LoLA is an explicit-state model checker for Petri nets that focuses on standard properties and uses many reduction techniques such as stubborn sets, symmetries, and sweep-line heuristics to efficiently analyze large state spaces. It takes Petri nets as input in the form of place/transition nets or high-level algebraic nets and allows users to specify verification tasks involving properties such as boundedness, reachability, and temporal logics. LoLA is open source and has been used in several case studies to generate experimental results tables exploring the impact of basic design decisions.

1. Verification with LoLA
Niels Lohmann and Karsten Wolf
The Blue Angel
Germany, 1930
Run Lola Run
Germany,1998

2. What is LoLA?
• Explicit state space generation
• Place/Transition nets
• Focus on standard properties
• Many reduction techniques, unique features
• Stream based interface
• Open source

3. Where does it come
from?
• INA - Integrated Net Analyzer by Peter Starke
• grown for long time
• state space and structural techniques
• several net classes
• suboptimal design decisions
• MODULA 2
• Papers needed tables with absolute run times

4. Purpose
• Generate competitive “experimental results”
tables
• Explore impact of basic design decisions
• ... Ship as tool

5. Milestones
• 1998: 1st release
• 1998-2005: State space reduction techniques
• 2000: Presentation at Petri Nets
• 2005-: Case studies, integration
• 2007: Invited talk at Petri Nets
• since 2008: Implementation of software
development processes

6. Basic Design Decisions
• No GUI
• Realistic nets are generated, not
painted
• GUI blocks portability
• Many GUIs available, simple
connection possible
• Do not want user interaction
during verification

7. Basic Design Decisions
• One property, one state space
• as opposed to query languages on state
spaces
• One property, one dedicated reduction
• Benefit from on-the-fly verification
• Generation faster than loading

8. Basic Design Decisions
• Configuration at compile time
• property class, search strategy, reductions
• #define instead of if()
• repeated runs in same configuration

9. Featured Properties
• Boundedness (place) • Reversibility
• Boundedness • Home states
• Reachability (marking) • LTL properties F φ,
GF φ, FG φ (predicate)
• Reachability (predicate)
• CTL (formula)
• Deadlocks
• Death (transition)
• Liveness (predicate)

10. Featured Reductions
• Stubborn Sets • Reduction based on S/T
invariants
• unique: dedicated
techniques for standard
properties
• unique.
• Symmetries • Coverability graphs
• unique: automated
• unique: combination with
other reductions
determination of
symmetries in low level
net
• Sweep-Line
• unique: automated
calculation of a progress
measure

11. Goal of Tutorial
• Can LoLA help you?
• Where (and why) does it perform well?
• How to (optimally) use it, to integrate it

12. Outline
• Introduction • Input Language
• Motivation, • State Space
background, Techniques
history
• Using LoLA
• Preview and
outline • Case Studies
• Basic notions • Integrating LoLA
• First demo • Implementation

13. Basic notions: net
• Net: [P,T,F,W,m0]
• P,T finite, nonempty, disjoint
• F ⊆(P x T) ∪ (T x P)
• W: F →N+
• m0: P →N
• Firing
• t activated in m: (p,t) ∈ F m(p) ≥ W(p,t)
• firing; m [t> m’: m’(p) = m(p) - W(p,t) + W(t,p)
• State space:
• states: reachable markings
• edges: m[t>m’

14. Basic notions: properties
• Place p is ...
• bounded iff there is a k such that, for all reachable m, m(p) < k
• Transition t is ...
• dead iff it is not activated in any reachable marking
• State predicate φ (p <>≤≥=≠ k, φ∧φ, φ∨φ,¬φ) is ...
• reachable iff some reachable marking satisfies v
• live iff, from every reachable marking, a marking is reachable that satisfies φ
• Net ...
• is bounded iff all places are
• is reversible iff the initial marking is reachable from all reachable marking
• has home states iff some marking is reachable from all reachable markings
• is deadlock-free iff every reachable marking activates at least one transition

15. Basic notions: Temporal Logic
• LTL: infinite path (starting in m0) satisfies ...
• F φ : is satisfied at least once
• GF φ: φ is satisfied in infinitely many markings
• FG φ: φ is satisfied forever from some marking on
• CTL: marking m satisfies ...
• AX (EX) φ: φ holds in all (some) immediate successor marking
• AF (EF) φ: every (some) path from m contains a marking satisfying φ
• AG (EG) φ: on every (some) path from m, φ holds in all markings
• A(E) φ U ψ: on every (some) path starting in m, there is a marking that satisfies
ψ such that all preceding markings satisfy φ

16. Basic notions: State Space
• Strongly connected component (scc)
• max set of mutually reachable states
• partitions state space
• form acyclic graph, maximal elements: terminal scc (tscc)
• Properties vs scc:
• reversible: net has one scc
• home states: net has one tscc
• live: satisfiable in all tscc

17. Basic notions: Search
• Depth first
• can be extended easily for detecting cycles and scc
• tends to yield long paths
• Breadth first
• difficult to detect cycles and scc
• yields shortest path

18. 2. The LoLA Input Language

19. Plan
• Place/Transition nets
• Verification task
• High-Level nets
• Demo

20. Place/Transition Nets
N = [P,T,F,W,m0] treated as variables
PLACE p1, p2, p3, p4;
can be replaced as a whole
MARKING p1:2, p3:1, p1:1;
compatible with computed
markings
{ this is a comment }
TRANSITION t1
CONSUME p1:3, p2: 1;
PRODUCE p3: 2, p1 : 2;
treated as procedures
TRANSITION t2
CONSUME p3 : 1;
PRODUCE ;
only one reference per arc

21. Identifiers
Many special characters permitted, eg.
p4 23 message[x=13,from=”bla”]
Reason: easier for tools to generate such
names

22. Storage directives
If bounds for some places are known:
PLACE
default, #CAPACITY in
p0;
userconfig.H
SAFE 3: p1, p2;
SAFE 7: p3, p4;
SAFE: p5; = SAFE 1
Only for internal memory allocation, no
capacity!

23. Fairness Constraints
needed for the LTL properties only
(fair CTL is not supported so far)
TRANSITION t1 STRONG FAIR
...
TRANSITION t2 WEAK FAIR
...
TRANSITION t3
...

24. Verification Task Input
• Can be specified inline or as separate file
• For boundedness of places: ANALYSE PLACE p1
• For dead transitions: ANALYSE TRANSITION t2
• For all properties involving state predicate:
FORMULA (p1 > 3 OR p2 <= 7) AND NOT p6 = 1
• For CTL model checking:
• FORMULA EXPATH ALWAYS ALLPATH EVENTUALLY p1 > 3
• FORMULA EXPATH (p1 > 7 UNTIL p2 < 3)

25. High Level Net Input
• Main purpose: To obtain scalable sequences of models
• Deprecated for translation from other formalisms
(problem: semantic conformance)
• Will be unfolded into place/transition net anyway
• Experience: Parsing from UNIX pipe no time issue
• Style: algebraic Petri nets with explicit interpretation

26. Algebraic Petri Nets
• Signature: sorts + sorted operation symbols
• Interpretation: sets of values, n-ary functions
• Places: annotated with sort (type) symbol
• interpretation: set of values (colors)
• Transitions: annotated with set of variables, guard
expression
• interpretation: every valid assignment is firing mode
• Arcs: annotated with terms over the transition variables
• interpretation: map from firing mode of transition into color set of place
• Marking: written as multiset of terms

27. Signature: Sorts and
their interpretation
SORT
a = [ 1 , 5 ]; { 1,2,3,4,5 }
b = BOOLEAN; { TRUE, FALSE }
c = ENUMERATE red blue green END; { red, blue, green }
“successor” canonically defined on each value set
scalar arbitrary each value has
unique text
d = ARRAY [1,3] OF BOOLEAN;
representation
{ [FALSE|FALSE|FALSE], ... , [TRUE|TRUE|TRUE] }
e = RECORD
receiver : a;
sender : b;
END ; { <1|FALSE>, ...., <3|TRUE> }

28. Signature: operations
and their interpretation
SORT phils = [1 , 5 ]; forks = [1 , 5];
FUNCTION leftfork (x : phils) : forks signature
BEGIN
RETURN x
END interpretation
FUNCTION rightfork(x : phils): forks
BEGIN
RETURN x + 1
expressions evaluate
END on all integers,
FUNCTION allthinking () : phils assignments align to
VAR x : phils;
BEGIN
value set (modulo
FOR ALL x DO arithmetic)
RETURN x
END
END result is multiset

29. Statements in function body
EXIT
leave function
RETURN E
add value of E to return multiset, continue
L = E
assignment
S1 ; S2
sequential composition
WHILE E DO S END
while loop
REPEAT S UNTIL E END
until loop
FOR x := E1 TO E2 DO S END
for loop in canonical order of values
FOR ALL x DO S END
for loop through all elements of sort of x
IF E THEN s1 [ELSE S2] END
branch statement
SWITCH E
CASE E1: S1 ... CASE En: Sn
ELSE S
END
multibranch statement

30. Expressions in function body
pointwise for
X X[a + b] X.c[a + b]
arrays and
records
645 TRUE FALSE
A <-> B A -> B A AND B A OR B NOT A
A<B A <= B A>B A >= B A=B A <> B A#B
A+B A*B A-B A/B A MOD B
(E)
[ E1 | E2 | .... | En ] no modulo
bla ( E1, ...., En)
before
function must assignment
return exactly
one value

31. Example: Network
SORT dimensions = [ 1 , 3 ]; row = [ 1 , 3 ]; agent = ARRAY dimensions OF row ;
message = RECORD receiver : agent; sender : agent; END;
FUNCTION X (a:agent;b:agent):message
VAR m : message;
BEGIN
m . receiver = a; m . sender = b; RETURN m
END
FUNCTION N(z:agent):agent
VAR l : dimensions; low : row; high : row;
BEGIN
low = 1; high = low - 1; { remind canonical order }
FOR ALL l DO
IF z [ l ] > 1ow THEN z [ l ] = z [ l ] - 1; RETURN z; z[l]=z[l]+1 END;
IF z [ l ] < high THEN z [ l ] = z [ l ] + 1; RETURN z; z[l]=z[l]-1 END
END
END

32. per value HL Places
tokens of sort forks
PLACE
SAFE p1 : phils, p2 : forks , p3 ;
...
tokens of sort phils low level place
unfolded to:
PLACE SAFE
p1.1, p1.2, p1.3, p1.4, p1.5, p2.1, p2.2, p2.3, p2.4, p2.5, p3;

33. HL Initial Marking
multiterm
without variable
sorts must fit
MARKING th : allphilosophers(),
fo : L(allphilosophers()), unfolded name
th.2 : 3,
p3 : 5;
low level place

34. HL Transitions
valid for all
TRANSITION receive WEAK FAIR instances
VAR sender , receiver : agent;
GUARD is_neighbour( sender , receiver) firing mode
CONSUME channe1 : X ( sender, receiver )
PRODUCE channel : X (N(sender),sender), internal :
receiver
multiterms
unfolded to
TRANSITION receive.[sender=1,receiver=2] WEAK FAIR
CONSUME ....
Only instances with satisfied guards are generated
Isolated places are finally removed

35. HL Verification tasks
parentheses
compulsory
EXISTS x : phils : ( eating . ( x ) > 0 ) AND thinking.1 = 0
ALL y : phils : ( [y = 1] OR fo . ( L(y) ) = 0 )
any expression

36. 3. State Space Reduction

37. Plan
• Stubborn sets [Petri Nets 1999]
• Symmetry [Acta Informatica 2000]
• Invariants [TACAS 2003]
• Sweep-Line [TACAS 2004]

38. The Stubborn Set Method
38

39. Diamonds from concurrency
a b
b
a
39

40. Diamonds from concurrency
s1
a b
s s’
b
s2 a
39

41. State Explosion by Concurrency
Process A Process B Process C
internal internal 1
internal
internal internal 2
internal
sync sync sync 3
4
111
211 121 112
311 221 131 212 122 113
312 321 231 222 132 213 123
322 331 232 313 133 223
332 323 233
333
444 40

42. Stubborn Sets
111
211 121 112
311 221 131 212 122 113
312 321 231 222 132 213 123
322 331 232 313 133 223
332 323 233
333
41
444

43. Stubborn Sets
In every marking m:
stubborn(m) ⊆ T
fire only activated transitions in stubborn(m)
111
211 121 112
311 221 131 212 122 113
312 321 231 222 132 213 123
322 331 232 313 133 223
332 323 233
333
41
444

44. Stubborn Sets
In every marking m:
stubborn(m) ⊆ T
fire only activated transitions in stubborn(m)
reduced transition system:
111
211 121 112
311 221 131 212 122 113
312 321 231 222 132 213 123
322 331 232 313 133 223
332 323 233
333
41
444

45. Stubborn Sets
In every marking m:
stubborn(m) ⊆ T
fire only activated transitions in stubborn(m)
reduced transition system:
111
211 121 112
311 221 131 212 122 113
312 321 231 222 132 213 123
322 331 232 313 133 223
332 323 233
333
41
444

46. Stubborn Sets
In every marking m:
stubborn(m) ⊆ T
fire only activated transitions in stubborn(m)
reduced transition system:
111
211 121 112
311 221 131 212 122 113
312 321 231 222 132 213 123
322 331 232 313 133 223
332 323 233
333
41
444

47. Stubborn Sets
In every marking m:
stubborn(m) ⊆ T
fire only activated transitions in stubborn(m)
reduced transition system:
111
211 121 112
311 221 131 212 122 113
312 321 231 222 132 213 123
322 331 232 313 133 223
332 323 233
333
41
444

48. Stubborn Sets
In every marking m:
stubborn(m) ⊆ T
fire only activated transitions in stubborn(m)
reduced transition system:
111
211 121 112
311 221 131 212 122 113
312 321 231 222 132 213 123
322 331 232 313 133 223
332 323 233
333
41
444

49. Reduced Transition System
111
121
122
222
223
323
333
42
444

50. How to Preserve Properties
Core principle:
outside stubborn(m)
m2 implies
in stubborn(m)
plus property specific requirements
presence of right path justifies absence of left path
43

51. How to Preserve Properties
Core principle:
outside stubborn(m)
m w1 m1 t m2 implies
in stubborn(m)
plus property specific requirements
presence of right path justifies absence of left path
43

52. How to Preserve Properties
Core principle:
outside stubborn(m)
m w1 m1 t m2 implies m t m1 ’ w1 m2
in stubborn(m)
plus property specific requirements
presence of right path justifies absence of left path
43

53. Preservation of Deadlocks
Core principle +
implies
Proof:
44

54. Preservation of Deadlocks
Core principle +
implies
Proof:
Let m w d length(w) = min
44

55. Preservation of Deadlocks
Core principle +
implies
Proof:
Let m w d length(w) = min
1st case: some t of stubborn(m) occurs in w
44

56. Preservation of Deadlocks
Core principle +
implies
Proof:
Let m w d length(w) = min
1st case: some t of stubborn(m) occurs in w
m w1 s1 t m2 w2 d
44

57. Preservation of Deadlocks
Core principle +
implies
Proof:
Let m w d length(w) = min
1st case: some t of stubborn(m) occurs in w
m w1 s1 t m2 w2 d
m t m1 ’ w1 m2 w2 d
44

58. Preservation of Deadlocks
Core principle +
implies
Proof:
Let m w d length(w) = min
1st case: some t of stubborn(m) occurs in w
m w1 s1 t m2 w2 d m1’ in red. TS,
m t m1 ’ w1 m2 w2 d closer to d!
44

59. Preservation of Deadlocks
Core principle +
implies
Proof:
Let m w d length(w) = min
1st case: some t of stubborn(m) occurs in w
m w1 s1 t m2 w2 d m1’ in red. TS,
m t m1 ’ w1 m2 w2 d closer to d!
2nd case: no t of stubborn(m) occurs in w
44

60. Preservation of Deadlocks
Core principle +
implies
Proof:
Let m w d length(w) = min
1st case: some t of stubborn(m) occurs in w
m w1 s1 t m2 w2 d m1’ in red. TS,
m t m1 ’ w1 m2 w2 d closer to d!
2nd case: no t of stubborn(m) occurs in w
m w d
44

61. Preservation of Deadlocks
Core principle +
implies
Proof:
Let m w d length(w) = min
1st case: some t of stubborn(m) occurs in w
m w1 s1 t m2 w2 d m1’ in red. TS,
m t m1 ’ w1 m2 w2 d closer to d!
2nd case: no t of stubborn(m) occurs in w
m w d
t 44

62. Preservation of Deadlocks
Core principle +
implies
Proof:
Let m w d length(w) = min
1st case: some t of stubborn(m) occurs in w
m w1 s1 t m2 w2 d m1’ in red. TS,
m t m1 ’ w1 m2 w2 d closer to d!
2nd case: no t of stubborn(m) occurs in w
m w d
t t 44

63. Preservation of Deadlocks
Core principle +
implies
Proof:
Let m w d length(w) = min
1st case: some t of stubborn(m) occurs in w
m w1 s1 t m2 w2 d m1’ in red. TS,
m t m1 ’ w1 m2 w2 d closer to d!
2nd case: no t of stubborn(m) occurs in w
m w d
t d not a
t 44
deadlock!

64. Preservation of Deadlocks
Core principle + m w m’
implies
Proof:
Let m w d length(w) = min
1st case: some t of stubborn(m) occurs in w
m w1 s1 t m2 w2 d m1’ in red. TS,
m t m1 ’ w1 m2 w2 d closer to d!
2nd case: no t of stubborn(m) occurs in w
m w d
t d not a
t 44
deadlock!

65. Preservation of Deadlocks
Core principle + m w m’
implies
t
Proof:
Let m w d length(w) = min
1st case: some t of stubborn(m) occurs in w
m w1 s1 t m2 w2 d m1’ in red. TS,
m t m1 ’ w1 m2 w2 d closer to d!
2nd case: no t of stubborn(m) occurs in w
m w d
t d not a
t 44
deadlock!

66. Preservation of Deadlocks
Core principle + m w m’
implies t
t
Proof:
Let m w d length(w) = min
1st case: some t of stubborn(m) occurs in w
m w1 s1 t m2 w2 d m1’ in red. TS,
m t m1 ’ w1 m2 w2 d closer to d!
2nd case: no t of stubborn(m) occurs in w
m w d
t d not a
t 44
deadlock!

67. Preservation of LTL/CTL
LTLX:
Core principle
+Visibility: all transitions in stubborn(m) invisible to φ or
stubborn(m) = T
+Proviso: Once in every cycle: stubborn(m) = T
CTLX:
LTL
+ |stubborn(m)| = 1 or stubborn(m) = T
Consequences:
- only local properties yield reduction
- Proviso avoids infinite stuttering
- Proviso known to cause explosion
- Proviso requires cycle detection (e.g. depth first)
- CTL only performant when number of conflicts is small

68. LoLA’s Approaches
Let φ be state predicate Assume m does not satisfy φ
wrup(m, φ ) = some set of transitions such that every path
to an m’ that satisfies φ contains at least
one transition of wrup(m, φ ).
Examples:
wrup(m, “m* reached”) = •p, for some p with m(p) < m*(p)
= p•, for some p with m(p) > m*(p)
wrup(m,p>k) = wrup(m,p≥k) = •p
wrup(m,p<k) = wrup(m,p≤k) = p•
wrup(m, φ1 ∧φ2) = wrup(m, φ1) if m does not satisfy φ1
= wrup(m, φ2) if m does not satisfy φ2
wrup(m, φ1 ∨φ2) = wrup(m, φ1)∪ wrup(m, φ2)
wrup(m, t not dead) = {t} 46

69. Theorem
Reachability of φ:
core principle
+ wrup(m, φ) ⊆ stubborn(m)
orig. φ
red.
m
m0 47

70. Theorem
Reachability of φ:
core principle
+ wrup(m, φ) ⊆ stubborn(m)
orig. φ
red.
m
m0 47

71. Theorem
Reachability of φ:
core principle
+ wrup(m, φ) ⊆ stubborn(m)
orig. φ
red.
in wrup(m, φ)
m
m0 47

72. Theorem
Reachability of φ:
core principle
+ wrup(m, φ) ⊆ stubborn(m)
orig. φ
red.
in wrup(m, φ)
t 1st in ample(m)
m
m0 47

73. Theorem
Reachability of φ:
core principle
+ wrup(m, φ) ⊆ stubborn(m)
orig. φ
red.
in wrup(m, φ)
m1
t 1st in ample(m)
m
m0 47

74. Theorem
Reachability of φ:
core principle
+ wrup(m, φ) ⊆ stubborn(m)
orig. φ
red.
in wrup(m, φ)
m1
t 1st in ample(m)
m
m1 closer to m’ than m
m0 47

75. Effect
• Can be applied to global predicates
• Astonishing goal-orientation
• Has been relaxed by Kristensen/Valmari (wrup must
be contained only once in an scc)
• They perform better if predicate unreachable
• Unrelaxed method better if predicate reachable
• Can be extended to boundedness:
• Bounded net: wrup(m) = {t : |t•|>|•t|}
• Bounded place: wrup(m,p) = •p
relaxed

76. TSCC based properties
Valmari:
core principle
+ weak proviso: Every transition in stubborn(m) at
least once in every tscc of reduced system:
every tscc of original state space visited in reduced
state space

77. TSCC based properties
Idea:
- Construct Valmari’s tscc-preserving state space
- Pick one element of each tscc of reduced state space
- check mutual reachability for home state
- check reachability of m0 for reversibility
- check rechability of φ for liveness of φ
userconfig.H:
twophase TWOPHASE

78. CTL/LTL properties
• CTL: Separate search space for each subformula
• Use wrup for EF and AG
• Use traditional CTL method for other
operators
• LTL: search counterexample path: F φ ➪ G¬φ,
GF φ ➪ FG¬φ, FGφ ➪ GF¬φ
• G ¬φ LTL preserving, but drop Proviso
• FG¬φ,GF¬φ:
• drop Proviso if m satisfies ¬φ
• wrup(m,¬φ) if m satisfies φ

79. Symmetries

80. Symmetric Behavior
Goal: symmetry in transition system
σ is symmetry if: ΣTS: set of all
σ is bijection R(m0)  R(m0) symmetries in R(m0)
m [t> m’ iff ex. t’: σ(m) t’> σ(m’)
σ(m0) = m0
by induction:
m0 m1 m2 ... path 
σ(m0) σ(m1) σ(m2) ... path as well
-Id is always symmetry [ΣTS,o] is
-If σ symmetry, so is σ-1 group
-If σ1 and σ2 symmetries, so is σ1 o σ2
53

81. Equivalence of States
54

82. Equivalence of States
Have to detect symmetries prior to state space generation,
typically cannot deduce all of them
but: can always close under inversion and composition
54

83. Equivalence of States
Have to detect symmetries prior to state space generation,
typically cannot deduce all of them
but: can always close under inversion and composition
fix some subgroup Σ ⊆ ΣTS
54

84. Equivalence of States
Have to detect symmetries prior to state space generation,
typically cannot deduce all of them
but: can always close under inversion and composition
fix some subgroup Σ ⊆ ΣTS
m ~ m’ iff ex. σ ∈ Σ such that σ(m) = m’
54

85. Equivalence of States
Have to detect symmetries prior to state space generation,
typically cannot deduce all of them
but: can always close under inversion and composition
fix some subgroup Σ ⊆ ΣTS
m ~ m’ iff ex. σ ∈ Σ such that σ(m) = m’
~ is equivalence relation
54

86. Reduced Transition System
TSΣ = [R(m0)/~ , EΣ , [m0]Σ]
EΣ = { [ [s],[s’] ] | ex. s ∈ [s], ex. s’ ∈ [s’] : [s,s’] ∈ E}
Size of reduced system:
| R(m0)/~ | ≥ | R(m0) | / | Σ |
|Σ | can be exponential in size of Petri net
55

87. Σ = { Id, σ}
Example
σ([x,y,z]) =
[y,x,z]
(i,i,1)
(r,i,1) (i,r,1)
g1
(c,i,0) (r,r,1) (i,c,0)
(c,r,0) (r,c,0)
56

88. Example
Σ = { Id, σ} σ([x,y,z]) =
[y,x,z]
(i,i,1)
(r,i,1)
(c,i,0) (r,r,1)
(c,r,0)
57

89. Construction of reduced
R := E := ø; dfs(m0);
dfs(m) Approximation
R := R ∪ {m};
FOR ALL t: activated in m DO
m’ = m + Δt;
IF can find σ with σ(m’)∈ R THEN
E := E ∪{[m, t, σ(m’) ]}; The “Orbit-
ELSE Problem”
E := E ∪{[m,t, m’ ]};
dfs(m’);
END
END
58

90. “Traditional” Symmetry
Tools
• Depend on “scalar set” data type
• =, ≠, arrays, for each, no constant
• Cannot model networks other than cliques
• LoLA: can handle all kinds of symmetry in
the net structure

91. PN automorphisms
Bijection σ: P∪T → P∪T is PN automorphism,
iff, for all x,y ∈ P∪T:
- m0(x) = m0(σ(x))
- If [x,y] ∈ F then [σ(x),σ(y)] ∈ F and W([x,y]) = W([σ(x),σ(y)])
Every PN automorphism induces symmetry in state space:
σ(m)(σ(p)) = m(p)
60

92. Example
2 3
1 4
11 11 12 12 13 13 14 14
22 24 21 23 22 24 21 23
33 33 34 34 31 31 32 32
44 42 43 41 44 42 43 41
id
61

93. Schreier-Sims generating set
U1
U2
U3 subgroup induces partition of whole group
pick one element of each class (“orbit”)
Group: all automorphisms
U1: all automorphisms that map p1 to p1
U2: all automorphisms that map p1 to p1, p2 to p2
...
Un: Id
has O(n^2) elements

94. Example
2 3
1 4
11 11 12 12 13 13 14 14
22 24 21 23 22 24 21 23
33 33 34 34 31 31 32 32
44 42 43 41 44 42 43 41
id
U1
U2 63

95. 2 3
Example
1 4
E={2 id, 3 2 ,3 2 3, 2 3
;
id, }
1 g1 4 1 g2 4 1 g3 4 1 g4 4
id o id = id g2 o id =
id o g4 = g2 o g4 =
g1 o id = g3 o id =
g1 o g4 = g3 o g4 =
64

96. Another Example
8 7
5 6
4 3 g = g1 o g2 o g3
1 2
1. Layer: 1 →1 ... 8
2. Layer 1 → 1, 2 → 2,4,5
3. Layer 1 → 1, 2 → 2, 3 → 3,6
7 + 2 + 1 = 10 generators for
8 x 3 x 2 = 48 automorphisms
65

97. Orbit Problem: Approximation
id id
g11 g12 g13
g14-1 g21 g22 g23 g31 g32
g14
given: m searched: canonical representative(m)
66

98. Orbit Problem: Approximation
id id
g11 g12 g13
g14-1 g21 g22 g23 g31 g32
g14
given: m searched: canonical representative(m)
1. m1 := MIN{g1i-1(m), i = ...}
66

99. Orbit Problem: Approximation
id id
g11 g12 g13
g14-1 g21 g22 g23 g31 g32
g14
given: m searched: canonical representative(m)
1. m1 := MIN{g1i-1(m), i = ...}
2. m2 := MIN{g2i-1(m1), i = ...}
66

100. Orbit Problem: Approximation
id id
g11 g12 g13
g14-1 g21 g22 g23 g31 g32
g14
given: m searched: canonical representative(m)
1. m1 := MIN{g1i-1(m), i = ...}
2. m2 := MIN{g2i-1(m1), i = ...}
3. m3 := MIN{g3i-1(m2), i = ...}
66

101. Orbit Problem: Approximation
id id
g11 g12 g13
g14-1 g21 g22 g23 g31 g32
g14
given: m searched: canonical representative(m)
1. m1 := MIN{g1i-1(m), i = ...} ........
2. m2 := MIN{g2i-1(m1), i = ...} n. mn := MIN{gni-1(mn-1), i = ...}
3. m3 := MIN{g3i-1(m2), i = ...}
66

102. Orbit Problem: Approximation
id id
g11 g12 g13
g14-1 g21 g22 g23 g31 g32
g14
given: m searched: canonical representative(m)
1. m1 := MIN{g1i-1(m), i = ...} ........
2. m2 := MIN{g2i-1(m1), i = ...} n. mn := MIN{gni-1(mn-1), i = ...}
3. m3 := MIN{g3i-1(m2), i = ...} canrep(m) := mn
66

103. 2 3
Example
2 2 2
2 3 3 3 3
1 4
E={ , , ; }
1 4 1 4 1 4 1 4
g12 g13 g14 g22
3 2
2 3
m 32 32
id-1(m) = id(m) =
1 4 11 41
1 1 12 31
-1(m) = (m) =
31 42
32 31
-1(m) = (m) =
21 41
12 33
-1(m) = (m) =
11 4 2
67

104. 2 3
Example
2 2 2
2 3 3 3 3
1 4
E={ , , ; }
1 4 1 4 1 4 1 4
g12 g13 g14 g22
3 2
2 3
m 32 32
id-1(m) = id(m) =
1 4 11 41
1 1 12 31
-1(m) = (m) =
31 42
32 31
-1(m) = (m) =
21 41
12 33
-1(m) = (m) = ≠ m1
11 4 2
67

105. 2 3
2
Example
2 2 2
3 3 3 3
1 4
E={ , , ; }
1 4 1 4 1 4 1 4
g12 g13 g14 g22
3 2
2 3
s 12 33
id-1(m1) = id(m1) =
1 4 11 42
1 1
x = 12 3x = 3 22 33
s1 -1(m) = (m) =
x=11 4x = 2 11 41
12 32
Result ≠ canrep(m) = (m) =
1 1 43

106. 2 3
2
Example
2 2 2
3 3 3 3
1 4
E={ , , ; }
1 4 1 4 1 4 1 4
g12 g13 g14 g22
3 2
2 3
s 12 33
id-1(m1) = id(m1) = Result
1 4 11 42
1 1
x = 12 3x = 3 22 33
s1 -1(m) = (m) =
x=11 4x = 2 11 41
12 32
Result ≠ canrep(m) = (m) =
1 1 43

107. Summary Symmetries
symmetries 69

108. Summary Symmetries
calculation of symmetries, exact solution of orbit problem:
equivalent to graph isomorphism (NP)
symmetries 69

109. Summary Symmetries
calculation of symmetries, exact solution of orbit problem:
equivalent to graph isomorphism (NP)
Many other orbit algorithms available in LoLA, even more by
Tommi Junttila
best choice depends on structure of symmetry group
symmetries 69

110. Using Petri net invariants
in state space

111. Two approaches
compress states (use place invariants)
save space and time
exempt states from storage (use transition invariants)
space/time tradeoff
71

112. First approach: use place invariants
72

113. First approach: use place invariants
Let i be place invariant:.
For all reachable m:
i • m = i • m0
72

114. First approach: use place invariants
Let i be place invariant:.
For all reachable m:
i • m = i • m0
i • m0 – Σp’≠p i(p’) • m(p’)
.... and, for a place p with i(p) ≠ 0: m(p) = i(p)
72

115. Example
3 2
invariant 1: [ 1 1 0 0 0 ] invariant 2: [ 0 0 0 1 1 ]
that is, for all reachable markings m:
m(p1) = 1 – m(p2) m(p5) = 2 – m(p4)
only p2,p3,p4 need to be stored (40 % compression)
73

116. Overhead
preprocessing
- time
- space
state space
construction
- time
74

117. Overhead
appears to be:
preprocessing
- time compute invariants
- space |inv| • |places|
state space
construction
- time recover saved
components
74

118. Overhead
appears to be: actually is:
preprocessing
- time compute invariants compute upper triangular
form
- space |inv| • |places| 1bit • |places|
state space
construction
- time recover saved search, insert performed
components on smaller vectors
74

119. State space construction
state
yes/no state
pointer depository
(short
vectors)
state (recover
removed components)
1 0 1
0 0 0
= 1
0 - -2
-1 = 3
1
2 1 1
75

120. State space construction
state
yes/no state
pointer depository
(short
vectors)
state (recover
removed components)
1 0 1 Observe:
0 0 0
= 1
0 - -2
-1 = 3
1
values of i
irrelevant,
2 1 1
supp(i) sufficient!
75

121. Upper triangular form
1 -1 0 0 1 0 0 0 . .
-1 1 0 0 -1 0 0 0 0 1
0 3 -2 0 0 1 0 0 . .
0 0 -1 1 0 0 -1 0 . .
0 0 1 -1 0 0 1 0 1 0
incidence matrix triangular form invariants
m(p2),m(p5) can be calculated from m(p1), m(p3), m(p4)
76

122. Results
1. Space reduction 30% - 55%
2. Preprocessing time insignificant
3. Run time reduction proportional to space reduction
Reason: search and insert operations take
80 – 95 % of overall run time
... are now performed on shorter vectors
4. combination with most other reduction techniques
possible
preduction 77

123. Second approach:
78

124. Second approach:
what happens if some states are
removed from the depository?
78

125. Second approach:
what happens if some states are
removed from the depository?
78

126. Second approach:
what happens if some states are
removed from the depository?
construction still terminates as long as
removed states do not form cycles!
78

127. Second approach:
what happens if some states are
removed from the depository?
construction still terminates as long as
removed states do not form cycles!
use structural knowledge about cycles
78

128. Transition invariants
cycle in state space corresponds to transition
invariant
79

129. Transition invariants
cycle in state space corresponds to transition
invariant
Assume: Set U of transitions s.t. for every transition
invariant i:
U ∩ supp(i) ≠∅
Then: store states that enable transitions in U
do not store other states
U can be determined from triangular form
79

130. Example
3 2
transition invariant: [2,2,3,3]
 U = {t}
store only states where t is enabled
80

131. Problems:
1. Too many states enable transitions in U
Solution: combine with partial order reduction
2. Unacceptable run time overhead
Solution 1: heuristically store additional states
Solution 2: remove only non-branching states
81

132. Ad 1: Full vs. Partial
full state space
82

133. Ad 1: Full vs. Partial
stubborn set reduced state space
83

134. Ad 2: store additional states
k
k
84

135. Results
1. Controllable space/time trade-off
2. Combination with partial order reduction compulsory
3. Combination with a few other reduction techniques
possible
4. Only simple properties can be verified (no access to
graph structure of the state space)
85

136. The Sweep-Line Method

137. Road map
The sweep-line method (basic/extended)
Calculation of a progress measure
Discussion
- Combination with other reduction techniques

138. The sweep-line method (Basic)
Idea: state s → progress value p(s)
with
s [t> s‘ p(s) > p(s’)
Unprocessed
sweep-line

139. The sweep-line method (Basic)
Idea: state s → progress value p(s)
with
s [t> s‘ p(s) > p(s’)
Unprocessed
sweep-line p

140. The sweep-line method (Basic)
Idea: state s → progress value p(s)
with
s [t> s‘ p(s) > p(s’)
Unprocessed
Processed
sweep-line p

141. The sweep-line method (Basic)
Idea: state s → progress value p(s)
with
s [t> s‘ p(s) > p(s’)
Unprocessed
Not yet seen
Processed
sweep-line p

142. The sweep-line method (Basic)
Idea: state s → progress value p(s)
with
s [t> s‘ p(s) > p(s’)
Unprocessed
 Not yet seen
Processed
sweep-line p

143. The sweep-line method (extended)
If p is not monotonous:
t
s’
s p(s’) < p(s)

144. The sweep-line method (extended)
If p is not monotonous:
t
s’
s p(s’) < p(s)
-mark s’ “persistent”
-start new sweep from s’

145. The sweep-line method (extended)
If p is not monotonous:
t
s’
s p(s’) < p(s)
-mark s’ “persistent”
-start new sweep from s’
Consequently: not too often p(s’) < p(s)

146. Setting for LoLA’s measure
-incremental: “transition offsets”
Δ p(t) : m [t> m‘ p(m’) = p(m) + Δ p(t)
-not necessarily monotonous
(in every cycle: one negative Δ p or all Δ p = 0)

147. The measure
partition T into U and TU
in U: all transitions linear independent
in TU: all transitions linear dependent of U
i.e. |U| = rank(C)
-for t in U: Δ p (t) := 1
-for t in TU: Δ p(t) determined by (unique) lin. combination of U
(for t in TU: Δ p(t) >0, =0, <0 )
typical size: |U| 60% - 100% of |T|

148. U
Examples
TU
1 1 1
2 -2 1
1 1 0

149. Geometric interpretation
p2
s
p3
p1
sweep

150. Geometric interpretation
p2
s
p3
U
p1
sweep

151. Geometric interpretation
p2
s
p3
U
p1
sweep

152. Geometric interpretation
progress
p2
s
p3
U
p1
sweep

153. Geometric interpretation
progress
p2
s
p(s)
p3
U
p1
sweep

154. Geometric interpretation
progress
p2
s
p(s)
p3
1
U
p1
sweep

155. 4. Using LoLA

156. You will learn how
• to choose and manage LoLA configurations
• to ask the right verification questions
• to optimally model a Petri net
• to employ scripts, makefiles, etc.
• to call LoLA from another tool

157. LoLA Configurations
• Get LoLA:
• http://service-technology.org/files/lola
• Standard Workflow:
• edit userconfig.H
• compile LoLA
setup

158. userconfig.H
• What to check?
• Which reduction
techniques to use?
• Other parameters

159. The optimal configuration
1. Know your net!
• Is it bounded? Do you know the bound? Is it safe?
• Do you have a feeling on the outcome?
• Is the net made of several components?
• Does the net have a lot of concurrency?
2. Experiment!

160. Analysis Tasks
• DEADLOCK
• REACHABILITY, FINDPATH, STATEPREDICATE
• BOUNDEDPLACE, BOUNDEDNET
• DEADTRANSITION
• REVERSIBILITY, HOME
• LIVEPROP, FAIRPROP, STABLEPROP, EVENTUALLYPROP
• MODELCHECKING
• FULL, NONE

161. Reduction Techniques
• STUBBORN - stubborn sets
• PREDUCTION - invariant-based compression
• SYMMETRY - symmetry reduction
• COVER - coverability graph
• CYCLE - cycle coverage
• SWEEP - sweep-line method
• SMALLSTATE - internal representation

162. Stubborn Sets
• STUBBORN
• when to use: always
• compatibility: all other techniques
• switch RELAXED to chose more efficient
technique if state/predicate is unreachable

163. Invariant-based Compression
• PREDUCTION
• when to use: always
• compatibility: not with sweep-line method
preduction

164. Symmetries
• SYMMETRY
• when to use: net is made of several
symmetric components
• runtime overhead
• compatibility: not with sweep-line method
• switch SYMMINTEGRATION and
MAXATTEMPT to control time/memory
trade-off

165. Coverability Graph
• COVER
• when to use: mostly clear from the context
• compatibility: stubborn sets and symmetry
• use with BREADTH_FIRST to have
shorter paths to check

166. Cycle Coverage
• CYCLE
• when to use: can help sometimes
• runtime overhead
• use with stubborn sets to reduce number
of successors
• Switches NONBRANCHINGONLY and
MAXUNSAVED to control memory/time
tradeoff

167. Sweep-line
• SWEEP
• when to use: behavior has several acyclic
stages - always worth a try
• compatibility: stubborn set method
• in fact: only use with stubborn set method
to avoid a lot of regress transitions

168. Small State Representation
• SMALLSTATE
• when to use: only for simple reachability
questions
• compatibility: all other techniques

169. Reduction techniques
Not all
combinations
make sense!
LoLA takes
care about
this.

170. Other parameters
• BREADTH_FIRST: search strategy
• CAPACITY: fix a maximal number of tokens per place
• CHECKCAPACITY: check capacity and abort
• MAXPATH: maximal length of paths for FINDPATH
• REPORTFREQUENCY: report firing of transitions
• HASHSIZE: number of hash buckets
• MAXIMALSTATES: maximal size of the statespace
maximalstates

171. Manage configurations
• one binary for each configuration
• fight complexity:
• ask LoLA for its configuration
• predefined standard configurations
• offspring generation
configurations

172. Ask LoLA

173. Predefined configurations
several reasonable
standard
configurations

174. Generate offspring
generate a userconfig.H
for the given binary

175. Build script
downloads the sources
and generate a configured
binary with random name

176. You will learn how
• to choose and manage LoLA configurations ✔
• to ask the right verification questions
• to optimally model a Petri net
• to employ scripts, makefiles, etc.
• to call LoLA from another tool

177. Ask the right questions
• be as specific as possible
• ask one aspect at a time
• exploit all knowledge
• transform complex questions

178. Be specific!
• most questions can be formulated with CTL
• LoLA has dedicated routines:
• EF φ - use STATEPREDICATE
• AG EF φ - use LIVEPROP
• yields more efficient reduction
specific

179. Ask one aspect at a time!
• Garavel’s challenge: check quasiliveness of a
net with 776 transitions
• naive way: build one statespace and check each
transition
• Problem: 9794739147610899087361 states
• clever way: build 776 statespaces and check each
transition independently
• all but two state spaces have < 20000 states

180. Use all knowledge!
end of a procedure, see Figure 1. The tasks are modeled by transit
ordering of tasks is modeled by places connecting these transitions.
• original question:
soundness of workflow nets
• naive: AG EF φ i
WF-net
o
• Petri-netty: liveness and Fig. 1. A procedure modeled by a W F-net.
boundedness of short-circuited net
The processing of a case starts the moment we put a token in plac
• Knowledge: net is free-choice and built from
the moment a token appears in place o. One of the main properties
should satisfy is the following:
standard patterns For any case, the procedure will terminate eventually, and at t
• boundedness boils down to 1-safeness
procedure terminates there is a token in place o and all the ot
empty.
This property is called the soundness property. In this paper we p
• clever way: two checks: liveness and 1-safeness
to verify this property using standard Petri-net tools. If we restric
choice Petri nets (cf. Best [8], Desel and Esparza [12]), this propert
polynomial time.
W F-nets have some interesting properties. For example, it turns ou

181. Transform your problem!
• original question: relaxed soundness (every
transition fires in at least one terminating run)
• standard algorithm: build statespace, remove
nonterminating behavior and check transitions
t
• clever way: create special net for each transition t
and check for reachability of marking [o, pt]

182. Problem hierarchy
• MODELCHECKING (CTL algorithms, hardly any reduction possible)
• BOUNDEDNET (coverability graph)
• STABLEPROP, EVENTUALLYPROP, FAIRPROP (strongly connected sets)
• HOMESTATE (mutual reachability of TSCCs)
• LIVEPROP, REVERSIBILITY (reachability within TSCC)
• REACHABILITY (global property)
• BOUNDEDPLACE (overhead for coverability check)
• STATEPREDICATE (possibly local property)
• DEADTRANSITION (local property)
• DEADLOCK (best stubborn sets available)
• FINDPATH (memoryless exploration)

183. You will learn how
• to choose and manage LoLA configurations ✔
• to ask the right verification questions ✔
• to optimally model a Petri net
• to employ scripts, makefiles, etc.
• to call LoLA from another tool

184. “optimal” Petri nets
• have verification in mind
• don’t use expensive constructs (reset arcs)
• don’t spoil the reduction techniques
• help LoLA help you

185. High-level guards
• use guards to exclude implausible transition bindings
• results in quicker unfolding
TRANSITION ManInTheMiddle
VAR
bob : bobAgents;
alice : aliceAgents;
bobKey : bobKeys;
aliceKey : aliceKeys;
GUARD
alice <> getMaliceAlice() AND
bob <> getMaliceBob() AND
isSessionKeyForAlice(alice,bob,aliceKey) AND
isSessionKeyForBob(bob,alice,bobKey)
CONSUME
connStateAlice : makeConnectionState(alice,bob,aliceKey,bobKey),
mGoalBobKeys : bobKey;
PRODUCE
goal : 1;

186. Concurrency
• use concurrency where possible
• avoid unnecessary ordering of events
• makes symmetry/stubborn sets applicable
...
initialize initialize initialize
component 1 component 2 component 3

187. erformed only if scope Q is allowed to continue its normal p
Avoid global states
op, the core action of X is bypassed, as captured by the τ -tr
bypassing a normal event can be defined in a similar way.
•
n a fault occurs in scope Q,synchronization changes from to co
avoid excessive the status of Q or “global
state places” rX
X
to_stopQ
X sX
to_continueQ
"bypass" X C
cX
fX
• such nets13. Terminationconcurrency
Figure have no real of a basic activity.

188. Flexible model generation
• model with verification question in mind
• for each question have a dedicated model
with proper abstractions
• implemented in compiler BPEL2oWFN
flexible

189. Scale by structure
• when possible, scale model by structure,
not by the number of tokens
• in LoLA: just increase sort
• rationale: symmetry and stubborn sets
SORT
dimensions = [ 1 , 3 ];
row = [ 1 , 3 ];

190. You will learn how
• to choose and manage LoLA configurations ✔
• to ask the right verification questions ✔
• to optimally model a Petri net ✔
• to employ scripts, makefiles, etc.
• to call LoLA from another tool

191. Script LoLA
• LoLA follows the UNIX philosophy
• every tool does one thing
(and that thing right)
• tools communicate with files/streams
• exit codes tell about outcome of LoLA
• this all allows to quickly build powerful tool chains

192. LoLA’s exit codes
• 0: specified state or deadlock found/net or place
unbounded/home marking exists/net is reversible/
predicate is live/CTL formula true/transition not
dead/liveness property does not hold
• 1: the opposite verification result
• rule of thumb, if the outcome of a verification result
can be supported by a counterexample or witness
path, that case corresponds to return value 0
exit

193. LoLA’s exit codes
• exit code allow for simple workflows in the shell
• (lola1 net.lola && lola2 net.lola && echo
“OK”) || echo “not OK”)
• translation:
• execute lola1
• if the exit code is 0, execute lola2
• if the exit code is again 0, print “OK”
• otherwise, print “not OK”

194. Example: Scripting
• Garavel’s challenge
• quasiliveness of 776 transitions checked in 776 runs
• shell script:
1. extract transitions from net
2. generate analysis task for DEADTRANSITION
("ANALYZE TRANSITION t1")
3. call LoLA
4. evaluate exit code
• DEADTRANSITION succeeds in all but 2 cases
• then use FINDPATH
garavel

195. Example: Makefile
• check for relaxed soundness
• for each transition:
1. create manipulated net
2. generate analysis task
for STATEPREDICATE
("FORMULA (pt = 1 AND o = 1)")
3. call LoLA
4. evaluate exit code
• use Makefile to collect the results
• benefit: parallel execution
relaxed

196. You will learn how
• to choose and manage LoLA configurations ✔
• to ask the right verification questions ✔
• to optimally model a Petri net ✔
• to employ scripts, makefiles, etc. ✔
• to call LoLA from another tool

197. Integrating LoLA into Wendy
• Wendy: a tool to synthesize partners for services
• algorithm needs a lot of small state spaces
• before: calculate them on-the-fly
• now: calculate one big one in advance and
preprocess - helps to avoid “bad” states
• tool of choice for this: LoLA (lola-full)
• benefits:
• modularity
• get Tarjan numbers for free
• interprocess concurrency
wendy

198. Integrating LoLA
• integration is easy when using C:
const char *c = "lola-full tempfile.lola -M";
FILE *pipe = popen(c, "r");
parse_pipe();
pclose(pipe);
• UNIX streams allow parallel generation and parsing of
the state space

199. You will learn how
• to choose and manage LoLA configurations ✔
• to ask the right verification questions ✔
• to optimally model a Petri net ✔
• to employ scripts, makefiles, etc. ✔
• to call LoLA from another tool ✔

200. 5. Case Studies
Niels Lohmann

201. Exploring biochemical
The ErbB Network
(CARTOON FORM)
reaction chains

202. Reaction chains
• Domain: symbolic system biology
• “Symbolic systems biology is the
qualitative and quantitative study of
biological processes as integrated
systems rather than as isolated parts.”
• Property: reachability

203. Mcf2-act Rhob-GDP Ngef-reloc Trio-act
221-2 798-2 807-2
Cit Prkcl1 Rhob-GTP Diaph1 Rock1 Ktn1
591-2 581-2 680-2 679-4 700-2
f1-act Crkl-reloc Erk2 Prkcl1-act Diaph1-act Diaph1-act Limk1 Myl9 Rock1-act PP1 Ktn1-
03 672 238 671 697
Actin-mono Pfn1 Arp23-act Srf Limk1-act Myl9-phos PP1-inhib
11 732 58
Pxn Vasp Actinin Tns1 Tln-act Integrins-clustered Actin-poly Srf-act Vcl Zyx Ilk:
165 764 713 601 813 1076 1075
Pxn Vasp Src-act Actinin Ptk2-act Tns1 Vcl Zyx Ilk:Lims1:Parva
434

205. Reaction chains
• “For reachability queries on our nets,
answering a reachability query that would
have taken hours using a general purpose
model-checking tool takes on the order of
a second in LoLA — fast enough to permit
interactive use.”

206. Finding Hazards in
GALS Circuits

207. GALS circuits
• Domain: asynchronous/
synchronous hardware design
• prototype for IEEE-802.11 chip
• asynchronous hardware is not
clocked - order/timing of events
makes a difference
• problem: glitch

208. Glitch
P(a) = 1
a AND P(c) = 0
c
b Gate
P(b) = 0
1
P(a): 0 1
P(c): 0
P(b): 1
0
ΔT
147

209. Glitch
P(a) = 1
0
a AND P(c) = 0
c
b Gate
P(b) = 0
1
P(a): 0 1
P(c): 0
P(b): 1
0
ΔT
147

210. Glitch
P(a) = 1 0
0
a AND P(c) = 0 0
c
b Gate
P(b) = 0
1
P(a): 0 1
P(c): 0
P(b): 1
0
ΔT
147

211. Glitch
P(a) = 1 0
0
a AND P(c) = 0 0
1 c
b Gate
P(b) = 0
1
P(a): 0 1
P(c): 0
P(b): 1
0
ΔT
147

212. Glitch
P(a) = 1 0
0
a AND P(c) = 0 0 0
1 c
b Gate
P(b) = 0 1
1
P(a): 0 1
P(c): 0
P(b): 1
0
ΔT
147

213. Glitch
P(a) = 1
a AND P(c) = 0
c
b Gate
P(b) = 0
1
P(a): 0 1
P(c): 0
P(b): 1
0
ΔT
148

214. Glitch
P(a) = 1
a AND P(c) = 0
1 c
b Gate
P(b) = 0
1
P(a): 0 1
P(c): 0
P(b): 1
0
ΔT
148

215. Glitch
P(a) = 1
a AND P(c) = 0 1
1 c
b Gate
P(b) = 0 1
1
P(a): 0 1
P(c): 0
P(b): 1
0
ΔT
148

216. Glitch
P(a) = 1
0
a AND P(c) = 0 1
1 c
b Gate
P(b) = 0 1
1
P(a): 0 1
P(c): 0
P(b): 1
0
ΔT
148

217. Glitch
P(a) = 1 0
0
a AND P(c) = 0 1 0
1 c
b Gate
P(b) = 0 1
1
P(a): 0 1
P(c): 0
P(b): 1
0
ΔT
148

218. Glitch
P(a) = 1 0
0
a AND P(c) = 0 1 0
1 c
b Gate
P(b) = 0 1 Hazard
1
P(a): 0 1
P(c): 0
P(b): 1
0
ΔT
148

219. Petri Net Model of AND

220. Petri Net Model of AND
a
• Events c
• Level
• Logics
b

221. Petri Net Model of AND
(P(a),P(b))
a 01
• Events 11
c
• Level
• Logics
00
b
10

222. Petri Net Model of AND
(P(a),P(b))
a 01
• Events 11
c
• Level
• Logics
00
b
10

223. Petri Net Model of AND
(P(a),P(b))
a 01
• Events 11
c
• Level
• Logics
00
b
10

224. Petri Net Model of AND

225. Petri Net Model of AND

226. Petri Net Model of AND

227. Petri Net Model of AND

228. Petri Net Model of AND

229. Petri Net Model of AND

230. Petri Net Model of AND

231. GALS circuits
• Property: reachability
• Problem:
• partial order reduction not effective
enough in isolation
• sweep line helped
• initial model: 204 places/368 transitions;
manual abstractions necessary
• found 8 hazards,
2 were actual problems
gals

232. Verifying Service
Choreographies

233. Service Choreography
• Domain: service-oriented
architectures
• Original model: BPEL4Chor
• translation: compiler
BPEL2oWFN
• Design flaw in chorgrography
model.
• Property: deadlock freedom

234. Service Choreography
• ein Reisenderer, ein Reisebüro, mehrere
Fluglinien

235. Service Choreography
• ein Reisenderer, ein Reisebüro, mehrere
Fluglinien

236. Service Choreography
• ein Reisenderer, ein Reisebüro, mehrere
Fluglinien

237. Service Choreography
• ein Reisenderer, ein Reisebüro, mehrere
Fluglinien

238. Service Choreography
• ein Reisenderer, ein Reisebüro, mehrere
Fluglinien

239. Service Choreography
• ein Reisenderer, ein Reisebüro, mehrere
Fluglinien

240. Service Choreography
• ein Reisenderer, ein Reisebüro, mehrere
Fluglinien

241. Service Choreography
• ein Reisenderer, ein Reisebüro, mehrere
Fluglinien

242. Service Choreography
• ein Reisenderer, ein Reisebüro, mehrere
Fluglinien

243. Service Choreography
• ein Reisenderer, ein Reisebüro, mehrere
Fluglinien

244. Service Choreography
bpel4chor

245. Service Choreography
• Komposition kann verklemmen!
bpel4chor

246. Service Choreography
• Komposition kann verklemmen!
bpel4chor

247. Service Choreography
• Komposition kann verklemmen!
bpel4chor

248. Service Choreography
• Komposition kann verklemmen!
bpel4chor

249. Service Choreography
• Komposition kann verklemmen!
bpel4chor

250. Service Choreography
• Komposition kann verklemmen!
bpel4chor

251. Service Choreography
• Komposition kann verklemmen!
bpel4chor

252. Service Choreography
• Komposition kann verklemmen!
bpel4chor

253. Service Choreography
• Komposition kann verklemmen!
bpel4chor

254. Service Choreography
• Komposition kann verklemmen!
bpel4chor

255. Service Choreography
• Komposition kann verklemmen!
bpel4chor

256. Service Choreography
• Komposition kann verklemmen!
bpel4chor

257. Service Choreography
Case Study
airline instances
Analyzing BPEL4Chor - Verification and Partner Synthesis
1 5 10 100 1000
places 20 63 113 1013 10013
transitions 10 41 76 706 7006
states 14 3483 9806583
states 14 561 378096
states 11 86 261 18061 1752867
states 11 30 50 410 4010
 complete
complete/unreduced
 symmetries
 stubbornreduction
symmetry sets
 symmetriesreduction
partial order and stubborn sets
 overflow reduction and partial order reduction
symmetry (>2 GB)

258. Service Choreography
Case Study
airline instances
Analyzing BPEL4Chor - Verification and Partner Synthesis
1 5 10 100 1000
places 20 63 113 1013 10013
transitions 10 41 76 706 7006
states 14 3483 9806583 exponential
states 14 561 378096 growth 
states 11 86 261 18061 1752867
states 11 30 50 410 4010
 complete
complete/unreduced
 symmetries
 stubbornreduction
symmetry sets
 symmetriesreduction
partial order and stubborn sets
 overflow reduction and partial order reduction
symmetry (>2 GB)

259. Service Choreography
Case Study
airline instances
Analyzing BPEL4Chor - Verification and Partner Synthesis
1 5 10 100 1000
places 20 63 113 1013 10013
transitions 10 41 76 706 7006
states 14 3483 9806583 exponential
states 14 561 378096 growth 
states 11 86 261 18061 1752867
states 11 30 50 410 4010
 complete linear
complete/unreduced
 symmetries
symmetry reduction growth 
 stubborn sets
 symmetriesreduction
partial order and stubborn sets
 overflow reduction and partial order reduction
symmetry (>2 GB)

260. Soundness of
Business Processes
M2
M1
J1
F1

261. Soundness
• 735 real-world business processes
from IBM customers
• original formalism: UML dialect
from the IBM Websphere Business
Modeler
• translation: compiler UML2oWFN
• original question: can soundness
be verified using model checking
techniques

262. Soundness

263. Soundness
• “IBM Soundness” = absence of
• lack of synchronization (= unsafe marking)
• deadlock (= deadlock)
• + certain assumptions on the structure
• for LoLA: two checks
• Is the final marking life?
• Is the net safe?

264. Soundness
for each SESE fragment
choice depends on SESE fragment
always perform both checks
choice depends on net structure

265. Soundness
• execution scheduled and optimized using
Makefiles
• max. 50 ms per check
• “analysis on demand”
• observed effect: structural reduction
techniques do not pay off when using
stubborn sets
soundness

266. Verification of
Concurrent Programs

267. Concurrent Programs
• concurrent processes
• shared and global variables
• goal: find Aa. small-model roening, and T . Wahl
650 K aiser, D . K
property
to make a statement on the correctness of
an arbitrary number of instances
|R n |
|R| |R|
(a) (b)
n
m c

268. Concurrent Programs
• problem can be solved by checking for
reachable states in a coverability graph
• challenge: number of places = number of
states of a process
• concurrency only through tokens
• it took a while to beat LoLA
concurrent

269. Solving AI Planning Problems

270. AI Planning
• setting: smart conference room
• several projectors, canvases, documents,
and lamps
• AI planning problem: Configure the room to
display document A on that canvas.
• original formalism: proprietary
planning language; manually translated

271. AI Planning
• straightforward translation to state predicate
Goals: FORMULA
( LightOn 1 Lamp1 ); LightOn.<Lamp1|TRUE> = 1 AND
( LightOn 1 Lamp2 ); LightOn.<Lamp2|TRUE> = 1 AND
( DocShown 1 Doc1 LW3 ); DocShown.<Doc1|LW3|TRUE> = 1 AND
( DocShown 1 Doc2 LW1 ); DocShown.<Doc2|LW1|TRUE> = 1 AND
( CanvasDown 1 VD1 ); CanvasDown.<VD1|TRUE> = 1
• system is extremely concurrent
• depth-first search actually finds shortest path
planner

272. 6. Integrating LoLA

273. • soundness checks:
• classical soundness
• weak soundness
• relaxed soundness
• integration as Web service

274. • http://oryx-project.org/oryx/editor;petrinet
• http://esla.informatik.uni-rostock.de/
service-tech/.lola

283. • generic plugin for standard Petri net
properties
• nets are translated from PNML to LoLA
format
• LoLA is called as system call

290. 7. Implementation

291. Plan
• Firing a transition
• Evaluating a state predicate
• Managing the state space
• Organizing search
• Detecting strongly connected components

292. Firing transitions
Marking changed via list of pre-, list of post-places
 effort does not depend on size of net
After firing, only some transitions are checked for
enabledness
previously enabled transitions that lost tokens
previously disabled transitions that gained tokens
... managed through explicitly stored lists

293. Checking state predicates
• predicate = boolean combination of
• p {><=≤≥≠} k
• stored in negation-free normal form
φ
φ φ
φ φ


294. Managing the state space
1st state = bit vector
other states = bit vector +decision record

295. Managing the state space
find/insert a marking: one integrated process
dive down into decision tree
on mismatch:
at decision point: switch to next vector
at end: found, no insert
between decision points: insert at point of mismatch
decision records form tree

296. Organizing search
General remarks
Search consists of
- fire transitions ✔
- find/insert marking ✔
- backtracking: fire transition backwards
 only „constant“ time
search stack consists of reference to
transition +
list of enabled transitions
 state space is „write-only“ memory

297. Organizing search
b) Depth-first search: ability to detect SCC
c) Breadth-first search:
Simulated by bounded depth-first search with
incrementally increased bound
 Update of current marking, list of enabled
transitions, etc. through sequence of transition
occurrences

298. Detecting strongly connected
components
• Traditional approach: Tarjan‘s algorithm
4
4 6 21 
5
44
33 11
00

299. Detecting strongly connected
components
• LoLA approach: simplified lowlink
4
4 6 21 
5
41
31 11
00

300. Reduction techniques

301. Stubborn Sets
• Crucial: Core principle
• Simple method:
–If t enabled, add conflicting transitions
–If t disabled, add pre-transitions of some
unmarked pre-place
place pre-transitions
must be included
transition conflicting
updated at enabledness check

302. The sweep-line method
• constant change  successors lie in a small window of
progress values

303. Calculation of Symmetries
7 5 0 2 A1 ∪.... ∪ An = V
A1 B1
9 4 B1 ∪....∪ Bn = V
A2 4 3
1 2 6 B2 σ satisfies C iff
6 9 8
σ(Ai) = Bi (for all i)
07
3 7 B3 13
A3 0 29
5 35
48
..... 50
66
An Bn 74
8 1 81
92
C

304. Abstract Permutation – Examples

305. Abstract Permutation – Examples
PP all permutations that
TT respect node type

306. Abstract Permutation – Examples
PP all permutations that
TT respect node type
{p1}  {p1}
...... Elements of some orbit
{pi-1}  {pi-1} wrt. Ui in Ui-1
{pi}  {pk}
others1  others2

307. Abstract Permutation – Examples
PP all permutations that
TT respect node type
{p1}  {p1}
...... Elements of some orbit
{pi-1}  {pi-1} wrt. Ui in Ui-1
{pi}  {pk}
others1  others2
New problem: given.: abstract permutation C
compute an automorphism that satisfies C
... equivalent to graph isomorphism

308. REFINE
Choose A-B, A’-B’ and arc multiplicity c
# c-neighbors in A’ #c-neighbors in B’
3 2 1 0 0 1 2 3
A B
8 9 8 6
6 1
0 5 4 2
1 2 4 3 7 0
8 7
A’ 2 5 4 B’
1 0
3