME) arbiter (see Section 7) the RG contains approximately 7.0 × 10^19 markings, while the reduced unfolding contains only 240 transitions. The reduced and ordinary [13] unfoldings for the PN from Figure 1 are shown in Figure 3 by dashed and dotted lines respectively.

By comparing the sizes of ordinary and reduced unfoldings we can conclude that they differ significantly for PNs with several sequential conflicts. For such nets the size of the ordinary unfolding truncated by GT-cutoffs can grow exponentially in the number of conflicts, while the reduced unfolding grows linearly. The latter is demonstrated by Figure 4,a,b, where all the places p1, . . . , pn−1 make free choices between alternative trajectories of equal length and therefore the ordinary unfolding contains 2^(n−1) instantiations of the place pn, while in the reduced unfolding each place is represented only once. Basic markings used for cutoffs are shown in brackets for some of the transitions in Figure 4,b.
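The following Python is an added example, not the authors' implementation from Section 7 (which is not on this page), of tier-by-tier unfolding with the GT-cutoffs of Definition 7 and the EQ-cutoffs of Definition 9. It assumes an ordinary net with non-empty presets; that a cutoff image must itself be a non-cutoff transition; that within a tier candidates are generated in the order (transition name, input condition ids); and that the output places of a cutoff are dropped (Definition 8). The net sequential_choices(n) is constructed in the shape of Figure 4,a, and running both criteria on it reproduces the 2^(n−1) versus one instantiation of p_n claimed in the text.

```python
from collections import Counter
from itertools import combinations, product


def unfold(transitions, m0, eq_cutoffs=True):
    """Unfold an ordinary Petri net tier by tier (increasing depth).

    transitions: {t: (input places, output places)}, presets non-empty;
    m0: {place: tokens}.  eq_cutoffs=False uses GT-cutoffs only (McMillan's
    ordinary unfolding).  Returns (events, live conditions); an event is a dict
    with keys t, pre, H (local configuration), depth, bm (basic marking), cutoff."""
    conds = []     # condition id -> (place, producing event id or None)
    events = []    # event id -> dict
    dead = set()   # conditions produced by cutoffs: never extended (Definition 8)
    for p, n in m0.items():
        conds.extend([(p, None)] * n)

    def hist(c):                       # events that must fire before c exists
        e = conds[c][1]
        return events[e]["H"] if e is not None else frozenset()

    def conflict_free(evs):            # no condition consumed by two distinct events
        return all(n == 1 for n in Counter(c for e in evs for c in events[e]["pre"]).values())

    def before(c1, c2):                # c1 => c2, strictly
        return any(c1 in events[e]["pre"] for e in hist(c2))

    def cond_co(c1, c2):               # c1 || c2 (Definition 3 on the occurrence net)
        return not before(c1, c2) and not before(c2, c1) and conflict_free(hist(c1) | hist(c2))

    def event_co(e1, e2):              # e1 || e2
        h1, h2 = events[e1]["H"], events[e2]["H"]
        return e1 not in h2 and e2 not in h1 and conflict_free(h1 | h2)

    def final_marking(H):              # FM(C) mapped to the PN: sorted multiset of places
        m = Counter(p for p, e in conds if e is None or e in H)
        m.subtract(Counter(conds[c][0] for e in H for c in events[e]["pre"]))
        return tuple(sorted(m.elements()))

    while True:
        cands = []
        for t, (pre, _) in transitions.items():
            pools = [[c for c, (p, _) in enumerate(conds) if p == place and c not in dead]
                     for place in pre]
            for combo in product(*pools):
                if any(ev["t"] == t and ev["pre"] == frozenset(combo) for ev in events):
                    continue           # this instantiation already exists
                if all(cond_co(a, b) for a, b in combinations(combo, 2)):
                    H = frozenset().union(*map(hist, combo))
                    cands.append((len(H) + 1, t, combo, H))
        if not cands:
            return events, [pc for c, pc in enumerate(conds) if c not in dead]
        tier = min(c[0] for c in cands)    # generate one tier at a time
        for depth, t, combo, H in sorted((c for c in cands if c[0] == tier), key=lambda c: c[:3]):
            eid = len(events)
            ev = {"t": t, "pre": frozenset(combo), "H": H | {eid}, "depth": depth, "cutoff": None}
            events.append(ev)
            post = range(len(conds), len(conds) + len(transitions[t][1]))
            conds.extend((p, eid) for p in transitions[t][1])
            ev["bm"] = final_marking(ev["H"])
            images = [j for j in range(eid)
                      if events[j]["cutoff"] is None and events[j]["bm"] == ev["bm"]]
            if any(events[j]["depth"] < depth for j in images):
                ev["cutoff"] = "GT"        # Definition 7
            elif eq_cutoffs and any(       # Definition 9, conditions (2)-(4)
                    events[j]["depth"] == depth and not event_co(eid, j)
                    and not any(events[k]["cutoff"] == "EQ" and events[k]["depth"] <= depth
                                and event_co(k, j) for k in range(eid))
                    for j in images):
                ev["cutoff"] = "EQ"
            if ev["cutoff"]:
                dead.update(post)


def sequential_choices(n):
    """Constructed net in the shape of Figure 4,a: each place p_i (i < n) is a free
    choice between two transitions a_i, b_i leading to p_{i+1}; tk returns from
    p_n to p_1.  Initial marking: one token in p1."""
    trans = {}
    for i in range(1, n):
        trans[f"a{i}"] = ([f"p{i}"], [f"p{i + 1}"])
        trans[f"b{i}"] = ([f"p{i}"], [f"p{i + 1}"])
    trans["tk"] = ([f"p{n}"], ["p1"])
    return trans, {"p1": 1}


def instantiations(conditions, place):
    """Number of instantiations p', p'', ... of a place in the unfolding."""
    return sum(1 for p, _ in conditions if p == place)


if __name__ == "__main__":
    for n in (3, 4, 5):
        ev_r, co_r = unfold(*sequential_choices(n))
        ev_o, co_o = unfold(*sequential_choices(n), eq_cutoffs=False)
        print(f"n={n}: reduced {len(ev_r)} transitions, p{n} x{instantiations(co_r, f'p{n}')}; "
              f"ordinary {len(ev_o)} transitions, p{n} x{instantiations(co_o, f'p{n}')}")
```

Call unfold only on bounded nets: for an unbounded net such as the one of Figure 2,a the occurrence net is infinite and no cutoff ever fires. The example does not re-check Proposition 2 (that every reachable marking is the final marking of some configuration of the reduced unfolding); that check would enumerate configurations, which is what unfolding is meant to avoid.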

An indication of how often such specifications occur in practice is given in the experimental Section 8. In practical examples we obtained an improvement in the size of the reduced unfoldings compared to the ordinary ones in about half the cases. The reduction ratios varied, the maximum reaching a factor of 30.

A reduced unfolding contains all the information about its original PN. To prove this, let us show that a reduced unfolding presents complete information on the reachability of markings for a general PN. A similar proposition for ordinary unfoldings was proved in [13].


Proposition 2 Let C ′ be a configuration in an occurrence net andFM(C ′)′ be itsfinal marking. Then there is a configurationC1′ in the reduced unfoldingN ′ such thatFM(C1′) = FM(C ′). 3

Proof: If configuration $C'$ contains no cutoffs, then $C' \subset N'$ and the proposition is trivial. Otherwise, let $C'_1, \ldots, C'_m$ be all configurations in the occurrence net such that: (1) $FM(C') = FM(C'_1) = \ldots = FM(C'_m)$ and (2) $C'_1, \ldots, C'_m$ are of minimal size. This set is always finite.

Assume that none of them is included in the reduced unfolding $N'$, and let us seek a contradiction. The only reason why $C'_i \not\subset N'$ is that it contains at least one cutoff. Let $Cut(C'_i) = \{t'_{i1}, \ldots, t'_{ik}\}$ be the set of cutoffs of each $C'_i$. Let $C'_j$ be a configuration from $C'_1, \ldots, C'_m$ with a maximal depth of the set of cutoffs, i.e., for any other $C'_i$: $\|Cut(C'_j)\| \ge \|Cut(C'_i)\|$. Assume that $t_1' \in C'_j$ is the cutoff with the maximal depth, and that $t_2' \in N'$ is the image of the cutoff $t_1'$, so that $BM(t_1') = BM(t_2')$.

Two cases are possible.

Case 1. $|\Rightarrow t_1'| > |\Rightarrow t_2'|$, i.e., $t_1'$ is a GT-cutoff. Marking $FM(C'_j)'$ is reached from $BM(t_1')'$ in $|C'_j| - |\Rightarrow t_1'|$ steps. Therefore, in the original PN $FM(C'_j)$ is also reached from $BM(t_1')$ in $|C'_j| - |\Rightarrow t_1'|$ steps. Since $BM(t_1') = BM(t_2')$, in the occurrence net there is another marking corresponding to $FM(C'_j)$ which is reached from $BM(t_2')'$ in the same $|C'_j| - |\Rightarrow t_1'|$ steps. Therefore, in the occurrence net there is another configuration $C^{*\prime}$ with a final marking $FM(C^{*\prime})'$ such that $t_2' \in C^{*\prime}$ and $FM(C^{*\prime}) = FM(C'_j) = FM(C')$. Configuration $C^{*\prime}$ differs from $C'_j$. Since $|\Rightarrow t_2'| < |\Rightarrow t_1'|$, the sizes of the configurations satisfy $|C^{*\prime}| < |C'_j|$. This contradicts the assumption that $C'_j$ is of minimal size.

Case 2. $|\Rightarrow t_2'| = |\Rightarrow t_1'|$, i.e., $t_1'$ is an EQ-cutoff. Let us choose among $C'_1, \ldots, C'_m$ a configuration $C'_k$ which contains transition $t_2'$. Such a configuration $C'_k$ exists in the occurrence net because, if $FM(C'_j)'$ is reached from $BM(t_1')'$ in $|C'_j| - |\Rightarrow t_1'|$ steps, then by making $|C'_j| - |\Rightarrow t_1'|$ steps from $BM(t_2')'$ (where $BM(t_2') = BM(t_1')$) one reaches a final marking $FM(C'_k)'$ such that $FM(C'_k) = FM(C'_j)$. Since by condition 3 of Definition 9 $t_2'$ is not parallel to $t_1'$, we have $t_1' \not\in C'_k$ and therefore $C'_k \ne C'_j$.

Consider configuration $C'_k$ more carefully. $C'_k$ contains no cutoffs of depth $n > |\Rightarrow t_1'|$; otherwise $\|Cut(C'_k)\| > \|Cut(C'_j)\|$, which contradicts the choice of $C'_j$ as the configuration with the maximal possible depth of cutoffs. That is, all cutoffs in $C'_k$ have a depth less than or equal to $|\Rightarrow t_1'|$.

Also, $C'_k$ contains no cutoffs preceding $t_2'$; otherwise $t_2'$ would not be generated in the reduced unfolding and could not serve as the image of the cutoff $t_1'$. That is, all cutoffs in $C'_k$ must be concurrent to $t_2'$.

Since $t_2'$ is the image of the EQ-cutoff $t_1'$, by condition 4 of Definition 9 every cutoff $t_3'$ in $C'_k$ that is concurrent to $t_2'$ is a GT-cutoff, and hence its image $t_4'$ has a smaller depth than $t_3'$: $|\Rightarrow t_4'| < |\Rightarrow t_3'|$. Applying the reasoning of Case 1 to the configuration $C'_k$ yields a contradiction with the minimal size of $C'_k$. This completes the proof.

Corollary 1 For a general PN the reachability of a marking, a transition, or a place can be determined by a reduced unfolding.

From Corollary 1 it follows that all problems related to marking reachability in a PN can be solved directly by an unfolding. However, the information on the reachability of markings is stored only implicitly in an unfolding, since each place of a PN has many corresponding instantiations in its unfolding. Hence, it is not easy to find a configuration for a particular marking. A more promising approach is to analyze a PN based on the ordering relations in the unfolding.


4. Checking the properties of PNs

In this Section we will show how to analyze PNs by checking the ordering relations in their unfoldings. The properties chosen for analysis are:

• Safeness,

• Boundedness,

• Persistency.

These are the key properties for applying PNs to the specification of asynchronous circuits. Boundedness guarantees finiteness of the specification and therefore confirms that the specification might be implemented with a finite circuit. Safeness and persistency simplify the implementation of a PN with a circuit significantly. For example, a direct translation of safe and persistent PNs into self-timed circuits is proposed in [21]. This method gives correct-by-construction implementations that need not be verified afterwards. Persistency is also related to the hazard-freedom of asynchronous circuits. Section 5 shows how PNs labeled with signal transitions can be used for specifying asynchronous circuits.

4.1. Safeness and boundedness

Safeness is checked on the basis of the following Proposition.

Proposition 3 A PN is safe if and only if each place $p$ has no concurrent instantiations in its reduced unfolding.

Proof: $\Longrightarrow$ Clearly, if the reduced unfolding contains a pair of concurrent instantiations $p'$ and $p''$ of the place $p$, then $p'$ and $p''$ both belong to the same configuration $C'$. Therefore, under the marking $FM(C')$ corresponding to $C'$ the PN is unsafe. $\Longleftarrow$ Suppose the original PN contains a marking $m$ that is unsafe for some place $p$; for example, $m$ contains two tokens in $p$. Then by Proposition 2 a configuration $C'$ will be found in the reduced unfolding such that $FM(C') = m$. From the definition of a final marking it follows directly that there are two instantiations $p', p'' \in C'$ of place $p$ with $p' \| p''$.

Proposition 3 implies that checking the safeness property of a cyclic PN can be reduced to the analysis of the concurrency relation between the places in its reduced unfolding. For example, in the reduced unfolding in Figure 2,b the instantiations $p_3'$ and $p_3''$ are concurrent. This allows us to conclude that the PN in Figure 2,a is unsafe.

The following proposition extends the results of [10] to the class of general PNs.

Proposition 4 [9] Let $N'$ be the reduced unfolding of PN $N$. $N$ is unbounded if and only if there is a transition $t \in T$ that has two instantiations $t'$ and $t''$ in $N'$ such that $t' \Rightarrow t''$ and $BM(t') < BM(t'')$.

According to Proposition 4, checking the boundedness of a PN can be reduced to the analysis of the precedence relation between the transitions in its reduced unfolding.

Figure 5. Two equivalent PNs: with structure conflict (a), without conflicts (b). [Figure not reproduced; nets $N_1$ and $N_2$ over places $p_1, p_2, p_3$ and transitions $t_1, t_2$.]

Figure 6. PN with direct and non-direct conflicts. [Figure not reproduced; places $p_1', p_2', p_3', p_4', p_5', p_5''$ and transitions $t_1', t_2', t_3', t_4'$.]

Let us return to our example of Figure 2. As soon as the transition $t_1''$ is generated in the unfolding one can conclude that the original PN is unbounded. Indeed, both $t_1'$ and $t_1''$ are instantiations of the same transition $t_1$, and $t_1' \Rightarrow t_1''$. Since $BM(t_1'') = p_2 p_3 p_3 p_4 > BM(t_1') = p_2 p_3 p_4$, the number of tokens in place $p_3$ can grow infinitely and this place is unbounded.

4.2. Persistency

The persistency property (see Section 2) is defined in terms of markings, but it is closely related to the conflict relations between transitions.

An unfolding gives an explicit representation of conflicts, contrary to a PN, where conflicts cannot be defined by the structure of its graph alone. The latter is illustrated in Figure 5,a. In PN $N_1$ transitions $t_1$ and $t_2$ share the common input place $p_2$, but they actually fire in sequence ($N_1$ is trace equivalent to $N_2$ in Figure 5,b; this can be justified by the strong equivalence of the unfoldings of $N_1$ and $N_2$).

However, even in unfoldings, a finer consideration of conflict relations is needed for determining the non-persistency of transitions. Not every pair of conflicting transitions is in direct conflict. For example, the conflicting transitions $t_3', t_4'$ of the PN in Figure 6 do not share any input place and thus cannot disable each other. The conflicting transitions $t_1', t_4'$ are also not in direct conflict (although they share the input place $p_2'$), because the two transitions are never enabled simultaneously.

The structural properties of direct conflicts in a reduced unfolding are given by the following Proposition.


Proposition 5 Let the set of transitions $I(t) = {}^\bullet({}^\bullet t)$ be called the set of direct predecessors of $t$ ($I(t)$ contains all transitions whose output places are inputs of $t$). Transitions $t_1'$ and $t_2'$ of an unfolding are in direct conflict iff (1) they share the same input place and (2) no conflict pair $\{t'_i, t'_j\} \ne \{t_1', t_2'\}$ exists such that $t'_i \in I(t_1') \cup \{t_1'\}$ and $t'_j \in I(t_2') \cup \{t_2'\}$.

Proof: $\Longleftarrow$ Suppose both conditions of Proposition 5 are satisfied. Clearly, if two transitions $t_1'$ and $t_2'$ in the unfolding share the same input place $p'$, they cannot be in precedence (otherwise $p'$ would be an input place for only one of them). Also, $t'_i{}^\bullet \cap t'_j{}^\bullet = \emptyset$, since no place in the unfolding has more than one input transition. Thus, no transition in $I(t_1')$ precedes any transition in $I(t_2')$, and vice versa. According to Condition 2 no transitions in $I(t_1')$ and $I(t_2')$ are in conflict, so all of them belong to some configuration $C'$ in the unfolding.

Let us imagine the iterative procedure for deriving the configuration $C'$. We start from a configuration $C_1'$ corresponding to the set of transitions $I(t_1')$ and add to $C_1'$ the transitions from $I(t_2')$ one by one. This requires adding the local configuration of each transition from $I(t_2')$ to $C_1'$. In the marking $FM(C_1')'$ corresponding to $C_1'$, transition $t_1'$ is enabled. In the marking $M' = FM(C')'$ corresponding to $C'$, after all transitions from $I(t_2')$ have been added, $t_2'$ is enabled and $t_1'$ remains enabled, too. Otherwise, if $t_1'$ became disabled in $FM(C')'$, then at some step of the construction of $C'$ adding a transition $t'_i \in I(t_2')$ would disable $t_1'$; thus $t'_i$ and $t_1'$ would have to be in conflict, which contradicts Condition 2 of Proposition 5. Firing either $t_1'$ or $t_2'$ from $M'$ disables the other (both share the same input place), and thus $t_1'$ and $t_2'$ are in direct conflict.

$\Longrightarrow$ Let $t_1'$ and $t_2'$ be in direct conflict. Then they definitely have a common input place (otherwise there is no way for them to disable each other). Condition 2 is also ensured, because the configuration for the marking $M'$ in which both $t_1'$ and $t_2'$ are enabled must contain all transitions from $I(t_1') \cup I(t_2')$.

According to Proposition 5, a persistency check can be reduced to the analysis of the conflict relations between transitions in a reduced unfolding.

For example, in the PN of Figure 6 transitions $t_1'$ and $t_4'$ are not in direct conflict because $t_2'$ is a direct predecessor of $t_4'$ and $t_2'$ is in conflict with $t_1'$. However, for the pair $\{t_1', t_2'\}$ all the conditions of Proposition 5 are satisfied, and therefore $t_1'$ and $t_2'$ are in direct conflict.
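The three checks of Sections 4.1 and 4.2 (Propositions 3, 4 and 5) use nothing but the ordering relations of the unfolding, so they can be coded directly against a prefix given as explicit pre- and post-sets. The Python program below is an added example and not part of the paper or its tools: the class `OccNet`, the function names, and the two constructed prefixes `GEN` and `CONF` are assumptions of this illustration. `GEN` imitates the situation described for Figure 2 (a transition whose repeated firing accumulates tokens in one place) and `CONF` the situation described for Figure 6 (two transitions sharing an input place without being in direct conflict); neither is a reproduction of those figures.

```python
from collections import Counter
from dataclasses import dataclass
from itertools import combinations


@dataclass
class OccNet:
    """A finite prefix of an occurrence net (an unfolding), constructed for this example.

    pre/post: input and output place instantiations of every transition instantiation;
    orig: map from every instantiation back to its node in the original PN;
    initial: the initially marked place instantiations.
    As in any occurrence net, every place has at most one input transition."""
    pre: dict
    post: dict
    orig: dict
    initial: set

    def input_transition(self, place):
        return next((t for t, ps in self.post.items() if place in ps), None)

    def ancestors(self, node):
        """All nodes that strictly precede `node` (backward reachability)."""
        seen, stack = set(), [node]
        while stack:
            x = stack.pop()
            preds = self.pre[x] if x in self.pre else ({self.input_transition(x)} - {None})
            for y in preds - seen:
                seen.add(y)
                stack.append(y)
        return seen

    def precedes(self, x, y):                      # x => y
        return x in self.ancestors(y)

    def transition_cone(self, x):
        """Transitions of the local configuration of x (x itself included if it is a transition)."""
        cone = {u for u in self.ancestors(x) if u in self.pre}
        return (cone | {x}) if x in self.pre else cone

    def in_conflict(self, x, y):                   # x # y: two distinct causes share an input place
        return any(u != v and self.pre[u] & self.pre[v]
                   for u in self.transition_cone(x) for v in self.transition_cone(y))

    def concurrent(self, x, y):                    # x || y
        return (x != y and not self.precedes(x, y) and not self.precedes(y, x)
                and not self.in_conflict(x, y))

    def basic_marking(self, t):
        """BM(t): PN marking (multiset of places) reached by firing the local configuration of t."""
        cone = self.transition_cone(t)
        produced = set(self.initial).union(*(self.post[u] for u in cone))
        consumed = set().union(*(self.pre[u] for u in cone))
        return Counter(self.orig[p] for p in produced - consumed)


def unsafe_places(net):
    """Proposition 3: a place is unsafe iff two of its instantiations are concurrent."""
    places = [p for p in net.orig if p not in net.pre]
    return sorted({net.orig[p] for p, q in combinations(places, 2)
                   if net.orig[p] == net.orig[q] and net.concurrent(p, q)})


def unbounded_witness(net):
    """Proposition 4: instantiations t' => t'' of one transition with BM(t') < BM(t'')
    (strict multiset inclusion) witness unboundedness. Returns the pair or None."""
    for a in net.pre:
        for b in net.pre:
            if a != b and net.orig[a] == net.orig[b] and net.precedes(a, b):
                ma, mb = net.basic_marking(a), net.basic_marking(b)
                if ma != mb and all(ma[p] <= mb[p] for p in ma):
                    return a, b
    return None


def direct_conflict(net, t1, t2):
    """Proposition 5: t1 and t2 share an input place, and no conflict pair other than {t1, t2}
    exists between I(t1) ∪ {t1} and I(t2) ∪ {t2}, where I(t) = •(•t)."""
    if not net.pre[t1] & net.pre[t2]:
        return False

    def direct_predecessors(t):
        return {net.input_transition(p) for p in net.pre[t]} - {None}

    return not any({ti, tj} != {t1, t2} and net.in_conflict(ti, tj)
                   for ti in direct_predecessors(t1) | {t1}
                   for tj in direct_predecessors(t2) | {t2})


# Constructed prefix (not the paper's Figure 2): PN with t1: p1 -> p1 + p2, unfolded for
# two firings. p2 accumulates tokens, so it is both unsafe and unbounded.
GEN = OccNet(
    pre={"t1'": {"p1'"}, "t1''": {"p1''"}},
    post={"t1'": {"p1''", "p2'"}, "t1''": {"p1'''", "p2''"}},
    orig={"p1'": "p1", "p1''": "p1", "p1'''": "p1", "p2'": "p2", "p2''": "p2",
          "t1'": "t1", "t1''": "t1"},
    initial={"p1'"},
)

# Constructed prefix (not the paper's Figure 6): t1' and t4' share p2', but t4' needs p4'
# produced by t2', and t2' is in conflict with t1' over p1'.
CONF = OccNet(
    pre={"t1'": {"p1'", "p2'"}, "t2'": {"p1'"}, "t4'": {"p2'", "p4'"}},
    post={"t1'": {"p5'"}, "t2'": {"p4'"}, "t4'": {"p5''"}},
    orig={"p1'": "p1", "p2'": "p2", "p4'": "p4", "p5'": "p5", "p5''": "p5",
          "t1'": "t1", "t2'": "t2", "t4'": "t4"},
    initial={"p1'", "p2'"},
)

if __name__ == "__main__":
    print("unsafe places:", unsafe_places(GEN))                      # ['p2']
    print("unbounded witness:", unbounded_witness(GEN))              # ("t1'", "t1''")
    print("t1' # t4' direct:", direct_conflict(CONF, "t1'", "t4'"))  # False (inherited via t2')
    print("t1' # t2' direct:", direct_conflict(CONF, "t1'", "t2'"))  # True
```

The conflict relation is the usual one for occurrence nets (two distinct causes sharing an input place), and concurrency is its complement together with precedence; the basic marking is obtained by firing the whole local configuration and mapping the remaining place instantiations back to PN places as a multiset, which is what the strict comparison in Proposition 4 needs.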

Proposition 6 Safeness, boundedness and persistency of a PN can be analyzed on the basis of the ordering relations in its unfolding.

5. Application to asynchronous design

To show the capabilities of the analysis based on the ordering relations in PN unfoldings we will consider the signal interpretation of PNs called Signal Transition Graphs. This model is one of the most popular in asynchronous design for specifying control circuits [1, 11, 14].

Signal Transition Graphs (STGs) are PNs whose transitions are interpreted as changes of circuit signal levels. A signal transition can be represented by $a_j+$ for the $j$-th transition of signal $a$ from 0 to 1, or $a_j-$ for its $j$-th transition from 1 to 0, while $a_j*$ is a generic name for either a rising or a falling transition of $a$. $S_A$ denotes the set of all signals of an STG; it can be divided into three non-intersecting subsets $S_I$, $S_O$ and $S_H$ of input, output and internal (hidden) signals respectively.

Figure 7. STG for a SM-latch (a) and its implementation (b). [Figure not reproduced; places $p_1, \ldots, p_8$ and transitions of signals $q$, $s$, $m$.]

Definition 10. An STG $D$ is a triple $\langle N, S_A, \lambda \rangle$, where $N$ is a PN, $S_A$ is the set of signals and $\lambda : T \to S_A \times \{1, 2, \ldots\} \times \{+, -\}$ is the partially defined labeling function. A transition $t$ with an undefined label $\lambda(t)$ is called a dummy transition.

This definition of an STG differs from the classical definition [1] in two ways: we do not limit the class of PNs to free-choice PNs, and we allow dummy transitions.

An example of an STG specifying the behavior of a SM-latch is shown in Figure 7,a. This STG is obtained by labeling the transitions of the PN from Figure 1,a with signal transitions. STGs are often drawn in their shorthand form, where transitions are denoted by their labels (instead of bars) and places with only one input and one output transition are omitted. The circuit implementation of the SM-latch is presented in Figure 7,b.

When talking about an STG and the circuit which implements it, we compare the behavior of these two objects by the languages they realize. The languages are characterized by sets of traces of signal transitions. Similarly to Section 2 we can define the notion of trace equivalence between an STG and a circuit. In this way the equivalence relation between signal transitions in an STG and in a circuit is given by the relationship between any transition $a_i+$ ($a_i-$) in the STG and any rising (falling) transition of signal $a$ in the circuit.

Definition 11. An STG $D$ is called SI-implementable if there is a speed-independent logic circuit $C$ trace equivalent to $D$.

A circuit is called speed-independent if its behavior does not depend on the gate delays [11, 6]. If an STG is SI-implementable, then one can derive from it logic equations for circuit gates provided it satisfies the Complete State Coding (CSC) requirement [1, 26, 11, 6]. If the CSC requirement is not met, then in an SI-implementable specification CSC violations can always be removed by inserting additional internal or input signals into the STG specification [11, 6]. Since the CSC problem has been very well studied, we will concentrate only on the conditions of SI-implementability itself.

Figure 8. Violations of state assignment consistency. [Figure not reproduced; panels (a) and (b) with states $s_1$, $s_2$ and transitions $b_1+$, $b_2+$, $a+$.]

In this section we define three conditions that are necessary and sufficient for the SI-implementability of STGs. One of these conditions is defined in terms of the State Graph corresponding to an STG. This is done only for convenience, because it is formulated in terms of SGs in a clear and natural form. Further, in Section 6 it is shown how to check the implementability conditions by analysis of the ordering relations between signal transitions. This allows us to check the implementation conditions by an STG unfolding without traversal of the reachable states.

A State Graph (SG) is a directed graph whose vertices correspond to the markings of the Reachability Graph. An SG vertex is labeled with a boolean vector $s = \langle s_1, \ldots, s_n \rangle$ representing the values of the STG signals ($n$ is the number of signals in the STG). This vector is called a state. Two states $s_1$ and $s_2$ corresponding to markings $m_1$ and $m_2$ are connected with an edge in the SG if $m_2$ is reachable from $m_1$ by the firing of some event $a_i*$ of the STG ($s_1 \xrightarrow{a_i*} s_2$). This transition $a_i*$ is called enabled in state $s_1$. Signal $a$ is called enabled in state $s$ if some transition $a_i*$ is enabled in $s$; otherwise $a$ is called stable or disabled.

There are three implementation conditions that guarantee the SI-implementability of an STG.

1. Boundedness

To be implementable, the STG and the corresponding SG must have a finite number of states. This is guaranteed by the boundedness of the underlying Petri net.

2. Consistency

The rising and falling transitions at the output of a circuit gate must alternate. In the STG shown in Figure 8,a the following trace is feasible: $b_1+, a+, b_2+, \ldots$. After firing $b_1+$ signal $b$ is at logical 1, and therefore the next transition of signal $b$ should be negative. However, the trace contains a positive transition $b_2+$. The required implementation condition can be formalized in SG terms by the consistency of state assignment.

Definition 12. An STG has a consistent state assignment (we call such an STG consistent) iff in the corresponding SG for each pair of states $s_1$ and $s_2$ connected with an edge ($s_1 \to s_2$) the following conditions are met:

(1) if the edge is labeled with an $a+$ transition, then signal $a$ is equal to 0 in $s_1$ and to 1 in $s_2$;

(2) if the edge is labeled with an $a-$ transition, then signal $a$ is equal to 1 in $s_1$ and to 0 in $s_2$;

(3) in all other cases the value of signal $a$ in $s_1$ and $s_2$ is the same.


In the SG corresponding to the STG of Figure 8,b no encoding of states $s_1$ and $s_2$ satisfies the consistency requirement; therefore this STG is inconsistent.

Boundedness and consistency reflect the finite and binary nature of a circuit implementation, but not its speed-independence. The specific feature of a speed-independent implementation is captured by signal persistency.

3. Signal persistency

Signal persistency is closely related to the persistency of transitions in a PN.

Intuitively, signal persistency means that if a circuit signal is enabled, then it cannot be disabled by the transition of another signal [16, 7, 6]. However, one should distinguish between input and non-input signals. For inputs, which are controlled by the environment, it is possible to have a non-deterministic choice, which is represented in STG and SG models by conflicts, i.e., the disabling of one input signal by another input signal. Such conflicts in this paper are always interpreted as choice and therefore do not lead to hazardous behavior. For non-input signals, which are produced by circuit gates, the disabling of a signal transition may lead to a hazardous spike at the output of the gate, making the circuit behavior dependent on the gate delays. In cases when an "input is disabled by the output", we assume that these two signals are controlled independently, one by the environment and the other by the circuit. If the environment is ready to change the input while the circuit is ready to change the output of a gate, then these two processes, under a speed-independent interaction, cannot influence each other. Therefore this is also a potential source of hazards and delay-dependence.

Definition 13. An STG is persistent if in the corresponding SG: (1) no non-input signal can be disabled by another signal, and (2) no input signal can be disabled by a non-input signal.

Although the input signal $m$ might be disabled by another input signal $s$ in the initial state 0*0*0 of the STG in Fig. 7,a, this STG is persistent according to the definition.

The following proposition shows that the implementation conditions introduced above are necessary and sufficient for the SI-implementability of STGs.

Proposition 7 [8] An STG is SI-implementable iff it is bounded, consistent, and persistent.

6. Verifying implementability conditions

In this section we will show how to analyze STG SI-implementability in terms of unfoldings. The method of boundedness verification by unfolding was already discussed in Section 3.

The other two conditions, consistency and signal persistency, are not always simple to check by unfoldings for the general class of STGs. Therefore, we will define a class of well-formed STGs for which this can be done more easily. We do not compromise the completeness of the model, since non-well-formed STGs are almost never used in practice [12] and every STG can be equivalently transformed to a well-formed STG.

Figure 9. An STG with an inconsistent state assignment (a) and its reduced unfolding (b). [Figure not reproduced; (a) places $p_1$, $p_2$ with transitions $a+$, $b+$, $a-$; (b) instantiations $a'+$, $a'-$, $b'+$, the last two being cutoffs, with basic markings shown in brackets.]

Two groups of properties need to be verified on-the-fly during the unfolding generation:

• Conditions for well-formedness, for checking that the implementability conditions can be verified by unfolding without generation of the reachable state space.

• The implementability conditions, for checking that a speed-independent implementation of the STG is possible.

6.1. Consistency

In [6] two conditions for the consistency of STGs without choice places were given. These conditions are also necessary for STGs with choices. The first condition is non-autoconcurrency, and the second is sign alternation.

Definition 14. (1) Signal $a \in S_A$ is autoconcurrent if in the reduced unfolding there are two concurrent transitions $t_1$ and $t_2$ labelled by signal $a$, i.e., $\lambda(t_1) = a_i*$ and $\lambda(t_2) = a_j*$. A reduced unfolding of an STG is called autoconcurrent if it contains at least one autoconcurrent signal.

(2) A reduced unfolding of an STG is sign alternative if rising and falling transitions of each signal alternate, i.e., for any pair of rising signal transitions $a_i+ \Rightarrow a_j+$ there exists a falling transition $a_k-$ such that $a_i+ \Rightarrow a_k- \Rightarrow a_j+$. A similar property must hold for pairs of falling transitions.

These two properties allow us to check consistency for all signal transitions except the last instantiations of the signal transitions in the reduced unfolding. A simple example is shown in Fig. 9. The reduced unfolding is both non-autoconcurrent and sign alternative, but the STG has an inconsistent state assignment. This fact cannot be observed in the reduced unfolding, since there is no information about the next transition of signal $b$ after $b'+$. Therefore, these properties are not sufficient for checking the consistency of the state assignment for STGs with choice places.

One way to solve this problem would be to generate the unfolding further, until for each signal the next transition outside the reduced unfolding is generated. A more elegant way is to compare the binary states of transitions with equal basic markings. Before we describe this method, let us define the conditions under which only one binary state corresponds to a marking of an STG.

Each marking $m'$ in the reduced unfolding of an STG is mapped to one binary state $s(m')$. The values of all the signals in $s(m')$ can be obtained by firing all the transitions of the configuration $C'$ that corresponds to the marking $m'$.

Definition 15. An STG $D$ satisfies the proper state assignment if two conditions are met:

(1) the reduced unfolding $D'$ has the unique state $s(m'_0)$, and for each transition $t'$ of $D'$ with $BM(t') = m_0$ we have $s(BM(t')) = s(m'_0)$, and

(2) for any transitions $t_1', t_2'$ with equal basic markings the corresponding binary states coincide.

If the proper state assignment is satisfied, then each marking of the STG corresponds to one binary state.

The following proposition formally states the relation between Definition 12 of consistency and the properties of an unfolding.

Proposition 8 Let $D$ be a bounded STG and $D'$ be a reduced unfolding of $D$. If $D'$ is non-autoconcurrent, sign alternative and has the proper state assignment, then $D$ is consistent.

Proof: Suppose $D$ is inconsistent at markings $m_1$ and $m_2$ such that $m_1 \xrightarrow{t'} m_2$, $t' = a+$, but $a = 1$ already in the binary state $s_1$ that corresponds to $m_1$ (the case of an $a-$ transition is similar).

1. Let $m'_1$ and $m'_2$ belong to the same configuration $C'$ in the unfolding $D'$, and let there be no inconsistency at the markings preceding $m_1$. Consider the last transition $t'_1$ of signal $a$ in the sequence $q$, $m_0 \xrightarrow{q} m_1$. $t'_1 = a+$ because $a = 1$ in state $s_1$. Clearly $t'_1$ is not in conflict with $t'$, because they belong to the same configuration $C'$. If $t'_1 \Rightarrow t'$, then we have a violation of sign alternation ($a+ \Rightarrow a+$ without an $a-$ transition in between). If $t'_1 \| t'$, then we have autoconcurrency in configuration $C'$. These contradictions rule out the assumption that $m'_1$ and $m'_2$ are present in the same configuration $C'$.

2. Let $m'_1$, but not $m'_2$, belong to configuration $C'$. $m'_2$ is not in $C'$ only if $t'$ is cut off by some other transition $t'_j$. Consider the marking $m'$ directly preceding $BM(t')$ ($m' \xrightarrow{t'} BM(t')$). It is easy to see that for each sequence $q'$ we can construct a sequence $r'$ such that $r'$ passes through $m'$, contains the same transitions as $q'$, and differs from $q'$ only in the order of its concurrent transitions ($r' = r_1' r_2'$, $m'_0 \xrightarrow{r_1'} m' \xrightarrow{r_2'} m'_1$).

a) If $r_2'$ contains no transition of signal $a$, then the consistency of the STG is violated at the markings $m' \to BM(t')$. When $t'$ is determined to be a cutoff point, the binary state of $t'$ has to be calculated and compared (to check the proper state assignment). However, due to the inconsistency the value of signal $a$ is undefined in $BM(t')$, and the check of the proper state assignment can never succeed. This contradicts the conditions of Proposition 8.

b) Let $r_2'$ contain a transition $t'_i$ of signal $a$. Then $t'_i \not\Rightarrow t'$ because $t'$ is ready to fire after $r_1'$; $t' \not\Rightarrow t'_i$ because $t'_i$ fires without the firing of $t'$ in $r'$; and $t'_i$ is not in conflict with $t'$ because they both belong to the same configuration. Thus $t'_i \| t'$, which contradicts the non-autoconcurrency of $D'$.


Let us show how the check for consistency can be done by ordering relations in the unfolding.

• Autoconcurrency and sign alternation

It is easy to see that autoconcurrency is a particular case of concurrency between transitions with the same signal name. This check is trivial by examining the concurrency relation in an unfolding.

To check the sign alternation one has to find, for any two rising (falling) transitions, a falling (rising) transition "in between". This is a particular case of precedence analysis. Let us denote by $\{\Rightarrow a'_i*\}$ the set of transitions that precede $a'_i*$ in a reduced unfolding and by $\{a'_i* \Rightarrow\}$ the set of transitions which $a'_i*$ precedes. Then checking the sign alternation can be reduced to the following simple procedure:

For each pair $(a'_i+, a'_j+)$ such that $a'_i+ \Rightarrow a'_j+$, check that there is a transition $a'_k-$ for which $a'_k- \in \{\Rightarrow a'_j+\} \cap \{a'_i+ \Rightarrow\}$. Do a similar check for each pair $(a'_i-, a'_j-)$.

• Proper state assignment

We will assume for simplicity that, together with the initial marking $m_0$, the initial binary state $s(m_0)$ is given in the STG. (In fact, state $s(m_0)$ can easily be calculated by observing the first transitions of each signal reachable from the initial marking [6].) Let $t'$ be a transition in the unfolding and $a$ be a signal. Then two cases are possible when evaluating the value of signal $a$ in the basic marking $BM(t')$.

1. Signal $a$ never changes in the local configuration of $t'$, and therefore the value of $a$ in the basic marking $BM(t')$ coincides with that in $s(m_0)$.

2. $a$ changes inside the local configuration of $t'$, and therefore the value of $a$ is determined by the closest transition $a'_i*$ preceding $t'$.

The closest transition $a'_i*$ preceding $t'$ is defined by the following condition:

$a'_i* \in \{\Rightarrow t'\} \;\&\; \nexists\, a'_j* : a'_j* \in (\{\Rightarrow t'\} \cap \{a'_i* \Rightarrow\})$

Repeating this for each STG signal, the binary state corresponding to the basic marking of the transition $t'$ is derived. Hence, for the calculation of the binary states corresponding to basic markings we use the precedence relation between transitions. After that, the proper state assignment is checked simply by comparing the binary states of transitions with equal basic markings.

Proposition 9 The consistency of state assignment in an STG can be checked by the ordering relations in its unfolding.
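The consistency procedure of this subsection (autoconcurrency, sign alternation, binary states from the closest preceding transition, and the proper-state-assignment comparison) operates on the sets $\{\Rightarrow t'\}$ and $\{t' \Rightarrow\}$ alone. The Python program below is an added example and not code from the paper: it takes the local configurations, concurrent pairs, labeling and basic markings of a prefix as explicit dictionaries (producing them is the job of the unfolding generator and is not shown here) and returns the violations of each condition. The constructed prefixes `LOCAL` and `LOCAL2`, the initial state `S0` and all function names are assumptions of this example. The first prefix mimics the situation of Figure 9, where the first two checks pass and only the comparison of binary states at equal basic markings exposes the inconsistency; the second prefix fails the first two checks.

```python
# LOCAL[t] is the local configuration {=> t} of transition t (t itself included);
# CONC is the set of concurrent pairs; LAB maps t -> (signal, sign); BM maps t to
# its basic marking written as a canonical string. All inputs are constructed.

def strictly_precedes(local, x, y):
    """x => y: x lies in the local configuration of y and x != y."""
    return x != y and x in local[y]


def successors(local, x):
    """{x =>}: the transitions whose local configuration contains x."""
    return {y for y in local if strictly_precedes(local, x, y)}


def autoconcurrent_signals(conc, lab):
    """Definition 14(1): signals with two concurrent transition instantiations."""
    return sorted({lab[t1][0] for t1, t2 in map(tuple, conc) if lab[t1][0] == lab[t2][0]})


def sign_alternation_violations(local, lab):
    """Definition 14(2): for a_i+ => a_j+ some a_k- must lie in {=> a_j+} ∩ {a_i+ =>}
    (dually for falling pairs). Returns the offending pairs."""
    bad = []
    for ti in local:
        for tj in local:
            if lab[ti] != lab[tj] or not strictly_precedes(local, ti, tj):
                continue
            sig, sign = lab[ti]
            opposite = (sig, "-" if sign == "+" else "+")
            between = local[tj] & successors(local, ti)
            if not any(lab[tk] == opposite for tk in between):
                bad.append((ti, tj))
    return sorted(bad)


def binary_state(local, lab, s0, t):
    """s(BM(t)): each signal takes the value set by its closest transition in the local
    configuration of t; a signal with no transition there keeps its value in s(m0).
    Assumes non-autoconcurrency, so that the closest transition is unique."""
    state = dict(s0)
    for a in s0:
        cands = [u for u in local[t] if lab[u][0] == a]
        # closest: no other a-transition in the local configuration is preceded by it
        closest = [u for u in cands if not any(v != u and u in local[v] for v in cands)]
        if closest:
            state[a] = 1 if lab[closest[0]][1] == "+" else 0
    return state


def proper_state_assignment_violations(local, lab, bm, m0, s0):
    """Definition 15: transitions with equal basic markings must have equal binary states,
    and a transition whose basic marking is m0 must reproduce s(m0). Returns the
    transitions whose state disagrees with the reference state of their marking."""
    reference = {m0: dict(s0)}
    bad = []
    for t in sorted(local, key=lambda u: len(local[u])):   # shallow transitions first
        st = binary_state(local, lab, s0, t)
        if bm[t] not in reference:
            reference[bm[t]] = st
        elif st != reference[bm[t]]:
            bad.append(t)
    return bad


# Constructed prefix in the spirit of Figure 9: p1 -a+-> p2, then a free choice at p2
# between a- (back to p1) and b+ (also back to p1). a'- and b'+ are both cutoffs with
# BM = p1 = m0, but they reach p1 with different binary states.
S0 = {"a": 0, "b": 0}
LAB = {"a'+": ("a", "+"), "a'-": ("a", "-"), "b'+": ("b", "+")}
LOCAL = {"a'+": {"a'+"}, "a'-": {"a'+", "a'-"}, "b'+": {"a'+", "b'+"}}
CONC = set()
BM = {"a'+": "p2", "a'-": "p1", "b'+": "p1"}

# Constructed prefix that fails the first two checks: a+ followed by a+ with no a- in
# between, and two concurrent instantiations of c+.
LAB2 = {"a'1+": ("a", "+"), "a'2+": ("a", "+"), "c'+": ("c", "+"), "c''+": ("c", "+")}
LOCAL2 = {"a'1+": {"a'1+"}, "a'2+": {"a'1+", "a'2+"}, "c'+": {"c'+"}, "c''+": {"c''+"}}
CONC2 = {frozenset({"c'+", "c''+"})}

if __name__ == "__main__":
    print(autoconcurrent_signals(CONC, LAB), sign_alternation_violations(LOCAL, LAB))     # [] []
    print(proper_state_assignment_violations(LOCAL, LAB, BM, "p1", S0))                   # ["b'+"]
    print(autoconcurrent_signals(CONC2, LAB2), sign_alternation_violations(LOCAL2, LAB2))  # ['c'] [("a'1+", "a'2+")]
```

The proper-state-assignment check walks transitions in order of depth so that the reference state of each basic marking is the one of the shallowest transition reaching it, with $s(m_0)$ pre-registered for $m_0$ as condition (1) of Definition 15 requires.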

6.2. Well-formed STGs and persistency

The reason for an STG persistency violation is the non-persistency of signals. We will discuss the conditions for reducing the analysis of signal persistency (which requires binary state traversal) to transition persistency in PNs (which can be done on-the-fly while generating an unfolding). We start with labeled STGs without dummy transitions and then discuss partially labelled STGs with dummy transitions.


STGs without dummy transitions

Definition 16. [Signal persistency] Signal $a$ is non-persistent in the STG $D$ if $a$, enabled in some reachable state $s$ of the corresponding SG, becomes disabled after the firing of another signal $b$ enabled in $s$.

Signal persistency and transition persistency are closely related. Clearly, the only source of non-persistency of a signal $a$ is the non-persistency of some transition labelled $a_i*$. Yet non-persistency of $a_i*$ does not necessarily lead to a violation of persistency by signal $a$. In Figure 10,a the transitions labelled $a_1+$ and $b_2+$ are both non-persistent. However, signals $a$ and $b$ are persistent in the corresponding SG in Figure 10,c. Although the firing of, e.g., $a_1+$ disables $b_2+$, it also enables transition $b_1+$. So both before and after the firing of $a_1+$ signal $b$ remains enabled. By trace equivalence such behavior of signals $a$ and $b$ is equivalent to the concurrent firing of $a+$ and $b+$ [11]. Therefore, both STGs $D_1$ and $D_2$ have the same SG (Figure 10,c). One can conclude that for signal $b$ the conflict of the transition $b_2+$ is "fake".

Definition 17. [Fake conflict] [10] A direct conflict between two transitions labeled with $a_i*$ and $b_j*$ is called fake if the firing of one of them does not disable the signal of the other.

Figures 10,d,e show two types of fake conflicts: asymmetric and symmetric. It was shown in [8] that under certain conditions each symmetric fake conflict can be transformed to an equivalent parallel subgraph of the STG (and SG), as exemplified in Figures 10,b,c.

Asymmetric fake conflicts involving at least one non-input signal always contradict one of the persistency conditions in Definition 13 and therefore lead to violations of SI-implementability. Asymmetric fake conflicts between two input signals are not dangerous, since they are interpreted as a choice between two alternative traces rather than as parallelism of one signal transition disabled by another [7].

An STG is called a fake-free STG if there are no symmetric fake conflicts and there are no asymmetric fake conflicts involving a non-input signal.

The following properties [8] illustrate the use of fake conflicts:

(1) If an STG is persistent then it can always be transformed to an equivalent fake-free STG.

Figure 10. Transition and signal non-persistency and fake conflicts. [Figure not reproduced; (a) STG $D_1$ over places $p_1$, $p_2$ with transitions $a_1+$, $a_2+$, $b_1+$, $b_2+$, $c+$; (b) STG $D_2$ with $a+$, $b+$ concurrent before $c+$; (c) their common SG with states $abc$ = 0*0*0, 10*0, 0*10, 110*; (d) asymmetric and (e) symmetric fake conflicts between $a*$ and $b*$ over markings $m_1, \ldots, m_4$.]

Figure 11. Dummy usage: for complex causal relations (a) and for the burst mode (b). [Figure not reproduced; (a) $dummy_1$, $dummy_2$ joining $b+$, $c+$ and $d+$, $e+$ before $a+$; (b) a burst-mode FSM with states $s_1$, $s_2$ and bursts $a/z$, $bc/x$, $de/y$ beside the equivalent STG with $a+$, $z+$, $dummy_1$, $dummy_2$, $b+$, $c+$, $d+$, $e+$, $x+$, $y+$.]

(2) A fake-free STG is persistent iff (a) all transitions labeled with non-input signals are persistent and (b) all transitions labeled with input signals are persistent with respect to transitions labeled with non-input signals.

Fake conflicts can either be excluded from an STG by an equivalent transformation, or the STG (and its SG) is not persistent and hence not SI-implementable. Therefore, in the analysis of implementability we always reject STG specifications that are not fake-free.

For a fake-free STG any non-persistency between transitions $t_i$ and $t_j$ labeled with $\lambda(t_i) = a_k*$ and $\lambda(t_j) = b_n*$ leads to non-persistency between signals $a$ and $b$. This fact suggests a simple way of analyzing non-persistency in an STG.

• Check STG for being fake-free (if it is not, reject the STG).

• Find all direct conflicts between transitions.

• Check whether there is a direct conflict involving a non-input signal (if this is the case, the STG is non-persistent in accordance with Property 2 above).

STGs with dummy transitions

Reducing signal persistency to transition persistency becomes more complex for STGs with a partially defined labeling function. Figure 11 shows that dummy transitions can be used as follows:

(1) for decomposing complex causal dependencies between signal transitions into simpler ones.

E.g., if the firing of transition $a$ happens after the firing of transitions $b$ and $c$, or of $d$ and $e$, this can be expressed with two dummy transitions without duplicating the label of $a$ (Figure 11,a);

(2) for specifying non-deterministic input bursts.

Figure 11,b demonstrates an example of the equivalent transformation of a burst-mode FSM [19] into an STG specification.

To simplify the analysis of partially labeled STGs we restrict the use of dummy transitions by formulating the rules of STG well-formedness.


Rule 1. There are no adjacent dummy transitions in an STG (i.e. $dummy_1 \not\in {}^\bullet({}^\bullet dummy_2)$).

Rule 2. For every signal transition $a* \in (dummy^\bullet)^\bullet$ this dummy transition is the only direct predecessor (i.e., $|{}^\bullet({}^\bullet a*)| = 1$). In other words, we require the signal transitions directly succeeding a dummy transition to fire in a burst mode [19], and therefore the set of signal transitions $(dummy^\bullet)^\bullet$ is called a dummy burst.

These restrictions do not confine the class of STGs that are used in practice (both STGs from Figure 11 satisfy them). In partially labeled STGs both the dummy transitions and the signal transitions can be in direct conflict. However, no signal is associated with a dummy transition, and therefore a direct conflict between dummy transitions has to be “translated” onto their output signal transitions.

Definition 18. [Generalized direct conflict] Signal transitions ti and tj are in direct conflict in PN N if:

(1) ti is non-persistent with respect to tj (or vice versa), or

(2) a dummy transition dummy1 exists such that ti is non-persistent with respect to dummy1 and tj belongs to the dummy1 burst (tj ∈ (dummy1•)•), or

(3) two dummy transitions dummy1 and dummy2 exist such that dummy1 is non-persistent with respect to dummy2, and ti belongs to the dummy1 burst while tj belongs to the dummy2 burst (ti ∈ (dummy1•)• and tj ∈ (dummy2•)•).

Generalized direct conflicts allow us to apply Definition 17 for finding fake conflicts in STGs with dummy transitions. Therefore the following definition of a well-formed STG can be given.

Definition 19. [Well-formed STGs] An STG is called well-formed if (1) it is fake-free and (2) it satisfies Rules 1 and 2 for dummy transitions.

The non-persistency of well-formed STGs with dummy transitions can be checked by Definition 18 in the same way as for completely labeled STGs: each direct conflict involving a non-input signal leads to a persistency violation. This reduces signal persistency to transition persistency for STGs with a partially defined labeling function.

Note that all the properties of well-formedness are defined locally in terms of transitions and therefore can be checked simply on the unfolding of an STG.

For the analysis of transition persistency by an unfolding see Section 3.
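As an added example (not the paper's code), the following Python checks Rules 1 and 2 and enumerates the generalized direct conflicts of Definition 18 on a constructed STG; it assumes that non-persistency between two transitions is detected structurally as a shared input place (the direct-conflict condition used in Section 7), and that the fake-free check of Definition 17 has already been performed.

```python
"""Well-formedness rules and generalized direct conflicts for an STG with
dummy transitions (Rules 1-2, Definitions 18-19).

Assumptions (added example, not the paper's code): the STG is a dict of
transition labels (None = dummy) with pre/post place sets; two transitions
are taken as non-persistent w.r.t. each other when they share an input
place; the fake-free check is assumed to have been done beforehand."""
from itertools import combinations

# Constructed STG: inputs a, b choose on p0; non-input y competes with the
# dummies d1 and d2 for p1; d1's burst is {c+, x+}, d2's burst is {z+}.
STG = {
    "labels": {"t1": "a+", "t2": "b+", "d1": None, "t3": "c+",
               "t4": "x+", "d2": None, "t5": "y+", "t6": "z+"},
    "pre":  {"t1": {"p0"}, "t2": {"p0"}, "d1": {"p1"}, "t3": {"p3"},
             "t4": {"p4"}, "d2": {"p1"}, "t5": {"p1"}, "t6": {"p7"}},
    "post": {"t1": {"p1"}, "t2": {"p2"}, "d1": {"p3", "p4"}, "t3": {"p5"},
             "t4": {"p5"}, "d2": {"p7"}, "t5": {"p6"}, "t6": {"p8"}},
}
INPUTS = {"a", "b"}


def signal(stg, t):
    """Signal of a labeled transition ('a+' -> 'a'); None for a dummy."""
    lab = stg["labels"][t]
    return None if lab is None else lab.rstrip("+-")


def pre_pre(stg, t):
    """•(•t): the direct predecessor transitions of t."""
    return {u for u, out in stg["post"].items() if out & stg["pre"][t]}


def burst(stg, dummy):
    """(dummy•)•: the dummy burst, i.e. the transitions fed by the dummy."""
    return {t for t in stg["labels"] if stg["pre"][t] & stg["post"][dummy]}


def direct_conflict(stg, t, u):
    """Structural non-persistency: t and u share an input place."""
    return t != u and bool(stg["pre"][t] & stg["pre"][u])


def rule_violations(stg):
    """Rule 1: no adjacent dummies.  Rule 2: |•(•a*)| = 1 inside a burst."""
    dummies = {t for t, lab in stg["labels"].items() if lab is None}
    found = []
    for d in dummies:
        if pre_pre(stg, d) & dummies:
            found.append(("Rule 1", d))
        found += [("Rule 2", t) for t in burst(stg, d) if len(pre_pre(stg, t)) != 1]
    return found


def generalized_direct_conflicts(stg):
    """Unordered pairs of signal transitions in conflict per Definition 18."""
    sig = [t for t, lab in stg["labels"].items() if lab is not None]
    dum = [t for t, lab in stg["labels"].items() if lab is None]
    pairs = set()
    for t, u in combinations(sig, 2):                 # case (1)
        if direct_conflict(stg, t, u):
            pairs.add(frozenset((t, u)))
    for d in dum:
        for t in sig:                                 # case (2)
            if direct_conflict(stg, t, d):
                pairs |= {frozenset((t, u)) for u in burst(stg, d) if u != t}
        for d2 in dum:                                # case (3)
            if direct_conflict(stg, d, d2):
                pairs |= {frozenset((t, u)) for t in burst(stg, d)
                          for u in burst(stg, d2) if t != u}
    return pairs


def persistency_violations(stg, inputs):
    """Conflicts that involve a non-input signal (the STG is not persistent)."""
    return {pair for pair in generalized_direct_conflicts(stg)
            if any(signal(stg, t) not in inputs for t in pair)}


if __name__ == "__main__":
    print("rule violations:", rule_violations(STG))
    for pair in sorted(map(sorted, persistency_violations(STG, INPUTS))):
        print("non-persistent:", pair)
```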

7. Generating unfoldings and ordering relations

An unfolding is constructed by a breadth-first traversal, tier by tier. A tier contains transition instantiations of the same depth, i.e., tiers are ordered by the size of the local configurations of the included transitions. Only two tiers need to be stored: 1) a Current-tier, which is used for the generation of 2) a New-tier. Each tier contains a set of transitions, Current-T-tier, and a set of output places of these transitions, Current-P-tier. All the transitions which are ready to be fired are collected in T-Fired. Those transitions which have the minimal size of local configuration are moved from T-Fired to the New-tier.

An initial tier (with number 0) has no transitions and contains all the places p′ that represent the initial marking m0 in PN N. Figures 12,a,b describe the algorithms for generating an unfolding and for constructing a tier.

generate_unfolding(D′) {
  Reached = ∅; T-Fired = ∅;
  Current-T-tier = ∅; Current-P-tier = {M′0};
  do {
    Reached = Reached ∪ Current-tier;
    generate_New-tier;
    Current-T-tier = New-T-tier − Cutoffs;
    Current-P-tier = New-P-tier;
    Is_unfolding_correct(Current-tier)
  } while (Current-P-tier ≠ ∅);
  return Reached;
}

(a)

generate_New-tier {
  New-T-tier = ∅; New-P-tier = ∅;
  for each p′ ∈ Current-P-tier do {
    for each ti ∈ p• do
      if Ready(t′i) then T-Fired = T-Fired ∪ t′i;
    /* T-Fired is kept sorted, or in a hash-table, by |⇒ t′i| */
  }
  New-T-tier = {t′j ∈ T-Fired : ∀ t′k ∈ T-Fired, |⇒ t′j| ≤ |⇒ t′k|};
  T-Fired = T-Fired − New-T-tier;
  for each t′i ∈ New-T-tier do Update_Relations-T(t′i);
  Check_cutoffs(New-T-tier);
  for each t′i ∈ New-T-tier − Cutoffs do {
    New-P-tier = New-P-tier ∪ t′i•;
    Update_Relations-P(t′i)
  }
}

(b)

Figure 12. Algorithms for generating an unfolding (a) and an unfolding tier (b)

Two matrices of ordering relations between places and transitions, Relations-T and Relations-P, are constructed on-the-fly while the unfolding is being generated. These matrices contain information about the precedence, conflict and concurrency relations in the part of the unfolding that has already been generated. They play the major role in checking whether a transition t′i can be included in the unfolding (the subroutine Ready(t′i)). Due to the symmetry of the conflict and concurrency relations and the asymmetry of the precedence relation, the matrices can be kept triangular.


After a new transition t′i (or place p′j) is included in the unfolding, the matrix of relations is updated by adding the ordering relations of t′i (p′j) with all the other transitions (places) generated before. This can be done by simply inheriting these relations from the transitions (places) that are the direct predecessors of t′i (p′j). Consider this inheritance on the example of the ordering relations for transitions:

Precedence – t′j ⇒ t′i if:

1. t′j ∈ •(•t′i) (t′j is a direct predecessor of t′i);
2. t′j ⇒ t′k and t′k ∈ •(•t′i) (inheriting ⇒ from the direct predecessors).

Conflict – t′j # t′i if:

1. •t′i ∩ •t′j ≠ ∅ (direct conflict: t′i and t′j share an input place);
2. t′j # t′k and t′k ∈ •(•t′i) (inheriting conflicts from the direct predecessors);
3. t′k ⇒ t′j and t′k is in direct conflict with t′i (conflicts spread over the transitions succeeding a direct conflict).

Similar conditions can be given for places. The procedures Update_Relations-T and Update_Relations-P for generating the ordering relations are given in Figure 13.

A new transition t′i can be included in T-Fired after a place p′ from the Current-P-tier if, in the generated part of the unfolding, there exists a set of places that can be matched as the input places of t′i. This set must not have been used at an earlier stage for the generation of another instantiation of ti. The concurrency relation allows one to reduce significantly the size of the set Candidates that is used as the search space for the input places of t′i. Indeed, the input places of t′i must be pairwise concurrent, and thus to obtain Candidates it is sufficient to choose the places that are concurrent to p′ and are matched with •ti. In most cases, Candidates contains one copy of each place from •ti. However, sometimes (e.g., for unsafe PNs) there can be several places p′j, p′′j, . . . that can be matched with an input place of t′i. In these cases we need to check all the possible combinations Inputs for •t′i. The number of these combinations grows exponentially with the size of the Candidates set. However, typically the number of instantiations of a place concurrent to an input place of a transition is small, so this exponential dependency can be neglected. Function Ready tests the conditions for t′i to be fired.

After a new tier is generated in the unfolding, one has to check: (1) the cutoff conditions, (2) the correctness of the unfolding (boundedness, safeness, non-autoconcurrency).

For these checks, the basic markings are constructed for each of the transitions. They can be constructed by iterative formulas using the basic markings of the direct predecessors. Assume that Consumed(t′i) is the set of places in the unfolding that precede the transition t′i. Then the following iterative formulas are valid.

(1) The set of consumed places is equal to the places consumed by the directly preceding transitions plus the input places of t′i:

$$\mathit{Consumed}(t'_i) = \sum_{t'_j \in \bullet(\bullet t'_i)} \mathit{Consumed}(t'_j) + \bullet t'_i$$

(2) The basic marking is given by the basic markings of the directly preceding transitions that are not consumed by t′i plus the output places of t′i:

$$BM(t'_i) = \sum_{t'_j \in \bullet(\bullet t'_i)} BM(t'_j) - \mathit{Consumed}(t'_i) + t'_i\bullet$$
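The tier-by-tier construction, the inheritance rules for ⇒ and #, and the iterative Consumed/BM formulas above, put together in Python as an added example (not the paper's SIS implementation); it assumes a PN given as pre/post place sets per transition with a Counter initial marking, keeps the relations as per-node sets rather than triangular matrices, and truncates with GT-cutoffs only (no EQ-cutoffs).

```python
"""Tier-by-tier unfolding with ordering relations built by inheritance, basic
markings from the iterative Consumed/BM formulas, GT-cutoffs and the
boundedness/safeness checks of Figure 14b.  Added example, not the paper's
code.  Assumptions: a PN is given as pre/post place sets per transition plus
an initial marking Counter; relations are per-node sets (pred, conf) instead
of triangular matrices; only GT-cutoffs truncate the net (no EQ-cutoffs)."""
from collections import Counter
from itertools import combinations, product


class Unfolder:
    def __init__(self, pre, post, m0):
        self.pre, self.post = pre, post
        self.orig, self.pred, self.conf = {}, {}, {}  # node -> original, ⇒-set, #-set
        self.inputs = {}   # condition -> its input event (None for initial ones)
        self.events = {}   # event -> dict(t, pre, size, consumed, bm, mark)
        self.used, self.cutoffs, self.unsafe, self.unbounded = set(), set(), [], False
        self.init = {self._add_cond(p, None) for p in m0.elements()}

    def _fresh(self, name):
        n = f"{name}'{sum(o == name for o in self.orig.values()) + 1}"
        self.orig[n] = name
        return n

    def _add_node(self, n, direct, direct_conf):
        # Inherit ⇒ and # from the direct predecessors (rules 1-3 of Section 7).
        self.pred[n] = set(direct).union(*(self.pred[d] for d in direct))
        conf = set(direct_conf).union(*(self.conf[d] for d in direct))
        for x in direct_conf:                 # rule 3: conflicts spread to successors
            conf |= {y for y in self.pred if x in self.pred[y]}
        self.conf[n] = conf - {n}
        for c in self.conf[n]:                # keep # symmetric
            self.conf[c].add(n)

    def concurrent(self, x, y):               # x || y: no ⇒ either way and no #
        return (x != y and x not in self.pred[y] and y not in self.pred[x]
                and y not in self.conf[x])

    def _add_cond(self, p, ev):
        c = self._fresh(p)
        self.inputs[c] = ev
        self._add_node(c, [ev] if ev else [], [])
        self.unsafe += [(c, c2) for c2 in self.inputs      # two concurrent copies
                        if self.orig[c2] == p and self.concurrent(c, c2)]  # of p
        return c

    def _ready(self, t):
        # Unused, pairwise concurrent matchings of •t (Ready, Figure 14a).
        cands = [[c for c in self.inputs if self.orig[c] == p] for p in self.pre[t]]
        for combo in product(*cands):
            ins = frozenset(combo)
            if (t, ins) not in self.used and all(
                    self.concurrent(a, b) for a, b in combinations(ins, 2)):
                yield ins

    def _fire(self, t, ins):
        e = self._fresh(t)
        self.used.add((t, ins))
        direct = {self.inputs[c] for c in ins} - {None}                  # •(•e)
        self._add_node(e, ins, {f for f, ev in self.events.items() if ev["pre"] & ins})
        consumed = set(ins).union(*(self.events[d]["consumed"] for d in direct))
        kept = (set().union(*(self.events[d]["bm"] for d in direct))
                if direct else set(self.init)) - consumed
        size = 1 + sum(x in self.events for x in self.pred[e])           # |⇒ e|
        mark = Counter(self.orig[c] for c in kept) + Counter(self.post[t])
        self.unbounded |= any(ev["t"] == t and not (ev["mark"] - mark) and (mark - ev["mark"])
                              for ev in self.events.values())   # BM(t'') < BM(t')
        cutoff = any(f not in self.cutoffs and ev["size"] < size and ev["mark"] == mark
                     for f, ev in self.events.items())      # GT-cutoff: same BM, smaller |⇒|
        post = set() if cutoff else {self._add_cond(p, e) for p in self.post[t]}
        if cutoff:
            self.cutoffs.add(e)
        self.events[e] = dict(t=t, pre=ins, size=size, consumed=consumed,
                              bm=kept | post, mark=mark)

    def run(self):
        # generate_unfolding (Figure 12a): per tier, fire the ready instances of minimal |⇒|.
        while not self.unbounded:
            fired = [(1 + len({x for c in ins for x in self.pred[c] if x in self.events}), t, ins)
                     for t in self.pre for ins in self._ready(t)]
            if not fired:
                break
            low = min(s for s, _, _ in fired)
            for s, t, ins in fired:
                if s == low:
                    self._fire(t, ins)
        return self


# Constructed PN (not from the paper): fork t1, free choice t2/t5 on p1,
# join t4 closing the cycle back to p0.  With m0 = {p0: 1} it is safe.
PRE = {"t1": {"p0"}, "t2": {"p1"}, "t3": {"p2"}, "t4": {"p3", "p4"}, "t5": {"p1"}}
POST = {"t1": {"p1", "p2"}, "t2": {"p3"}, "t3": {"p4"}, "t4": {"p0"}, "t5": {"p3"}}
```

`Unfolder(PRE, POST, Counter({"p0": 1})).run()` yields eight events of which the two second instances of t1 are GT-cutoffs; starting with two tokens on p0 flags the two initial copies of p0 as unsafe.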


Update_Relations-T(t′i) {
  for each t′j ∈ N′ do
    Write “t′j || t′i” in Relations-T;
  for each t′j ∈ •(•t′i) do
    Write “t′j ⇒ t′i” in Relations-T;
    for each t′k ⇒ t′j do
      Write “t′k ⇒ t′i” in Relations-T;
    for each t′k # t′j do
      Write “t′k # t′i” in Relations-T
  end for;
  for each t′j, •t′j ∩ •t′i ≠ ∅ & t′j ≠ t′i do
    Write “t′j # t′i” in Relations-T;
    for each t′k, t′j ⇒ t′k do
      Write “t′k # t′i” in Relations-T
  end for
}

(a)

Update_Relations-P(t′i) {
  for each p′r ∈ t′i• do
    for each p′j ∈ N′ do
      Write “p′j || p′r” in Relations-P;
    for each p′j ∈ •t′i do
      Write “p′j ⇒ p′r” in Relations-P;
      for each p′k ⇒ p′j do
        Write “p′k ⇒ p′r” in Relations-P;
      for each p′k # p′j do
        Write “p′k # p′r” in Relations-P
      for each p′k, p′j ⇒ p′k do
        if p′k ∉ t′i• Write “p′k # p′r” in Relations-P;
    end for
  end for
}

(b)

Figure 13. Algorithms to update Relations-T (a) and Relations-P (b)

The procedures Ready and Is_unfolding_correct are given in Figure 14a,b. The procedure Check_cutoffs for detecting GT-cutoffs and EQ-cutoffs is given in Figure 15. This detection follows Definitions 7 and 9 of GT- and EQ-cutoffs.

Let us evaluate the complexity of the suggested algorithm for unfolding generation and construction of the ordering relations. Let $N_T$ and $N_P$ be the numbers of transitions and places in the unfolding and $O_p$ be the maximum fan-out of a place.

The procedure generate_New-tier checks the possibility of adding a new transition t′i for each place p′ in the unfolding for which p′ ∈ •t′i. For the same place p′, there can be several patterns of Inputs that can be matched with t′i. Assume that r is the upper bound for the number of instantiations of one place from •t′i concurrent to p′. Then the number of different Inputs patterns cannot exceed $R \equiv r^{|\bullet t_i|}$. Thus in generate_New-tier for one place p′ we perform Ready(t′i) $O(R \cdot O_p)$ times, and for all places $O(R \cdot O_p \cdot N_P)$ times.

Ready(t′i) {
  Candidates = p′;
  for each p′j || p′ & pj ∈ •ti do
    Candidates = Candidates ∪ p′j;
  for each pj ∈ •ti do
    if p′j ∉ Candidates return false;
  repeat
    Create new Inputs ⊆ Candidates;
    /* Inputs contains instantiations of all places from •ti */
    /* and these instantiations are pairwise concurrent */
    Used = false;
    for each t′′i ∈ T-Fired /* t′′i instantiation of ti */ do
      if •t′′i = Inputs then Used = true;
    if not(Used) then {
      •t′i = Inputs;
      Calculate_BM(t′i);
      return true
    }
  until No new Inputs ⊆ Candidates;
  return false
}

(a)

Is_unfolding_correct(Current-tier) {
  for each t′i ∈ Current-T-tier do {
    /* boundedness check */
    for each t′′i ∈ Reached /* t′′i instantiation of ti */ do {
      if BM(t′′i) < BM(t′i) then unbounded;
      /* transition autoconcurrency check */
      if t′i || t′′i then autoconcurrent
    }
  }
  for each p′ ∈ Current-P-tier do {
    /* safeness of place p′ ∈ Current-P-tier */
    for each p′′ ∈ Reached /* p′′ instantiation of p */
      if p′ || p′′ then unsafe
  }
}

(b)

Figure 14. Analysis of transition readiness (a) and unfolding correctness (b).


Check_cutoffs(New-T-tier) {
  /* GT-cutoffs */
  for each t′i ∈ New-T-tier do {
    for each t′j ∈ Reached do
      if BM(t′j) = BM(t′i) then GT-cutoffs = GT-cutoffs ∪ t′i;
  }
  /* EQ-cutoffs */
  Cutoffs = Cutoffs ∪ GT-cutoffs;
  for each t′i ∈ New-T-tier − Cutoffs do
    repeat
      Find t′j ∈ New-T-tier − Cutoffs such that t′j # t′i & BM(t′j) = BM(t′i);
      if there is such t′j then {
        Is_Image = true;
        if there is t′k ∈ EQ-cutoffs & t′k || t′j then Is_Image = false;
        if Is_Image then {
          Create Ready_cut ⊆ New-T-tier − Cutoffs;
          /* Ready_cut contains all t′m : t′m # t′j & BM(t′j) = BM(t′m) */
          /* In particular, t′i ∈ Ready_cut */
          for each t′m ∈ Ready_cut do {
            if there is no t′r ∈ EQ-cutoff-images ∩ New-T-tier & t′r || t′m then {
              EQ-cutoffs = EQ-cutoffs ∪ t′m;
              Cutoffs = Cutoffs ∪ t′m;
            }
          }
          Mark t′j as image for all EQ-cutoffs t′m;
        }
      }
    until t′i ∈ Cutoffs ∨ (No new t′j found);
}

Figure 15. Detecting cutoffs.

All the properties in the procedure Is_unfolding_correct are analyzed by a linear search over the transitions (or places) in the unfolding, so the complexity of this procedure is $O(N_T)$. The complexity of detecting cutoffs does not exceed $O(N_T^2)$. This gives the overall complexity of the unfolding generation and ordering-relations construction as $O(R \cdot O_p \cdot N_P \cdot N_T + N_T^2)$. If $N_T \le N_P$, $R$ is small and $O_p \ll N_T$ (which is reasonable for typical PNs) we arrive at the simplified upper bound $O(N_P \cdot N_T)$. Note that our algorithm compares quite favorably with the results reported in [3], where unfoldings for a much more restricted class of PNs, safe Marked Graphs (Note 7), are constructed in $O(N_P^2 \cdot N_T^2)$. It is also worth noting that, similarly to [3], our approach allows checking the reachability of a certain state in polynomial time for pipeline PNs, while the stubborn sets approach [25] does not solve this problem in polynomial time.

In Sections 3 and 5, it was shown how the properties of PNs and STGs can be analyzed by checking the ordering relations in their unfoldings. It follows that the complexity of the analysis of PNs is the same as for generating an unfolding, i.e., $O(N_P \cdot N_T)$. The complexity of checking the correctness of STGs is, therefore, $O(N_P \cdot N_T \cdot |S_A|)$.

Figure 16. 4-stage Muller pipeline: circuit of four C-elements with outputs z1, z2, z3, z4 (a); corresponding STG with transitions z1+, z2+, z3+, z4+, z3−, z4−, z1−, z2− (b)

8. Experimental results

We have implemented the method for the unfolding of PNs and STGs presented in this paper inside the SIS tool [24]. This allows us to combine the verification method with the synthesis methods for STGs implemented in SIS. The efficiency of the presented approach was evaluated in comparison with the efficient technique of PN traversal based on BDDs [8]. The results for three examples are presented in this paper: a PN for the dining philosophers [13], an n-stage Muller pipeline [15] with n/3 portions of information moving concurrently (see Figure 16,a,b, where the 4-stage pipeline and its STG specification are shown) and an n-user distributed mutual exclusion (DME) arbiter [8] (see Figure 17, where the STG for a three-user arbiter is shown). All the examples are scalable, in such a way that the number of their reachable states can be increased exponentially by iteratively repeating a basic pattern. In the case of the dining philosophers, the check was done for boundedness and safety only, while for the Muller pipeline and the DME arbiter the implementability of the corresponding STGs was analyzed as well.

Table 1 shows the results of the experiments. The run-time is given for a Sparc 10 workstation. The table gives the size of the initial PN (STG) specification, the number of markings in the Reachability Graph, the number of nodes for the peak and the final reduced and ordered BDD representation of the reachable marking space, and the size of the reduced unfolding (the number of places and transitions). The numbers for the BDD traversal are partly borrowed from [8] (Note 8). From the comparison it follows that analysis by the ordering relations in the unfolding is more efficient than by the BDD traversal method.

The unfolding method and the BDD traversal method should be viewed as complementary techniques. Some of the properties for checking the specifications (like Complete State Coding (CSC) violations and CSC reducibility [8]) are difficult to express in terms of ordering relations between transitions and are naturally formulated in terms of states. Therefore, it is better to check these properties by the symbolic BDD traversal. For some other properties, like boundedness, the unfolding technique is very efficient while the BDD-based one is not.

Figure 17. A three-user mutual exclusion element (STG with transitions r1+, a1+, a1−, r1−, r2+, a2+, r2−, a2−, r3+, a3+, r3−, a3− and the shared place p0)

Table 1. Experimental results

                      # of    # of    # of        BDD traversal                  Unfolding
Example          n    places  trans.  markings    size    size     CPU     # of    # of    CPU
                                                  peak    final    (sec.)  places  trans.  (sec.)
n dining phil.   20   140     100     2.2×10^13   –       3091     10      140     100     1
                 40   280     200     2.9×10^19   –       251839   455     280     200     1
                 50   350     250     –           –       1870847  > 4 h.  350     250     1
                 60   420     300     –           –       –        –       420     300     1
n-stage Muller's 30   120     60      6.0×10^7    7897    4784     132     490     240     1
pipeline         45   180     90      6.9×10^11   23590   10634    740     1035    510     2
                 60   240     120     8.4×10^15   53446   18788    3210    1780    880     4
n-user DME       20   81      80      2.2×10^7    1688    1688     11      81      80      1
arbiter          40   161     160     4.5×10^13   6568    6568     101     161     160     1
                 60   241     240     7.0×10^19   14648   14648    342     241     240     1

Table 2 shows the results on unfoldings using different cutoff criteria for the STGs from the known set of benchmarks [24]. This experiment allows us to conclude that EQ-cutoffs reduce the size of unfoldings compared to GT-cutoffs if the choice and concurrency structure is relatively complex. The third column of the table presents the size of the initial specification (the number of places, transitions, and places plus transitions). The fourth column presents the size of the unfoldings using the following cutoff criteria.

1. A simple cutoff criterion, which totally ignores the comparison of configuration sizes. The algorithm cuts the construction of an unfolding each time a transition with an already generated basic marking occurs. Although this criterion is not correct in general, it gives a useful lower bound on the size of any correct unfolding which loses no reachable markings of the initial PN.

2. The enhanced cutoff criterion for generating a reduced unfolding. Both GT-cutoffs and EQ-cutoffs are used.

3. The GT-cutoff criterion for generating McMillan’s unfolding.

Table 2. Experimental results

This column also includes a run-time if it was more than one second. The next column presents cutoff counts. In the column labeled “Note” the marks “!” and “!!” indicate those examples where the size of the reduced unfolding is smaller than the size of McMillan’s unfolding. If this difference is significant we put an approximate size ratio in this column. If the program ran out of time for the selected time-out, the cell of the table contains “–”.

To check how equivalent transformations of a PN can influence the size of the unfolding we have used the tool petrify [2] for generating different PNs/STGs for the same initial PN/STG. For example, slave-j25 is the initial specification from the SIS benchmark of asynchronous circuits, slav-j25.o is its minimized version obtained with petrify, slav-j25.p is an equivalent pure net (Note 9), sl-j25.fc is an equivalent free-choice PN, and sl-j25er.p is a pure net in which all excitation regions are split. One can observe that for slave-j25 and sl-j25.fc the size of the reduced unfolding is significantly smaller than the size of McMillan’s unfolding; however, for slav-j25.o, slav-j25.p, and sl-j25er.p both methods give unfoldings of equal size.

In [4] Esparza et al. suggested another refinement of McMillan’s criterion for cut-offs. This refinement is in some sense optimal because it allows one to get a total order between the transitions with the same basic markings, i.e., each time two transitions with the same basic marking are met in an unfolding one of them will be defined as a cut-off. The unfoldings obtained by the method of [4] have a minimal size (similar to those obtained by simple cut-offs). The shortcoming of the approach of [4] is the restriction to the class of safe PNs. Enhanced cut-offs can work for general PNs, though they cannot guarantee minimal-size unfoldings.

The slotted ring protocol example considered in [4] was checked with the enhanced cut-off criterion. As expected, the size of the obtained unfolding was in between those of the criterion of [4] and McMillan’s. However, the ability to handle unsafe specifications seems rather important for asynchronous design because OR-causality can be modeled only by unsafe PNs [27]. It is worth mentioning that of the 40 examples in Table 2, 7 were detected to be unsafe (the examples from 19 to 26).

9. Conclusion

We have presented an approach for checking the properties of a PN on the basis of the ordering relations between transitions and places in the unfolding equivalent to the original PN. The unfolding is a finite prefix of the occurrence net. To truncate the occurrence net, we use the so-called enhanced cutoff criterion. Contrary to the cutoff criterion presented in [13], our criterion allows us to truncate the occurrence net using cutoffs with images of local configurations of equal size, i.e., the occurrence net is truncated earlier in the generation process. Therefore, the size of the reduced unfolding is typically much smaller than the size of the reachability graph of the PN. We further applied this theory to as
ynchronous design. Implementability of Signal Transition Graphs (signal-interpreted PNs) can be efficiently checked with the unfolding method. The experimental results show that for safeness, boundedness, persistency and implementability conditions our method compares favorably with the symbolic BDD traversal of PNs [20, 8]. We have implemented the method of PN and STG unfolding as a new command in the SIS tool [24].

Checking deadlocks by an unfolding is exponential in general. However, McMillan suggested a practically efficient algorithm for this problem [13]. Using the enhanced cutoff criterion will further improve the efficiency of checking deadlocks.

Acknowledgments. We are greatly indebted to Javier Esparza for his successful efforts in finding flaws in the earlier versions of our cutoff criterion. We are also grateful to Alex Yakovlev and Alex Semenov for fruitful discussions at the early stage of this work. We highly appreciate the work on PN unfolding by Ken McMillan that was the impetus for our research. We thank Luciano Lavagno for helping us to understand the SIS tool and for providing us with a set of benchmarks for checking the verification methods.

Notes

1. GT stands for “greater than” and refers to the size of local configuration for a cutoff and its image.

2. EQ stands for “equal” and again refers to the size of local configuration.

3. FM(C1′) and FM(C′) are PN markings corresponding to FM(C1′)′ and FM(C′)′.

4. cf. the proof of Lemma 5 in [13]

5. In [7] both choice and parallel interpretations are allowed.

6. This is not the case for circuits with arbiters. To deal with such non-deterministic circuits we can soften the requirement and allow the disabling of non-input signals in arbitration points.

7. A Marked Graph is a Petri Net whose places have at most one input and at most one output transition.

8. The data on the dining philosophers were kindly provided by Oriol Roig.

9. A PN is called pure if it contains no loops between a place and a transition.

References

1. T.-A. Chu, “Synthesis of Self-timed VLSI Circuits from Graph-theoretic Specifications,” PhD thesis, MIT, June 1987.

2. J. Cortadella, M. Kishinevsky, L. Lavagno, and A. Yakovlev, “Synthesizing Petri nets from state-based models,” Proceedings of the International Conference on Computer-Aided Design, November 1995.

3. J. Esparza, “Model checking using net unfoldings,” in M.-C. Gaudel and J.-P. Jouannaud, editors, TAPSOFT’93: Theory and Practice of Software Development. 4th Int. Joint Conference CAAP/FASE, Lecture Notes in Computer Science 668, Springer-Verlag, 1993, pp. 613–628.

4. J. Esparza, S. Römer, and W. Vogler, “An improvement of McMillan’s unfolding algorithm,” Technical Report TUM: 19599, Technische Universität München, August 1995.

5. P. Godefroid, “Using partial orders to improve automatic verification methods,” in E. M. Clarke and R. P. Kurshan, editors, Proc. International Workshop on Computer Aided Verification, DIMACS Series in Discrete Mathematics and Theoretical Computer Science, 1991, pp. 321–340.

6. M. A. Kishinevsky, A. Y. Kondratyev, A. R. Taubin, and V. I. Varshavsky, Concurrent Hardware. The Theory and Practice of Self-Timed Design, John Wiley and Sons Ltd., 1994.

7. M. Kishinevsky and J. Staunstrup, “Characterizing speed-independence of high-level designs,” in Proceedings of the Symposium on Advanced Research in Asynchronous Circuits and Systems, Utah, USA, November 1994, pp. 44–53.

8. A. Kondratyev, J. Cortadella, M. Kishinevsky, E. Pastor, O. Roig, and A. Yakovlev, “Checking Signal Transition Graph implementability by symbolic BDD traversal,” in Proceedings of the European Design and Test Conference (ED&TC), Paris, France, March 1995, pp. 325–332.

9. A. Kondratyev, M. Kishinevsky, A. Taubin, and S. Ten, “Analysis of Petri nets by ordering relations in reduced unfoldings,” Technical Report TR:95-2-002, The University of Aizu, June 1995.

10. A. Kondratyev and A. Taubin, “Verification of speed-independent circuits by STG unfoldings,” in Proceedings of the Symposium on Advanced Research in Asynchronous Circuits and Systems, Utah, USA, November 1994, pp. 64–75.

11. L. Lavagno and A. Sangiovanni-Vincentelli, Algorithms for synthesis and testing of asynchronous circuits, Kluwer Academic Publishers, Boston/Dordrecht/London, 1993.

12. L. Lavagno, “Set of input-choice benchmarks,” private communication, 1994.

13. K. McMillan, “A technique of state space search based on unfolding,” Formal Methods in System Design, 6:45–65, 1995.

14. T. H.-Y. Meng, Synchronization Design for Digital Systems, Kluwer Academic Publishers, Boston/Dordrecht/London, 1991, contributions by David Messerschmitt, Steven Nowick, and David Dill.

15. D. E. Muller, “Asynchronous logics and application to information processing,” in Proc. Symp. on Application of Switching Theory in Space Technology, Stanford University Press, 1963, pp. 289–297.

16. D. E. Muller and W. C. Bartky, “A theory of asynchronous circuits,” in Annals of Computing Laboratory of Harvard University, 1959, pp. 204–243.

17. T. Murata, “Petri nets: Properties, analysis and applications,” Proceedings of the IEEE, 77:541–580, 1989.

18. M. Nielsen, G. Plotkin, and G. Winskel, “Event structures and domains,” Theoretical Computer Science, 13:85–108, 1980.

19. S. M. Nowick and D. L. Dill, “Automatic synthesis of locally-clocked asynchronous state machines,” in Proceedings of the International Conference on Computer-Aided Design, November 1991.

20. E. Pastor, O. Roig, J. Cortadella, and R. Badia, “Petri net analysis using boolean manipulation,” in 15th International Conference on Application and Theory of Petri Nets, Zaragoza, Spain, June 1994, pp. 416–435.

21. S. Patil and J. Dennis, “The description and realization of digital systems,” in Proceedings of the IEEE COMPCON, New York, 1972, pp. 223–226.

22. L. Pomello, G. Rozenberg, and C. Simone, “A survey of equivalence notions for net based systems,” Lecture Notes in Computer Science, 609:410–472, 1993.

23. A. Semenov and A. Yakovlev, “Event-based framework for verifying high-level models of asynchronous circuits,” Technical Report TR No. 487, Computing Science, University of Newcastle upon Tyne, June 1994.

24. E. M. Sentovich, K. J. Singh, L. Lavagno, C. Moon, R. Murgai, A. Saldanha, H. Savoj, P. R. Stephan, R. K. Brayton, and A. Sangiovanni-Vincentelli, “SIS: A system for sequential circuit synthesis,” Technical Report UCB/ERL M92/41, U.C. Berkeley, May 1992.

25. A. Valmari, “State of the art report: Stubborn sets,” Petri Nets Newsletter, 46:6–14, 1994.

26. P. Vanbekbergen, F. Catthoor, G. Goossens, and H. De Man, “Optimized synthesis of asynchronous control circuits from graph-theoretic specifications,” IEEE Transactions on Computer-Aided Design, November 1992.

27. A. Yakovlev, M. Kishinevsky, A. Kondratyev, and L. Lavagno, “OR causality: modelling and hardware implementation,” in Proceedings of the 15th International Conference on Application and Theory of Petri Nets, Lecture Notes in Computer Science 815, Zaragoza, Spain, Springer-Verlag, June 1994, pp. 568–587.