A False History of True Concurrency: From Petri to Tools

I briefly review the history of the unfolding approach to model checking. Carl Adam Petri passed away on July 2, 2010. I learnt about his death three days later, a few hours after finishing this text. He was a very profound and highly original thinker, and will be sadly missed. This note is dedicated to his memory. In some papers and talks, Moshe Vardi has described the history of the automatatheoretic approach to model checking, the verification technique that inspired the SPIN model checker and other tools. He traces it back to the work of theoreticians like Büchi, Prior, Trakhtenbrot and others, whose motivations were surprisingly far away from the applications that their ideas found down the line. Inspired by this work, in this note I briefly present the origins of the unfolding approach to model checking [21], a branch of the automata-theoretic approach that alleviates the state-explosion problem caused by concurrency. Since the unfolding approach is based on the theory of true concurrency, describing its origins requires to speak about the origin of true concurrency itself. However, here I only touch upon those aspects of the theory that directly inspired the unfolding approach. This leaves many important works out, and so this is a very partial and “false” history of true concurrency. The theory of true concurrency starts with two fundamental contributions by Carl Adam Petri, described in detail by Brauer and Reisig in an excellent article [11]. Both were a result of Petri’s interest in analyzing the connection between mathematical, abstract computing machines, and their physical realizations. In his dissertation “Kommunikation mit Automaten”, defended in 1962, Petri observes that the performance of a physically implemented Turing machine will degrade over time if the machine uses more and more storage space, because in this case signals have to travel longer and longer distances over longer and longer wires. To solve this problem he proposes an asynchronous architecture in which the storage space can be extended while the machine continues to operate. In the dissertation this abstract machine is described with the help of several semi-formal representations, but three years later Petri has already distilled the first mathematical formalism for asynchronous computation, and, arguably, the beginning of concurrency theory: Petri nets. Petri’s second contribution is an analysis of the notion of execution of a machine as a sequence of global states, or as a sequence of events ordered by their occurrence times with respect to some global clock. He observes that global states or global clocks are again a mathematical construct that cannot be “implemented”: since information can only travel at finite speed, no part of a system can know the state of all its components at a certain moment in time. He proposes to replace executions by nonsequential processes, sets of events ordered not by the time at which they occur, but by the causality relation, which is independent of the observer. The theory of nonsequential processes, subsequently developed by Goltz, Reisig, Best, Devillers, and Fernández, among others [26, 8, 9], distinguishes a system that concurrently executes two events a and b (usually denoted by a ‖ b in process algebra) from a system that chooses between executing a and then b, or b and then a, (usually denoted by a.b + b.a): they have the same executions, namely ab and ba, but different nonsequential processes. In fact, a ‖ b is not equivalent to any sequential system, and hence the name “truly concurrent semantics” or “true concurrency.” The next important step was due to Nielsen, Plotkin, and Winskel [51] in the early 80s. Recall that the executions of a system can be bundled together into a computation tree: the tree of events in which the nodes are the global states, and the children of a state are the states that the system may possibly reach next (where “next” implicitly assumes a global clock). Similarly, Nielsen, Plotkin, and Winskel showed how to bundle the nonsequential processes of the system into the unfolding of the system, a truly-concurrent branching-time semantics. Incidentally, their motivation was to extend Scott’s thesis (stating that the functions between datatypes computable by sequential programs are the continuous functions) to concurrent programs. The theory of unfoldings was further developed by Engelfriet, Nielsen, Rozenberg, Thiagarajan, Winskel, and others in [52, 53, 60, 61, 18]. All this research was taking place in the area of semantics, with semantic goals: to provide a precise, formal definition of the behaviour of a concurrent system that could be used as a reference object to prove the correctness of, for instance, proof systems à la Hoare. The success of model checking introduced a new way of looking at semantics: semantical objects were not only mathematical objects that allowed to formally prove the correctness or completeness of proof systems; they could also be constructed and stored in a computer, and used to automatically check behavioural properties. More precisely, model checking suggested to construct and store an increasingly larger part of the (usually infinite) computation tree until all global states have been visited (which was bound to happen for systems with finitely many global states). By the end of the 80s model checking had already achieved significant success. However, it faced the stateexplosion problem: the number of states of the system could grow very quickly 1 This can be taken a bit further: relativity theory shows that if the parts of a system move with respect to each other there is no physical notion of a global moment in time. 2 “Unfolding” is not the term used in [51]. as a function of the size of the system itself. One of the causes of the problem was concurrency: the number of global states of a system with n concurrent components, each of them with m local states, can be as large as m. The state-explosion problem was attacked by Ken McMillan in his PhD Thesis “Symbolic Model Checking”, where he famously proposed the use of Binary Decision Diagrams as a data structure for storing and manipulating sets of states. But the thesis also contains a second idea: instead of computing an initial part of the computation tree containing all global states (a complete prefix), McMillan suggests to construct a complete prefix of the unfolding. The unfolding of a concurrent system contains the same information as the computation tree, but encoded in a different way: where the computation tree represents all global states explicitly, as different nodes of a graph, the unfolding represents them implicitly, as the tuples of local states satisfying a certain condition. McMillan was the first to observe that this implicit representation provided a line of attack on the state-explosion problem, due to the smaller size of the implicit representation [45–47]. He showed how to algorithmically construct a complete prefix of the unfolding, and provided convincing experimental evidence that this approach contributed to solving the state-explosion problem. Thanks to McMillan’s ideas, the unfolding moved from being a mathematical object, born out of abstract work on the nature of concurrency, into a data structure for compactly representing the set of global states of a concurrent system. McMillan’s approach, however, still faced two problems. First, while the complete prefix of the unfolding constructed by his algorithm was usually much more compact than a complete prefix of the computation tree, it could also be exponentially bigger in the worst case. Second, McMillan’s algorithms could only check specific problems, like deadlock freedom or conformance. Both problems were overcome in the next years. Improved algorithms for constructing complete prefixes were described in [49, 22, 23, 31, 32, 35, 36, 38, 24], and extensions to (almost) arbitrary properties expressible in Linear Temporal Logic (LTL) were presented in [16, 19, 20]. Since 2000 the algorithms for constructing complete prefixes have been parallelized [33, 55] and distributed [5]. Initially developed for systems modeled as “plain” Petri nets, the unfolding approach has been extended to high-level Petri nets [37, 55], symmetrical Petri nets [17], unbounded Petri nets [1], nets with read arcs [59, 4], time Petri nets [25, 14, 15, 58],products of transition systems [22] automata communicating through queues [44], networks of timed automata [10, 12], process algebras [43], and graph transformation systems [3, 2]. It has been implemented many times [55, 56, 33, 42, 50, 29, 31, 20] and applied, among other problems, to conformance checking [48], analysis and synthesis of asynchronous circuits [39, 41, 40], monitoring and diagnose of discrete event systems [7, 6, 13, 27], and analysis of asynchronous communication protocols [44]. Two unfolders available online are Mole and PUNF, developed and maintained by Stefan Schwoon and Victor Khomenko, respectively [57, 34]. The unfolding approach to model checking is another example of how theoretical considerations about the nature of computation, and the relation between ideal and physical machines, have evolved into a pragmatic technique for the automatic verification of concurrent systems.

[1]  Wenhui Zhang,et al.  Automated Technology for Verification and Analysis, 4th International Symposium, ATVA 2006, Beijing, China, October 23-26, 2006 , 2006, ATVA.

[2]  Javier Esparza,et al.  The Model-Checking Kit , 2003, ICATPN.

[3]  Albert Benveniste,et al.  Distributed Monitoring of Concurrent and Asynchronous Systems , 2003, CONCUR.

[4]  Didier Lime,et al.  Symbolic Unfolding of Parametric Stopwatch Petri Nets , 2010, ATVA.

[5]  Kenneth L. McMillan,et al.  Symbolic model checking , 1992 .

[6]  Eike Best,et al.  Nonsequential Processes , 1988, EATCS Monographs on Theoretical Computer Science.

[7]  Albert Benveniste,et al.  Diagnosis of asynchronous discrete event systems, a net unfolding approach , 2002, Sixth International Workshop on Discrete Event Systems, 2002. Proceedings..

[8]  Glynn Winskel,et al.  Event Structures , 1986, Advances in Petri Nets.

[9]  Thomas Chatain,et al.  Time Supervision of Concurrent Systems Using Symbolic Unfoldings of Time Petri Nets , 2005, FORMATS.

[10]  Patricia Bouyer,et al.  Timed Unfoldings for Networks of Timed Automata , 2006, ATVA.

[11]  Walter Vogler,et al.  An Improvement of McMillan's Unfolding Algorithm , 2002, Formal Methods Syst. Des..

[12]  Glynn Winskel,et al.  An introduction to event structures , 1988, REX Workshop.

[13]  Ed Brinksma,et al.  A Complete Finite Prefix for Process Algebra , 1999, CAV.

[14]  Andrea Corradini,et al.  McMillan's Complete Prefix for Contextual Nets , 2008, Trans. Petri Nets Other Model. Concurr..

[15]  Alexandre Yakovlev,et al.  Resolution of Encoding Conflicts by Signal Insertion and Concurrency Reduction Based on STG Unfoldings , 2006, Sixth International Conference on Application of Concurrency to System Design (ACSD'06).

[16]  Maciej Koutny,et al.  Canonical prefixes of Petri net unfoldings , 2002, Acta Informatica.

[17]  Alexandre Yakovlev,et al.  Unfolding and Finite Prefix for Nets with Read Arcs , 1998, CONCUR.

[18]  Grzegorz Rozenberg,et al.  Behavioural notions for elementary net systems , 1989, Distributed Computing.

[19]  Javier Esparza,et al.  Unfoldings - A Partial-Order Approach to Model Checking , 2008, Monographs in Theoretical Computer Science. An EATCS Series.

[20]  Denis Poitrenaud,et al.  Designing a LTL Model-Checker Based on Unfolding Graphs , 2000, ICATPN.

[21]  Thomas Chatain,et al.  Symbolic Diagnosis of Partially Observable Concurrent Systems , 2004, FORTE.

[22]  Bernd Grahlmann,et al.  The PEP Tool , 1997, CAV.

[23]  Kenneth L. McMillan,et al.  Using Unfoldings to Avoid the State Explosion Problem in the Verification of Asynchronous Circuits , 1992, CAV.

[24]  Raymond R. Devillers,et al.  Sequential and Concurrent Behaviour in Petri Net Theory , 1987, Theor. Comput. Sci..

[25]  Maciej Koutny,et al.  Towards an Efficient Algorithm for Unfolding Petri Nets , 2001, CONCUR.

[26]  Grzegorz Rozenberg,et al.  Transition Systems, Event Structures and Unfoldings , 1991 .

[27]  Maciej Koutny,et al.  Detecting state coding conflicts in STG unfoldings using SAT , 2003, Third International Conference on Application of Concurrency to System Design, 2003. Proceedings..

[28]  Maciej Koutny,et al.  Parallelisation of the Petri Net Unfolding Algorithm , 2002, TACAS.

[29]  Hans Fleischhack,et al.  Computing a Finite Prefix of a Time Petri Net , 2002, ICATPN.

[30]  D. Galloway Should surgeons still sit an exit examination , 2005 .

[31]  Maciej Koutny,et al.  Branching Processes of High-Level Petri Nets , 2003, TACAS.

[32]  Keijo Heljanko,et al.  Model Checking with Finite Complete Prefixes Is PSPACE-Complete , 2000, CONCUR.

[33]  Glynn Winskel,et al.  Petri Nets, Event Structures and Domains , 1979, Semantics of Concurrent Computation.

[34]  Glynn Winskel,et al.  Petri Nets, Event Structures and Domains, Part I , 1981, Theor. Comput. Sci..

[35]  Javier Esparza,et al.  An Unfolding Algorithm for Synchronous Products of Transition Systems , 1999, CONCUR.

[36]  Wolfgang Reisig,et al.  Carl Adam Petri and "Petri Nets" , 2007 .

[37]  Barbara König,et al.  Augur - A Tool for the Analysis of Graph Transformation Systems , 2005, Bull. EATCS.

[38]  Thomas Chatain,et al.  Symbolic Unfoldings for Networks of Timed Automata , 2006, ATVA.

[39]  Javier Esparza,et al.  Reachability Analysis Using Net Unfoldings , 2000 .

[40]  Thomas Chatain,et al.  Complete Finite Prefixes of Symbolic Unfoldings of Safe Time Petri Nets , 2006, ICATPN.

[41]  Javier Esparza,et al.  Verification Using PEP , 1996, AMAST.

[42]  Maciej Koutny,et al.  LP Deadlock Checking Using Partial Order Dependencies , 2000, CONCUR.

[43]  Kenneth L. McMillan,et al.  Trace Theoretic Verification of Asynchronous Circuits Using Unfoldings , 1995, CAV.

[44]  Keijo Heljanko Using Logic Programs with Stable Model Semantics to Solve Deadlock and Reachability Problems for 1-Safe Petri Nets , 1999, Fundam. Informaticae.

[45]  Didier Lime,et al.  Diagnosis Using Unfoldings of Parametric Time Petri Nets , 2010, FORMATS.

[46]  Stephan Melzer,et al.  Deadlock Checking Using Net Unfoldings , 1997, CAV.

[47]  Joost Engelfriet,et al.  Branching processes of Petri nets , 1991, Acta Informatica.

[48]  Denis Poitrenaud,et al.  Unfolding of Products of Symmetrical Petri Nets , 2001, ICATPN.

[49]  Javier Esparza,et al.  A New Unfolding Approach to LTL Model Checking , 2000, ICALP.

[50]  Paolo Baldan,et al.  Distributed Unfolding of Petri Nets , 2006, FoSSaCS.

[51]  Wolfgang Reisig,et al.  The Non-sequential Behavior of Petri Nets , 1983, Inf. Control..

[52]  Parosh Aziz Abdulla,et al.  Unfoldings of Unbounded Petri Nets , 2000, CAV.

[53]  Javier Esparza,et al.  Implementing LTL model checking with net unfoldings , 2001, SPIN '01.

[54]  Maciej Koutny,et al.  Logic Synthesis for Asynchronous Circuits Based on STG Unfoldings and Incremental SAT , 2006, Fundam. Informaticae.

[55]  Victor Khomenko,et al.  Parallel LTL-X Model Checking of High-Level Petri Nets Based on Unfoldings , 2004, CAV.

[56]  B. König,et al.  Verifying Finite-State Graph Grammars: An Unfolding-Based Approach , 2004, CONCUR.

[57]  Abteilung Für Informatik Und,et al.  Unfolding-based Diagnosis of Systems with an Evolving Topology , 2008 .

[58]  Yu Lei,et al.  An Approach to Unfolding Asynchronous Communication Protocols , 2005, FM.

[59]  Kenneth L. McMillan,et al.  A technique of state space search based on unfolding , 1995, Formal Methods Syst. Des..