Abstract
Brute-force model checking consists of exhaustively exploring the state space of a Petri net, and runs into the dreaded state-space explosion problem. In contrast, this paper shows how to solve model-checking problems with a combination of techniques whose cost stays proportional to the size of the net structure rather than to the size of the state space. We combine an SMT-based over-approximation to prove that some behaviors are infeasible, an under-approximation using memory-less sampling of runs to find witness traces or counter-examples, and a set of structural reduction rules that can simplify both the system and the property. This approach won the Model Checking Contest 2020 by a clear margin, for reachability queries as well as deadlock detection, demonstrating the practical effectiveness and general applicability of the system of rules presented in this paper.
Highlights
Given a Petri net and an assertion on markings of places of the net, we consider the problem of proving that the assertion is an invariant that holds in all reachable markings.
We introduce a combination of three solution strategies: (1) we try to prove that the invariant holds using a system of Satisfiability Modulo Theory (SMT) constraints that symbolically over-approximate the reachable states; (2) we try to disprove the invariant using a memory-less exploration that, randomly or with guidance, can encounter counter-example states, thus under-approximating the behavior; and (3) we use structural reduction rules that preserve the properties of interest.
SMT solvers are a modern technology that offers the benefits of both Integer Linear Programming (ILP) solvers and SAT solvers, for more flexibility in the expression of constraints.
Summary
Given a Petri net and an assertion on markings of places of the net, we consider the problem of proving that the assertion is an invariant that holds in all reachable markings. We try to prove that the invariant holds using a system of SMT constraints that symbolically over-approximate the reachable states; SMT solvers offer the benefits of both ILP solvers and SAT solvers, for more flexibility in the expression of constraints. We use this SMT-based over-approximation of reachable markings to detect infeasible behavior: if no solution of the constraint system violates the assertion, the invariant is proved. We try to disprove the invariant using a memory-less exploration that samples runs of the net, randomly or with guidance, and thus under-approximates its behavior; if it finds a reachable marking that does not satisfy the target assertion, the invariant is disproved. We combine these solutions with a set of structural reduction rules that simplify the net by examining its structure, producing a smaller net in which parts of the behavior are removed or accelerated over while the properties of interest are preserved. Reducing the size of the net considerably helps both the SMT-based solution, because there are fewer variables and constraints, and the pseudo-random sampling, because counter-examples are more likely to be found when the state space is small.
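To make the combination concrete, the following is an added example written for this page, not code from the paper or its tool. It encodes a small Petri net and shows two of the three strategies: a memory-less random sampler of runs (the under-approximation) and a generator for the state-equation constraint system in SMT-LIB2 (the over-approximation, to be handed to a solver such as z3 or cvc5). The net encoding, the function names and the two constructed mutual-exclusion nets are assumptions made for this illustration; the structural reduction rules are not shown.

```python
"""Added example (not from the paper): a tiny Petri-net toolkit illustrating
memory-less run sampling and the state-equation over-approximation.
All names, the net encoding and the sample nets are assumptions for this page."""
import random


class PetriNet:
    """places: list of names; transitions: name -> (pre, post), each a dict
    place -> arc weight; m0: initial marking as dict place -> tokens."""

    def __init__(self, places, transitions, m0):
        self.places = list(places)
        self.transitions = dict(transitions)
        self.m0 = dict(m0)

    def enabled(self, m, t):
        pre, _ = self.transitions[t]
        return all(m[p] >= w for p, w in pre.items())

    def fire(self, m, t):
        pre, post = self.transitions[t]
        m2 = dict(m)
        for p, w in pre.items():
            m2[p] -= w
        for p, w in post.items():
            m2[p] = m2.get(p, 0) + w
        return m2


def sample_runs(net, violates, runs=200, max_steps=50, seed=1):
    """Under-approximation: memory-less random walks from m0. No visited set is
    kept, so memory is bounded by one run. Returns (trace, marking) for a
    witness that violates the property, or None if the budget runs out."""
    rng = random.Random(seed)
    for _ in range(runs):
        m, trace = dict(net.m0), []
        for _ in range(max_steps):
            if violates(m):
                return trace, m
            ts = [t for t in net.transitions if net.enabled(m, t)]
            if not ts:
                break  # deadlock: no transition enabled, start a fresh run
            t = rng.choice(ts)
            trace.append(t)
            m = net.fire(m, t)
        if violates(m):
            return trace, m
    return None


def state_equation_smt(net, negated_property):
    """Over-approximation: emit an SMT-LIB2 script asserting the state equation
    m = m0 + C*x with x >= 0, m >= 0, plus the negation of the property as a
    term over the m_<place> constants. A solver answering 'unsat' proves the
    invariant; 'sat' is inconclusive, since a solution of the state equation
    need not be a reachable marking."""
    lines = []
    for t in net.transitions:
        lines.append(f"(declare-const x_{t} Int)")
        lines.append(f"(assert (>= x_{t} 0))")
    for p in net.places:
        lines.append(f"(declare-const m_{p} Int)")
        terms = [str(net.m0.get(p, 0))]
        for t, (pre, post) in net.transitions.items():
            d = post.get(p, 0) - pre.get(p, 0)  # column of the incidence matrix
            if d > 0:
                terms.append(f"(* {d} x_{t})")
            elif d < 0:
                terms.append(f"(- (* {-d} x_{t}))")
        rhs = terms[0] if len(terms) == 1 else f"(+ {' '.join(terms)})"
        lines.append(f"(assert (= m_{p} {rhs}))")
        lines.append(f"(assert (>= m_{p} 0))")
    lines += [f"(assert {negated_property})", "(check-sat)", "(get-model)"]
    return "\n".join(lines)


# Constructed sample net: two processes sharing one lock (mutual exclusion holds).
MUTEX = PetriNet(
    places=["idle1", "cs1", "idle2", "cs2", "lock"],
    transitions={
        "enter1": ({"idle1": 1, "lock": 1}, {"cs1": 1}),
        "exit1": ({"cs1": 1}, {"idle1": 1, "lock": 1}),
        "enter2": ({"idle2": 1, "lock": 1}, {"cs2": 1}),
        "exit2": ({"cs2": 1}, {"idle2": 1, "lock": 1}),
    },
    m0={"idle1": 1, "cs1": 0, "idle2": 1, "cs2": 0, "lock": 1},
)
# Constructed buggy variant: enter2 ignores the lock, so both can be in their CS.
BROKEN = PetriNet(
    MUTEX.places,
    dict(MUTEX.transitions, enter2=({"idle2": 1}, {"cs2": 1})),
    MUTEX.m0,
)


def both_in_cs(m):
    """Negation of the invariant: both processes are in the critical section."""
    return m["cs1"] >= 1 and m["cs2"] >= 1


NEGATED_PROPERTY = "(and (>= m_cs1 1) (>= m_cs2 1))"

if __name__ == "__main__":
    print("MUTEX witness:", sample_runs(MUTEX, both_in_cs))    # None: sampling cannot prove
    print("BROKEN witness:", sample_runs(BROKEN, both_in_cs))  # a trace reaching cs1=cs2=1
    print(state_equation_smt(MUTEX, NEGATED_PROPERTY))         # feed to z3 / cvc5
```

On the correct net the sampler never returns a witness, which proves nothing by itself; piping the emitted script into a solver gives `unsat` because the state equation forces `m_lock = 1 - m_cs1 - m_cs2`, which cannot stay non-negative when both critical sections hold a token. On the broken net the random walk finds a short counter-example trace within a handful of steps. Every reduction rule that removes a place or transition shrinks the script by one constant and one constraint, which is the effect the summary describes.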