lecture notes - Concurrency Theory Group - University of ...

Roland MeyerConcurrency Theory– Lecture Notes –February 17, 2012University of Kaiserslautern

ContentsPart I Concurrent Programs and Petri Nets1 Introduction to Petri Nets . . . . . . . . . . . . . . . . 31.1 Syntax and Semantics . . . . . . . . . . . . . . . . 31.2 Boundedness . . . . . . . . . . . . . . . . . . . . . . . 92 Invariants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232.1 Marking Equation . . . . . . . . . . . . . . . . . . . 232.2 Structural and Transition Invariants . . . . . 28

2.3 Traps and Siphons . . . . . . . . . . . . . . . . . . . 332.4 Verification by Linear Programming . . . . 393 Unfoldings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533.1 Branching Processes . . . . . . . . . . . . . . . . . 563.2 Configurations and Cuts . . . . . . . . . . . . . . 613.3 Finite and Complete Prefixes . . . . . . . . . . 643.3.1 Constructing a finite andcomplete prefix . . . . . . . . . . . . . . . 674 Coverability . . . . . . . . . . . . . . . . . . . . . . . . . . . . 694.1 Coverability Graphs . . . . . . . . . . . . . . . . . 70Part II Network Protocols and Lossy ChannelSystems5 Introduction to Lossy Channel Systems . . . . 795.1 Syntax and Semantics . . . . . . . . . . . . . . . . 816 Well Structured Transition Systems . . . . . . . 856.1 Well Quasi Orderings . . . . . . . . . . . . . . . . 866.2 Upward and downward closed sets . . . . . 906.3 Constructing well quasi orderings . . . . . . 946.4 Well Structured Transition Systems . . . . 97

6.5 Abdulla’s Backwards Search . . . . . . . . . . 997 Simple Regularity and Symbolic ForwardAnalysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1077.1 Simple Regular Expressions andLanguages . . . . . . . . . . . . . . . . . . . . . . . . . 1087.2 Inclusion among simple regularlanguages . . . . . . . . . . . . . . . . . . . . . . . . . . 1147.3 Computing the Effect of Transitions . . . . 1187.4 Computing the Effect of Loops . . . . . . . . 1207.5 A Symbolic Forward Algorithm forCoverability . . . . . . . . . . . . . . . . . . . . . . . . 1258 Undecidability Results for Lossy ChannelSystems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1299 Expand, Enlarge, and Check . . . . . . . . . . . . . 1399.1 Domains of Limits . . . . . . . . . . . . . . . . . . 1419.2 Underapproximation . . . . . . . . . . . . . . . . . 1449.3 Overapproximation . . . . . . . . . . . . . . . . . . 1459.3.1 And-Or Graphs . . . . . . . . . . . . . . . 1479.3.2 Over(TS,Γ ′ ,L ′ ) . . . . . . . . . . . . . . 1489.4 Overall Algorithm . . . . . . . . . . . . . . . . . . . 153

Part III Dynamic Networks and π-Calculus10 Introduction to π-Calculus . . . . . . . . . . . . . . . 15910.1 Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16210.2 Names and Substitutions . . . . . . . . . . . . . 16410.3 Structural Congruence . . . . . . . . . . . . . . . 16710.4 Transition Relation . . . . . . . . . . . . . . . . . . 17111 A Petri Net Translation of π-Calculus . . . . . 17511.1 Restricted Form . . . . . . . . . . . . . . . . . . . . . 17811.2 Structural Semantics . . . . . . . . . . . . . . . . . 18312 Structural Stationarity. . . . . . . . . . . . . . . . . . . 19512.1 Structural Stationarity and Finiteness . . . 19712.2 Derivatives . . . . . . . . . . . . . . . . . . . . . . . . . 19812.3 First Characterization of StructuralStationarity . . . . . . . . . . . . . . . . . . . . . . . . . 20112.4 Second Characterization of StructuralStationarity . . . . . . . . . . . . . . . . . . . . . . . . . 20613 Undecidability Results . . . . . . . . . . . . . . . . . . . 21713.1 Counter Machines . . . . . . . . . . . . . . . . . . . 218

13.2 From Counter Machines to BoundedBreadth . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22113.3 Undecidability of Structural Stationarity 22513.4 Undecidability of Reachability inDepth 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

List of Figures1.1 Tree computation in the decisionprocedure for boundedness. . . . . . . . . . . . . 151.2 Petri net N 0 computing A 0 (x) := x + 1. . . . 201.3 Petri net N n+1 computingA n+1 (x + 1) := A n (A n+1 (x)). . . . . . . . . . . . 213.1 Unfolding procedure. . . . . . . . . . . . . . . . . . 664.1 Coverability graph computation. . . . . . . . . 73

7.1 Symbolic forward algorithm forcoverability in LCS. . . . . . . . . . . . . . . . . . . 1278.1 Sketch of the lossy channel system inthe encoding of CPCP . . . . . . . . . . . . . . . . . 1328.2 Non-computability of channel contents . . 1389.1 Expand, Enlarge, and Check. . . . . . . . . . . 15511.1 Graph interpretation of a π-Calculusprocess . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17711.2 Illustration of unnecessary transitions . . . . 18811.3 Structural semantics of an exampleprocess . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19011.4 Illustration of the transition systemisomorphism in Theorem 11.1 . . . . . . . . . . 19312.1 Transition sequence illustratingunbounded breadth . . . . . . . . . . . . . . . . . . . 20712.2 Transition sequence illustratingunbounded depth . . . . . . . . . . . . . . . . . . . . . 20913.1 Proof of undecidability of structuralstationarity . . . . . . . . . . . . . . . . . . . . . . . . . . 226

Part IConcurrent Programs andPetri Nets

Concurrent programs, communicating asynchronouslyover a shared memory or synchronously via remote methodinvocation, can be conveniently modelled in terms ofPetri nets. We introduce the basics of place/transitionPetri nets, discuss fundamental verification problems,and study related analysis algorithms.

Chapter 1Introduction to Petri NetsAbstract First definitions on Petri nets and the notion ofboundedness.1.1 Syntax and SemanticsWe present the basic concepts of Petri nets along thelines of [?, ?, ?]. Different from classical textbooks, we

put some emphasis verification problems like deadlockfreedom, reachability, coverability, and boundedness.Definition 1.1 (Petri net). A Petri net is a triple N =(S,T,W) where S is a finite set of so-called places, Ta finite set of transitions, and W : (S × T ) ∪ (T × S) →N a weight function. Places and transitions are disjoint,S ∩ T = /0.Graphically, we represent places by circles, transitionsby boxes, and the weight function by directed edges.More precisely, for W(s,t) = k with k ∈ N we draw anedge from s to t that is labelled by k, and similar foredges W(t,s) from t to s. We omit edges weighted zero,and draw unlabelled ones if the weight is one.The preset • s of a place s ∈ S contains the transitionswith an arc leading to this place, • s := {t ∈ T | W(t,s) >0}. Those transitions act productive on s. The transitionsthat consume from s are in the postset of s, s • := {t ∈T | W(s,t) > 0}. For transitions t ∈ T , the notions aresimilar. They operate upon the places in their preset • t :={s ∈ S | W(s,t) > 0} and in their postset t • := {s ∈ S |W(t,s) > 0}.

Petri nets are automata comparable to finite state automataor Turing machines. Like every automaton model,they come equipped with a notion of state — called amarking in Petri nets — that influences the actions takenalong a computation. What differentiates Petri nets fromthe remaining automata is the concurrency they reflect.A single Petri net typically captures the interaction ofseveral programs. Therefore, a marking has to determinethe next actions in all programs. The solution is to collectthe places the different programs are currently in.Definition 1.2 (Marking and marked Petri net). LetN = (S,T,W). A marking is a function M ∈ N S that assignsa natural number to every place. A marked Petrinet is a pair (N,M 0 ) of a Petri net and an initial markingM 0 . We also write N = (S,T,W,M 0 ) for a marked Petrinet.Markings are visualised by tokens, dots inserted into thecircles that represent the places of a Petri net. For M(s) =k with k ∈ N we put k dots into the corresponding circleand say that place s contains k tokens.

To assess the complexity of verification problems forPetri nets, we measure their size by counting the numberof places, transitions, arcs, and tokens.Definition 1.3 (Size of a Petri net). The size of N =(S,T,W,M 0 ) is ||N|| := |S| + |T | + ∑ s∈S ∑ t∈T (W(s,t) +W(t,s)) + ∑ s∈S M 0 (s).The execution of transitions, called firing and denotedby 1 M 1 [t〉M 2 , changes the token count. But as markingsare defined to be semi-positive, there is a restriction. Atransition can only be fired if the places in its preset containenough tokens.Definition 1.4 (Enabledness and deadlock). ConsiderN = (S,T,W) and M ∈ N S . Transition t ∈ T is enabledin M if M ≥ W(−,t). Marking M is a deadlock of N if itdoes not enable any transition.The detection of deadlocks in a concurrent program is afundamental problem in verification. Deadlocks point toincorrect assumptions on the synchronisation behaviourand thus to major flaws in the system of interest.1 Automata theory commonly uses the syntax M 1t→ M 2 for theexecution of transitions.

If transition t is enabled, its firing produces W(t,s) tokenson every place s in its postset and, at the same time,consumes W(s,t) tokens from the places in its preset.Definition 1.5 (Firing relation). Let N = (S,T,W). Bydefinition, the firing relation [〉 ⊆ N S × T × N S containsthe triple (M 1 ,t,M 2 ), denoted by M 1 [t〉M 2 , if t is enabledin M 1 and M 2 = M 1 −W(−,t) +W(t,−).We extend the firing relation to finite sequences of transitionsσ ∈ T ∗ inductively as follows. The empty word εdoes not change a marking, M[ε〉M for all M ∈ N S . Forany two markings M 1 ,M 2 ∈ N S we then have M 1 [σ.t〉M 2if there is M ∈ N S with M 1 [σ〉M and M[t〉M 2 . The syntaxM 1 [σ〉 indicates that transition sequence σ ∈ T ∗ is enabledin M 1 , which means there is a marking M 2 ∈ N S sothat M 1 [σ〉M 2 . An infinite transition sequence σ ∈ T ω isenabled in M 1 , if so are all its finite prefixes. This meansfor all σ a ∈ T ∗ and σ b ∈ T ω with σ = σ a .σ b we haveM 1 [σ a 〉.Definition 1.6 (Termination). A Petri net N = (S,T,W,M 0terminates if no infinite transition sequence is enabled inM 0 .

Termination is a second elementary problem in verification.Infinite transition sequences point to livelocks in aconcurrent program, where components fail to leave certaincommands.A marking M 2 is said to be reachable from markingM 1 , if there is a firing sequence leading from M 1 to M 2 .We denote the set of all markings reachable from M 1 byR(M 1 ) := {M 2 ∈ N S | M 1 [σ〉M 2 for some σ ∈ T ∗ }. Forthe initial marking, we typically write R(N) instead ofR(M 0 ) and call it the state space of Petri net N. Based onthese notions, we define the reachability graph that documentsthe full firing behaviour of a Petri net. Its set ofvertices is the state space of the Petri net, the edges correspondto the firing relation. More precisely, a t-labellededge from M 1 to M 2 represents the firing M 1 [t〉M 2 . Theinitial marking forms the initial vertex.Definition 1.7 (Reachability graph). Consider the Petrinet N = (S,T,W,M 0 ). The reachability graph of N isRG(N) := (R(N),[〉 ∩ (R(N) × T × R(N)),M 0 ).Mutual exclusion properties fail if at least two programsenter the critical section. Hence, in the correctness proofone ensures that no marking M ′ is reachable that domi-

nates marking M with two programs in the critical section.This weaker notion of reachability is called coverability.Definition 1.8 (Coverability). Consider the Petri net N =(S,T,W). Marking M 2 is coverable from M 1 , if there isM ∈ R(M 1 ) with M ≥ M 2 .We give a precise definition of the ordering among markings.Let M,M ′ ∈ N S . We write M ≥ M ′ for the fact thatM(s) ≥ M ′ (s) for all places s ∈ S. Syntax M ≩ M ′ indicatesthat M ≥ M ′ and additionally there is a place s ∈ Swith M(s) > M ′ (s).Not only is coverability often sufficient to ensure asystem’s correctness. As we shall see, it is also a propertythat remains decidable for infinite state models wherereachability is lost.1.2 BoundednessPetri nets may have an infinite state space. Equivalently,there is no bound on the number of tokens that a place

may contain. Amongst the bounded nets, safe nets whereplaces carry at most one token play an important role.Definition 1.9 (Boundedness). Consider Petri net N =(S,T,W,M 0 ). Place s ∈ S is called k-bounded with k ∈ Nif in every reachable marking M ∈ R(N) it carries at mostk tokens, M(s) ≤ k. The place is safe if it is 1-bounded,and it is bounded if it is k-bounded for some k ∈ N. ThePetri net is called k-bounded, safe, or bounded if all itsplaces satisfy the corresponding property.We restrict our attention to unbounded and to safePetri nets.As was indicated above, unbounded Petri nets are thosewith an infinite state space.Lemma 1.1 (Finiteness). Petri net N is bounded if andonly if R(N) is finite.One of the fascinating things about Petri nets is that importantverification problems remain decidable in the infinitestate case. In this section, we develop a decision

procedure for boundedness that may be applied, for example,to examine the number of threads a server maygenerate. The argumentation serves as an appetiser forthe proofs that are about to follow in this lecture. Inparticular, the idea of monotonicity appears in differentflavours. Technically, monotonicity states that largermarkings are able to imitate the behaviour of smallerones.Lemma 1.2 (Monotonicity). Consider a Petri net N =(S,T,W) and markings M,M 1 ,M 2 ∈ N S . If M 1 [σ〉M 2then (M 1 + M)[σ〉(M 2 + M).Monotonicity shows that sequences of increasing markingspoint to an infinite state space.Lemma 1.3 (From increasing markings to unboundedness).Consider some Petri net N. If there are M 1 ∈R(N) and M 2 ∈ R(M 1 ) with M 2 ≩ M 1 , then N is unbounded.Idea. By monotonicity, a transition sequence σ from M 1to M 2 with M 2 ≩ M 1 can be repeated in M 2 . It leads to amarking M 3 with M 3 ≩ M 2 for which the argumentationagain holds. We thus obtain

M 0 [τ〉M 1 [σ〉M 2 [σ〉M 3 [σ〉... with M 1 ≨ M 2 ≨The sequence adds an unbounded number of tokens to atleast one place.Proof. Assume M 0 [τ〉M 1 [σ〉M 2 with M 2 ≩ M 1 and σ,τ ∈T ∗ . Since M 2 ≩ M 1 , the difference M := M 2 − M 1 isgreater zero, M ≩ 0. The observation that M 2 = M 1 +M now justifies M 1 [σ〉(M 1 + M). With monotonicity inLemma 1.2, we add M to M 1 and have (M 1 +M)[σ〉(M 1 +2M). This means, sequence σ can also be fired in M 1 +M. Repeating the argumentation shows that M 1 [σ i 〉(M 1 +iM) for every i ∈ N.To establish unboundedness, we proceed by contradiction.Let k ∈ N bound the token count in all markingson all places. Since M ≩ 0, there is a place s ∈ S withM(s) > 0. We argued above that firing σ for (k + 1)-times is feasible and yields M 1 [σ k+1 〉(M 1 + (k + 1)M).In the resulting marking, place s carries (M 1 + (k +1)M)(s) = M 1 (s) + (k + 1)M(s) ≥ k + 1 tokens, whichcontradicts the boundedness assumption.⊓⊔Interestingly, also the reverse holds. If a Petri net is unbounded,one finds the token count increasing on some

path. The proof relies on the fact that N S is well-quasiordered.Every infinite sequence of markings (M i ) i∈Ncontains comparable elements i < j with M i ≤ M j . Wedevote the full Section ?? to well-quasi-orderings andtake this fact for granted.Lemma 1.4 (Comparable elements). Consider Petri netN. Every infinite sequence (M i ) i∈N of markings in R(N)contains indices i < j with M i ≤ M j .Lemma 1.5 (From unboundedness to increasing markings).If N is unbounded, then there are M 1 ∈ R(N) andM 2 ∈ R(M 1 ) with M 2 ≩ M 1 .Idea. We summarise all transition sequences that do notrepeat markings in a tree. To be precise, we say that atransition sequence M 0 [t 1 〉M 1 [t 2 〉...[t n 〉M n does not repeatmarkings, if M i ≠ M j for all i ≠ j. Note that everyreachable marking can be obtained without repetitions.Hence, as we have an infinite state space, the tree is infinite.The outdegree is bounded by the number of transitions.An application of König’s lemma 2 now shows2 König’s lemma states that every infinite tree of finite outdegreecontains an infinite path.

the existence of an infinite path (M i ) i∈N in this tree.Lemma 1.4 gives two comparable elements i < j withM i ≤ M j on the path. By construction, the markings aredistinct, M i ≨ M j , as required.Proof. Consider the unbounded Petri net N = (S,T,W,M 0 ).We construct a tree (Q,→,q 0 ,lab) with vertices Q, edges→ ⊆ Q×T ×Q, root q 0 , and vertex labelling lab that assignsto every q ∈ Q a marking M ∈ N S . The procedure,stated in pseudo code in Figure 1.1, works as follows.The root q 0 is labelled by the initial marking. For everyvertex q 1 ∈ Q labelled by M 1 and every transition t ∈ T ,compute M 2 with M 1 [t〉M 2 . If M 2 does not label a vertexon the path from q 0 to q 1 , add a new vertex q 2 to the treeand label it by M 2 . Add the edge (q 1 ,t,q 2 ). If transitiont is disabled in M 1 or M 2 has already been seen, considerthe next transition.Since N is unbounded, its state space is infinite accordingto Lemma 1.1. Every marking M ∈ R(N) isreachable without repetitions and thus labels some q ∈ Q.Therefore, the tree computed above is infinite. Its outdegreeis bounded by the number of transitions, hence finite.By König’s lemma, there is an infinite path q 0 ,t 1 ,q 1 ,t 2 ,in the tree with (q i ,t i+1 ,q i+1 ) ∈ → for all i ∈ N. Its ver-

lab(q 0 ) = M 0for all q 1 ∈ Q dofor all t ∈ T dolet lab(q 1 ) = M 1if M 1 [t〉M 2 and M 2 does not label a vertex on the path fromend ifend for allend for alladd new vertex q 2 to Q with lab(q 2 ) = M 2add edge (q 1 ,t,q 2 ) to →(♠) //decision procedure in Theorem 1.1(♣) //decision procedure in Theorem 1.1Fig. 1.1 Tree computation in the decision procedure for boundedness.tex labelling lab(q i ) = M i forms an infinite sequence ofmarkings (M i ) i∈N for which Lemma 1.4 finds two comparableelements M i ≤ M j with i < j. They are differentby construction, M i ≨ M j . The observation that edges

epresent transition firings yields M 0 [t 1 〉M 1 [t 2 〉M 2 [t 3 〉...and allows us to conclude M i ∈ R(M 0 ) and M j ∈ R(M i ).⊓⊔The proof of Lemma 1.5 suggests the following decisionprocedure for boundedness. Compute the tree of alltransition sequences and report unboundedness at (♠)when increasing markings are found. If no such markingsexist, the computation eventually stops and returnsboundedness at (♣). The procedure is correct for both,depth-first and breadth-first implementations of the treecomputation.Theorem 1.1 (Decidability of boundedness). It is decidable,whether a Petri net N is bounded.To turn the algorithm given in Figure 1.1 into a decisionprocedure for boundedness, add the following commandsat the points specified:(♠)(♣)if M 2 ≩ M for some M labelling a vertex on the pareturn unboundedend ifreturn bounded

Proof. To establish correctness, assume the decision procedureis applied to an unbounded Petri net. By Lemma 1.5,there are M 1 ∈ R(N) and M 2 ∈ R(M 1 ) with M 2 ≩ M 1 .Hence, a breadth-first implementation of the tree computationwill find vertices q 1 reachable from q 0 and labelledby M 1 as well as q 2 reachable from q 1 and labelledby M 2 . The if condition in (♠) applies and returnsunbounded.The proof of Lemma 1.5 actually shows that every infinitepath contains two comparable elements M 2 ≩ M 1 .Hence, a depth-first implementation either finds (♠) satisfiedor backtracks from a finite path. As the tree containsan infinite path, the search eventually returns thecorrect answer.If the algorithm is applied to a bounded Petri net, byLemma 1.3 (contraposition) there are no M 1 ∈ R(N) andM 2 ∈ R(M 1 ) with M 2 ≩ M 1 . Condition (♠) never applies.However, as the Petri net is bounded its state space isfinite by Lemma 1.1. The tree computation eventuallystops and returns bounded at (♣).⊓⊔For bounded Petri nets, the decision procedure determinesthe full state space. To demonstrate that this leadsto unacceptable runtimes, we present a construction by

Ernst Mayr ( ∗ 1950) and Albert Meyer ( ∗ 1941). It providesbounded Petri nets of size O(n) that generate theastronomic number of A(n) tokens. The Ackermann functionA(n) is well known to be not primitive recursive.Definition 1.10 (Ackermann function). Consider the functions A i ∈ N N defined byA 0 (x) := x + 1 A n+1 (0) := A n (1) A n+1 (x + 1) := A n (A nThe Ackermann function A ∈ N N is defined as A(n) :=A n (n).Theorem 1.2 (Mayr and Meyer [?]). For every n ∈ N,there is a bounded Petri net N n of size O(n) that generatesA(n) tokens on some place.As a consequence, there is no primitive recursive relationshipbetween the size of a bounded Petri net and thesize of its state space.Corollary 1.1. For bounded Petri nets N, the size ofR(N) and thus RG(N) is not bounded by a primitive recursivefunction in the size of N.

Proof (of Theorem 1.2). We follow the presentation in[?]. The sequence of Petri nets N n is constructed inductively.To this end, we equip them with four interfaceplaces. A starting and a halting place control the computationso that the Petri nets terminate when the haltingplace gets marked. The input place expects x ∈ N tokensand the transition sequences produce up to A n (x) tokenson the output place.Let N n (x) mean that the input of N n contains x ∈ Ntokens and the start place has a single token. The remainingplaces are unmarked. To make our statement precise,we require that N n (x) is bounded by A n (x). The Petrinet terminates. Moreover, M ∈ R(N n (x)) is a deadlockif and only if M(stop) = 1 and M(start) = 0. There issuch a deadlock with M(stop) = 1, M(out) = A n (x), andM(s) = 0 otherwise.Petri net N 0 is depicted in Figure 1.2. It moves all tokenson the input place to the output place, and finallyadds one token before halting. The conditions on boundednessand termination are readily checked.Petri net N n+1 extends N n by connecting to the interfaceplaces. The construction, given in Figure 1.3, exploitsthe equation

instartoutstopFig. 1.2 Petri net N 0 computing A 0 (x) := x + 1.A n+1 (x) = A n (...A n (A n (1))...).} {{ }(x+1)−timesTo compute A n+1 (x) with N n+1 (x), observe that by theinduction hypothesis N n (1) always terminates with a tokenon stop. Among the transition sequences there is onethat, upon halting, gives A n (1) tokens on the output placeand an otherwise (up to stop) empty net N n . We transferthe tokens back to the input place of N n , thereby decrementingx. This restarts N n with input A n (1), N n (A n (1)).We again apply the hypothesis to find a terminating runthat produces A n (A n (1)) tokens on the output place ofN n . This means, we have A n+1 (1) tokens on the outputplace of N n and still x − 1 tokens in the input placeof N n+1 . Repeating the computation and transfer of N nfor another (x−1)-times provides A n+1 (x) tokens on the

output place of N n . The Petri net cannot be restarted as notokens are left on the input of N n+1 . Instead the A n+1 (x)tokens on the output of N n are transferred to the outputof N n+1 . Petri net N n+1 (x) then halts with the requiredtoken count. In Figure 1.3, the start of N n on 1 as well asthe loop construction from the output place of N n backto its input place are highlighted in red and blue, respectively.instartin outNnstrt stpoutstopFig. 1.3 Petri net N n+1 computing A n+1 (x + 1) := A n (A n+1 (x)).

Petri net N n+1 (x) does not guarantee that all tokenson the output place of N n are transferred back to the input.This does not lead to a bound larger than A n+1 (x).Assume we transfer y tokens and x tokens remain in theoutput place of N n . After the computation of N n (y), wefind at best A n (y) + x tokens on the output of N n . ByA n (y)+x ≤ A n (y+x), keeping tokens in the output placeonly decreases the overall token count. Hence, A n+1 (x)in fact bounds the token count of N n+1 (x).The size of N 0 is 17. For N n , we add 33 items to thesize of N n−1 and obtain||N n || = 33 + ||N n−1 || = 33n + 17.Initially, the input place of N n carries n tokens and thestart place has a single token. The marked Petri net thushas a size of 34n + 18 ∈ O(n).⊓⊔

Chapter 2InvariantsAbstract Linear programming techniques for Petri netverification.2.1 Marking EquationOur goal is to exploit linear algebraic techniques for reasoningabout (un)reachability and (non)coverability of

markings. To this end, we rephrase the firing relation asa linear algebraic operation. As a first step, equip the setof places in N = (S,T,W,M 0 ) with a total ordering thatwe indicate by indices S = {s 1 ,...,s n }. It turns markingM ∈ N S into a vector M ∈ N |S| of dimension |S|.Similarly, for a fixed transition t ∈ T the weight functionW : (S × T ) ∪ (T × S) → N is expressed by the twovectors⎛ ⎞⎛ ⎞W(s 1 ,t)W(t,s 1 )⎜W(−,t) := ⎝ .⎟⎠⎜W(t,−) := ⎝ .W(s n ,t)W(t,s n )⎟⎠With an additional ordering on transitions, T = {t 1 ,...,t m },the weight function W yields two matrices. The forwardmatrix F ∈ N |S|×|T | contains the weights on arcs fromplaces to transitions, i.e., forward relative to the places.The backwards matrix B ∈ N |S|×|T | gives the arcs fromtransitions to places:F := ( W(−,t 1 ) ... W(−,t m ) ) B := ( W(t 1 ,−) ... W(

Together, forward and backward matrix contain full informationabout the weight function so that we may alternativelygive N = (S,T,W) as N = (S,T,F,B).Definition 2.1 (Connectivity matrix). Let N = (S,T,F,B)Its connectivity matrix is C := B − F ∈ Z |S|×|T | .The connectivity matrix does not indicate loops in thePetri net. If there are arcs from place s to transition tand vice versa, W(s,t) = 1 = W(t,s), we get C(s,t) = 0.Missing arcs with W(s,t) = 0 = W(t,s) have the sameentry.The i-th column of C gives the difference W(t i ,−) −W(−,t i ), which is precisely the vector added to a markingupon firing of t i . With this insight, we can determinethe goal marking M 2 reached from M 1 via a full transitionsequence σ directly from M 1 and σ, without intermediaryfirings. The key is that just the number oftransitions but not their ordering in a firing sequence isimportant.Definition 2.2 (Parikh image). Consider transitions T .The Parikh image of σ ∈ T ∗ is the function p(σ) ∈ N Twith (p(σ))(t) = number of occurrences of t in σ.

To illustrate the independence of the transition ordering,consider some sequence σ = t 1 .t 2 .t 1 over two transitions.If M 1 [σ〉M 2 by definition of firing M 2 satisfiesM 2 = M 1 + C(−,t 1 ) + C(−,t 2 ) + C(−,t 1 )= M 1 + C(−,t 1 )(p(σ)(t 1 )) + C(−,t 2 )(p(σ)(t 2 )).Taking the Parikh image as a vector, this sum is M 0 +C·p(σ).Lemma 2.1 (Marking equation). Consider N = (S,T,W)with connectivity matrix C ∈ N |S|×|T | , M 1 ,M 2 ∈ N |S| , andσ ∈ T ∗ . If M 1 [σ〉M 2 then M 2 = M 1 + C · p(σ).As an immediate consequence, if marking M 2 is reachablefrom M 1 the equation M 2 −M 1 = C·x has a solutionin N |T | . This can be applied in contraposition for verification.If the equation has no solution then M 2 is notreachable from M 1 .Vice versa, any vector K ∈ N |T | is the Parikh image ofa transition sequence, K = p(σ) for some σ ∈ T ∗ . Thisσ has an enabling marking, say M 1 ∈ N |S| . Hence, thefollowing weak reverse of the above holds. If M = C · x

has a natural solution, then there is a marking M 1 thatreaches M 1 + M. We summarise both arguments.Lemma 2.2. Consider N = (S,T,F,B) with connectivitymatrix C ∈ N |S|×|T | and let M ∈ N |S| . There is a markingM 1 ∈ N |S| with M 1 + M ∈ R(M 1 ) if and only if M = C · xhas a solution in N |T | .Interestingly, in combination with the statements on boundednessfrom Section 1.2, Lemma 2.2 provides a characterisationof structural boundedness, i.e., boundednessunder any initial marking.Proposition 2.1 (Characterisation of structural boundedness).Consider Petri net N = (S,T,F,B) with connectivitymatrix C ∈ N |S|×|T | . There is an initial marking M 0so that (N,M 0 ) is unbounded if and only if C · x ≩ 0 hasa solution in N |T | .Proof. For the direction from right to left, assume C·x ≩0 has a solution in N |T | . This means, there is a markingM ≩ 0 with C·x = M. By Lemma 2.2, we find a markingM 1 with M 1 + M ∈ R(M 1 ). We are thus in a position toapply Lemma 1.3 to the Petri net N with initial markingM 1 , which proves unboundedness.⊓⊔

Parametric verification considers families of systems wherethe instances differ only in certain parameters. A typicalexample are client server architectures that vary inthe number of threads. In this light, Proposition 2.1 canbe interpreted as follows. Solving C · x ≩ 0 checks forwhether the size, for example of buffers, is bounded inall instances of the architectural family.2.2 Structural and Transition InvariantsIn our running example, we noticed that always eitherthe semaphore or the critical section carries a token. Thiscan be formulated asM(pcs) + M(sem) = 1, (2.1)and the equation holds in every reachable marking. Structuralinvariants provide a means to derive such equations.Technically, a structural invariant is a vector I ∈ Z |S| withC T ·I = 0. Here, C T denotes the transpose of the connectivitymatrix, and therefore I is in fact an |S|-dimensional

vector. The intuition is that I gives a weight to the tokenson each place.Definition 2.3 (Structural invariant). Consider N = (S,T,with connectivity matrix C ∈ Z |S|×|T | . A structural invariantI ∈ Z |S| is a solution to C T · x = 0.The main property of structural invariants is that the I-weighted sum of tokens stays constant under transitionfirings. This follows, by a beautiful algebraic trick, fromthe marking equation and the requirement that C T ·I = 0.Theorem 2.1 (Invariance of structural invariants). LetI ∈ Z |S| be a structural invariant of N = (S,T,W,M 0 ).Then for all M ∈ R(N) we have I T · M = I T · M 0 .Before we turn to the proof, we show how to deriveEquation 2.1 in our example with the help of Theorem2.1. Note that I(pw) = 0 and I(pcs) = 1 = I(sem)is a structural invariant of N M+S . The initial marking isM 0 (pw) = 2, M 0 (sem) = 1, and M 0 (pcs) = 0. An applicationof Theorem 2.1 yieldsI T · M = 0M(pw) + 1M(pcs) + 1M(sem) = 1 = I T M 0 ,

as required. The equation holds for all markings reachablein N M+S .Idea (Theorem 2.1). The proof relies on the markingequation M = M 0 + C · p(σ). We multiply the invariantfrom the left and exploit the laws of transpositionI T · (C · p(σ)) = (C T · I) T · p(σ)to swap the positions of I and C. The definition of structuralinvariants concludes the proof.Proof. Let N = (S,T,W,M 0 ) be a Petri net with connectivitymatrix C ∈ Z |S|×|T | and structural invariant I ∈ Z |S| .Assume marking M ∈ R(N) is reachable by M 0 [σ〉Mfor some σ ∈ T ∗ . The marking equation yields M =M 0 + C · p(σ). We multiply the transposed of I to bothsides and obtain

I T · M{ Marking equation } = I T · (M 0 + C{ Distributivity } = I T · M 0 + I T{ Associativity, transposition self inverse } = I T · M 0 + (I T{ Transposition law B T · A T = (A · B) T } = I T · M 0 + (C{ Definition structural invariant } = I T · M 0 + 0 TThe latter is I T · M 0 which concludes the proof.Applied in contraposition, Theorem 2.1 yields a reachabilitycheck. If a marking does not satisfy the equalitystated above, it cannot be reachable.Corollary 2.1 (Unreachability via structural invariants).Let N = (S,T,W,M 0 ) with structural invariantI ∈ Z |S| and M ∈ N |S| . If I T ·M ≠ I T ·M 0 , then M /∈ R(N).Structural invariants can be computed in polynomial timeusing Gauss elimination with O(||N|| 3 ). Therefore, thistest can be performed efficiently prior to heavier reachabilityanalyses. To obtain more expressive structural invariants,they can be added up and scaled by a constant.Lemma 2.3. If I 1 and I 2 are structural invariants of N,so are I 1 + I 2 and kI 1 , k ∈ Z.⊓⊔

Invariants also yield bounds for the places that are weightedstrictly positive. The lemma follows from Theorem 2.1and only holds for non-negative invariants.Lemma 2.4 (Place boundedness from structural invariants).Let N = (S,T,W) with structural invariantI ∈ N |S| . Let s ∈ S with I(s) > 0. Then s is bounded underany initial marking M 0 ∈ N |S| .As a consequence, a Petri net N = (S,T,W) that has acovering structural invariant I ∈ N |S| with I(s) > 0 forall s ∈ S is bounded under any initial marking.Corollary 2.2 (Structural boundedness from structuralinvariants). If N has a covering structural invariant, itis structurally bounded.Definition 2.4 (Transition invariant). Consider N = (S,T,with connectivity matrix C ∈ Z |S|×|T | . A transition invariantJ ∈ N |T | is a solution to C · x = 0.Transition sequences with Parikh vector J do not changethe marking. Vice versa, if a transition sequence does notchange the marking, then its Parikh vector is a transitioninvariant.

Theorem 2.2 (Invariance of transition invariants). Considertransition sequence M[σ〉M ′ in a Petri net N =(S,T,W). Then M ′ = M if and only if p(σ) is a transitioninvariant of N.Transition invariants again can be added up and scaledby a constant. Reachability graphs of Petri nets withouttransition invariants are acyclic.2.3 Traps and SiphonsPetri nets are bipartite graphs. Up to now, we have usedthis fact only indirectly when we defined the connectivitymatrix. In this section, we explictily use the graphstructure to derive inequalities on the token count thatare invariant under firings. The corresponding notions ofsiphons and traps are classical in Petri net theory. Theydescribe regions of places in a Petri net that tokens cannever leave or enter.Traps and siphons can be defined for Petri nets withweighted arcs, but this causes a formal overhead. Wetherefore assume that transitions are weighted either zero

Y T · C Q ≥ 0 (2.2)Y ≥ 0whose rational solutions characterize traps. For the technicaldevelopment, we first introduce a variable Y (s) forevery place s ∈ S. By definition, traps Q ⊆ S satisfyQ • ⊆ • Q. For every place s 1 ∈ Q and every transitiont ∈ s • 1 some place s 2 ∈ t • belongs to Q. With place variables,we formulate the requirement equivalently asY (s 1 ) ≤∑s 2 ∈t • Y (s 2 ).Fix s 1 ∈ S and t ∈ s • 1 . To rephrase the above inequalitywith matrix multiplication, let E s1 denote the unit vectorfor dimension s 1 . Moreover, we set up the postset vectorV t • ∈ {0,1} |S| with V t •(s) = 1 iff s ∈ t • . The inequality isthen equivalent toE T s 1 ·Y ≤ V Tt • ·Y ⇔ Y T · (V t • − E s1 ) ≥ 0.To check the inclusion Q • ⊆ • Q on all places in a trapand all surrounding transitions, we summarize the abovevectors V t • − E s1 in a matrix.

Definition 2.7 (Trap matrix). The trap matrix C Q ∈Z |S|×|S||T | is defined by setting C Q (−,(s,t)) := V t • − E sif t ∈ s • and C Q (−,(s,t)) := 0 otherwise.In combination with the equivalences derived above, weobtain a linear algebraic characterization of traps. For aconcise statement, consider Q ⊆ S. The associated vectoris K Q ∈ Q |S| with K Q (s) := 1 if s ∈ Q and K Q (s) := 0otherwise. Vice versa, every vector K ∈ Q |S| describesthe set Q K := {s ∈ S | K(s) > 0}.Proposition 2.2. Consider Petri net N. If Q ⊆ S is a trap,then K Q ∈ Q |S| satisfies Inequality 2.2. In turn, if K ∈ Q |S|satisfies Inequality 2.2, then Q K ⊆ S is a trap.The concept dual to traps are so-called siphons. Theydescribe regions in a Petri net that cannot receive tokens.Technically, every transition that acts productive on theplaces in a siphon also consumes tokens from the siphon.Definition 2.8 (Siphon). A siphon of Petri net N is asubset D ⊆ S of places that satisfies • D ⊆ D • . A siphonis empty under M ∈ N |S| if M(s) = 0 for all s ∈ D.A siphon that is initially empty blocks all transitions thatproduce tokens on it.

Lemma 2.6 (Siphon property). Consider Petri net N =(S,T,W,M 0 ) with siphon D ⊆ S that is empty under theinitial marking M 0 ∈ N |S| . Then ∑ s∈D M(s) = 0 holds forall M ∈ R(N).Like for traps, a union of siphons again yields a siphon.Moreover, empty siphons characterize deadlock situationsin a Petri net. The statement only holds for Petrinets where every transition depends on a place, i.e., inthe following we assume that for each t ∈ T there is s ∈ Swith s ∈ • t.Lemma 2.7 (Deadlocks and empty siphons). If M ∈N |S| is a deadlock of N then there is a siphon D ⊆ S thatis empty under M.Set D := {s ∈ S | M(s) = 0} to contain the places thatare empty in M. Consider t ∈ • D. Since t is dead, thereis s ∈ • t with M(s) = 0. This means t ∈ D • .

2.4 Verification by Linear ProgrammingWe develop a powerful constraint-based verification algorithmfor Petri nets that is based on the linear algebraicinsights obtained so far. Instead of constructing thePetri net’s state space, the algorithm sets up a system ofinequalities whose infeasibility proves correctness. As aconsequence, the approach circumvents the state spaceexplosion problem and is rather fast. Moreover, it is notrestricted to finite state systems. On the downside, thealgorithm is only sound but not complete. If it finds theconstraint system infeasible, it concludes correctness ofthe Petri net. In turn, although the Petri net is correct thealgorithm may find the constraint system feasible. In thiscase it returns unknown. To begin with, we make the notionof correctness precise.Definition 2.9 (Property). A property is a function P :N |S| −→ B that assigns a Boolean value to each marking.We write P(M) rather than P(M) = t and similarly¬P(M) for P(M) = f . A property holds for aPetri net N if P(M) holds for all M ∈ R(N). A propertyis co-linear if its violation can be expressed by a linear

inequality: ¬P(M) if and only if A · M ≥ B for someA ∈ Q k×|S| and B ∈ Q k for some k ∈ N.Definition 2.10 (Linear, integer, mixed programming).A linear programming problem is a set of linear inequalitiesA · X ≤ B with A ∈ Q m×n and B ∈ Q m on a set ofvariables X ∈ Q n . The inequalities are also called constraints.There may be an additional objective functionC T · X with C ∈ Q n to be maximized. We denote a linearprogramming problem byVariables: X (potentially with type)Maximize C T · X subject toA · X ≤ B.A solution to the problem is a vector K ∈ Q n that satisfiesA · X ≤ B. The solution is optimal if it maximizes C T · Xin the space of all solutions.If the solution is required to be integer, K ∈ Z n , thenthe problem is called integer programming problem. Ifsome variables are to receive integer values while otherscan be evaluated rational, we have a mixed programmingproblem. A linear, integer, or mixed programming prob-

lem is called feasible if it has a solution. Otherwise it iscalled infeasible.Linear programming is in P while mixed and integerprogramming are NP-complete. We explain how integerprogramming helps checking whether a Petri net N satisfiesa property P. Assume this is not the case. Thenthere is a marking M ∈ R(N) that violates the property.Recall that the marking equation overapproximates thestate space. This means M satisfies M = M 0 + C · X forsome X ∈ N |T | . By co-linearity, violation ¬P(M) is expressedby A · M ≥ B. To sum up, a reachable markingthat violates the property solves the following integerprogramming problem.Definition 2.11 (Basic verification system). ConsiderPetri net N = (S,T,W,M 0 ) and a co-linear property Pdefined by A · X ≥ B for some A ∈ Q k×|S| and B ∈ Q kwith k ∈ N. The basic verification system (BVS) associatedto N and P is

Variables: X,M integerM = M 0 + C · XM,X ≥ 0A · M ≥ B.We argued that feasibility of BVS is necessary for a violationto the property.Proposition 2.3. Consider a Petri net N and a propertyP. If the associated BVS is infeasible, then P holds forN.Basic verification systems are too weak for the analysisof concurrent programs that communicate via sharedvariables. Programs typically rely on tests of the formc 0 ; if x = 0 then c 1 ; ... else ...to determine the flow of control. These tests are canonicallymodelled by loops in Petri nets. There is a transitiont leading from a place for command c 0 to a placefor command c 1 . This transition has arcs from and to aplace s that reflects the valuation x = 0. In consequence,the connectivity matrix has entry C(s,t) = W(t,s) −

W(s,t) = 0. Therefore, the connectivity matrix cannotdistinguish the test from the absence of a test. As a result,Proposition 2.3 often is not applicable and a prooffor unreachability of c 1 fails. Indeed, the BVS does notchange for program c 0 ;c 1 where the latter command isreachable.To strengthen the verification approach, we refine theset of constraints in BVS. We add inequalities that reflectthe trap property: all initially marked traps have toremain marked in the marking that solves the mixed programmingproblem. The resulting enhanced verificationsystem is sensitive to guards.To incorporate traps, we construct for a given markingM a trap inequality. It has a rational solution if andonly if M satisfies the trap property. Note that it is notobvious how to check a universal quantifier (all initiallymarked traps remain marked in M) by means of feasibility(there is a solution to the trap inequality). The ideais to state the reverse. We set up a constraint system thatis feasible iff there is a trap for which M violates thetrap property. Then we use Farkas’ lemma to capture bymeans of feasibility the negation of this statement: for

all traps M satisfies the trap property. We briefly explainthe steps in our construction.1. We exploit the linear algebraic characterization oftraps to set up a system of inequalities. This so-calledprimal system is feasible if and only if M violates thetrap property for some trap.2. By Farkas’ lemma we then construct a dual systemof inequalities that is feasible if and only if the primalsystem is infeasible. Together with the first statement,the dual system is thus feasible if and only if M satisfiesthe trap property for all traps.3. In combination with the marking equation, M becomesvariable which leads to non-linearity of the resultingconstraints. We manipulate the constraint systemto deal with this.The primal system is a reformulation of the trap property.Definition 2.12 (Primal system). Consider Petri net N =(S,T,W,M 0 ) with trap matrix C Q ∈ Z |S|×|S||T | . Let M ∈N |S| be some marking. The primal system is

Variables: Y rationalY T · C Q ≥ 0Y ≥ 0Y T · M 0 > 0Y T · M = 0.By the first two inequalities, Y forms a trap. The strictinequality then requires Y to be initially marked, and theequality finds Y unmarked at M. As a result, M violatesthe trap property for Q Y from Proposition 2.2.Lemma 2.8. The primal system is feasible if and only ifM violates the trap property.For the second phase of our construction, we briefly recallFarkas’ lemma. Certain systems of inequalities, socalledprimal systems, have a dual system that enjoys thefollowing equivalence. The primal system is infeasible ifand only if the dual system is feasible.Lemma 2.9 (Farkas 1894). One and only one of the followinglinear programming problems is feasible:

Variables: X rationalVariables: Y rationalA · X ≤ B Y T · A ≥ 0X ≥ 0 Y T · B < 0Y ≥ 0.The system from Definition 2.12 is not quite in the formon the right hand side. We apply several transformationsto obtain an equivalent constraint system of the requiredshape. Equivalent here means that the solutions do notchange. To begin with, note that M ∈ N |S| and thus M ≥0. Moreover, we require Y ≥ 0. Hence, we have Y T ·M =0 if and only if Y T · M ≤ 0. Changing the signs invertsthe inequality, i.e., Y T · M ≤ 0 holds if and only if Y T ·(−M) ≥ 0. We treat M 0 similarly and rewrite the systemfrom Definition 2.12 toVariables: Y rationalY T · C Q ≥ 0Y ≥ 0Y T · (−M 0 ) < 0Y T · (−M) ≥ 0.

A last step in constructing the desired shape is to extendC Q by a column for −M, denoted by (C Q − M). Thissummarize the first and the last inequality. Indeed, wehave Y T · C Q ≥ 0 and Y T · (−M) ≥ 0 if and only if Y T ·(C Q − M) ≥ 0.Variables: Y rationalY T · (C Q − M) ≥ 0Y T · (−M 0 ) < 0Y ≥ 0.To this system, we apply Farkas’ lemma.Definition 2.13 (Dual system). Given Petri net N withtrap matrix C Q ∈ Z |S|×|S||T | and a marking M ∈ N |S| , thedual system isVariables: X rational(C Q − M) · X ≤ −M 0X ≥ 0.Combining Lemma 2.8 with Farkas’ lemma immediatelyshows:

Lemma 2.10. The dual system is feasible if and only ifM satisfies the trap property: all initially marked trapsremain marked at M.Up to now, M was assumed constant. The goal of the enhancedverification system, however, is to overapproximateall reachable markings that satisfy the trap property.To this end, we combine the dual system with themarking equation. The problem in this construction is inthe product (−M) · X that is non-linear, and hence out ofscope for linear programming techniques. The solutionis again to manipulate the constraint system. We turn tothe technicalities of the third phase.Since −M is added to the trap matrix C Q ∈ Z |S|×|S||T | ,the dimension of X is |S||T | + 1. Hence, vector X isthe composition (X ′ x ′ ) T with X ′ ∈ Q |S||T | and x ′ ∈ Q.The product (C Q − M) · X ≤ −M 0 is thus equivalent tox ′ M ≥ M 0 + C Q · X ′ . We rewrite the dual system accordingly:

Variables: X ′ ,x ′ rationalx ′ M ≥ M 0 + C Q · X ′X ′ ≥ 0x ′ ≥ 0.Since M ≥ 0 the system is solvable with x ′ = 0 if andonly if there is a solution with x ′ > 0. This allows us todivide the first and the second inequality by x ′ . Note alsothat x ′ > 0 if and only if 1 x ′ > 0:Variables: X ′ ,x ′ rationalM ≥ 1 x ′ M 0 + C Q · ( 1 x ′ X ′ )1x ′ X ′ ≥ 01x ′ > 0.1If we setx ′ to be the rational variable z and use Z for1x ′ X ′ , we obtain the desired trap inequality.Definition 2.14 (Trap inequality). Consider Petri netN = (S,T,W,M 0 ) with trap matrix C Q ∈ Z |S|×|S||T | . LetM ∈ N |S| be a vector. The trap inequality is

Variables: Z,z rationalM ≥ z M 0 + C Q · ZZ ≥ 0z > 0.Proposition 2.4. Consider Petri net N and M ∈ N |S| .Marking M satisfies the trap property if and only if thetrap inequality is feasible.We are now prepared to combine the trap inequality withthe basic verification system from Definition 2.11 to amixed programming problem.Definition 2.15 (Enhanced verification system). Let Petrinet N have connectivity matrix C ∈ Z |S|×|T | and trapmatrix C Q ∈ Z |S|×|S||T | . Moreover, let P be a co-linearproperty on N defined by A · X ≥ B with A ∈ Q k×|S| andB ∈ Q k for some k ∈ N. The associated enhanced verificationsystem (EVS) is

Variables: M,X integer Z,z rationalM = M 0 + C · X (2.3)M,X ≥ 0M ≥ z M 0 + C Q · Z (2.4)Z ≥ 0z > 0A · M ≥ B. (2.5)Equality 2.3 is the marking equation. It states that M isreachable from M 0 via Parikh vector X. The trap inequalityis given as 2.4. By Proposition 2.4 it holds for M iffall initially marked traps remain marked in M. Therefore,the enhanced verification system is a more preciseapproximation to the Petri net’s state space than BVS. Bydefinition of co-linearity, the last Inequality 2.5 capturesa violation to the property. Since we overapproximate thestate space, checking EVS for infeasibility proves correctness.Phrased differently, the analysis is sound.Theorem 2.3. Consider a Petri net N and a co-linearproperty P. If the associated enhanced verification systemis infeasible, then P holds for N.

Mixed programming only solves non-strict inequalitiesz ≥ 0 and thus cannot handle z > 0 in Inequality 2.4. Toovercome this problem, the idea is to use the objectivefunction. We relax EVS to z ≥ 0 and look for a solutionthat maximizes z. Then EVS is infeasible if and only ifthe optimal solution is z = 0.

Chapter 3UnfoldingsAbstract Partial order representations of Petri net statespaces.When linear algebraic verification techniques fail, wehave to analyse the Petri net’s state space. We develop

here a compact representation of these state spaces, calleda finite and complete unfolding prefix. We also providesuitable operations to evaluate analysis problems likereachability of marking on such prefixes.The key idea of unfoldings is to store markings asdistributed objects, so-called cuts. With this distribution,we can determine the effect of transitions locally, i.e., weonly change the marking of the surrounding places. Thedifference to rechability graphs is remarkable. There, atransition firing always yields an overall new marking,even if the token count is changed only in one place.From a computational complexity point of view, unfoldingprefixes trade size for computational hardness ofanalysis problems like reachability. Indeed, in terms ofsize and hardness unfolding prefixes lie in between theoriginal Petri net and its reachability graph. The unfoldingprefix is larger than the Petri net but more compactthan the reachability graph, often exponentially moresuccinct. As a result, reachability becomes easier for unfoldingsthan for Petri nets: NP-complete in the size ofthe unfolding in contrast to PSPACE-complete in thesize of the Petri net. In turn, the problem is NL-completein the size of a given reachability graph.

Technically, unfolding prefixes are themselves Petrinets that have a simpler structure than the original net.They are acyclic and forward branching, i.e., places havea unique input transition. This ease in structure justifiesNP-completeness. In fact, on unfolding prefixes reachabilityqueries can be answered by means of off-the-shelfSAT-solvers.The unfolding is also interesting from a semanticalpoint of view. It preserves more information about thebehaviour of the original net than the reachability graphdoes. It makes explicit causal dependencies betweentransitions, conflicts that arise from competitions abouttokens, and finally the independence of transitions, alsoknown as concurrency. This information is lost in thereachability graph. Indeed, from an unfolding prefix, onecan recompute the reachability graph. The reverse doesnot hold as long as we only take the graph structure intoaccount.One intuition to the definition of unfoldings stemsfrom finite automata. One can unwind a finite automatoninto a computation tree as is done in Algorithm 1.1.This unwinding can be stopped at any moment, yieldingdifferent trees. However, if we continue the process

with a fair selection of transitions, e.g., by choosing abreadth first processing, then we obtain a unique usuallyinfinite tree. Unfoldings mimick this procedure. To unrollthe Petri net, the algorithm first adds places for eachtoken in the input marking. Then it generates a copy ofeach transition that is fired and adds a fresh place for everytoken that is produced. If the process is continued aslong as enabled transitions exist, the result is a uniquestructure similar to the computation tree. It is called theunfolding of the Petri net. The unfolding is typically infinite,stopping it earlier yields an unfolding prefix. Themain contrubtion of this section is an algorithm that determinesa finite prefix of the unfolding that is complete.This means the algorithm stops unrolling so that the resultingprefix is finite but yet contains all informationabout the full unfolding.3.1 Branching ProcessesThe following definition will only be applied to acyclicPetri nets.

Definition 3.1 (Causality, conflict, and concurrency relation).Let N = (S,T,W) be a Petri net that we considerhere as a graph (S ∪ T,W). Two vertices x,y ∈ S ∪ T arein causal relation, denoted by x ≤ y, if there is a (potentiallyempty) path from x to y. They are in conflictrelation, denoted by x # y, if there are distinct transitionst 1 ,t 2 ∈ T so that • t 1 ∩ • t 2 ≠ /0 and t 1 ≤ x and t 2 ≤ y. Thevertices x and y are called concurrent, denoted by x co y,if neither x ≤ y nor y ≤ x nor x # y.The subclass of Petri nets used for unfolding is the following.Definition 3.2 (Occurrence nets). An occurrence net isa Petri net O = (B,E,G) with places B, transitions T ,and weight function G : (B × E) ∪ (E × B) → {0,1} thatsatisfies the following constraints.(O1) O is acyclic.(O2) O is finitely preceeded: the set {y ∈ B ∪ E | y ≤x} is finite for all x ∈ B ∪ E.(O3) O is forward branching: for all b ∈ B we have| • b| = 1.(O4) O is free from self conflicts: for all y ∈ B ∪ E wedo not have y # y.

We assume the existence of a unique ≤-minimal elemente ⊥ ∈ E. The ≤-minimal places are denoted by Min(O).In occurrence nets, places are typically called conditionsand transitions are called events. Note that by the requirementfor acyclicity (B ∪ E,≤) is a partial order.Lemma 3.1. Consider an occurrence net O = (B,E,G).For two vertices x,y ∈ B ∪ E one and only one of thefollowing holds: x = y, x < y, y < x, x # y, or x co y.We are interested in occurrence nets that result from unrollingthe original Petri net. We establish the relationshipbetween the two by labelling the occurrence netwith the places and transitions of the original net.Definition 3.3 (Folding homomorphism, branching process).Let O = (B,E,G) be an occurrence net and N =(S,T,W,M 0 ). A folding homomorphism from O to N is amapping h : B ∪ (E \ {e ⊥ }) → S ∪ T that satisfies thefollowing constraints.(F1) Conditions are labelled by places and events representtransitions: h(B) ⊆ S and h(E \ {e ⊥ }) ⊆ T .(F2) Transition environments are preserved: h(e • ) =h(e) • and h( • e) = • h(e).

(F3) Minimal elements represent the initial marking:h(Min(O)) = M 0 .(F4) No redundancy: for all e, f ∈ E with • e = • f andh(e) = h( f ) we have e = f .The pair (O,h) is a branching process of N.The auxiliary event e ⊥ ∈ E is not mapped. It helps usshorten formal statements about unfoldings, but has nosemantical meaning when relating an occurrence net tothe original Petri net.Branching processes differ in how much they unfoldthe original Petri net. The prefix relation captures thisnotion of unfolding more than in a formal way.Definition 3.4 (Prefix relation). Consider two branchingprocesses (O,h) with O = (B,E,G) and (O ′ ,h ′ ) withO ′ = (B ′ ,E ′ ,G ′ ). Then (O,h) is a prefix of (O ′ ,h ′ ), denotedby (O,h) ⊑ (O ′ ,h ′ ), if O is a subnet of O ′ and thefollowing holds.(P1) If b ∈ B and (e,b) ∈ G ′ then e ∈ E.(P2) If e ∈ E and (b,e) ∈ G ′ or (e,b) ∈ G ′ then b ∈ B.(P3) We have h = h ′ ∩ (B ∪ E).

By our requirement on a unique minimal element, wefind e ⊥ in both E and E ′ . The notion of subnet is definedby inclusion, B ⊆ B ′ , E ⊆ E ′ , and G = G ′ ∩ ((B × E) ∪(E × B)). Requirement (P1) states that the predecessorsof conditions in O according to O ′ have to be in O. Forevents, (P2) requires that we preserve the full environmentof conditions in the pre- and in the postset. Finally,(P3) states that the labelling of O is the labelling of O ′restricted to the conditions and events in O.The unfolding is a branching process that unrolls thegiven Petri net as much as possible — a procedure thatusually does not terminate. The proof that this object isunique is out of the scope of the techniques we discussin this lecture.Theorem 3.1 (Engelfriet 1991). Every Petri net N hasan up to isomorphism (renaming of conditions and events)unique and ⊑-maximal branching process. It is calledthe unfolding of N and denoted by Unf (N).The unfolding keeps the initial marking in terms of ≤-minimal conditions. It also has a representative for eachtransition that occurs in a firing sequence. Therefore, intuitivelythe reachable markings in the unfolding should

coincide, via the folding homomorphism, with the reachablemarkings of the original Petri net. Since the unfoldingis an infinite but unmarked Petri net with a distinguishedtransition e ⊥ ∈ E, we have to first have to definethe notion of reachability for Unf (N). We assumethat every minimal condition carries precisely one token.Transition e ⊥ never executes. All remaining transitionsfire as it is defined for finite Petri nets.Theorem 3.2 (Engelfriet 1991). Let Unf (N) = (O,h)with O = (B,E,G). We have R(N) = h(R(Unf (N))).Moreover, for M 1 ,M 2 ∈ R(Unf (N)) and all e ∈ E wehave M 1 [e〉M 2 if and only if h(M 1 )[h(e)〉h(M 2 ).3.2 Configurations and CutsThe result stated above understands the unfolding as aPetri net. It relies on the classical sequential semanticsdefined in terms of transition sequences as they are representedin interleaving structures like the reachabilitygraph. But this view does not take the partial order ofevents into account. In an unfolding, the counterpart of a

transition sequence is called a configuration. A configurationis a set of events that usually allows for differentsequential executions. This means a single configurationreflects multiple transition sequences in the unfoldingand, with Theorem 3.2, also in the Petri net. Configurationsare at the heart of why unfolding-based approachesto verification scale well with an increasing degree ofconcurrency, whereas reachability graph exploration suffersfrom the state space explosion problem.Definition 3.5 (Configuration). A configuration of (O,h)with O = (B,E,G) is a non-empty set C ⊆ E of eventsthat isC1 causally closed: if f ∈ C and e ≤ f then e ∈ C andC2 conflict free: for all e, f ∈ C we do not have e # f .By C fin (O,h) we denote the set of all finite configurationsof (O,h).Transition sequences lead to markings. For configurations,the analogue is called a cut of the branching process.

Definition 3.6 (Cut). Consider (O,h) with O = (B,E,G).A set B ′ ⊆ B of conditions is concurrent if b 1 co b 2 forall b 1 ,b 2 ∈ B ′ . A cut is an ⊆-maximal concurrent set.The relationship between cuts and markings is againgiven via folding.Lemma 3.2 (and definition). Let (O,h) be a branchingprocess of Petri net N and let C ∈ C fin (O,h). Then C • \ • Cis a cut, denoted by Cut(C). The final marking of C isMark(C) := h(Cut(C)). A marking is said to be representedin (O,h) if there is a configuration C ∈ C fin (O,h)with M = Mark(C).A transition sequence M 0 [σ〉M yields a finite configurationC in the unfolding that represents the marking,M = Mark(C). In turn, every configuration can be linearizedto a transition sequence. As a result, final markingsare reachable.Lemma 3.3. Every M ∈ R(N) is represented in Unf (N).Every marking represented in a branching process isreachable.Definition 3.7 (Extension). Given configuration C ∈ C fin (Oand set of events E. We denote by C ⊕ E the fact that

C ∪ E is a configuration and C ∩ E = /0. We call C ⊕ Ethe extension of C. Moreover, E is also called the suffixof C.Lemma 3.4. If C C ′ then there is a non-empty suffix Eof C so that C ⊕ E = C ′ .3.3 Finite and Complete PrefixesWe study algorithmic aspects related to unfoldings. Tothis end, we first develop a data structure for branchingprocesses. Consider branching process (O,h) withO = (B,E,G) of Petri net N = (S,T,W,M 0 ). We represent(O,h) as a list {n 1 ,...,n k } of nodes. The list containsboth, conditions and events. More precisely, a conditionb ∈ B yields a record node b = (s,e). It containsthe place s ∈ S that labels b, which means h(b) = s.Moreover, e is the input event of b, • b = {e}. Eventse ∈ E are stored similarly as record nodes e = (t,X) withh(e) = t and • e = X ⊆ B. So again the first entry is the labeland the second entry is a set of pointers to the conditionsin the preset. Note that the list representation con-

tains the weight function as well as the labelling. Thismeans we can use (O,h) and {n 1 ,...,n k } interchangably.We describe the events that can be added to a branchingprocess.Definition 3.8 (Possible extensions). Let (O,h) with O =(B,E,G) be a branching process of Petri net N. A pair(t,X) with t ∈ T and X ⊆ B is a possible extension of(O,h) if h(X) = • t and (t,X) does not already belong to(O,h). We denote by Pe(O,h) the set of possible extensionsof (O,h).Lemma 3.5. Let (O,h) = {n 1 ,...,n k } be a branchingprocess of Petri net N. Let t ∈ T have postset t • ={s 1 ,...,s n }. If e = (t,X) is a possible extension of (O,h)then {n 1 ,...,n k ,e,(s 1 ,e),...,(s n ,e)} is a branching processof N.The algorithm to compute the unfolding is given in Figure3.1. The procedure is initialized with the minimalconditions. It keeps adding possible extensions togetherwith their outputs as long as there are some. The unfoldingcomputation terminates if and only if N terminates,i.e., the net does not enable an infinite run. Moreover, for

correctness of the procedure we have to impose the followingfairness requirement: every event e ∈ pe is eventuallychosen to extend the unfolding.Unf := {e ⊥ ,(s 1 ,e ⊥ ),...,(s n ,e ⊥ )}pe := Pe(Unf )while pe ≠ /0 doadd to Unf event e = (t,X) ∈ peadd to Unf condition (s,e) for all s ∈ t •pe := Pe(Unf )end whileFig. 3.1 Unfolding procedure.

3.3.1 Constructing a finite and completeprefixFor algorithmic analyses, we require a finite object thatallows for an exhaustive analysis. We now construct afinite prefix (O,h) of the unfolding of N that is still complete:it contains as much information as Unf (N). Technically,the notion of completeness that we rely on is thefollowing.Definition 3.9 (Complete Prefix). Let N = (S,T,W,M 0 )be a Petri net and (O,h) one of its branching processes.We say (O,h) is complete or a complete prefix of Unf (N)if for all M ∈ R(N) there is a configuration C ∈ C fin (O,h)so that• Mark(C) = M and• for all t ∈ T with M[t〉 there is C ⊕ {e} ∈ C fin (O,h)with h(e) = t.The first requirement states that every marking M reachablein the Petri net is represented by a configuration Cin the complete prefix. The second requirement asks thisconfiguration to also preserve the transitions. If t ∈ T

is enabled in M, then a corresponding event can be appendedto the configuration without leaving the completeprefix. Note that a marking may be represented by severalconfigurations, but only one of them needs to reflectthe transition environment.Note that the unfolding can be reconstructed from acomplete prefix. Indeed, by definition all markings togetherwith their firings are present in this smaller object.It can be shown that the preservation of reachablemarkings themselves is not sufficient to obtain the unfolding,simply because some transitions may be forgottenif there are several paths leading to a marking.The key observation to the theory that we develop isthe following. Since Petri net N is assumed to be safe,it has finitely many reachable markings. This means, theunfolding eventually starts repeating markings. Therefore,intuitively it should contain a complete prefix thatis yet finite. We give a procedure for computing such afinite and complete unfolding prefix. We reuse the procedurein Figure 3.1 but identify events at which thecomputation can be stopped without loosing information.These events are called cut-offs and their detectionis at the heart of the unfolding theory.

Chapter 4CoverabilityAbstract Decidability of coverabilityWe develop a decision procedure for the coverabilityproblem. The problem takes as input a Petri net N anda marking M ∈ N S . The question is whether there is an

M ′ ∈ R(N) that dominates M, M ′ ≥ M. If the state spaceof the Petri net is finite, an immediate solution is to computethe reachable states and look for a covering markingM ′ . If the state space is infinite, however, the problem isnon-trivial. The reachability graph cannot be used for theanalysis as it is no longer finite. Moreover, also an analysisby means of linear algebraic techniques may fail.4.1 Coverability GraphsThe solution is to define a finite structure, the so-calledcoverability graph of a Petri net, that an algorithm cananalyze exhaustively. Coverability graph are similar toreachability graphs in that they reflect the firing of transitionsalong markings. But different from reachabilitygraphs, coverability graphs may abstract away the precisetoken count. They use entries ω in a marking to indicatethat a place may carry arbitrarily many tokens.Technically, we first generalize the natural numbers Nto N ω := N ∪ {ω}. With the number of tokens in mind,the new element ω stands for unbounded. To extend the

operations < and + to N ω , we setm < ω and ω + m := ω =: ω − m for all m ∈ N.We do not define the subtraction ω −ω and will not needit for the development in this section.Definition 4.1 (Generalized marking). Consider Petrinet N = (S,T,W,M 0 ). The set of generalized markings isN S ω. For every marking M ω ∈ N S ω, we denote by Ω(M ω ) :={s ∈ S | M ω (s) = ω} the set of places marked ω. Theoperations on N S ω are taken componentwise, so also thefollowing notions are defined:M ω [t〉if M ω ≥ W(−,t)M ω [t〉M ′ ω if M ω ≥ W(−,t) and M ′ ω = M ω −W(−,Note that firing a transition does not remove ω-entries.This means, M ω (s) = ω and M ω [t〉M ′ ω implies M ′ ω(s) =ω for all M ω ,M ′ ω ∈ N S ω, s ∈ S, and t ∈ T .The coverability graph is computed (and defined) bythe algorithm in Figure 4.1. It introduces ω whenever apath strictly increases the token count. To make the outcomeof the computation deterministic, we use a FIFO

uffer for the work list and an ordering on the transitions.Without this restriction, the resulting coverability graphwould depend on the processing order for markings andtransitions.Lemma 4.1 (Finiteness). For every Petri net N, Cov(N)is finite.The proof bears similarities to the decision procedure forboundedness discussed in Section 1.2. To turn coverabilitygraphs into a decision procedure for coverability, weneed an equivalence of the following form. Marking M iscoverable in N if and only if there is M ω ∈ Cov(N) withM ≤ M ω . The next lemmas provide the required implications.Lemma 4.2 (From N to Cov(N)). Consider Petri netN = (S,T,W,M 0 ) and a transition sequence σ ∈ T ∗ withM 0 [σ〉M for some M ∈ R(N). Then there is a σ-labelledpath M 0σ −→ Mω in Cov(N) that leads to M ω ≥ M.Thus, if a marking M is coverable in N then there is alarger marking M ω ≥ M in the coverability graph. Thefollowing lemma states the reverse. Larger markings inthe coverability graph indeed indicate coverability in N.

input : N = (S,T,W,M 0 )beginV := {M 0 }L := M 0E := /0while L ≠ /0 do//Set of vertices in the coverability graph//Work list of vertices to be processed//Set of edges in the coverability graphlet L = M 1 ω.L ′L := L ′for all t = t 1 ,...t n ∈ T with Mω[t〉 1 do //Process tMω 2 := M ˜ ω 2 where Mω[t〉 1 ˜M 2 ωfor all M ω on a path from M 0 to Mω 1 that satisfy M ωMω(s) 2 := ω for all s ∈ S with M ω (s) < M ˜ ω(s 2end for allif M 2 ω /∈ V thenend ifV := V ∪ {M 2 ω}L := L.M 2 ωE := E ∪ {(M 1 ω,t,M 2 ω)}end for all

Lemma 4.3 (From Cov(N) to N). Consider Petri netN = (S,T,W,M 0 ). For every M ω ∈ Cov(N) and everyk ∈ N there is a marking M ∈ R(N) with M(s) ≥ k forall s ∈ Ω(M ω ) and M(s) = M ω (s) for all s ∈ S\Ω(M ω ).The lemma states that the number of tokens on ω-markedplaces can exceed any bound k ∈ N. The remainingplaces receive the exact token count as it is required bythe given marking M ω . The proof exploits the fact thatsequences which introduce ω-entries in the coverabilitygraph can be repeated arbitrarily. ConsiderM 0τ −→ M1ωσ −→ M2ω with M 1 ω ≨ M 2 ω.By repeating σ, an arbitrary token count can be generatedon the places s ∈ S with M 1 ω(s) < M 2 ω(s). The proofis by induction on the length of the shortest path leadingto M ω . It requires some effort in case a new ω is introducedin the induction step.Theorem 4.1 (Decision procedure for coverability andplace boundedness). Given Petri net N = (S,T,W,M 0 ).1. Marking M ∈ N S is coverable if and only if there isM ω in Cov(N) with M ω ≥ M.

2. Place s ∈ S is unbounded if and only if there is M ω inCov(N) with M ω (s) = ω.

Part IINetwork Protocols and LossyChannel Systems

Network protocols define the interaction among finitestate components that communicate asynchronously bypackage transfer. We introduce a corresponding model oflossy channel systems and investigate algorithms for theautomatic verification of network protocols. Decidabilityof the analysis follows from monotonicity of the models’behaviour with respect to an ordering on the configurations.We extend this insight towards a theory of wellstructured transition systems.

Chapter 5Introduction to Lossy ChannelSystemsAbstract Lossy Channel SystemsLossy channel systems (LCS) formalize network protocolslike the alternating bit protocol or more general slidingwindow protocols that are located at the data link

layer of the ISO OSI reference model. In recent developments,LCS have also proven adequate for modellingprograms running on relaxed memory models like totalstore ordering used in x86 processors.Technically, LCS are finite state programs that communicatevia asynchronous message transfer over unboundedFIFO channels. Without restrictions, such amodel of channel systems is Turing complete. Channelsimmediately reflect the tape of a Turing machine. Therestriction we impose is inspired by the following observationabout the application domain of our analysis.Network protocols are designed to operate correctly inthe presence of package loss. Therefore, a weaker modelwith unreliable channels should be sufficient for theirverification. Lossy channel systems formalize unreliabilityby lossiness: channels may drop packages at anymoment. This weakness indeed yields decidability of theresulting model.

5.1 Syntax and SemanticsDefinition 5.1 (Lossy Channel Systems). A lossy channelsystem (LCS) is a tuple L = (Q,q 0 ,C,M,→) where Qis a finite set of states with initial state q 0 ∈ Q. Moreover,C is a finite set of channels over which we transfer messagesin the finite set M. Transitions in → ⊆ Q×OP×Qperform operations in OP := C × {!,?} × M.A transition (q 1 ,op,q 2 ) ∈ →, typically denoted by q 1op−→q 2 yields a change in the control state from q 1 to q 2 whileperforming operation op. A send operation c!a in OPappends message a to the current content of channel c. Areceive operation c?a ∈ OP removes message a from thehead of channel c. Therefore, the two operations indeeddefine a FIFO channel.In our examples, we often represent LCS by severalautomata. This matches the above formal definition bytaking as set of states the Cartesian product of the statesin the single automata. The initial state is the tuple of initialstates. Every transitions represents the state changein a single automaton.

Like every automaton model, the semantics of LCSrelies on a notion of state at runtime. For LCS, they arecalled configurations and should be understood as analogueof markings in Petri nets.Definition 5.2 (Configuration). Let L = (Q,q 0 ,C,M,→). A configuration of L is a pair γ = (q,W) ∈ Q × M ∗C .It consists of a state q ∈ Q and a function W ∈ M ∗C thatassigns to each channel c ∈ C a finite word W(c) ∈ M ∗ .The initial configuration of L is γ 0 := (q 0 ,ε) where εassigns the empty word (ε) to every channel.Transitions change the channel content. We capture thisby update operations on vectors of words. Lossiness isformalized by an ordering on configurations. For the definitionof this ordering, we first compare words by Higman’ssubword ordering. It sets u ≼ ∗ v if u is a not necessarilycontiguous subword of v. With a componentwisedefinition, we lift the ordering to vectors of words,W 1 ≼ ∗ W 2 . For configurations, we pose the additional requirementthat the states coincide.Definition 5.3 (Updates and ≼ on configurations). Updatestake the form [c := x] with c ∈ C and x ∈ M ∗ . Theyare applied to channel contents W ∈ M ∗C . The result of

this application is a new content W[c := x] ∈ M ∗C definedby W[c := x](c) := x and W[c := x](c ′ ) := W(c ′ ) for allc ′ ≠ c with c ′ ∈ C.For the definition of the subword ordering ≼ ∗ ⊆ M ∗ ×M ∗ , let u = u 1 ...u m and v = v 1 ...v n in M ∗ . We haveu ≼ ∗ v if there are indices 1 ≤ i 1 < ... < i m ≤ n with u j =v i jfor all 1 ≤ j ≤ m. For W 1 ,W 2 ∈ M ∗C , we set W 1 ≼ ∗ W 2if W 1 (c) ≼ ∗ W 2 (c) for all c ∈ C. Finally, for configurations(q 1 ,W 1 ),(q 2 ,W 2 ) ∈ Q × M ∗C we have (q 1 ,W 1 ) ≼(q 2 ,W 2 ) if q 1 = q 2 and W 1 ≼ ∗ W 2 .The semantics of LCS is defined in terms of transitionsbetween configurations.Definition 5.4 (Transition relation between configurations).Consider the LCS L = (Q,q 0 ,C,M,→). It definesa transition relation → ⊆ (Q × M ∗C ) × (Q × M ∗C )between configurations as follows:(q 1 ,W) → (q 2 ,W[c := W(c).m]) if q 1c!m−−→(q 1 ,W[c := m.W(c)]) → (q 2 ,W) if q 1c?m−−→γ ′ 1 → γ ′ 2 if γ ′ 1 ≽ γ 1

for some configurations γ 1 ,γ 2 ∈ Q × M ∗C .For a lossy transition (q 1 ,W 1 ′) → (q 2,W 2 ′ ) that is derivedwith the third condition, we already have a transition(q 1 ,W 1 ) → (q 2 ,W 2 ) with W 1 ′ ≽∗ W 1 and W 2 ≽ ∗ W 2 ′. Intuitively,the messages in W 1 ′ but outside W 1 are lost immediatelybefore the transition and the messages in W 2but outside W 2 ′ are lost immediately afterwards.Interestingly, for LCS the notions of reachability andcoverability coincide. However, as refer to coverabilityin the context of well structured transition systems, wedefine both notions.Definition 5.5 (Reachability and Coverability). Let L =(Q,q 0 ,C,M,→) be an LCS and γ 1 ,γ 2 ∈ Q×M ∗C . We sayγ 2 is reachable from γ 1 if γ 1 → ∗ γ 2 . The set of all configurationsreachable from γ 1 is R(γ 1 ) := {γ ∈ Q × M ∗C |γ 1 → ∗ γ}. We denote the reachable configurations of Lby R(L) := R(γ 0 ). Configuration γ 2 is coverable from γ 1if there is γ ∈ R(γ 1 ) with γ ≽ γ 2 .

Chapter 6Well Structured TransitionSystemsAbstract Well Structured Transition Systems

6.1 Well Quasi OrderingsIn computer science, quasi orderings that are not partialorderings result from syntactically different representationsof semantically equivalent elements. To givean example, let ≤ denote language inclusion. Then theregular expressions a + b and b + a can be ordered bya + b ≤ b + a as well as b + a ≤ a + b. The terms, however,do not coincide.Formally, a quasi ordering (qo) is a reflexive and transitiverelation ≤ ⊆ A × A. We also call the pair (A,≤)a quasi ordering. In a qo, we write a > b for a ≥ b andb ≱ a. Note that a ≥ b and b ≥ a need not imply a = b. Inthis case, ≤ is called a partial ordering. In the theory ofwell structured transition systems, so-called well quasiorderings (wqos) play a key role. In a wqo, every infinitesequence contains two comparable elements.Definition 6.1 (Well quasi ordering). A qo (A,≤) is awell quasi ordering (wqo) if for every infinite sequence(a i ) i∈N in A there are indices i < j with a i ≤ a j .

We exploit the unavoidability of repetitions to establishtermination of verification algorithms. Indeed, classicaltermination proofs rely on well founded relations thatdecrease with every transition. Recall that a quasi ordering(A,≤) is well founded if it does not contain infinitesequences (a i ) i∈N that strictly decrease, a 0 > a 1 > ...Wqos additionally impose the absence of antichains. Anantichain is a set B ⊆ A of incomparable elements, a ≰ bfor all a,b ∈ B.Theorem 6.1 (Characterization of wqos). Consider theqo (A,≤). The following statements are equivalent:1. (A,≤) is a wqo.2. Every infinite sequence (a i ) i∈N in A contains an infinitenon-decreasing subsequence (a ϕ(i) ) i∈N with a ϕ(i) ≤a ϕ(i+1) for all i ∈ N.3. There is no infinite strictly decreasing sequence andno infinite antichain in A.Proof. (1) ⇒ (2) Consider an infinite sequence (a i ) i∈Nin A. Take the subsequence (a nd(i) ) i∈N of elements thatare not dominated by successors, i.e., for all a nd(i) thereis no a j with nd(i) < j and a nd(i) ≤ a j . The sequence

has to be finite by the well quasi ordering assumption.Let n := nd(k) be the maximal index in this sequence.Starting from n + 1 one finds an infinite non-decreasingsubsequence since every element after a n is dominatedby (≤) some successor.(2) ⇒ (3) By definition.(3) ⇒ (1) Consider an infinite sequence (a i ) i∈N . Weshow that there are i < j with a i ≤ a j . The idea is to descendstrictly decreasing sequences and gather the leastelements in an antichain. By the well foundedness assumptionand the absence of infinite antichains, the procedureterminates and finds two comparable elements.Consider the first element a 0 . If there is a successora j with a 0 ≤ a j we are done. Otherwise, we find the firstsuccessor a ϕ(1) with a 0 > a ϕ(1) . We repeat the argumentationfor a ϕ(1) . If there is a successor a j with a ϕ(1) ≤ a j ,we found two comparable elements. Otherwise, we findthe first successor a ϕ(2) witha 0 > a ϕ(1) > a ϕ(2) .

The search eventually terminates because there are noinfinite strictly decreasing sequences. Let a ϕ(n0 ) be theelement that has no successor a j with a ϕ(n0 ) ≤ a j and nosuccessor a j with a ϕ(n0 ) > a j . Add a ϕ(n0 ) as first elementto an antichain.We proceed with a ϕ(n0 )+1. Again we search for a ϕ(n1 )that has no successor a j with a ϕ(n1 ) ≤ a j and no successora j with a ϕ(n1 ) > a j . By constructiona ϕ(n0 ) ≰ a ϕ(n1 ) and a ϕ(n0 ) ≯ a ϕ(n1 ).Hence, the set {a ϕ(n0 ),a ϕ(n1 )} is an antichain of size two.Repeating the procedure indefinitely yields an infiniteantichain. A contradiction to the assumption that no infiniteantichains exists. We have to find i < j with a i ≤ a j .⊓⊔A reader familiar with Ramsey’s theorem will find amore elegant proof of the last implication (3) ⇒ (1),in fact even of the stronger statement (3) ⇒ (2). Ramsey’stheorem considers infinite complete graphs wherethe edges are labelled by finitely many colors. It statesthat such a graph contains an infinite complete subgraphthat is labelled by a single color. To apply the theo-

em, note that an infinite sequence (a i ) i∈N induces theinfinite complete graph where the elements a i are thevertices. The edges are labelled by the relations {≤,>,incomparable}. Let i < j and consider the edge betweena i and a j . We label it by ≤ if a i ≤ a j . We label it by > ifa i > a j . Otherwise, we label it by incomparable. Ramsey’stheorem applies and yields an infinite completesubgraph labelled by a single color. By the assumptions,the color cannot be > and not incomparable. Hence, wefound an infinite non-decreasing subsequence.6.2 Upward and downward closed setsIn wqos, every set B contains finitely many minimal elementsmin(B). Minimal elements are interesting as theyrepresent, in a precise way, so-called upward closed sets.Definition 6.2 (Minimal elements). Let (A,≤) be a wqoand let B ⊆ A. A set of minimal elements is a subsetmin(B) ⊆ B that contains for every b ∈ B an elementm ∈ min(B) with m ≤ b and that is an antichain.

Lemma 6.1 (Existence and finiteness of minimal elements).Let (A,≤) be a wqo and B ⊆ A. There is a finiteset of minimal elements min(B).Proof. To the contrary, assume there is no finite set ofminimal elements. We form an infinite sequence (b i ) i∈Nstarting with some b 0 ∈ B. As b i+1 we choose an elementthat is no larger than any predecessor, b j ≰ b i+1 for all0 ≤ j ≤ i. Such an element exists, otherwise we can constructa finite set of minimal elements from {b 0 ,...,b i }.The resulting infinite sequence (b i ) i∈N violates the wqoassumption.⊓⊔Note that min(B) need not be unique as antisymmetry ismissing. With an algorithmic point of view, the lemmacan be understood as follows. Sets min(B) of minimalelements are good candidates for finite representationsof infinite sets. The sets that can be captured preciselyby their minimal elements are upward closed.Definition 6.3 (Upward and downward closure). Let(A,≤) be a wqo. A set I ⊆ A is upward closed if x ∈ Iand a ≥ x for a ∈ A implies a ∈ I. The upward closureof a set B ⊆ A is B↑ := {a ∈ A | a ≥ b for some b ∈ B}.

Similarly, a set D ⊆ A is downward closed if x ∈ D anda ≤ x for a ∈ A implies a ∈ D. The downward closure ofB ⊆ A is B↓ := {a ∈ A | a ≤ b for some b ∈ B}.Lemma 6.2 (Representation of upward closed sets byminimal elements). Let (A,≤) be a wqo and consideran upward closed set I ⊆ A. Let min(I) be a finite set ofminimal elements. Then I = min(I)↑.The decision procedure for coverability in wsts dealswith increasing sequences of upward closed sets. Thewqo assumption guarantees that these sequences stabilize,which in turn ensures termination of the algorithm.Theorem 6.2 (Chains of upward closed sets stabilize).Consider a qo (A,≤). The following statements are equivalent:1. (A,≤) is a wqo.2. For every infinite increasing sequence I 0 ⊆ I 1 ⊆ I 2 ⊆... of upward closed sets I j ⊆ A there is a k ∈ N withI k = I k+1 .3. For every infinite increasing sequence I 0 ⊆ I 1 ⊆ I 2 ⊆... of upward closed sets I j ⊆ A there is an l ∈ N withI l = I l+1 = I l+2 = ...

Proof. (1) ⇒ (2) Towards a contradiction, assume thereis an infinite sequence I 0 I 1 I 2 ... Then there areelements a 0 ∈ I 1 \ I 0 , a 1 ∈ I 2 \ I 1 , a 2 ∈ I 3 \ I 2 , ... Sincethe sets I j are upward closed, we can conclude a i ≰ a jfor all i, j ∈ N with i < j. The sequence (a i ) i∈N violatesthe wqo assumption.(2) ⇒ (3) Again we proceed by contradiction and assume(3) does not hold. This means there is an infinitesequence I 0 ⊆ I 1 ⊆ I 2 ⊆ ... so that for every k ∈ N thereis k 1 with k < k 1 and I k I k1 . For k 1 there is again alater k 1 < k 2 with I k1 I k2 etc. We single out this infinitestrictly increasing subsequence.I k I k1 I k2 ...By assumption (2), the sequence contains I k j= I k j+1. Acontradiction.(3) ⇒ (1) Consider sequence (a i ) i∈N in A. We definea sequence of upward closed sets: I 0 := {a 0 } ↑,I 1 := {a 0 ,a 1 }↑, etc. Since I 0 ⊆ I 1 ⊆ ... there is a smallestl ∈ N with I l = I l+1 = ... This means there is j < l + 1with a j ≤ a l+1 .⊓⊔

6.3 Constructing well quasi orderingsThe importance of well structured transition systemsstems from the fact that many sets are well quasi ordered.This in turn is based on the observation that wqos can becomposed into new ones. We present an algebraic toolkitto derive the wqos needed in this lecture. The list is notcomplete. We skip Kruskal’s theorem on a well quasi orderingon trees and also the graph minor theorem.Every finite set is well quasi ordered by equality.Moreover, the natural numbers are well quasi ordered by≤.Lemma 6.3. If A is finite, then (A,=) is a wqo. Moreover,(N,≤) is a wqo.Well quasi orderings are stable under Cartesian products.Lemma 6.4. Consider two wqos (A,≤ A ) and (B,≤ B ).Then (A×B,≤ A×B ) is a wqo where (a 1 ,b 1 ) ≤ A×B (a 2 ,b 2 )if a 1 ≤ A a 2 and b 1 ≤ B b 2 .Proof. Consider an infinite sequence (a i ,b i ) i∈N in A×B.As (a i ) i∈N is an infinite sequence in A and A is a wqo by

the assumption, there is (Theorem 6.1) an infinite nondecreasingsubsequence (a ϕ(i) ) i∈N with a ϕ(i) ≤ A a ϕ(i+1)for all i ∈ N.Consider the sequence (a ϕ(i) ,b ϕ(i) ) i∈N . As (b ϕ(i) ) i∈Nis an infinite sequence in B, by the wqo assumption thereare i < j with b ϕ(i) ≤ B b ϕ( j) . By the definition of subsequences,i < j implies ϕ(i) < ϕ( j). So we found indicesϕ(i) < ϕ( j) witha ϕ(i) ≤ A a ϕ( j) and b ϕ(i) ≤ B b ϕ( j) .We conclude (a ϕ(i) ,b ϕ(i) ) ≤ A×B (a ϕ( j) ,b ϕ( j) ) as required.⊓⊔Words can be understood as an unbounded version ofCartesian products. Higman has shown that also wordsare well quasi ordered (by the subword relation).Lemma 6.5 (Higman 1952). If (A,≤) is a wqo, so is(A ∗ ,≤ ∗ ). Here, u ≤ ∗ v with u = u 1 ...u m and v = v 1 ...v nif there are 1 ≤ i 1 < ... < i m ≤ n with u j ≤ v i jfor all1 ≤ j ≤ m.Proof. To the contrary, assume there are infinite sequencesthat are bad, i.e., that do not contain comparable ele-

ments. We rely on a combinatorial construction to derivethe contradiction. It forms an infinite bad sequence(u i ) i∈N that is particularly small as follows. Select theshortest word u 0 that starts a bad sequence. Assume weconstructed the sequence u 0 ,...,u n . We then append theshortest word u n+1 so that the result u 0 ,...,u n+1 stillforms a prefix of a bad sequence.The infinite sequence (u i ) i∈N is bad. Let u i = a i .v iwith a i ∈ A and v i ∈ A ∗ . By the well quasi ordering assumptionon A and Theorem 6.1, sequence (a i ) i∈N containsan infinite non-decreasing subsequence (a ϕ(i) ) i∈N .Consider now the sequenceu 0 ,...,u ϕ(0)−1 ,v ϕ(0) ,v ϕ(1) ,...Since v ϕ(0) is strictly shorter than u ϕ(0) , the sequence hasto be good (otherwise we would have selected v ϕ(0) insteadof u ϕ(0) ). This means, there are two comparableelements. They cannot be among u 0 ,...,u ϕ(0)−1 , otherwisethe sequence (u i ) i∈N would have been good. Moreover,the ordering cannot be between u i and v ϕ( j) . Otherwise,we had u i ≤ ∗ v ϕ( j) ≤ ∗ u ϕ( j) and so u i ≤ ∗ u ϕ( j) .Again a contradiction to the assumption that (u i ) i∈N is

ad. Hence, we have v ϕ(i) ≤ ∗ v ϕ( j) with i < j. By monotonicity,this means ϕ(i) < ϕ( j). But since also a ϕ(i) ≤a ϕ( j) , we derive u ϕ(i) = a ϕ(i) .v ϕ(i) ≤ ∗ a ϕ( j) .v ϕ( j) = u ϕ( j) .A contradiction.⊓⊔6.4 Well Structured Transition SystemsWell structured transition systems are a framework forthe automatic verification of infinite state systems. Theconcept was found independently by Alain Finkel (Cachan)and Parosh Abdulla (Uppsala) when they worked ongeneralizations of decision procedures that were knownfor particular models. Finkel strived for an extension ofcoverability graphs in order to decide termination andboundedness problems. Abdulla was interested in coverabilityand simulation problems for lossy channel systems.Technically, wsts are (usually infinite) transition systemswhere the configurations are equipped with a wellquasi ordering. This wqo has to be compatible withthe transitions, i.e., larger configurations can imitate the

transitions of smaller ones. Imitation is formalized byso-called simulation relations.Definition 6.4 (Well structured transition system (wsts),simulation relation). A transition systems is a tripleTS = (Γ ,γ 0 ,→) with a (typically infinite) set of configurationsΓ , an initial configuration γ 0 ∈ Γ , and a transitionrelation → ⊆ Γ × Γ . The transition system is wellstructured if there is ≤ ⊆ Γ ×Γ that is a wqo and a simulationrelation. We also write TS = (Γ ,γ 0 ,→,≤) for awsts.Recall that ≤ ⊆ Γ ×Γ is a simulation (relation) if forall γ 1 ,γ 2 ,γ 3 ∈ Γ with γ 1 → γ 2 and γ 1 ≤ γ 3 there is γ 4 ∈ Γwith γ 3 → γ 4 and γ 2 ≤ γ 4 .With the ordering ≼ ⊆ (Q × M ∗C ) × (Q × M ∗C ) fromDefinition 5.3, lossy channel systems are indeed wellstructured.Theorem 6.3 (Lcs are wsts). Consider the lcs L = (Q,q 0 ,C). The transition system (Q×M ∗C ,γ 0 ,→,≼) is well structured.For the proof, it remains to be shown that ≼ is a wqo anda simulation.

6.5 Abdulla’s Backwards SearchOur goal is to decide coverability in lossy channel systems.Recall that configuration (q,W) ∈ Q×M ∗C is coverablein L = (Q,q 0 ,C,M,→) if there is a configurationγ ∈ R(L) with γ ≽ (q,W). With upward closed sets,the problem can be rephrased as follows. Is the upwardclosed set {(q,W)}↑ reachable?We present an algorithm that solves reachability ofupward closed sets in a wsts. Formally, the problem takesas input a wsts TS = (Γ ,γ 0 ,→,≤) and an upward closedset I ⊆ Γ . The question is whether I is reachable from γ 0 .More precisely, is there an element γ ∈ I with γ 0 → ∗ γ.We first discuss the general decision procedure for wstsand then instantiate it to lossy channel systems.Before we plunge into the details, we sketch the procedureand mention the key arguments. The idea is toperform the reachability analysis backwards. We startwith the set I 0 = I of interest. Then we compute the setof configurations I 1 that reach I in at most one step. Wecontinue with the configurations I 2 that lead to I in upto two steps and so on. The procedure allows us to re-

formulate reachability as follows. The set I is reachableform γ 0 if and only if γ 0 ∈ ⋃ j≥0 I j .The sets I j can be shown to be upward closed. Moreover,they form an infinite chain I 0 ⊆ I 1 ⊆ I 2 ⊆ ... Therefore,Theorem 6.2 applies and states that the chain stabilizesin some k ∈ N: I k = I k+1 = I k+2 = ... With referenceto the infinite union above, we get ⋃ j≥0 I j = I k . Thisequation suggests the following procedure to decide upwardclosed reachability:• Generate the sequence of upward closed sets I 0 ⊆ I 1 ⊆I 2 ⊆ ...• Check for stabilization, I k = I k+1 .• If the sequence stabilized, check for membership γ 0 ∈I k .The problem is that the sets I j are infinite. This meansneither equality I k = I k+1 nor membership γ 0 ∈ I k can bechecked algorithmically without further assumptions onthe I j . The solution is to represent these sets symbolicallyby means of minimal elements M j and exploit theequation I j = M j ↑. This allows us to store and updateonly finite sets.

Overview: I is reachable from γ 0 iff γ 0 ∈ I kwith I k = I k+1 iff γ 0 ≥ γ with γ ∈ M k and M k ↑=M k+1 ↑Part I: I is reachable from γ 0 iff γ 0 ∈ I k with I k = I k+1Consider a wsts (Γ ,γ 0 ,→,≤) and an upward closed setI ⊆ Γ to be checked for reachability. In the constructionof the sequence I 0 ⊆ I 1 ⊆ I 2 ⊆ ... the following observationis important. In wsts, upward closed sets are closedunder computing predecessors: if I is upward closed sois pre(I). 1 This follows immediately from the requirementthat ≤ is a simulation. Interestingly, the fact thatupward closure is preserved under predecessors characterizessimulation relations.Lemma 6.6 (pre(I) is upward closed). Consider a transitionsystem (Γ ,γ 0 ,→) and a relation ≤ ⊆ Γ ×Γ . Then1 Here, pre(I) := {γ ∈ Γ | γ → γ ′ ∈ I} is the set of predecessorsof I. Those configurations that lead to I in a single step.

≤ is a simulation if and only if pre(I) is upward closedfor every upward closed set I ⊆ Γ .We define the sequenceI 0 := I and I j+1 := I ∪ pre(I j ) for all j ∈ N.Denote by pre l (I) the set obtained by l ∈ N applicationsof pre(−) to I:pre l (I) := pre(...pre(I)) .} {{ }Then the equality I j =l−times(6.1)holds and gives rise to the following lemma.Lemma 6.7. Consider wsts (Γ ,γ 0 ,→,≤), I ⊆ Γ upwardclosed, γ ∈ Γ , and n ∈ N. Then I is reachable from γ inat most n steps if and only if γ ∈ I n .As a consequence, set I is reachable from the initial configurationγ 0 if and only if γ 0 ∈ pre ∗ (I) where pre ∗ (I) :=⋃j∈N I j . The union is not really infinite. Equation 6.1shows the inclusions I 0 ⊆ I 1 ⊆ I 2 ⊆ ... With Lemma 6.6,l

the sets I j are upward closed for all j ∈ N. Theorem 6.2applies and yields a first index k ∈ N that satisfies I k =I k+1 . By definition of the sets I j , we obtain I k = I k+1 =I k+2 = ...Theorem 6.4. Consider a wsts (Γ ,γ,→,≤) and an upwardclosed set I ⊆ Γ . Then I is reachable from γ 0 if andonly if γ 0 ∈ pre ∗ (I) = ⋃ j∈N I j = I k with I k = I k+1 .Part II: γ 0 ∈ I k with I k = I k+1 iff γ 0 ≥ γ with γ ∈ M kand M k ↑= M k+1 ↑It remains to decide equality I k = I k+1 and membershipγ 0 ∈ I k . The trick is to define, in accordance with the I j ,a sequence of minimal elements:M 0 := min(I) and M j+1 := min(M 0 ∪ ⋃γ∈M jminpre(The definition relies on a function minpre(−) that returnsa set of minimal elements min(pre({γ} ↑)) for thepredecessors of {γ}↑. Computability of minpre(−) doesnot follow from the requirements on wsts but has to be

shown for every instantiation of the framework. We saya wsts has computable minimal predecessors if the setminpre(γ) is computable for every γ ∈ Γ . The M j areindeed sets of minimal elements for the I j .Lemma 6.8. I j = M j ↑ for all j ∈ N.Proof. We proceed by induction where the base caseI 0 = min(I) ↑= M 0 ↑ follows from Lemma 6.2. For theinduction step, assume we already have I j = M j ↑ forj ∈ N. We consider I j+1 and deriveI j+1 = I ∪ pre(I j ){ Induction hypothesis } = I ∪ pre( ⋃{γ}↑)γ∈M j{ Distributivity of pre(−) over ∪ } = I ∪ ⋃pre({γ}↑)γ∈M j{ pre({γ}↑) upward closed } = M 0 ↑ ∪ ⋃min(pre(γ∈M j{ Distributivity ↑ over ∪ } = ( M 0 ∪ ⋃min(pre({γ∈M j{ Definition minimal elements } = min(M 0 ∪ ⋃min(pγ∈M j

Note that the definition of the M j does not rely on theupward closed sets I j . The relationship is given only byLemma 6.8. We now havepre ∗ (I) = ⋃ j∈NI j = I k = M k ↑⊓⊔where k ∈ N is the first index with I k = I k+1 or equivalentlyM k ↑= M k+1 ↑. The latter equality M k ↑= M k+1 ↑is decidable provided the wqo ≤ is decidable: one justcompares the minimal elements.Theorem 6.5 (Decidability of upward closed reachability,Abdulla 1996). Let (Γ ,γ 0 ,→,≤) be a wsts withcomputable minimal predecessors and decidable ≤. Considerthe upward closed set I ⊆ Γ given by its minimalelements min(I). Then it is decidable whether I is reachablefrom γ 0 .Proof. The algorithm computes the sequence of minimalelements as defined above. When it finds M k ↑= M k+1 ↑,it terminates as now pre ∗ (I) = M k ↑. By Theorem 6.4, γ 0reaches I iff γ 0 ≥ γ with γ ∈ M k .⊓⊔

To instantiate the algorithm to LCS, we need a suitableminpre(−) function. Let L = (Q,q 0 ,C,M,→). We takeas minpre(q 2 ,W 2 ) := min(T ), where T is the smallest setso that(q 1 ,W 1 ) ∈ T if q 1c!m−−→ q 2 and W 2 = W 1 [c := W 1 .m](q 1 ,W 2 ) ∈ T if q 1c!m−−→ q 2 and the last element of W 2 (c) ≠(q 1 ,W 1 ) ∈ T if q 1c?m−−→ q 2 and W 1 = W 2 [c := m.W 2 (c)]Lemma 6.9. Consider LCS L = (Q,q 0 ,C,M,→) and configurationγ ∈ Q×M ∗C . Then minpre(γ) = min(pre({γ}↑)).One may be skeptical about (q 1 ,W 2 ) ∈ T if q 1c!m−−→ q 2 andthe last element of W 2 (c) is different from m. We have(q 1 ,W 2 ) → (q 2 ,W 2 [c := W 2 (c).m]) ≥ (q 2 ,W 2 ). Hence,(q 1 ,W 2 ) ∈ pre({(q 2 ,W 2 )}↑).There is no configuration (q 1 ,W ′ 2 ) with W ′ 2 ≺∗ W 2 (incase last W 2 (c) ≠ m). One adds m in order to take thetransition. The letter is lost to get W 2 (c). Since only asingle letter can be added, W 2 (c) cannot be constructedfrom W ′ 2 (c) ≺∗ W 2 (c).

Chapter 7Simple Regularity and SymbolicForward AnalysisAbstract Symbolic forward analysis of lossy channelsystems

7.1 Simple Regular Expressions andLanguagesRecall that the regular expressions over an alphabet Mare defined by finite unions, concatenation, and Kleenestar of single letters:re ::= /0 | ε | a | re 1 + re 2 | re 1 .re 2 | re ∗ where a ∈ M.Regular expressions re denote languages L (re) ⊆ M ∗ inthe standard way:L (/0) := /0 L (re 1 + re 2 ) := L (re 1 ) ∪ L (re 2 )L (ε) := {ε} L (re 1 .re 2 ) := L (re 1 ).L (re 2 )L (a) := {a}L (re ∗ ) := L (re) ∗ := ⋃ L (re) jj∈NHere, L (re) j denotes j ∈ N concatenations of L (re)where we fix L (re) 0 := ε. Simple regular expressionsare designed to represent languages that are downward

closed wrt. Higman’s subword ordering ≼ ∗ . Therefore,every occurrence of a letter also offers the choice of loss.Definition 7.1 (Simple regular expression). Considersome underlying alphabet M. Atomic expressions e allowfor choices among letters and form the base case.They are concatenated to products p. Simple regular expressions(sres) r are then choices among products:e ::= (a + ε) | (a 1 + ... + a m ) ∗ p ::= ε | e.p rwhere a,a 1 ,...,a m ∈ M. A language L ⊆ M ∗ is simpleregular if there is a simple regular expression r withL = L (r).Haines showed that downward closed languages are regular.We first establish this result and then sharpen it asfollows. Downward closed languages are precisely thelanguages represented by sres.Theorem 7.1 (Haines ’69). Let L ⊆ M ∗ be any language.Then L ↓ is regular.Proof. Since L ↓ is downward closed, the complementL ↓ is upward closed. Since Higman’s ordering ≼ ∗ is a

wqo, this upward closed language can be represented byits (finitely many) minimal elements:⋃L ↓ = min(L ↓)↑ = {w}↑ . (7.1)w∈min(L↓)Note that the upward closure of a word w = w 1 ...w n isthe language{w}↑ = {y ∈ M ∗ | w ≼ ∗ y} = L (M ∗ .w 1 .M ∗ ...M ∗ .w n .Mwhere M ∗ denotes the choice Σ m∈M m. This means {w}↑is regular. Since min(L ↓) is finite by Lemma 6.1 andsince regular languages are closed under finite unions,we conclude with Equation 7.1 that L ↓ is regular. Regularlanguages are also closed under complementation,so L↓= L ↓ is regular.⊓⊔The result is indeed surprising. If we define the languageof a Turing machine to contain all sequences of transitionsthat lead to a halting state, we get that L (TM)↓ isregular. This in turn means that the downward closure oflanguages cannot be computable in general. In the exampleof Turing machines, we would obtain

TM halts iff L (TM)↓≠ /0 iff ε ∈ L (TM)↓ .So there is no algorithm to compute a representation ofL (TM) ↓ (more precisely, no representation which allowsus to evaluate emptiness or membership of ε).There are interesting classes of languages for whichthe downward closure is computable. Van Leeuwen hasshown in 1978 that the downward closure of context freelanguages is effectively computable. For Petri nets, theproblem remained open until 2010 when it was solvedpositively by Habermehl, Wimmel, and the author. Establishingsuch computability results is a beautiful theoreticalchallenge that finds applications in decidabilityresults for asynchronous hardware. Indeed, consider ashared memory architecture with a writer and a reader.The reader always sees the downward closure of thewriters actions. If the reader process is slower than thewriter, it may miss intermediary instructions. It was AhmedBouajjani who realized this applications of downwardclosed languages in modelling and verification.Theorem 7.2 (Bouajjani ’98). Language L is downwardclosed if and only if it is simple regular.

Proof. For the if direction, recall that simple regularitymeans L = L (r) for some sre r. Therefore, an inductionalong the structure of sres is sufficient that showsL (r) is downward closed for all sres.For the only if direction, we apply Haines’ theoremand obtain⋃⋂L = L = {w}↑ = {w}↑. (7.2)w∈min(L )w∈min(L )To find an sre for {w}↑, we take a detour and represent{w}↑ by a finite automaton. This allows us to apply thestandard construction for complementation, which hintsto the required expression. Let w = w 1 ...w n with M asunderlying alphabet. The language {w}↑ is accepted byMMMA {w}↑w 1 w 2 w... ... nq 1q 0q

The M labelled loops denote |M| loops, one for each letterin M. We determinize the automaton with the powersetconstruction of Rabin and Scott. Switching then finaland non-final states yields an automaton for the complementlanguage:det(A {w}↑ )M \ {w 1 } M \ {w 2 }w 1 w 2 w... ... n−{q 0 }{q 0 ,q 1 }{The automaton operations are known to reflect the operationson languages. Thus, the language of det(A {w}↑ ) isas desired:L (det(A {w}↑ )) = L (det(A {w}↑ )) = L (A {w}↑ ) = {w}↑The language is characterized by the sre(M \ {w 1 }) ∗ .(w 1 + ε).(M \ {w 2 }) ∗ .(w 2 + ε)...(w n−1 + ε).

According to Equation 7.2, we need an sre for the intersection⋂ w∈min(L ){w}↑. On automata, this intersectionis reflected by a parallel composition∏ det(A {w}↑ ).w∈min(L )The result is an, up to loops, acyclic automaton. We decomposeit into its maximal paths and reuse the aboveconstruction.⊓⊔7.2 Inclusion among simple regularlanguagesWe intend to use sres to represent sets of configurationsin a lossy channel system. More precisely, we developa concept of symbolic configurations (q,R) where R isa function that assings to each channel c an sre R(c).Based on such symbolic configurations, we again developa fixed point algorithm of the form

I 0 ⊆ I 1 ⊆ I 2 ⊆ ... until I k+1 = I k for some k ∈ N.As the sequence already is increasing, we only needto check I k+1 ⊆ I k . This calls for an inclusion checkL (r 1 ) ⊆ L (r 2 ) among simple regular languages. Thefollowing result is key to making this inclusion checkefficient. It states that we only need to compare productswith products.Lemma 7.1. Consider a product p and an sre r = p 1 +... + p k . If L (p) ⊆ L (r) then L (p) ⊆ L (p i ) for some1 ≤ i ≤ k.Proof. The proof approach is interesting. We devise asingle word y ∈ L (p) that is demanding enough so as toensure inclusion of the full language L (p). More precisely,the word will guarantee thaty ∈ L (p i ) implies L (p) ⊆ L (p i )for every product p i with 1 ≤ i ≤ k. This proves thelemma as

k⋃y ∈ L (p) ⊆ L (r) = L (p i )i=1yields y ∈ L (p i ) for some 1 ≤ i ≤ k. With the above implication,we conclude L (p) ⊆ L (p i ) for this p i . Allthat remains is to give the construction of y.Let p = e 1 ...e n and let j be the maximal number ofatomic expressions in the products in r = p 1 + ... + p k .The goal is to enforce L (p) ⊆ L (p i ) if y ∈ L (p i ). Weset y = y 1 ...y n withy i := a if e i = (a + ε) y i := (a 1 ...a m ) j+1 if e i =This means we have a word for every atomic expression.For a choice e i = (a + ε) we select y i = a to demandthe occurrence of letter a. For e i = (a 1 + ...a m ) ∗we apply the pigeonhole principle. Let the longest productin r be e ′ 1 ...e′ j . We choose y i = (a 1 ...a m ) j+1 . Thismeans at least two iterations of a 1 ...a m have to be in thelanguage of a same expression, (a 1 ...a m ) 2 ∈ L (e ′ l ) forsome 1 ≤ l ≤ j. This implies e ′ l = (... + a 1 + ... + a m ) ∗and guarantees L (e i ) ⊆ L (e ′ l). Inclusion of the full

product p = e 1 ...e n iterates the argument for single expressions.⊓⊔We now develop a recursive algorithm that checks inclusionamong products in linear time. If one of the productsis the empty word, we have L (ε) ⊆ L (p) for everyproduct p and L (p) ⊈ L (ε) for all p ≠ ε. For atomicexpressions, we haveL (a + ε) ⊆ L ((a 1 + ... + a m ) ∗ ) if a ∈ {a 1 ,..L ((a 1 + ... + a m ) ∗ ) ⊆ L ((b 1 + ... + b n ) ∗ )if {a 1 ,...,aIt remains to set up the recursion for proper productse 1 .p 1 and e 2 .p 2 . We return L (e 1 .p 1 ) ⊆ L (e 2 .p 2 ) if oneof the following holds:L (e 1 ) ⊈ L (e 2 ) and L (e 1 .p 1 ) ⊆ L (p 2 )L (e 1 ) = L (e 2 ) = L (a + ε) and L (p 1 ) ⊆ L (p 2 )L (e 1 ) ⊆ L (e 2 ) = L ((a 1 + ... + a m ) ∗ ) and L (p 1 ) ⊆Lemma 7.2. Inclusion among products can be checkedin linear time.

To check inclusion L (p 1 +...+ p m ) ⊆ L (p ′ 1 +...+ p′ n)among sres, we compare each product p i with everyproduct p ′ j until we find L (p i ) ⊆ L (p ′ j ). This localcheck among products is sufficient according to Lemma 7.1Lemma 7.3. Inclusion among sres can be checked inquadratic time.7.3 Computing the Effect of TransitionsThe result of applying an operation like c!a to an sre rshould again be an sre. We show how to compute thissre. In the next section, we obtain a similar computabilityresult for the application of iterated sequences of operations.We fix the channel c to which we apply the operationsand write !a and ?a instead of c!a and c?a. LetM be the alphabet of messages that are sent and received.We define the effect of performing a send operation!a on L ⊆ M ∗ to be the language L ⊕!a :={y ∈ M ∗ | y = x.a for some x ∈ L }. Similarly, the effectof receiving from L is defined by L ⊕?a := {y ∈

| x = a.y for some x ∈ L }. The languages L weare concerned with are represented by sres r. The followinglemma shows how to compute an sre that representsL (r) ⊕ op.M ∗Lemma 7.4. Consider an sre r and an operation op ∈{!a,?a}. There is an sre r⊕op with L (r⊕op) = L (r)⊕op. Moreover, r ⊕ op can be computed in linear time.Proof. We first consider products. For send operations,we set p⊕!a := p.(a + ε). For receive operations, thebase case is ε⊕?a := /0. In the induction step, we have⎧⎪⎨ e.p if e = (a 1 + ... + a m ) ∗ and a ∈ {(e.p)⊕?a := p if e = (a + ε)⎪⎩p⊕?a otherwise.This means the operation is applied to the remainingproduct p provided letter a cannot be served by the firstatomic expression e.For an sre r = p 1 + ... + p k we set r ⊕ op := (p 1 ⊕op) + ... + (p k ⊕ op) to apply the operation to all products.It is readily checked that language equality holds

and that r ⊕op can be computed in time linear in the sizeof r.⊓⊔7.4 Computing the Effect of LoopsOur goal is to accelerate the coverability analysis in lossychannel systems. The term acceleration means we determinethe effect of arbitrary iterations of control loops ina single computation, rather than calculating the effectof every transition.Technically, a control loop is a sequence of transitionsthat starts and ends in a same state:opq 1 op0 −−→2 opq1 −−→ ... −−→nqn with q 0 = q n .We assume that all operations in ops = op 1 ...op n act onthe same channel c. 1 The main contribution is an algorithmwhich, given an sre r and sequence ops, computes1 If this is not the case, we first decompose ops into the subwordsops c for the single channels.

a new sre r ⊕ ops ∗ . The latter reflects the effect of arbitraryiterations of ops on r.The key insight is that the effect of loops stabilizes.For every sre r and sequence ops, there is an n ∈ Nthat satisfies the following. The language obtained by atleast n iterations of ops on r is characterized by an srer ⊕ ops ≥n . As a consequence, the effect of arbitrary iterationsof ops on r can be captured by the srer ⊕ ops ∗ := r + (r ⊕ ops) + ... + (r ⊕ ops n−1 ) + (r ⊕ ops ≥n )Theorem 7.3 (Bouajjani 1998). Consider product p anda sequence of operations ops. There is an n ∈ N and aproduct p ⊕ ops ≥n so that either L (p ⊕ ops n ) = /0 orL (p ⊕ ops ≥n ) = ⋃ j≥n L (p ⊕ ops j ). The value of n islinear in the size of p and p ⊕ ops ≥n can be computed inquadratic time.Before we turn to the proof, we define notions that helpus shorten the presentation. Consider a sequence ops ofoperations !a or ?a where a is in the alphabet M. Wedenote by ops? the subword of receive operations. Similarly,ops! yields the subword of send operations. Weassume the symbol of operation to be removed. So for

ops =!a.?b.?c.!d we have ops? = b.c and ops! = a.d.We use M(ops?) and M(ops!) to restrict alphabet M tothe letters in ops? and ops!, respectively.We extend Higman’s ordering into two directions. Weuse the growing subword ordering x ≼ ∗ grow y with x,y ∈M ∗ to indicate that there is m ∈ N so that x m+1 ≼ ∗ y m . Notonly does x ≼ ∗ grow y imply x ≼ ∗ y. It indeed shows that yis large enough so as to accommodate several instancesof x. If both words are iterated m+1 times, then x m+1 fitsinto only m iterations of y. The (m + 1)st iteration of y isleft untouched by the subword ordering. Ordering ≼ ∗ growcan be checked in quadratic time.If we iterate a control loop, ops can be understoodas a cycle. Indeed, when the last operation op n in thecontrol loop is reached, the word will continue with thefirst operation op 1 . The cyclic subword ordering x ≼ ∗ cyc yrequires that there is a decomposition x = x 1 .x 2 so thatx 2 .x 1 ≼ ∗ y. Intuitively, the ordering rotates the cyclicword by x 1 . Note that x ≼ ∗ cyc y implies x ≼ ∗ y 2 . Moreover,≼ ∗ cyc can be checked in quadratic time as well.Proof. We distinguish four cases. In the first two, thecontrol loop can be iterated an unbounded number oftimes so that the channel content grows unboundedly.

In the third case, the loop can be iterated an unboundednumber of times but the channel content stabilizes. Finally,a deadlock may occur because a receive fails.Case (1) L ((ops?) ∗ ) ⊆ L (p) If ops? = ε we set n := 0and p⊕ops ≥n := p.M(ops!) ∗ . If ops? ≠ ε, there is a firstatomic expression e = (a 1 + ... + a m ) ∗ in p = p 1 .e.p 2that satisfies M(ops?) ⊆ {a 1 ,...,a m }. We set n := |p 1 |and p ⊕ ops ≥n := e.p 2 .M(ops!) ∗ .Case (2) L ((ops?) ∗ ) ⊈ L (p) and ops? ≼ ∗ grow ops! andp⊕ops ≠ /0 We set n := |p| and p⊕ops ≥n := M(ops!) ∗ .Case (3) L ((ops?) ∗ ) ⊈ L (p) and ops? ⋠ ∗ grow ops! andops? ≼ ∗ cyc ops! and p⊕ops 2 ≠ /0 We set n := |p|+1 andp ⊕ ops ≥n := p ⊕ ops n .Case (4) where (1)-(3) do not applyand have p ⊕ ops n = /0.We set n := |p|+1⊓⊔In Case (1), there is an atomic expression e = (a 1 +...+a m ) ∗ in product p = p 1 .e.p 2 . It serves all receive operationsin ops once p 1 has been consumed. This means opscan be iterated an arbitrary number of times. Sequenceops? is always received from e and ops! is appended after

p 2 . Let ops! = b 1 ...b n . Due to lossiness, the downwardclosure of L ((ops!) ∗ ) isL ((ops!) ∗ )↓= (b 1 + ... + b n ) ∗ = M(ops!) ∗ .In the second case we do not have L ((ops?) ∗ ) ⊆ L (p).Therefore, the original channel content will be consumedafter at most n = |p| iterations of the control loop. Butas ops? ≼ ∗ grow ops! we have (ops?) m+1 ≼ ∗ (ops!) m forsome m ∈ N. This means the channel content grows byops! every m + 1 iterations of the loop. So we can haveany number of ops! sequences at the end of the channel.The downward closure is again M(ops!) ∗ . Condition p⊕ops ≠ /0 ensures the first iteration of the control loop isexecutable. The remaining iterations can be performedsince ops? ≼ ∗ grow ops! implies ops? ≼ ∗ ops!.In the third case, the channel content is again lost after|p| iterations of the control loop. Afterwards, the sendoperations in ops! serve the receive operations in ops? ina way that forbids the channel content to grow. We requiretwo iterations of ops to be feasible on p to guaranteeexecutability of arbitrary iterations. The reason isthat x ≼ ∗ cyc y implies X ≼ ∗ y 2 but does not imply x ≼ ∗ y.

A counterexample to why p ⊕ ops ≠ /0 is not sufficientfor feasibility of arbitrary iterations is the following:p = (b + ε).(a + ε)ops =?b.?a.!a.!b.Whe have p ⊕ ops = (a + ε).(b + ε) and p ⊕ ops 2 = /0.If cases (1) to (3) fail, the loop can be iterated at most|p| times. Then the channel is empty and the next iterationenters a deadlock as a receive fails.7.5 A Symbolic Forward Algorithm forCoverabilityConsider an lcs L = (Q,q 0 ,C,M,→) and a set of configurationsΓ F ⊆ Q × M ∗C . Harnessing the algorithmsfrom Section 7.2 to 7.4, we now design a procedure thatchecks reachability of Γ F from the initial configurationof L. Different from the backwards search from Section6.5, the new algorithm no longer stores minimal elementsto describe upward closed sets. The idea is to storesymbolic configurations (q,R) where function R assigns

an sre R(c) to every channel c ∈ C. The symbolic configurationdenotes the set of (standard) configurationsL ((q,R)) := {(q,W) ∈ Q × M ∗C | W(c) ∈ L (R(c)) for aThe overall verification algorithm is given in Figure7.1. It maintains a set V of symbolic configurationscomputed so far. When we calculate the effect of transitionsand control loops, we find new symbolic configurationsγ. We add γ to V provided it denotes newstandard configurations that are not represented by V sofar. When a configuration in Γ F is found, the algorithmreturns reachable. When no more symbolic configurationsare found (V 0 ⊆ V 1 ⊆ ... ⊆ V k = V k+1 ), the procedurereturns unreachable. The algorithm expects a finiteset loops of control loops to be accelerated. A canonicalchoice for loops are the simple control loops that do notrepeat states.The algorithm requires two comments. First, note thata symbolic configuration γ may be added to V and Lalthough it does not represent new configurations. Thishappens if

input : L = (Q,q 0 ,C,M,→), Γ F ⊆ Q × M ∗C ,beginV := {γ 0 }L := {γ 0 }loops a finite set of control loops to be acceleratedwhile L ≠ /0 dolet γ 1 = (q 1 ,R 1 ) ∈ LL := L \ {γ 1 }c,opfor all transitions q 1 −−→ q 2 doγ := (q 2 ,R 1 [c := R 1 (c) ⊕ op])if L (γ) ⊈ L (γ ′ ) for all γ ′ ∈ V thenend ifend for allV := V ∪ {γ}L := L ∪ {γ}for all control loops q 1ops−→ q 1 with ops ∈ loopsγ := (q 1 ,R) where R(c) := R 1 (c) ⊕ ops ∗ c for all c ∈ Cif L (γ) ⊈ L (γ ′ ) for all γ ′ ∈ V thenV := V ∪ {γ}L := L ∪ {γ}do

L (γ) ⊆ ⋃L (γ ′ )γ ′ ∈Vbut there is no single γ ′ ∈ V so that LWe stick with the local comparison as it can be checkedin polynomial time.A second comment is that the algorithm is sound butincomplete. If it returns reachable or unreachable theanswer is correct. But the procedure may run forever.More precisely, with a breadth-first processing of configurationsthe algorithm is a semidecider for reachableinstances: if Γ F is reachable, it will find a configuration inΓ F and terminate. (Indeed the algorithm only finds reachableconfigurations.) However, it may fail to terminatewhen Γ F is unreachable. We discuss the underlying computabilitytheoretic reasons in the following chapter.

Chapter 8Undecidability Results for LossyChannel SystemsAbstract Undecidability and non-computability resultsfor lossy channel systems.We establish a fundamental undecidability result for lossychannel systems. As main consequence, we derive in-

completeness of the previous acceleration algorithm. Theproblem we consider asks for whether a given controlstate in a lossy channel system can be visited infinitelyoften. Consider an LCS L = (Q,q 0 ,C,M,→) and a stateq ∈ Q. More formally, the recurrent state problem (RSP)asks for whether there is an infinite sequence of configurationsγ 0 → γ 1 → ... with γ i = (q i ,W i ) so that q i = q forinfinitely many i ∈ N.We show that RSP is undecidable. This is interestingfor several reasons. First, the infinite repetition of a designatedstate corresponds to the acceptance condition inBüchi automata. 1 Like finite automata serve as monitorsfor safety properties, Büchi automata act as observers forliveness properties: is a desirable situation guaranteed tohappen? Undecidability of RSP rules out decidability ofliveness properties for LCS. As a consequence, livenessproperties are undecidable for general WSTS. Surprisingly,liveness properties can be shown to be decidablefor Petri nets. It is an open research problem to find anatural subclass of WSTS that has a decidable liveness1 Syntactically, Büchi automata are finite state automata. Their semantics,however, is defined in terms of infinite words.

problem. A good restriction to general WSTS should extendand at best explain the positive result for Petri nets,and illustrate the strength of LCS.As second consequence of this undecidability resultfor RSP, we prove that the channel content is not computablefor LCS. This shows Bouajjani’s acceleration approachhas to be incomplete.We obtain undecidability by a reduction from thecyclic Post’s correspondence problem (CPCP). It takesas input a finite alphabet M and a finite list of pairs(x 1 ,y 1 ),...,(x n ,y n ) with x i ,y i ∈ M ∗ . The question is whethethere is a finite and non-empty sequence of indices i 1 ,...,i m{1,...,n} so thatx i1 ...x im = cyc y i1 ...y im .Here, x = cyc y if there are x ′ ,x ′′ ∈ M ∗ so that x = x ′ .x ′′ andy = x ′′ .x ′ . Intuitively, x and y are equal when consideredas circles.Theorem 8.1 (Ruohonen 1983). CPCP is undecidable.We reduce CPCP to RSP in order to establishTheorem 8.2 (Abdulla, Jonsson). RSP is undecidable.

Proof. Consider an instance of CPCP with alphabet Mand list (x 1 ,y 1 ),...,(x n ,y n ). We construct an LCS L =(Q,q 0 ,C,M,→) with a designated state q ∈ Q so that thefollowing equivalence holds: CPCP has a solution if andonly if L has a transition sequence γ 0 → γ 1 → ... thatvisits q infinitely often. The construction, illustrated inFigure 8.1, is as follows.c!mq 0d!mc!md!mqchange c from y i .z to z.x i1 ≤ i ≤ nchange d from x i .z ′ to z ′ .y iFig. 8.1 Sketch of the lossy channel system in the encoding ofCPCP. There are loops labelled by c!m and d!m for every m ∈ M,and similar for the transitions from q 0 to q.The LCS takes as messages the alphabet M of theCPCP instance. It has two channels {c,d} =: C. In theinitial state q 0 , the LCS guesses channel contents for c

and d via loops labelled by c!m and d!m for every m ∈ M.The channel contents are supposed to solve the CPCPinstance. With a transition from q 0 to the state q of interest,the LCS stops guessing and starts validating theproposed solution. To this end, it has a cycle for everypair (x i ,y i ) with 1 ≤ i ≤ n. Cycle i changes the contentof channel c from y i .z to z.x i for every z ∈ M ∗ . Asimilar change is performed on d. It is immediate to implementthe changes via sequences of receive and sendoperations. We now argue that the CPCP instance has asolution iff L admits a transition sequence that visits qinfinitely often.⇒ Assume that i 1 ,...,i m solves the CPCP instance.The words arex := x i1 ...x im y := y i1 ...y im so that x = cyc y.By definition of = cyc , we have x = x ′ .x ′′ so that y = x ′′ .x ′for some x ′ ,x ′′ ∈ M ∗ . We construct a transition sequencethat visits q infinitely often. In state q 0 , we send y.x ′′ tochannel c and x.x ′ to channel d. With this channel content,we move to q. The i1st cycle transforms

y.x ′′ = y i1 .y i2 ...y im .x ′′ into y i2 ...y im .x ′′ .x i1 for channx.x ′ = x i1 .x i2 ...x im .x ′ into x i2 ...x im .x ′ .y i1 for channeThen we continue with the i2nd cycle in the expectedway. Eventually, channel c contains x ′′ .x and d holds x ′ .y.We now observe thatx ′′ .x = x ′′ .x ′ .x ′′ = y.x ′′x ′ .y = x ′ .x ′′ .x ′ = x.x ′ .This means m-iterations of the cycles recreate the initialchannel contents y.x ′′ for c and x.x ′ for d. To visit qinfinitely often, we repeat the m-iterations infinitely often.Note that the transition sequence we chose does notloose messages.⇐ For the reverse direction, one can show that if CPCPhas no solution, then every transition sequence that leadsto q eventually deadlocks.⊓⊔The above proof relies on two channels, and one mayask whether LCS with a single channel have a decidableRSP. The answer is negative and sheds some light on theexpressiveness of LCS.

Lemma 8.1. RSP is undecidable even for LCS with onechannel.Idea. Consider the above LCS L with two channels cand d. We construct a new LCS L ′ with a single channels. The new alphabet is C × M. This means the newmessages (c,m) and (d,m) keep track of the channel cor d that message m stems from. The configurations γ =(q,(w c ,w d )) of L are imitated in the new LCS by configurationsγ ′ = (q,w). So the state q coincides, but thecontent of γ ′ is a shuffle w ∈ (({c} × w c ) ({d} × w d ))of the contents in both channels. 2 A send action c!m ofL yields s!(c,m) in L ′ . Imitating a receive c?m of L ismore delicate. The problem is that, due to shuffling, L ′may not have (c,m) at the head of channel s. The rotationconstruction from the exercises solves this problem.⊓⊔2 The shuffle operator is well known in formal language theory.Consider M as underlying alphabet. The operator is defined inductivelyby w ε := w =: ε w for all w ∈ M ∗ and a 1 .w 1 a 2 .w 2 :=a 1 .(w 1 a 2 .w 2 ) ∪ a 2 .(a 1 .w 1 w 2 ) for all a 1 ,a 2 ∈ M, w 1 ,w 2 ∈ M ∗ .

Theorem 8.2 yields our main result. The channel contentin LCS is not computable. Therefore, the accelerationprocedure from Chapter 7 has to be incomplete.Theorem 8.3. For an LCS L = (Q,q 0 ,C,M,→) with stateq ∈ Q and channel c ∈ C there is no algorithm to computean SRE that representsW(q,c) := {w ∈ M ∗ | γ 0 → ∗ (q,W) with W(c) = w}.Note, however, that W(q,c) is simply regular by Theorem7.2.Proof. The result follows from a reduction of RSP. Consideras instance the LCS L = (Q,q 0 ,C,M,→) and stateq ∈ Q. We construct a modified LCS L ′ with a new channeln ∈ C so that the content of n reflects the repetition ofq as follows. There is a transition sequence γ 0 → γ 1 → ...that visits q infinitely often iff W(q,c) is infinite. Essentially,L ′ keeps track of when q is entered by adding amessage to the new channel n. More precisely, L ′ addsto L a new state q ′ . Every transition that leads to q isredirected to q ′ . From q ′ , a single transition labelled n!xleads to q. Here, x ∈ M is an arbitrary but fixed message.The remaining transitions of L are left unchanged in L ′ .

In particular there are no transitions that consume messagesfrom the new channel n. Figure 8.2 illustrates theconstruction.We show that there is a run visiting q infinitely oftenif and only if W(q,n) is infinite. The direction fromleft to right is immediate. For the reverse, one forms atree of all transition sequences that end in a configuration(q,W). Since language W(q,n) is infinite, there areinfinitely many transition sequences leading to q. Thus,the tree is infinite. Moreover, the tree is finitely branching.König’s lemma applies and yields an infinite pathγ 0 → γ 1 → ... in the tree. State q is visited infinitely oftenon this path. To see this, assume there was a last configurationwith state q. Then, by construction, the pathwould end in this configuration. A contradiction.We now derive the desired non-computability resultfor channel contents. If an SRE was computable forW(q,n), then we could also decide finiteness of W(q,n)using this SRE. With the previous reduction, this decidesRSP. Hence, such an SRE is not computable. ⊓⊔The proof shows more. No representation of W(q,n) iscomputable that allows us to decide finiteness of the language.

......c 1 !m 1 c k !m k c 1 !m 1qq ′n!xqc k !m kFig. 8.2 Reduction from RSP to the computation of channel contents.The original transitions in L are given to the left, the modificationin L ′ is depicted to the right.

Chapter 9Expand, Enlarge, and CheckAbstract EECWe are still looking for a forward algorithm that solvesupward closed reachability in WSTS in a complete way.The strong motivation for forward algorithms is in their

efficiency. Backwards algorithms often encounter searchtrees with high outdegree. Forward algorithms are moredeterministic. Moreover, verification techniques like partialorder reduction immediately apply to forward algorithmswhile their design is difficult for backwardssearches.To circumvent the non-computability result from Theorem8.3, we refrain from computing the precise set ofreachable configurations in a WSTS. We rather employtwo sequences of approximationsUnder(TS,Γ 0 ),Under(TS,Γ 1 ),... and Over(TS,Γ 0 ,L 0 ),Sequence Under(TS,Γ 0 ),Under(TS,Γ 1 ),... provides moreand more precise underapproximations of the WSTS TS.They are used to decide the positive instances of upwardclosed reachability: if the upward closed set is reachablefrom the initial configuration, some underapproximationUnder(TS,Γ i ) will report this. The second sequencegives more and more precise overapproximationsof the WSTS. They will decide the negative instances.Since we have two semi-decision procedures, the combi-

nation of both algorithms decides upward closed reachability.The construction enjoys a beautiful analogy. Abdulla’salgorithm is a backwards search that manipulates upwardclosed sets represented by minimal elements. EECin turn is a forward algorithm that manipulates downwardclosed sets. The following section shows how torepresent downward closed sets by limit elements.9.1 Domains of LimitsConsider the WQO (C,≤). Upward closed sets I ⊆ C arefinitely represented by their minimal elements: min(I) ↑= I. The representation is effective. Membership in andinclusion among upward closed sets can be checked via≤. What is a finite and effective representation of downwardclosed sets? We propose to use limit elements l /∈C.The idea is to reflect infinite non-decreasing sequencesc 0 ≤ c 1 ≤ c 2 ≤ ...

For example, the sequence (0,0),(0,1),(0,2),... in N 2is represented by (0,ω). Similarly, the sequence of languagesL (a + ε),L ((a + ε).(b + ε)),L ((a + ε).(b + ε).(a + ε))yields as limit the language L ((a + b) ∗ ). To be usefulin a decision procedure for upward closed reachability,limit elements should satisfy some constraints.Definition 9.1 (Adequate domain of limits). Let (C,≤) be a WQO. A pair (L,r) consisting of a set of limitelements L with L ∩C = /0 and a representation functionr : L ∪C → P(C) is called an adequate domain of limits(ADL) for (C,≤) provided the following conditions hold.(L1) For l ∈ L, r(l) is downward closed. Moreoever,r(c) := {c}↓ f.a. c ∈ C.(L2) There is a top element ⊤ ∈ L with r(⊤) = C.(L3) For any downward closed set D ⊆ C there is afinite set D ′ ⊆ C ∪ L with r(D ′ ) = D. Condition (L3)is also called completeness.The domain of limits has to be compatible with the transitionrelation in the WSTS.

Definition 9.2 (Effectiveness). A WSTS (Γ ,γ,→,≤) andan ADL (L,r) for (Γ ,≤) are called effective if(E1) For all d ∈ Γ ∪ L, finite D ⊆ Γ ∪ L, inclusionsuc(r(d)) ⊆ r(D) is decidable.(E2) For all finite D 1 ,D 2 ⊆ Γ ∪ L, inclusion r(D 1 ) ⊆r(D 2 ) is decidable.We observed that Petri nets are WSTS. The limit elementsare extended markings in N |S|ω . That this domain isadequate and effective is not hard to check. For LCS, thesymbolic configurations from Chapter 7 form an ADLthat can be shown to be effective. Recall that symbolicconfigurations assign an SRE to every channel.Consider WSTS TS = (Γ ,γ 0 ,→,≤) and an upwardclosed set I ⊆ Γ . To solve upward closed reachabilitymeans to decide R(TS) ∩ I = /0. The following lemmashows that downward closed sets are sufficient for thistask.Lemma 9.1. We have R(TS)∩ I = /0 if and only if R(TS)↓∩ I = /0.Note that Definition 9.1 yields a finite representation forR(TS)↓. By (L3), there is a finite set CS(TS) ⊆ Γ ∪ L so

that r(CS(TS)) = R(TS)↓. We call R(TS)↓ the coveringset of R(TS). The finite set CS(TS) is the coverability setof R(TS).Combined with Lemma 9.1 this finiteness brings uscloser to a decision procedure for coverability. Indeed,the term coverability set is chosen intentionally: the EECalgorithm can be understood as an advanced version ofcoverability graphs. But how to circumvent the noncomputabilityof coverability sets for LCS? The trickis to approximate CS(TS) rather than to compute it precisely.9.2 UnderapproximationWe construct an underapproximation of a transition systemTS = (Γ ,γ 0 ,→) wrt. a finite subset of configurationsΓ ′ ⊆ Γ . The idea is to reflect the transition sequencesthat visit configurations in Γ ′ , only.Definition 9.3 (Underapproximation wrt. Γ ′ ). Let TS =(Γ ,γ 0 ,→) and consider a finite set Γ ′ ⊆ Γ with γ 0 ∈ Γ ′ .

The underapproximation of TS wrt. Γ ′ is the transitionsystem Under(TS,Γ ′ ) := (Γ ′ ,γ 0 ,→ ∩ (Γ ′ ×Γ ′ )).With Γ ′ large enough, this underapproximation decidesthe positive instances of upward closed reachability. Tobegin with, we argue that the underapproximation reportscorrectly on reachability. If it finds an upwardclosed set I ⊆ Γ reachable, then the set is reachable inthe original transition system.Lemma 9.2 (Soundness). If R(Under(TS,Γ ′ )) ∩ I ≠ /0then R(TS) ∩ I ≠ /0.Moreover, if set I is reachable in TS then some underapproximationwill detect this.Lemma 9.3 (Completeness). If R(TS)∩ I ≠ /0 then thereis a finite set Γ ′ ⊆ Γ with γ 0 ∈ Γ ′ so that R(Under(TS,Γ ′ ))∩I ≠ /0.9.3 OverapproximationFor the following development, we assume that the WSTSTS = (Γ ,γ 0 ,→,≤) to be approximated is deadlock free:

for all γ 1 ∈ Γ there is γ 2 ∈ Γ so that γ 1 → γ 2 . In the caseof LCS, deadlock freeness can always be achieved byadding a loop to each state that sends to a fresh channel.The underapproximation of TS is parameterized by afinite set of configurations Γ ′ ⊆ Γ . The overapproximationOver(TS,Γ ′ ,L ′ ) additionally relies on a finite set oflimit elements L ′ from an ADL (L,r). Intuitively, transitionsequences that stay within Γ ′ are represented preciselyby Over(TS,Γ ′ ,L ′ ). When we encounter a configurationoutside Γ ′ , we overapproximate it using limitsfrom L ′ .The problem is in the choice of limits. There may betwo sets E 1 ,E 2 ⊆ Γ ′ ⊎L ′ that overapproximate suc(r(d))with d ∈ Γ ′ ⊎ L ′ . This means suc(r(d)) ⊆ r(E 1 ) andsuc(r(d)) ⊆ r(E 2 ). If the sets are incomparable, r(E 1 ) ⊈r(E 2 ) and r(E 2 ) ⊈ r(E 1 ), both overapproximation arereasonable. The trick is to avoid a choice but consider alloverapproximations. As a result, Over(TS,Γ ′ ,L ′ ) will bean and-or graph rather than a transition system.

9.3.1 And-Or GraphsAnd-or graphs are bipartite graphs with an initial orvertex.Definition 9.4 (And-or graph). An and-or graph is agraph G = (V A ⊎V O ,v O ,→) with disjoint sets of and verticesV A , or vertices V 0 with initial vertex v O ∈ V O , andedges → ⊆ (V A ×V O ) ∪ (V O ×V A ). We assume that forevery v 1 ∈ V A ⊎V O there is v 2 ∈ V O ⊎V A with v 1 → v 2 .For and-or graphs, the analogue of a transition sequenceis an execution tree.Definition 9.5 (Execution tree). Consider G = (V A ⊎V O ,v O ,→). An execution tree of G is an infinite treeT = (N,n r ,,λ) with node labelling λ : N → V A ⊎V Othat satisfies the following compatibility requirements:(i) λ(n r ) = v O(ii) For all n 1 ∈ N with λ(n 1 ) ∈ V O there is precisely onen 2 ∈ N with n 1 n 2 . Moreover, the nodes satisfyλ(n 1 ) → λ(n 2 ).(iii) For all n 1 ∈ N with λ(n 1 ) ∈ V A we have that

(a)for all v 2 ∈ V O with λ(n 1 ) → v 2 there is preciselyone n 2 ∈ N with n 1 n 2 and λ(n 2 ) = v 2 .(b)for all n 2 ∈ N with n 1 n 2 there is v 2 ∈ V O withλ(n 1 ) → v 2 and λ(n 2 ) = v 2 .We relate unreachability of upward closed sets in WSTSto the avoidability problem in and-or graphs. The problemtakes as input an and-or graph G = (V A ⊎V O ,v O ,→) and a set of vertices E ⊆ V A ⊎ V O . The question iswhether there is an execution tree T = (N,n r ,,λ) sothat λ(N) ∩ E = /0. In this case, we say E is avoidablein G. The avoidability problem can be shown to be completefor polynomial time P.9.3.2 Over(TS,Γ ′ ,L ′ )Let TS = (Γ ,γ 0 ,→,≤) be a WSTS with ADL (L,r) wrt.(Γ ,≤). Consider finite sets Γ ′ ⊆ Γ with γ 0 ∈ Γ ′ and L ′ ⊆L with ⊤ ∈ L ′ .

Definition 9.6 (Overapproximation wrt. Γ ′ and L ′ ).The overapproximation of TS wrt. Γ ′ and L ′ is the and-orgraph Over(TS,Γ ′ ,L ′ ) := (V A ⊎V O ,v O ,→) defined by(A1) V 0 := Γ ′ ⊎ L ′(A2) V A := {E ⊆ Γ ′ ⊎ L ′ | E ≠ /0 and ̸ ∃ d 1 ,d 2 ∈ E :r(d 1 ) ⊆ r(d 2 )}(A3) v O := γ 0(A4) For all v 1 ∈ V A and v 2 ∈ V O we have v 1 → v 2 iffv 2 ∈ v 1 .(A5) For all v 1 ∈ V O and v 2 ∈ V A we have v 1 → v 2iff suc(r(v 1 )) ⊆ r(v 2 ) and there is no v ∈ V A withsuc(r(v 1 )) ⊆ r(v) r(v 2 ).By Condition (A1), or-nodes are configurations in Γ ′ orlimits in L ′ . And-nodes, defined by (A2), are sets of configurationsand limit elements. Sets arise for two reasons.First, due to non-determinism a configuration may haveseveral successors. Second, as discussed above it may beunclear which limit elements to choose for the overapproximationof successors. By Condition (A5), we selectthe most precise overapproximations of suc(r(v 1 )).The definition of and-or graphs requires each vertexto have a successor. To see that Over(TS,Γ ′ ,L ′ ) obeys

this constraint, consider an and-node. By definition, thisis a non-empty set E ⊆ Γ ′ ⊎ L ′ . By Condition (A4), thetransitions leaving and-nodes just select an element fromE. For an or-node, observe that {⊤} is an and-node. Itcan be used to overapproximate suc(r(v)) ≠ /0 for any ornodev ∈ V O . Non-emptiness holds by deadlock freedom.To link unreachability of I ⊆ Γ to avoidability inOver(TS,Γ ′ ,L ′ ), we define the set of vertices V I ⊆ V A ⊎V O that represent elements in I:V I := {v ∈ V A ⊎V O | r(v) ∩ I ≠ /0}.To prove the overapproximation sound, we first showthat it imitates the behaviour of TS. Note that the followingstatements holds for any choice of Γ ′ and L ′ .Lemma 9.4. Let γ 0 → ... → γ k in TS. Then in every executiontree T = (N,n r ,,λ) of Over(TS,Γ ′ ,L ′ ) there isa path n r n 1 ... n 2k so that γ i ∈ r(λ(n 2i )).So we use or-vertices λ(n 2i ) to reflect configurations.Theorem 9.1 (Soundness). If V I is avoidable in Over(TS,Γthen R(TS) ∩ I = /0.

Proof. We proceed by contraposition and assume R(TS)∩I ≠ /0. Then there is a path γ 0 → + γ k with γ k ∈ I inTS. By Lemma 9.4, every execution tree T = (N,n r ,,λ) of Over(TS,Γ ′ ,L ′ ) contains a path n r + n 2k withγ i ∈ r(λ(n 2i )). We conclude r(λ(n 2k )) ∩ I ≠ /0 and soλ(N) ∩V I ≠ /0.⊓⊔The overapproximation is actually complete. In case ofunreachability, the sets Γ ′ and L ′ can be chosen preciseenough so as to avoid V I . Precise enough here means thatCS(TS) ⊆ Γ ′ ⊎L ′ . This is the key observation that distinguishesEEC from the acceleration approach. It is sufficientto overapproximate the coverability set, it is notnecessary to compute it precisely.Theorem 9.2 (Completeness). Let CS(TS) ⊆ Γ ′ ⊎ L ′ . IfR(TS) ∩ I = /0 then V I is avoidable in Over(TS,Γ ′ ,L ′ ).Proof. We compute an execution tree T = (N,n r ,,λ)so that all n ∈ N satisfyr(λ(n)) ⊆ r(CS(TS)).Since r(CS(TS)) = R(TS)↓ and since R(TS)↓ ∩ I = /0 ifand only if R(TS)∩ I = /0, we conclude r(λ(n))∩ I = /0.

This means λ(N) ∩V I = /0, tree T avoids V I .We construct the tree by induction on the number of layersof or- and and-vertices. In the base case, we start fromthe root withr(λ(n r )) = r(v O ) = r(γ 0 ) = {γ 0 }↓ ⊆ r(CS(TS)).We have to determine an and-vertex v ∈ V A with v 0 → vso that r(v) ⊆ r(CS(TS)). With such an and-vertex, weextend the execution tree by n r n so that λ(n) = v.To find a suitable and-vertex, it is sufficient to showthatsuc(r(γ 0 )) ⊆ r(CS(TS)).Since and-vertices are most precise overapproximations,there is v ∈ V A with v O → v that satisfies r(v) ⊆ CS(TS).In the worst case, we select CS(TS) itself.To establish the inclusion, consider γ ∈ r(γ 0 ) = {γ 0 }↓that takes a transition γ → γ ′ for some γ ′ ∈ Γ . By definitionof WSTS, ≤ is a simulation relation and so γ 0 canimitate the transition. There is γ ′′ ∈ Γ with γ 0 → γ ′′ andγ ′′ ≥ γ ′ . Since γ ′′ ∈ r(CS(TS)) and since r(CS(TS)) is

downward closed, we have γ ′ ∈ r(CS(TS)).The induction step is along similar lines.⊓⊔9.4 Overall AlgorithmEEC expects as input a WSTS (Γ ,γ 0 ,→,≤) with anADL (L,r) that are effective. For the iterative constructionof under- and overapproximations, we additionallyrequire Γ and L to be recursively enumerable. As a consequenceof this, there is an infinite sequence of finitesets of configurationsΓ 0 ⊆ Γ 1 ⊆ ...with γ 0 ∈ Γ 0 that satisfies the following. For every γ ∈ Γthere is i ∈ N so that γ ∈ Γ i . Likewise, there is an infinitesequencce of finite sets of limitsL 0 ⊆ L 1 ⊆ ...

so that ⊤ ∈ L 0 and for every l ∈ L there is i ∈ N so thatl ∈ L i . Then for any finite Γ ′ ⊎ L ′ ⊆ Γ ⊎ L there is j ∈ Nso thatΓ ′ ⊎ L ′ ⊆ Γ j ⊎ L j .Theorem 9.3. EEC terminates and returns reachable ifR(TS) ∩ I ≠ /0 and unreachable otherwise.Proof. Provided → is decidable, Under(TS,Γ i ) is computabledue to finiteness of Γ i . With a decidable ≤, thetest R(Under(TS,Γ i )) ∩ I ≠ /0 is also decidable. Similarly,Over(TS,Γ i ,L i ) and V I are computable due to effectiveness.Avoidability of V I can then be checked inpolynomial time.For correctness, let R(TS) ∩ I ≠ /0. Then V I is notavoidable in all Over(TS,Γ i ,L i ) by soundness of overapproximation(applied in contraposition). By completenessof underapproximation, there is j ∈ N so that R(Under(I ≠ /0. EEC returns reachable.Let R(TS)∩ I = /0. We have R(Under(TS,Γ i ))∩ I = /0for all i ∈ N by soundness of underapproximation. But

Finite representation of WSTS TS = (Γ ,γ 0 ,→,≤) with ADL (L,r)Infinite sequence Γ 0 ⊆ Γ 1 ⊆ ... of finite subsets of Γ as discussed ainput :Upward closed set I ⊆ Γ represented by min(I)Infinite sequence L 0 ⊆ L 1 ⊆ ... of finite subsets of L as discussedbegini := 0while true doCompute Under(TS,Γ i )//ExpandCompute Over(TS,Γ i ,L i )//Enlarif R(Under(TS,Γ i )) ∩ I ≠ /0 then //Chereturn reachableelse if V I avoidable in Over(TS,Γ i ,L i ) thenreturn unreachableend ifi := i + 1end whileend

there is j ∈ N with CS(TS) ⊆ L j ⊎Γ j . By completeness ofoverapproximation, V I is avoidable in Over(TS,Γ j ,L j ).EEC returns unreachable as desired.⊓⊔

Part IIIDynamic Networks andπ-Calculus

Text.

Chapter 10Introduction to π-CalculusAbstract π-CalculusThe π-Calculus is a process algebra for modelling dynamicnetworks. The origins of process algebras dateback to the 1970s with Hoare’s Communicating Sequen-

tial Processes (CSP) and Milner’s Calculus of CommunicatingSystems (CCS). Both lines of research were devotedto the study of the semantics of concurrency —with the following observation. Communication, sendingand simultaneous receiving of messages, is the fundamentalcomputation mechanism in concurrent systems.More complex mechanisms, e.g., semaphores, can be derivedfrom communications.Communications exchange messages over channels.To transmit its IP address to a server located at someURL, a client uses the output action url〈ip〉. It sends themessage ip on the channel url. The input action url(x)of the server listens on channel url and replaces variablex by the incoming message. The key idea is to letmessage and channel have the same type: they are justnames. Therefore, a message that is received in one communicationmay serve as the channel in the following.We extend the model of the server to S = url(x).x〈ses〉.The server receives a channel x on url from the client.As a reply it sends a session ses on the received channel,i.e., to the client. We also extend the client to receive thesession: C = url〈ip〉.ip(y).

Concurrent execution of client and server is reflectedby parallel composition. In the scenario, the parallelcomposition is C | S = url〈ip〉.ip(y) | url(x).x〈ses〉. Sincea communication of C and S forms a computation step,we derive the transitionurl〈ip〉.ip(y) | url(x).x〈ses〉 → ip(y) | ip〈ses〉.Note that the communication changes the link structure.While in C | S client and server share channel url,they are connected by ip in the next step. The numberof entities in the system stays constant. To also modelobject creation, the parallel composition can be nestedunder action prefixes. Therefore, the two characteristicfeatures of dynamic networks are well-reflected in π-Calculus.We focus on the computational expressiveness of dynamicnetworks, i.e., we study restrictions of π-Calculusthat yield system classes with decidabile verificationproblems. Interestingly, dynamic networks require a newcorrectness criterion. They ask for proper connectionsamong entities, different from the earlier systems where

we focussed on proper interaction. As we shall see, alsolinkage problems relate to coverability.The main insight is that, despite the unbounded numberof components and links that may be generated, dynamicnetworks often feature a strong similarity insideits configurations. There often is a finite set of connectionpatterns that all components make use of. We exploitthis observation to derive finite representation ofdynamic networks. As we shall see, the requirement canalso be weakened. We later consider architectures whereonly certain dependency chains are bounded, similar towhat is the case in n-tier architectures.10.1 SyntaxThe basic elements of processes are names a,b,x,y in theinfinite set of names N . They are used as channels andmessages. The previously introduced output and inputactions are prefixesπ ::= x〈y〉 | x(y) | τ.

The silent prefix τ performs an internal action.Let ã abbreviate a finite sequence of names a 1 ,...,a n .To define parameterized recursion, we use process identifiersK,L. A process identifier represents a process Pvia a recursive definition K( ˜x) := P, where the elementsin ˜x are pairwise distinct. The term K⌊ã⌋ is a call to theprocess identifier, which results in the process P with thenames ˜x replaced by ã. The remaining operators are asfollows.Symbol 0 is the stop process without behaviour. Aprefixed process π.P offers π for communication and behaveslike P when π is consumed. The choice betweenprefixed processes is represented by π.P + M. If π.P ischosen, the alternatives in M are forgotten. In a parallelcomposition P | Q, the processes P and Q communicatevia pairs of send and receive prefixes. The restriction operatorνa.P converts the name a in P into a private name.It is different from all other names.Definition 10.1. The set of all π-Calculus processes Pis defined inductively byM ::= 0 | π.P + M P ::= M | K⌊ã⌋ | P 1 | P 2 |

Every process relies on finitely many process identifiersK, each of which defined by an equation K( ˜x) := Q.We write π instead of π.0. A sequence of restrictionsνa 1 ...νa n .P is abbreviated by νã.P with ã := a 1 ,...,a n .To avoid brackets, we define that (1) prefix π and restrictionνa bind stronger than choice composition + and (2)choice composition binds stronger than parallel composition| .10.2 Names and SubstitutionsWe mentioned that a restricted name νa is different fromall other names in the process P ∈ P under consideration.To ensure this, we define ν to bind the name a. Wethen allow for renaming bound names by α-conversion.Similarly, in a prefixed process a(y).Q the receive actiona(y) binds the name y. Intuitively, y is a variablewhich has not yet received a concrete value and thereforeshould be different from all other names in P. Werefer to the set of bound names by bn(P). A name that is

not bound is said to be free and we denote the set of freenames in P by fn(P).Of particular interest to the theory we develop are therestricted names that are not covered by a prefix in thesyntax tree. We call them active restricted names anddenote them by arn(P). Inνa.(a〈b〉.νc.a〈c〉 | a(x) | K⌊b⌋)the restriction νa is active while νc is not as it is coveredby the prefix a〈b〉. Note that active restricted namesare bound, arn(P) ⊆ bn(P). Active restrictions connectthe processes that use the name. In the example, νa connectsa〈b〉.νc.a〈c〉 and a(x), but not K⌊b⌋. We formalisethe idea of connecting processes by active restrictions inSection 11.1. Formally, we say process P uses name a ifa ∈ fn(P).Since we will permit α-conversion of bound names,the following constraints (1) and (2) can always be achievedWe assume wlog. (1) that all bound names are differentand (2) that bound names and free names

do not interfere. (3) Defining equations K( ˜x) := Pshould not contribute names. Therefore, we requirethat fn(P) ⊆ ˜x.Technically, α-conversion of a bound name a to cmeans changing νa.P to νc.P ′ , where every free occurrenceof a in P is replaced by c in P ′ . For example,νa.a(x) is α-converted to νc.c(x). To rename free namesin a process, we use substitutions.Definition 10.2 (σ : N → N ). A substitution is a mappingfrom names to names, σ : N → N . Let xσ denotethe image of x under σ. If we give domain andcodomain, σ : A → B with A,B ⊆ N , we demand xσ ∈ Bif x ∈ A and xσ = x otherwise. An explicitly defined substitutionσ = {a 1 ,...,a n /x 1 ,...,x n } maps x i to a i , i.e.,σ : {x 1 ,...,x n } → {a 1 ,...,a n } with x i σ = a i .An application of a substitution σ : A → B to a processP results in a new process Pσ, where all free names in Pare changed according to σ.

To ensure that substitution σ : A → B does not introducenew bindings in process P ∈ P, we assumethat the names in σ do not interfere with thebound names: (A ∪ B) ∩ bn(P) = /0.We formalize the application of substitutions.Definition 10.3 (Application of Substitutions). Considerσ : A → B and P ∈ P with (A∪B)∩bn(P) = /0. The applicationof σ to P yields Pσ ∈ P defined by0σ := 0τσ := τx(y)σ := xσ(y)x〈y〉σ := xσ〈yσ〉(π.P + M)σ := (πσ).(Pσ) + (Mσ)K⌊ã⌋σ := K⌊ãσ⌋(P | Q)σ := Pσ | Qσ(νa.P)σ := νa.(Pσ).10.3 Structural CongruenceTo give an operational semantics to a process algebra,the behaviour of every process has to be defined. To keep

the definition of the transition relation simple, Berry andBoudol suggested to define only the transitions of representativeterms and use a second relation to link processeswith representatives. By definition, a process thenbehaves like its representative. Intuitively, the definitionof the operational semantics is factorized into the definitionof a transition and a structural relation.Berry and Boudol called the approach chemical abstractmachine with the following idea. Processes arechemical molecules that change their structure. Changingthe structure heats molecules up or cools them down.Only heated molecules react with one another, whichchanges their state.The π-Calculus semantics that exploits the chemicalabstract machine idea was introduced by Milner. Hecalled the relation to identify processes with representativesstructural congruence and the name is still in use.Many results in this part of the lecture exploit invarianceof the transition relation under structural rewriting.Before we turn to the definition of structural congruence≡ ⊆ P × P, we recall that a congruence relationis an equivalence which is compatible with the operatorsof the algebra under study. That ≡ is an equivalence

means we have∀P ∈ P : P ≡ P∀P,Q ∈ P : P ≡ Q implies Q ≡ P∀P,Q,R ∈ P : P ≡ Q and Q ≡ R implies P ≡ R.(Reflex(Symm(TransitThat structural congruence is a congruence means it ispreserved under composition, using any of the operators:∀P,Q,M ∈ P : ∀π : P ≡ Q implies π.P + M ≡ π.Q + M∀P,Q,R ∈ P : P ≡ Q implies P | R ≡ Q | R∀P,Q ∈ P : ∀a ∈ N : P ≡ Q implies νa.P ≡ νa.Q.Definition 10.4 (Structural Congruence). Structural congruence≡ ⊆ P × P is the least congruence on processeswhich allows for α-converting bound namesνx.P ≡ νy.(P{y/x})a(x).P ≡ a(y).(P{y/x}),where in both cases {y} ∩ (fn(P) ∪ bn(P)) = /0. Moreover,+ and | are commutative and associative with 0 asneutral element,

M + 0 ≡ M M 1 + M 2 ≡ M 2 + M 1M 1 + (M 2 + M 3 ) ≡ (M 1 + M 2 ) + M 3P | 0 ≡ P P 1 | P 2 ≡ P 2 | P 1P 1 | (P 2 | P 3 ) ≡ (P 1 | P 2 ) | P 3 ,and restriction is a commutative quantifier that is absorbedby 0 and whose scope can be shrunk and extrudedover processes not using the quantified name:νx.νy.P ≡ νy.νx.P νx.0 ≡ 0νx.(P | Q) ≡ P | (νx.Q), if x /∈ fn(P).The latter law is called scope extrusion.Structural congruence preserves the free names in a process.Lemma 10.1 (Invariance of fn under ≡). P ≡ Q impliesfn(P) = fn(Q).

10.4 Transition RelationTo define the behaviour of π-Calculus processes, we employthe structural approach to operational semantics.Plotkin argues that the states of a transition system, likethat of a program or that of a π-Calculus process, have asyntactic structure. They are compositions of basic elementsusing a set of operators. He then proposes todefine transitions between these structured states by aproof system: a transition exists iff it is provable in theproof system. In order to define the behaviour of everystate, the proof system uses induction on their structure.It comprises (1) axioms that define the transitions of basicelements and (2) proof rules that define the transitionsof composed states from the transitions of the operands.The benefit of structural operational semantics is theirsimplicity and elegance, combined with the ability toestablish properties of transitions by induction on thederivations.Definition 10.5 (Transition Relation and System). Thetransition relation → ⊆ P × P is defined by the rulesin Table 10.1. For a process P ∈ P, we define the set

of reachable processes to be R(P) := {Q ∈ P | P → ∗Q}. The transition system of P factorizes along structuralcongruence, T (P) := (R(P)/ ≡ ,→,[P]) where [Q] → [Q ′ ]iff Q → Q ′ .(Tau)τ.P + M → P(React)x(y).P + M | x〈z〉.Q + N → P{z/y} | Q(Const)K⌊ã⌋ → P{ã/ ˜x}, if K( ˜x) := P(Par)P → P ′P | Q → P ′ | Q(Struct)(Res)P → P ′Q → Q ′ , if P ≡ Q and P′ ≡ Q ′ .Table 10.1 Rules defining the transition relation → ⊆ P × P.P →νa.P →Different from Plotkin’s classical approach where theproof system only relies on the transition relation, Definition10.5 makes use of the chemical abstract machineidea (cf. Section 10.3). All rules except for (Struct) definethe transitions of representative processes. Rule (Struct)

then postulates that a process can do all transitions of therepresentative it is related to by structural congruence.

Chapter 11A Petri Net Translation ofπ-CalculusAbstract From π-Calculus to Petri netsWe develop a translation of π-Calculus processes intoPetri nets. This allows us to reuse the techniques andtools that have been developed for the analysis of Petri

nets for the verification of dynamic networks. The π-Calculus is Turing complete while finite Petri nets arenot. Therefore, the translation yields infinite Petri netsfor some processes. This means we relax the definitionof Petri nets N = (S,T,W,M 0 ) in that S, T , or W may beinfinite sets.For process algebras, the investigation of automatatheoreticmodels has a long standing tradition. The classicquestion was to find representations that reflect theconcurrency of processes. The translation consideredhere exploits the connections induced by restricted names,instead. Rather than understanding a process as a setof programs running concurrently, we understand it asa graph where the references to restricted names connectprocesses. We call this translation a structural semanticsto distinguish it from classical concurrency semantics.The benefit of taking the viewpoint of structureinstead of concurrency are finite net representations forprocesses with unboundedly many restricted names andunbounded parallelism. We outline the intuition behindthe translation.The graph interpretation of a π-Calculus process P ∈P is a hypergraph G (P) that makes the use of active

estricted names explicit. A hypergraph is a graph whereseveral vertices may be connected to a single so-calledhyperedge. The interpretation of a process is obtainedas follows. We draw a vertex labelled by Q for everyprocess Q = M with M ≠ 0 and for every Q = K⌊ã⌋ inP. We then add a hyperedge labelled by a for every activerestricted name νa. An arc is inserted between a vertexQ and an edge a if the name is free in the process, a ∈fn(Q). Due to process creation, process destruction, andname passing this graph structure changes during systemexecution. We illustrate the interpretation on an example.a〈a〉.νb.b(x) + c〈c〉adc(x).K⌊a⌋K⌊d⌋Fig. 11.1 Graph interpretation of a π-Calculus process

Example 11.1. Let P = νa.(a〈a〉.νb.b(x)+c〈c〉 | c(x).K⌊a⌋The graph interpretation G (P) is given in Figure 11.1.Note that the choice a〈a〉.νb.b(x) + c〈c〉 is representedby one vertex which is connected with a, although thealternative c〈c〉 does not contain a as a free name. Furthermore,there is no hyperedge c as the name is free inthe process.In the example, process P is represented by two unconnectedgraphs. This means dynamic networks consistof independent parts that only communicate overpublic channels. The idea of the structural semantics isto represent each such graph by a place in a Petri net.We then obtain the current process by putting tokens onthe places, one for each occurrence of the correspondinggraph. Technically, we do not work with graphs buttransform every process into a normal form.11.1 Restricted FormThe restricted form captures the intuition of unconnectedgraphs discussed above. It serves the definition of the

structural semantics and also helps in the definition ofthe characteristic functions depth and breadth. The ideaof the restricted form is to minimize the scopes of activerestricted names. This results in a process where thetopmost parallel components correspond to the unconnectedgraphs. We call them fragments. The decompositionfunction that we define in Section 11.2 then countshow often a fragment occurs in a process in restrictedform. It acts as a marking in the structural semantics.Definition 11.1 (Fragments and Restricted Form). Fragmentsin the set P fg are defined inductively byF ::= M | K⌊ã⌋ | νa.(F 1 | ... | F n ),where M ≠ 0 and a ∈ fn(F i ) for all 1 ≤ i ≤ n. A processP rf = Π i∈I F i is in restricted form. The set of allprocesses in restricted form is P rf .In case the index set is empty, we define P rf = Π i∈/0 F i tobe 0. This means 0 ∈ P rf . Function fg ( P rf ) determinesthe set of fragments in a process in restricted form.For Π i∈I F i , we often refer (1) to the fragments F i thatcontain some name a and (2) to those that are structurally

congruent with a given fragment F. To determine thesefragments, we define subsets I a and I F of the index set I.Definition 11.2 (I a ,I F ). Consider process Π i∈I F i in P rf .For every name a ∈ N , we define the index set I a ⊆ Iby i ∈ I a if and only if a ∈ fn(F i ). For every fragmentF ∈ P fg , we define I F ⊆ I by i ∈ I F if and only if F ≡ F i .To transform a process into restricted form via structuralcongruence, we employ the recursive function rf : P →P rf . It uses the rule for scope extrusion to shrink thescopes of restrictions and removes parallel compositionsof stop processes 0.Definition 11.3 (rf : P → P rf ). The function rf in Table11.1 computes for any process P ∈ P a process rf (P)in restricted form, i.e., rf (P) ∈ P rf . We call rf (P) the restrictedform of P.The following lemma states that rf (P) is in fact in restrictedform and structurally congruent with P.Lemma 11.1. For process P ∈ P we have rf (P) ∈ P rfand rf (P) ≡ P.The restricted form is only invariant under structuralcongruence up to reordering and rewriting of fragments.

f (M) := M rf (K⌊ã⌋) := K⌊ã⌋⎧0, if rf (P) = 0 = rf (Q)⎪⎨rf (P), if rf (P) ≠ 0 = rf (Q)rf (P | Q) :=rf (Q), if rf (P) = 0 ≠ rf (Q)⎪⎩rf (P) | rf (Q), if rf (P) ≠ 0 ≠ rf (Q)⎧⎪⎨ rf (P),if a /∈ fn(P)rf (νa.P) := νa.rf (P), if a ∈ fn(P) and (1)⎪⎩νa.(Π i∈Ia F i ) | Π i∈I\Ia F i , if a ∈ fn(P) and (2)Table 11.1 Definition of function rf . With rf (P) = Π i∈I≠/0 F i , condition(1) requires that I a = I and (2) states that I a ≠ I.So P ≡ Q does not imply rf (P) = rf (Q) but it impliesrf (P) ≡ rf rf (Q). Relation ≡ rf is defined as follows.Definition 11.4 (Restricted Equivalence). The restrictedequivalence relation ≡ rf ⊆ P rf × P rf is the smallestequivalence on processes in restricted form that satisfiescommutativity and associativity of parallel compositions,

P rf1 | Prf 2 ≡ rf P rf2 | Prf 1P rf1 | (Prf 2 | Prf 3 ) ≡ rf (P rf1 | Prf 2 ) | Prf 3 ,and that replaces fragments by structurally congruentones,F | P rf ≡ rf G | P rf ,where F ≡ G and P rf is optional.We illustrate the indicated relationship between P ≡ Qand rf (P) and rf (Q) on an example.Example 11.2 (Invariance of rf under ≡ up to ≡ rf ). Considerthe processesP = νa.(a〈a〉.νb.b(x) + c〈c〉 | c(x).K⌊a⌋ | νd.K⌊d⌋)≡ νa.(c(x).K⌊a⌋ | a〈a〉.νb.b(x) + c〈c〉 | νd.K⌊d⌋) = Q.We compare the restricted forms:rf (P) = νa.(a〈a〉.νb.b(x) + c〈c〉 | c(x).K⌊a⌋) | νd.K⌊d⌋≡ rf νa.(c(x).K⌊a⌋ | a〈a〉.νb.b(x) + c〈c〉) | νd.K⌊d⌋We have rf (P) ≠ rf (Q) but rf (P) ≡ rf rf (Q).

Proposition 11.1 states invariance of the restricted formup to restricted equivalence, P ≡ Q implies rf (P) ≡ rfrf (Q). Even more, restricted equivalence characterizesstructural congruence, i.e., also rf (P) ≡ rf rf (Q) impliesP ≡ Q.Proposition 11.1 (Characterisation of ≡ with ≡ rf ). ForP,Q ∈ P we have P ≡ Q if and only if rf (P) ≡ rf rf (Q).Proof. To show the implication from right to left weobserve that all rules making up equivalence ≡ rf alsohold for structural congruence. Thus, rf (P) ≡ rf rf (Q)implies rf (P) ≡ rf (Q). Combined with P ≡ rf (p) fromLemma 11.1, we get P ≡ Q by transitivity of structuralcongruence. The reverse direction uses an induction onthe derivations of structural congruence.⊓⊔11.2 Structural SemanticsWe assign to every process P a Petri net N(P) as illustratedin Example 11.4. The places of the net are the frag-

ments of all reachable processes. More precisely, we dealwith classes of fragments under structural congruence.We use two disjoint sets of transitions. Transitions ofthe first kind are pairs ([F],[Q]) of places [F] and processes[Q], with the condition that F → Q. These transitionsreflect communications inside fragments. The secondset of transitions contains pairs ([F 1 | F 2 ],[Q]) where[F 1 ] and [F 2 ] are places and F 1 | F 2 → Q. These transitionsrepresent communications between fragments usingpublic channels.There is an arc from place [G] to transition ([F],[Q])provided G ≡ F. If G is structurally congruent with F 1and F 2 , there is an arc weighted two from place [G] totransition ([F 1 | F 2 ],[Q]). This models a communicationof fragment F 1 with the structurally congruent fragmentF 2 on a public channel. If G is structurally congruentwith F 1 or F 2 , there is an arc weighted one from place [G]to transition ([F 1 | F 2 ],[Q]). In case F 1 ≢ G ≢ F 2 , there isno arc.The number of arcs from ([F],[Q]) to place [G] is determinedby the number of occurrences of G in the decompositionof Q. Similarly, the initial marking of the

net is determined by the decomposition of the initial processP.To capture the notion of process decomposition wedefine function dec(P rf ). It counts how many fragmentsof class [F] are present in P rf . For P rf = F | G | F ′with F ≡ F ′ and F ≢ G we have (dec(P rf ))([F]) = 2,(dec(P rf ))([G]) = 1, and (dec(P rf ))([H]) = 0 with F ≢H ≢ G.Definition 11.5 (dec : P rf → N P fg/ ≡). Consider P rf =Π i∈I F i . We assign to P rf the function dec(P rf ) : P fg / ≡ →N via (dec(P rf ))([F]) := |I F |.The support of dec(P rf ) is always finite. This ensuresprocessΠ [H]∈supp(dec(P rf )) Π (dec(Prf ))([H]) His defined. Intuitively, the term selects a representativefor each fragment and then rearranges the fragments sothat the same representatives lie next to each other.Example 11.3 (Elementary Equivalence). For process P rf =F | G | F ′ we choose F as representative for F ≡ F ′ andlet G ≢ F represent itself. We then have

F | G | F ′ ≡ rf Π 2 F | Π 1 G = Π (dec(Prf ))([F]) F | Π (dec(Prf ))([GThis relationship holds in general.Lemma 11.2 (Elementary Equivalence). For P rf ∈ P rfwe haveP rf ≡ rf Π [H]∈supp(dec(P rf )) Π (dec(Prf ))([H]) H .That dec is invariant under restricted equivalence ensuresthe structural semantics is well-defined. That iteven characterizes restricted equivalence is exploited inthe proof of Theorem 11.1.Lemma 11.3. P rf ≡ rf Q rf if and only if dec(P rf ) = dec(Q rf )We are now prepared to define the structural semantics.Definition 11.6. The structural semantics translates processP into the Petri net N(P) as defined in Table 11.2.We call N(P) the structural semantics of P.Consider fragment F 1 with F 1 → Q. It yields a transition([F 1 ],[Q]). But F 1 | F 2 also leads to Q | F 2 for everyfragment F 2 . Thus, we additionally have transitions([F 1 | F 2 ],[Q | F 2 ]) for every reachable fragment [F 2 ]. The

S := fg(rf (R(P)))/ ≡T := {([F],[Q]) ∈ S × P/ ≡ | F → Q}∪ {([F 1 | F 2 ],[Q]) ∈ P/ ≡ × P/ ≡ | [F 1 ],[F 2 ] ∈ S and F 1 | F 2 →M 0 := dec(rf (P)).Consider place [G] ∈ S and two transitions([F],[Q]),([F 1 | F 2 ],[Q]) ∈ T . The weight function W isdefined as follows:W([G],([F],[Q])) := (dec(F))([G])W([G],([F 1 | F 2 ],[Q])) := (dec(F 1 | F 2 ))([G])W(([F],[Q]),[G]) := (dec(rf (Q)))([G])W(([F 1 | F 2 ],[Q]),[G]) := (dec(rf (Q)))([G]).Table 11.2 Definition of the structural semantics N(P) =(S,T,W,M 0 ) of process P.situation is illustrated in Figure 11.2. The additional transitionsdo not change the transition system and we donot compute them. Excluding them by a side conditionwould complicate the proof of Theorem 11.1.

([F 1 ],[Q]) ([F 1 | F 2 ],[Q | F 2 ])[F 1 ] [F 2 ]Fig. 11.2 Illustration of the transitions ([F 1 ],[Q]) and([F 1 | F 2 ],[Q | F 2 ]). The latter are depicted dotted and can beavoided in the construction.Example 11.4 (Structural Semantics). We illustrate thePetri net translation on an example. ConsiderP = Π 2 a(x).x(y).y(z).a〈d〉 + a〈b〉 | νh.b〈h〉.h〈b〉.(c(x) | c(The semantics N(P) is depicted in Figure 11.3. Thereachable fragments are given by the transition sequence

Π 2 a(x).x(y).y(z).a〈d〉 + a〈b〉 | νh.b〈h〉.h〈b〉.(c(x) | c(x→ b(y).y(z).a〈d〉 | νh.b〈h〉.h〈b〉.(c(x) | c(x))→ νh.(h(z).a〈d〉 | h〈b〉.(c(x) | c(x)))→ a〈d〉 | c(x) | c(x).Since all processes are in restricted form, we can taketheir fragments as the set of places. The transitions are asfollows. Fragment F 1 communicates with a structurallycongruent fragment, t 1 = ([F 1 | F 1 ],[F 2 ]). Fragment F 3passes the restricted name h to F 2 , which results in fragmentF 4 = νh.(h(z).a〈d〉 | h〈b〉.(c(x) | c(x))). Transitiont 2 = ([F 2 | F 3 ],[F 4 ]) models this communication. Itdemonstrates how the scope of restricted names influencesthe Petri net semantics. A pair of processes is representedby a single token on place [F 4 ]. Fragment F 4 letsits two processes communicate on the restricted channelh, which yields Q = a〈d〉 | c(x) | c(x) = F 6 | F 5 | F 5 . Bydefinition, we get the transition t 3 = ([F 4 ],[Q]). The transitionshows how fragments consisting of several processesbreak up when restricted names are forgotten.The definition of the set of transitions does not takethe overall process behaviour into account. The Petri net

t 42[F 1 ][F 6 ]t 1[F 2 ][F 5 ]2t 3[F 4 ]t 2 [F 3 ]F 1 = a(x).x(y).y(z).a〈d〉 + a〈b〉F 3 = νh.b〈h〉.h〈b〉.(c(x) | c(x))F 5 = c(x)F 2 = b(y).y(z).a〈d〉F 4 = νh.(h(z).a〈d〉 | h〈b〉.(c(x) | cF 6 = a〈d〉Fig. 11.3 The structural semantics N(P) of process P in Example11.4. The meaning of transitions is explained in the text.may contain transitions that are never enabled. Transitiont 4 illustrates this fact. The fragments F 1 and F 6communicate to G = d(y).y(z).a〈d〉. This results in t 4 =([F 1 | F 6 ],[G]). The transition is never executed since thereaction is not possible in P. Since G is no reachable

fragment, (dec(G))([F]) = 0 for all places [F], so transitiont 4 has no places in its postset.The example suggests the following rules of thumb forthe structural semantics.Remark 11.1. Passing restricted names merges fragments.If fragment F passes a restricted name νa to fragmentG, this may result in a new fragment νa.(F ′ | G ′ ) andwe have a transition from the places [F] and [G] to place[νa.(F ′ | G ′ )]. Transition t 2 in Example 11.4 illustratesthe behaviour.Forgetting restricted names splits fragments. If fragmentF forgets the restricted name a when it evolves toF ′ , fragment νa.(F | G) reacts to F ′ | νa.G. This resultsin a transition with [νa.(F | G)] in its preset and [F ′ ] and[νa.G] in its postset. Transition t 3 in Example 11.4 servesas an example.To ensure that our semantics is a suitable representationof π-Calculus processes, we show that we can retrieve allinformation about a process and its transitions from thesemantics. To relate a marking in the Petri net N(P) anda process, we define the function retrieve : R(N(P)) →

P/ ≡ . It constructs a process from a marking by composing(1) the fragments that are marked in parallel (2) asoften as required by the marking. This mimics the constructionin the elementary equivalence.Definition 11.7. Given a process P ∈ P, the functionretrieve : R(N(P)) → P/ ≡ associates with every markingreachable in the structural semantics, M ∈ R(N(P)),a process class [Q] ∈ P/ ≡ as follows:retrieve(M) := [Π [H]∈supp(M) Π M([H]) H].The support of M has to be finite to ensure retrieve(M)is a process. This holds since every transition has a finitepostset and the initial marking is finite.The transition systems of P and N(P) are isomorphic.Furthermore, the states in both transition systems correspondusing the retrieve function. This relationship isillustrated in Figure 11.4.Theorem 11.1. The transition systems of P ∈ P and itsstructural semantics N(P) are isomorphic. The isomorphismiso : R(P)/ ≡ → R(N(P)) maps [Q] to dec(rf (Q)).A process is reconstructed from a marking by retrieve(iso([Q[Q].

iso[F 1 | F 1 | F 3 ] (2 0 1 0 0 0)[F 2 | F 3 ] (0 1 1 0 0 0)[F 4 ] (0 0 0 1 0 0)[F 5 | F 5 | F 6 ] (0 0 0 0 2 1)Fig. 11.4 Illustration of the transition system isomorphism in Theorem11.1 on process P from Example 11.4. The transition systemT (P) is depicted to the left, T (N(P)) is depicted to the right. Theisomorphism iso : R(P)/ ≡ → R(N(P)) is represented by dotted arrows.To prove the theorem one shows that retrieve is the inverseof iso and that iso is an isomorphism between thetransition systems, i.e., iso maps the initial process tothe initial marking, iso is bijective, and iso is a stronggraph homomorphism. A strong graph homomorphismrequires that [P 1 ] → [P 2 ] in the transition system of P if

and only if iso([P 1 ]) → iso([P 2 ]) in the transition systemof N(P).The definition of the structural semantics is declarativeas it refers to the set of all reachable fragments andadds transitions where appropriate. In the following section,we comment on the implementation.

Chapter 12Structural StationarityAbstract Finiteness of N(P)We proposed a Petri net semantics of π-Calculus thathighlights the connection structure of processes. Sincethe π-Calculus is Turing complete but finite Petri netsare not, such a semantics has to yield infinite nets forsome processes. The goal of this section is to understandthe sources of infinity for the structural semantics. Our

interest in finiteness is based on the observation that allautomated verification methods for Petri nets rely on thisconstraint. Ultimately this research will lead us to theborderline of decidability for dynamic networks.For simplicity, call a process P ∈ P structurally stationaryif its Petri net N(P) is finite. We obtain two alternativecharacterizations of structural stationarity that referto the parallel composition and to the restriction operator,respectively. The first characterization eases theproof of structural stationarity. The second one revealsthat infinity of the semantics has two sources: unboundedbreadth and unbounded depth. Unbounded breadth iscaused by unbounded distribution of restricted names.Unbounded depth is caused by unboundedly long chainsof processes connected by restricted names. In particular,unbounded name and unbounded process creation do notnecessarily imply infinite automata-theoretic representations.

12.1 Structural Stationarity and FinitenessIntuitively, a process is structurally stationary if there isa finite number of fragments in the system. Technically,there is a finite set of fragments so that the restricted formof all reachable processes is a parallel composition ofthose fragments.Definition 12.1. Process P ∈ P is structurally stationaryif∃{F 1 ,...,F n } ⊆ P fg : ∀Q ∈ R(P) : ∀F ∈ fg(rf (Q)) : ∃i ∈ [1The set of all structurally stationary processes is P fg

To prove structural stationarity is not easy. The difficultpart is to come up with a suitable set of fragments{F 1 ,...,F n }. The characterization in Section 12.3 reducesthis task to finding a bound on the number ofsequential processes in every reachable fragment. Toestablish completeness of this characterization, i.e., toshow structural stationarity from boundedness, we infact have to construct a finite set of fragments. The benefitis that we do this construction once when provingTheorem 12.1. When the characterization has been established,we simply apply it whenever we show structuralstationarity. The construction relies on the notion ofderivatives.12.2 DerivativesThe derivatives of a process P can be understood as a finiteskeleton for all reachable processes. More formally,we show that all reachable processes are created fromderivatives via parallel composition, restriction, and sub-

stitution. The corresponding Proposition 12.1 is crucialin the proof of Theorem 12.1.The derivatives are constructed by recursively removingall prefixes from P as if they were consumed in communications.If a process identifier K is called, directlyin P or indirectly in one of its defining equations, we alsoadd the derivatives of the process defining K.Definition 12.2. We rely on the auxiliary function der :P → P(P) defined byder(0) := /0der(π.P + M) := {π.P + M} ∪ der(P) ∪ der(M)der(νa.P) := der(P).der(K⌊ãder(P | QThe set of derivatives of P ∈ P, denoted by derivatives(P),is the smallest set so that (1) der(P) ⊆ derivatives(P)and (2) if K⌊ã⌋ ∈ derivatives(P) and K( ˜x) := Q then alsoder(Q) ⊆ derivatives(P).There are two differences between the derivatives andthe processes obtained by transitions. Names y that arereplaced by received names when an action b(y) is consumedremain unchanged in the derivatives. Parameters

˜x that are instantiated to ã in a call K⌊ã⌋ are not replacedin the derivatives. Both shortcomings are corrected bysubstitutions applied to the free names in the derivatives.Proposition 12.1 shows that this yields all reachable processes.Proposition 12.1. Every process Q ∈ R(P) and everyfragment F ∈ fg(rf (Q)) is structurally congruent to aprocess νã. ( Π i∈I Q i σ i)where Qi ∈ derivatives(P) andσ i : fn(Q i ) → fn(P) ∪ ã.The following example provides some intuition to thistechnical statement.Example 12.1. Consider P = νb.a〈b〉.b(x) | a(y).K⌊a,y⌋with K(a,y) := y〈a〉. The only transition sequence isνb.a〈b〉.b(x) | a(y).K⌊a,y⌋ → νb.(b(x) | K⌊a,b⌋) → νb.(bWe compute the set of derivatives:derivatives(P) = {a〈b〉.b(x),b(x),a(y).K⌊a,y⌋,K⌊a,y⌋,y〈aThe following congruences show that every reachablefragment can be constructed from the derivatives as statedin Proposition 12.1:

νb.a〈b〉.b(x) ≡ νb.((a〈b〉.b(x)){a,b/a,b})a(y).K⌊a,y⌋ ≡ (a(y).K⌊a,y⌋){a/a}νb.(b(x) | K⌊a,b⌋) ≡ νb.(b(x){b/b} | K⌊a,y⌋{a,b/a,y})νb.(b(x) | b〈a〉) ≡ νb.(b(x){b/b} | y〈a〉{b,a/y,a}).In the proof of Theorem 12.1, finiteness of the set ofderivatives is important.Lemma 12.2. The set derivatives(P) is finite for all P ∈P.12.3 First Characterization of StructuralStationarityWe characterize structural stationarity as mentioned above:structural stationarity is equivalent to boundedness of allreachable fragments in the number of sequential processes.The number of sequential processes in P ∈ Pis ||P|| S ∈ N defined by ||0|| S := 0 and (with M ≠ 0):

||M|| S := 1 ||P | Q|| S := ||P|| S + ||Q|| S||K⌊ã⌋|| S := 1 ||νa.P|| S := ||P|| S .The function is invariant under structural congruence:P ≡ Q implies ||P|| S = ||Q|| S . Bounding this numbermeans we actually restrict the use of parallel composition.In Section 12.4, we establish a second characterizationof structural stationarity, which restricts the useof operator ν instead. While the present characterizationprovides a handle to proving structural stationarity, thesecond characterization explains which processes fail tobe structurally stationary.Definition 12.3. A process P ∈ P is bounded in the sequentialprocesses if there is a bound on the number ofsequential processes in all reachable fragments:∃k S ∈ N : ∀Q ∈ R(P) : ∀F ∈ fg(rf (Q)) : ||F|| S ≤ k S .The set of all processes that are bounded in the sequentialprocesses is P S

Proof. ⇒ If P ∈ P fg

FG i := { rf (νũ i .(Π i j=1 Q jσ j )) | Q j ∈ derivatives(P), σ jand rf (νũ i .(Π i j=1 Q jσ j ))We first show that FG i is finite for every i ∈ N. The Q jare derivatives of P. This set is finite by Lemma 12.2.The same finiteness means that the maximum maxFN :=max{|fn(Q)| | Q ∈ derivatives(P)} exists. A parallelcomposition of i derivatives thus restricts at most i ·maxFN names. Hence, the names ũ i := u 1 ,...,u i·maxFNare sufficient to reflect all restrictions. There are finitelymany substitutions σ j : fn(Q j ) → fn(P) ∪ ũ i between thefinite sets fn(Q j ) and fn(P)∪ũ i . This concludes the proofof finiteness for FG i . Finiteness of FG follows immediately.It remains to show that up to structural congruence everyreachable fragment F is included in FG. With Proposition12.1, F is structurally congruent with a fragmentrf (νũ |I| .(Π i∈I Q i σ i )) in FG |I| . The inclusion FG |I| ⊆ FGthen follows from|I| = ||νũ |I| .(Π i∈I Q i σ i )|| S = ||F|| S ≤ k S .

The second equality is due to the invariance of ||−|| S understructural congruence. The inequality is the boundednessassumption.⊓⊔We explain the construction of FG on an example.Example 12.2 (FG). Reconsider P = νb.a〈b〉.b(x) | a(y).K⌊from Example 12.1 with K(a,y) := y〈a〉 . The numberof sequential processes in all reachable fragments isbounded by k S = 2. The set FG is therefore defined asFG = FG 1 ∪ FG 2 . The maximal number of free namesin derivatives is maxFN = 2. Thus, FG 1 and FG 2 containfragmentsrf (νu 1 ,u 2 .(Qσ)) and rf (νu 1 ,...,u 4 .(Q 1 σ 1 | Q 2 σ 2 )),where Q ∈ derivatives(P) with σ : fn(Q) → {u 1 ,u 2 ,a}and Q j ∈ derivatives(P) with σ j : fn(Q j ) → {u 1 ,...,u 4 ,a},for j = 1,2. As an example, consider process Q = a〈b〉.b(x)derivatives(P). Applying the substitutions σ : {a,b} →{u 1 ,u 2 ,a} yields amongst othersνu 1 .((a〈b〉.b(x)){a,u 1 /a,b}) = νu 1 .a〈u 1 〉.u 1 (x) ∈ FG 1 .

The process is structurally congruent with the reachablefragment νb.a〈b〉.b(x).Several known subclasses of π-Calculus are immediatelyshown to be structurally stationary with Theorem 12.1Furthermore, the proof of Theorem 12.2 underlines itsimportance.12.4 Second Characterization of StructuralStationarityThe characterization of structural stationarity we developin this section refers to the restriction operator. Weobserve that a bounded number of restricted names doesnot imply structural stationarity. In fact, a process withonly one restricted name may not be structurally stationary.Consider νa.K⌊a⌋ with K(x) := x〈x〉 | K⌊x⌋. It generatesprocesses sending on the restricted channel a. Thetransition sequenceνa.K⌊a⌋ → νa.(a〈a〉 | K⌊a⌋) → νa.(a〈a〉 | a〈a〉 | K⌊a⌋) →

forms infinitely many fragments that are pairwise notstructurally congruent. In the graph interpretation in Figure12.1 there is no bound on the number of vertices connectedwith the hyperedge of name a, i.e., the degree ofthis edge is not bounded.The degree of a hyperedge is the number of processesthat share the name. To imitate this value at processlevel, we define ||F|| | the maximal number of fragmentsunder a restriction. For example ||νa.K⌊a⌋|| | = 1 and||νa.(a〈a〉 | K⌊a⌋)|| | = 2. To reflect the maximum of theedge degrees, we search for the widest representation F Bof a fragment F. Widest means that ||F B || | is maximal inthe congruence class.K⌊ã⌋ a → K⌊ã⌋ a→ K⌊ã⌋ aa〈a〉a〈aFig. 12.1 Transition sequence illustrating unbounded breadth

Definition 12.4. The maximal number of fragments undera restriction is defined inductively by ||M|| | := 1,||K⌊ã⌋|| | := 1, and||νa.(F 1 | ... | F n )|| | := max{n,||F 1 || | ,...,||F n || | }.The breadth of fragment F is ||F|| B := max{||G|| | | G ≡F}. Process P ∈ P is bounded in breadth, denoted byP ∈ P B

After n ∈ N transitions we have the following fragmentF D ≡ F B :F D = νa.(Π ni=1 νa i.(a〈a i 〉 | a〈a i 〉) | L⌊a⌋)F B = νa 1 .(...(νa n .(νa.(Π ni=1 (a〈a i〉 | a〈a i 〉) | L⌊a⌋)))...)We have ||F D || | = n + 1 and ||F B || | = 2n + 1. In F B thenumber of fragments under a restriction is maximal inthe congruence class of F D ≡ F B . So after n transitionswe have ||F D || B = ||F B || B = ||F B || | = 2n + 1. There isno bound on the breadth of the reachable fragments,νa.L⌊a⌋ /∈ P B

fragments that are pairwise not structurally congruentbut have breadth two:νa.K⌊a⌋ → νa.(νb.(b〈a〉 | K⌊b⌋)) → νa.(νb.(b〈a〉 | νc.(cIn the graphs in Figure 12.2, the length of the simplepaths is not bounded. Recall that a path is simple if itdoes not repeat hyperedges. At process level, we mimicthis length by the nesting of restrictions ||F|| ν . In the example,||νa.K⌊a⌋|| ν = 1 and ||νa.(νb.(b〈a〉 | K⌊b⌋))|| ν =2. To ensure the restrictions contribute to a simple path,we consider the flattest representation F D of F where||F D || ν is minimal.Definition 12.5. The nesting of restrictions ||F|| ν is definedby ||M|| ν := 0 where M ≠ 0, ||K⌊ã⌋|| ν := 0, and||νa.(F 1 | ... | F n )|| ν := 1 + max{||F 1 || ν ,...,||F n || ν }.With this auxiliary function, the depth of F is ||F|| D :=min{||G|| ν | G ≡ F}. Process P ∈ P is bounded indepth, P ∈ P D

Also the depth of fragments is invariant under structuralcongruence, ||F|| D = ||G|| D for fragments F ≡ G. Wecontinue with process νa.L⌊a⌋ from Example 12.3.Example 12.4 (Depth). After n ∈ N transitions we haveF D ≡ F B :F D = νa.(Π ni=1 νa i.(a〈a i 〉 | a〈a i 〉) | L⌊a⌋)F B = νa 1 .(...(νa n .(νa.(Π ni=1 (a〈a i〉 | a〈a i 〉) | L⌊a⌋)))...).We have ||F D || ν = 2 and ||F B || ν = n+1.The nesting in F Dis minimal in the class. Thus, ||F B || D = ||F D || D = ||F D || ν =2. So the depth of all fragments reachable from νa.L⌊a⌋is bounded by two, νa.L⌊a⌋ ∈ P D

||F|| S = 1 = 1 0 = ||F|| ||F|| ν|.For the induction step, assume ||F i || S ≤ ||F i || ||F i|| ν|for all F iwith 1 ≤ i ≤ n. We then have for F = νa.(F 1 | ... | F n ):||F|| S{ Def. ||F|| S } = Σ n i=1 ||F i|| S{ Hypothesis } ≤ Σ n i=1 ||F i|| ||F i|| ν|{ Def. max } ≤ Σ n i=1 max{||F i|| | | 1 ≤ i ≤ n} max{||F i|| ν | 1≤Abbreviate max | := max{||F i || | | 1 ≤ i ≤ n} and max ν :=max{||F i || ν | 1 ≤ i ≤ n}. With this, the above term equalsn · max max ν|{ Def. max } ≤ max{n,max | } · max{n,max | } max= max{n,max | } 1+max ν{ Def. ||F|| ν and ||F|| | } = ||F|| ||F|| ν|.⊓⊔

Together, boundedness in breadth and in depth yieldstructural stationarity — the main result in this section.While the previous proof of structural stationarity fromboundedness in the sequential processes was direct andcumbersome, Theorem 12.1 now yields an elegant proofof Theorem 12.2: a process is structurally stationary ifand only if it is bounded in breadth and bounded indepth.Theorem 12.2. P fg

||F D || ν = min{||G|| ν | G ≡ F} = ||F|| D . We now have||F|| S{ || − || S invariant under ≡ } = ||F D || S{ Lemma 12.3 } ≤ ||F D || ||F D|| ν|{ ||F D || | ≤ max{||G|| | | G ≡ F} = ||F|| B } ≤ ||F|| ||F D|| νB{ Observation ||F D || ν = ||F|| D } = ||F|| ||F|| DB{ k B and k D bounds on breadth and depth } ≤ k k DB.This proves P is bounded in the number of sequentialprocesses. With Theorem 12.1, P is structurally stationary.⊓⊔Theorem 12.2 helps disproving structural stationarity. Aprocess is not structurally stationary if and only if it isnot bounded in breadth or not bounded in depth. Thus,there are two sources of infinity for the structural semantics.For processes of bounded depth but unbounded breadth,termination can be shown to be decidable by an instantiationof the WSTS framework. Processes of boundedbreadth but unbounded depth are Turing complete. This

follows from an encoding of counter machines that wepresent in the following chapter.

Chapter 13Undecidability ResultsAbstract Undecidability results for π-CalculusThere are several machine models with the ability toperform arithmetic operations on data variables, whichare known to be Turing complete. For the undecidabil-

ity proofs in this chapter, we use a model introduced byMinsky. Although Minsky called his formalism a programmachine that operates on registers, the model isnowadays well-known under the name of (2-)countermachines acting on counter variables. We exploit Turingcompleteness of counter machines to show Turing completenessfor processes of bounded breadth. As a consequence,we obtain undecidability of structural stationarity,boundedness in depth, and boundedness in breadth.We then change the encoding to establish undecidabilityof reachability for processes of depth one.13.1 Counter MachinesA counter machine has two counters c 1 and c 2 that storearbitrarily large natural numbers and a finite sequence oflabelled instructions l : op. There are two kinds of operationsop. The first increments a counter, say c 1 , by oneand then jumps to the instruction labelled by l ′ :c 1 := c 1 + 1 goto l ′ (13.1)

The second operation has the formif c 1 = 0 then goto l ′ ; else c 1 := c 1 − 1; goto l ′′ (13.2) ;It checks counter c 1 for being zero and—if this is thecase—jumps to the instruction labelled by l ′ . If the valueof c 1 is positive, the counter is decremented by one andthe machine jumps to l ′′ .Definition 13.1. A counter machine is a triple CM =(c 1 ,c 2 ,instr) where c 1 ,c 2 are counters and instr = l 0 :op 0 ;...,l n : op n ;l n+1 : halt is a finite sequence of thelabelled instructions defined above. The sequence endswith operation halt to terminate the execution.To define the operational semantics of a counter machineCM, we define the notion of a configuration. Aconfiguration of CM is a triple cf = (v 1 ,v 2 ,l), wherev i ∈ N is the current value of counter c i with i = 1,2 andl ∈ {l 0 ,...,l n+1 } is the label of the operation to be executednext. A run of CM is a finite or infinite sequenceof configurationscf 0 → cf 1 → cf 2 → ...

subject to the following constraints. Initially, the countervalues are zero and l 0 is the next instruction to be executed,cf 0 = (0,0,l 0 ). For every transition cf i → cf i+1with cf i = (v 1 ,v 2 ,l) the values of the counters and theinstruction are changed according to the current operationop with l : op. In case op is an increment operationfor the first counter as defined in (13.1), we have cf i+1 =(v 1 + 1,v 2 ,l ′ ). This means value v 1 is incremented, v 2 isnot changed, and the current label is changed to l ′ . Thedecrement operation on c 1 in (13.2) depends on whetherv 1 = 0 holds. In this case, we jump to l ′ without modifyingthe counter values, cf i+1 = (v 1 ,v 2 ,l ′ ). If the contentof c 1 is positive, we decrement it and jump to l ′′ , whichyields cf i+1 = (v 1 − 1,v 2 ,l ′′ ). Action halt does not yielda transition.We say CM terminates if all its runs are finite. A configurationcf = (v 1 ,v 2 ,l) is reachable in CM if there is arun cf 0 → ... → cf k = cf for some k ∈ N. Since countermachines are Turing complete, termination and reachabilityare undecidable.Theorem 13.1 (Minsky 1967). Counter machines areTuring complete. Hence, for a counter machine CM it is

undecidable whether (1) CM terminates and (2) whethera given configuration cf is reachable in CM.13.2 From Counter Machines to BoundedBreadthThe idea is to encode counters by lists. To fix the terminology,a list consists of list elements, namely several listitems and one list end. The number of list items representsthe value of the counter. Every list item and the listend has three channels to communicate on—reflectingthe three operations on counters. Channel i is used forincrement operations. Thus, a communication on i appendsa list item to the list. Communications on channeld decrement the counter value. A message on t is a testfor zero. We first explain the behaviour of a list item. Tokeep the definition short, we abbreviate i,d,t by ˜c. Similarly,the channels i ′ ,d ′ ,t ′ of the following list elementare abbreviated by ˜c ′ . Since we are only interested in thechannels, we omit parameters x in send and receive actionsi〈x〉 and i(x):

LI( ˜c, ˜c ′ ) := i.i ′ .LI⌊ ˜c, ˜c ′ ⌋ + d. ( d ′ .LI⌊ ˜c, ˜c ′ ⌋ +t ′ .LE⌊ ˜c⌋ ) .An increment operation received on channel i is passedto the following list element with the send action i ′ . Asa list item stands for a positive counter value, the test forzero fails. A list item does not communicate on channelt. If a list item receives a decrement, it contacts the followinglist element. Since it is unknown whether this isa list item LI or a list end LE, the current list item triesto communicate on both channels d ′ and t ′ . If the nextelement is a list item, it answers the decrement call. Alist end receives the t ′ message and, as a reaction, terminates.Now the current list item is the last element andtherefore calls the defining equation LE⌊ ˜c⌋.A list end answers a test for zero and terminates. As itrepresents value zero, it does not listen on the decrementchannel. If the list end receives an increment, it createsnew control channels ˜c ′ = i ′ ,d ′ ,t ′ and a new list end processLE⌊ ˜c ′ ⌋. The former list end becomes a list item bycalling the defining equation LI⌊ ˜c, ˜c ′ ⌋:LE( ˜c) := t + i.ν ˜c ′ .(LI⌊ ˜c, ˜c ′ ⌋ | LE⌊ ˜c ′ ⌋).

Every instruction l : op of the counter machine translatesinto a process identifier K l whose defining processis determined by the operation op. For the increment operation(13.1) on counter c 1 , we getK l ( ˜c 1 , ˜c 2 ) := i 1 .K l ′⌊ ˜c 1 , ˜c 2 ⌋.The parameters ˜c 1 = i 1 ,d 1 ,t 1 and ˜c 2 = i 2 ,d 2 ,t 2 are thecontrol channels of the lists that represent the countersc 1 and c 2 , respectively.The encoding of the decrement operation in (13.2)contains a subtlety. If the test for zero is successful, wedelete the list end of counter c 1 and have to create a newone. This yieldsK l ( ˜c 1 , ˜c 2 ) := t 1 .ν ˜c ′ 1. ( K l ′⌊ ˜c ′ 1, ˜c 2 ⌋ | LE⌊ ˜c ′ 1⌋ ) + d 1 .K l ′′⌊ ˜c 1 , ˜c 2 ⌋.The instruction l : halt is translated into K l ( ˜c 1 , ˜c 2 ) :=halt. The send action will be helpful later to prove undecidabilityof boundedness in breadth.To sum up, the counter machine CM is translated intothe processP(CM) := ν ˜c 1 .ν ˜c 2 .(LE⌊ ˜c 1 ⌋ | LE⌊ ˜c 2 ⌋ | K l0 ⌊ ˜c 1 , ˜c 2 ⌋)

Example 13.1. Configuration (2,0,l) of a counter machineis represented byν ˜c 1 . [ ν ˜c ′ 1. ( LI⌊ ˜c 1 , ˜c ′ 1⌋ | ν ˜c ′′1.(LI⌊ ˜c ′ 1, ˜c ′′1⌋ | LE⌊ ˜c ′′1⌋) ) | ν ˜c 2 . ( LEThere are two list items in the list for c 1 to representcounter value two. Similarly, the list of counter c 2 consistsof a single list end. The label of the current instructioncan be deduced from the process identifier K l .Example 13.1 suggests a tight relationship between theconfigurations reachable in a counter machine CM andthe processes reachable in its encoding P(CM). We shallonly need that the encoding preserves termination.Proposition 13.1. CM terminates if and only if P(CM)terminates.The process representation of a counter machine is boundedin breadth by two. We exploit this observation in the followingsection to establish undecidability of boundednessin depth and breadth.Lemma 13.1. For every counter machine CM we haveP(CM) ∈ P B

With proper synchronization mechanisms, the constructioncan be modified so that the steps of the counter machinecoincide with step sequences of the correspondingprocess.Remark 13.1. Processes of bounded breadth P B

input :CM a counter machinebegincompute P(CM)if ¬isStructurallyStationary(P(CM)) thenreturn CM does not terminateelsecompute N(P(CM))return terminates(N(P(CM)))endFig. 13.1 Proof of undecidability of structural stationarity. Theprocedure checks whether a counter machine terminates, assumingisStructurallyStationary(−) decides structural stationarity forP B

pute the process P(CM) ∈ P B

Corollary 13.1 (Undecidability of Boundedness in DepthConsider P ∈ P B

with K B=∞ (a) := a〈a〉 | K B=∞ ⌊a⌋. The counter machineterminates if and only if it reaches its halt operation.This is the case if and only if process P(CM) sendshalt. Since P(CM) is bounded in breadth, reachabilityof halt is equivalent to unboundedness in breadth forP(CM) | halt.νa.K B=∞ ⌊a⌋.⊓⊔13.4 Undecidability of Reachability inDepth 1To establish undecidability of reachability for processesof depth one, we reduce the corresponding problem forcounter machines. Since the resulting processes have tobe bounded in depth, we can no longer represent countervalues by lists. Instead, we use a different encoding thatreflects counter values by parallel composition. For example,c 1 = 3 yields a | a | a.The problem with this representation is that parallelcompositions, very similar to Petri nets, cannot faithfullymodel a test for zero:

l : if c 1 = 0 then goto l ′ ; else c 1 := c 1 − 1 goto l ′′ ;To overcome this problem, we use the following trick.We implement a test for zero by a nondeterministicchoice between a decrement and a test operation. Ifthe test was done incorrectly (we branch to l ′ althoughc 1 > 0), we reach an error process. From an error processwe can never get back to a counter machine configuration.Technically, an error process leaves garbageνa.(a | a | a) that cannot be removed. We turn to the construction.We attach the processes a to a so-called process bunchPB⌊a,i c1 ,d c1 ,t c1 ⌋. To set up this link, we simply restrictthe name a. For counter value c 1 = 3, this givesνa.(PB⌊a,i c1 ,d c1 ,t c1 ⌋ | a | a | a).Due to the restriction, the process bunch PB⌊a,i c1 ,d c1 ,t c1 ⌋has exclusive access to its processes a. It offers three operationsto modify their numbers: i c1 , d c1 , and t c1 . Communicationson i c1 stand for increment and create a newprocess a. Similarly, a message on d c1 decrements theprocess number by consuming a process a. A test for

zero on t c1 creates a new and empty process bunch forcounter c 1 . The old process bunch terminates. A termνa.(a | a | a) without process bunch is the garbage thatwas mentioned above. The names i c1 , d c1 , and t c1 arefree. Their index c 1 indicates that the process bunchmodels counter c 1 . We abbreviate the parameter list by˜c x = i cx ,d cx ,t cx for x ∈ {1,2} and definePB(a, ˜c x ) := i x .(PB⌊a, ˜c x ⌋ | a) + d x .a.PB⌊a, ˜c x ⌋ + t x .νbThe computational strength in this construction is in theprocess bunch deletion. This changes the linkage of anarbitrary number of processes a with a single transition.The translation of the labelled instructions is similarto the one in Section 13.2. An increment operation l :c 1 := c 1 + 1 goto l ′ yields a process identifierK l (˜c 1 , ˜c 2 ) := i c1 .K l ′⌊˜c 1 , ˜c 2 ⌋.The test for zero discussed above yields a nondeterministicchoiceK l (˜c 1 , ˜c 2 ) := t c1 .K l ′⌊˜c 1 , ˜c 2 ⌋ + d c1 .K l ′′⌊˜c 1 , ˜c 2 ⌋.

A process bunch may accept a decrement although itis empty. In this case, the system deadlocks and reachabilityis preserved. A halt l : halt translates intoK l (˜c 1 , ˜c 2 ) := halt. The full translation of counter machineCM is the processP 1 (CM) := νa.PB⌊a, ˜c 1 ⌋ | νb.PB⌊b, ˜c 2 ⌋ | K l0 ⌊˜c 1 ,(13.3)˜c 2 ⌋.Example 13.2. Consider counter machine CM = (c 1 ,c 2 ,instwithinstr :l 0 : c 1 := c 1 + 1 goto l 1 ;l 1 : if c 1 = 0 then goto l 1 ; else c 1 := c 1 − 1 goto l 2 ;l 2 : halt.The machine sets c 1 to one, the following check for zerofails, c 1 is decremented, and the machine stops. The associatedprocess P 1 (CM) has the form in (13.3) with thefollowing defining equations:

K l0 (˜c 1 , ˜c 2 ) := i c1 .K l1 ⌊˜c 1 , ˜c 2 ⌋K l1 (˜c 1 , ˜c 2 ) := t c1 .K l1 ⌊˜c 1 , ˜c 2 ⌋ + d c1 .K l2 ⌊˜c 1 , ˜c 2 ⌋K l2 (˜c 1 , ˜c 2 ) := halt.The reachable states of CM can be computed from thereachable processes of P 1 (CM). More precisely, the countermachine CM reaches the state (v 1 ,v 2 ,l) if and only if itsencoding reaches the processνa.(PB⌊a, ˜c 1 ⌋ | Π v 1a) | νb.(PB⌊b, ˜c 2 ⌋ | Π v 2b) | K l ⌊˜c 1 , ˜c 2Combined with the observation that P 1 (CM) is alwaysbounded in depth by one, we arrive at the desired undecidability.Theorem 13.2. Consider two processes P,Q ∈ P D

gives a counter machine CM that terminates but whoseprocess representation P 1 (CM) has an infinite run.Since reachability is decidable for Petri nets, we concludethat there is no reachability-preserving translationinto Petri nets for any class of processes that subsumesthose of depth one.