Abstract not found

Spot is a C++ library offering model checking bricks that can be combined and interfaced with third party tools to build a model checker. It relies on Transition-based Generalized B uchi Automata (TGBA) and does not need to degeneralize these automata to check their emptiness. We motivate the choice of TGBA by illustrating a very simple (yet efficient) translation of LTL into TGBA. We then show how it supports on-the-fly computations, and how it can be extended or integrated in other tools.

. Colored nets have been recognized as a powerful modelling paradigm for the validation and evaluation of systems, both in terms of compact representation and aggregate state space generation. In this paper we discuss the issue of adding compositionality to a class of stochastic colored nets named Stochastic Well-formed Nets, in order to increase modularity and reuse of the modelling efforts. This requires the notion of Parametric Stochastic Well-formed net: nets in which a certain amount of information is left unspecified, and is instantiated only upon model composition. The choice of the compositional rule has been based on previous work on layered models for integrated hardware and software systems (the processes, services and resources methodology), and an example of layered modelling with Parametric Stochastic Well-formed net is presented to show the efficacy of the proposed formalism. 1 Introduction and motivations Petri nets have been accepted in the industrial wor...

Abstract. Formal verification of complex systems using high-level Petri Nets faces the so-called state-space explosion problem. In the context of Petri nets generated from a higher level specification, this problem is particularly acute due to the inherent size of the considered models. A solution is to perform a symbolic analysis of the reachability graph, which exploits the symmetry of a model. Well-Formed Nets (WN) are a class of high-level Petri nets, developed specifically to allow automatic construction of a symbolic reachability graph (SRG), that represents equivalence classes of states. This relies on the definition by the modeler of the symmetries of the model, through the definition of “static sub-classes”. Since a model is self-contained, these (a)symmetries are actually defined by the model itself. This paper presents an algorithm capable of automatically extracting the symmetries inherent to a model, thus allowing its symbolic study by translating it to WN. The computation starts from the assumption that the model is entirely symmetric, then examines each component of a net to deduce the symmetry break it induces. This translation is transparent to the end-user, and is implemented as a service for the AMI-Net package. It is particularly adapted to models containing large value domains, yielding combinatorial gain in the size of the reachability graph. 1

: Distributed Shared Memory (DSM) systems provide the abstraction of a common virtual address space across a network of processors. Such systems employ a variety of protocols to maintain a consistent view of data across all local memories. Li and Hudak proposed several of the pioneering protocols for DSM [LH 89]. We have used both Petri net modelling and model checking to explore some of their protocols. Our work has detected inefficiencies, unstated assumptions, and errors in the original protocol descriptions. This paper presents Petri net models for one protocol at two layers of abstraction. For each model, we describe corresponding specifications for model checking and provide verification statistics. This combination of models and specifications gives different views of the protocol, inspiring greater confidence in the correctness of our analysis than if we had used only one approach. Keywords: Protocol design and verification, distributed shared memory, memory consistency, model...

An implementation of compositionality for Generalized Stochastic Petri Nets (GSPN) and for Stochastic Well-formed Nets (SWN) has been recently included in the GreatSPN tool. Given two GSPNs (or SWNs), and a labelling function for places and transitions, it is possible to produce a third one as superposition of places and transitions of equal label, for SWN color domains and arc functions have to be treated appropriately.

Abstract. An implementation of compositionality for stochastic well-formed nets (SWN) and, consequently, for generalized stochastic Petri nets (GSPN) has been recently included in the GreatSPN tool. Given two SWNs and a labelling function for places and transitions, it is possible to produce a third one as a superposition of places and transitions of equal label. Colour domains and arc functions of SWNs have to be treated appropriately. The main motivation for this extension was the need to evaluate a library of fault-tolerant “mechanisms ” that have been recently defined, and are now under implementation, in a European project called TIRAN. The goal of the TIRAN project is to devise a portable software solution to the problem of fault tolerance in embedded systems, while the goal of the evaluation is to provide evidence of the efficacy of the proposed solution. Modularity being a natural “must ” for the project, we have tried to reflect it in our modelling effort. In this paper, we discuss the implementation of compositionality in the GreatSPN tool, and we show its use for the modelling of one of the TIRAN mechanisms, the so-called local voter.

Abstract. Modelling and analysis of dynamic multi-threaded state systems often encounters obstacles when one wants to use automated verification methods, such as model checking. Our aim in this paper is to develop a technical device for coping with one such obstacle, namely that caused by dynamic process creation. We first introduce a general class of coloured Petri nets—not tied to any particular syntax or approach—allowing one to capture systems with dynamic (and concurrent) process creation as well as capable of manipulating data. Following this, we introduce the central notion of our method which is a marking equivalence that can be efficiently computed and then used, for instance, to aggregate markings in a reachability graph. In some situations, such an aggregation may produce a finite representation of an infinite state system which still allows one to establish the relevant behavioural properties. We show feasibility of the method on an example and provide initial experimental results.

Abstract. In this work, we propose two high-level formalisms, Markov Decision Petri Nets (MDPNs) and Markov Decision Well-formed Nets (MDWNs), useful for the modeling and analysis of distributed systems with probabilistic and non deterministic features: these formalisms allow a high level representation of Markov Decision Processes. The main advantages of both formalisms are: a macroscopic point of view of the alternation between the probabilistic and the non deterministic behaviour of the system and a syntactical way to define the switch between the two behaviours. Furthermore, MDWNs enable the modeller to specify in a concise way similar components. We have also adapted the technique of the symbolic reachability graph, originally designed for Well-formed Nets, producing a reduced Markov decision process w.r.t. the original one, on which the analysis may be performed more efficiently. Our new formalisms and analysis methods are already implemented and partially integrated in the GreatSPN tool, so we also describe some experimental results. 1

. The problem of nding symmetry information from algebraic system nets prior to the reachability graph generation is studied. The approach presented is based on wellformedness of transition descriptions, meaning that some data types in a net may be used in a symmetric way. Permutations on the domains of such data types produce symmetries on the state space level of the net, which in turn can be exploited during the reachability analysis. To ensure that the transitions behave symmetrically with respect to the chosen data domain permutations, a suÆcient compatibility condition between data domain permutations and the algebraic terms used as transition guards and arc annotations is proposed. The solution is a general and exible one as it does not x the set of applicable operations, enabling the design of customized net classes. To help the process of deciding whether a term is compatible with a data domain permutation, an approximation rule for the compatibility condition is given. Key...