
Introduction

Transition systems
Petri nets
Linear time properties

Modeling and Verification of Concurrent Systems: the model-checking approach

Claude JARD

University of Nantes

Course 1 – November 2019

Claude JARD, Modeling and Verification of Concurrent Systems: the model-checking approach



Why verification?

Software engineering must be a science
Science requires models
Verification of models must be performed at different abstraction levels
Programming is error-prone, especially in concurrent environments


Milestones in formal verification - Turing awards

Mathematical approach towards program correctness [Turing, 1949]
Syntax-based technique for sequential programs [Hoare, 1969]
Syntax-based technique for concurrent programs [Pnueli, 1977]
Automated verification of concurrent programs [Emerson, Clarke & Sifakis, 1981]


Model checking overview

[Figure: model checking overview. Requirements are formalized into a property specification; the system is modeled into a system model. Model checking the two gives one of three outcomes: the property is satisfied, a counterexample is produced (the error is located by simulation of the counterexample), or the check runs out of resources.]

Compared with testing: model checking is not biased towards the most probable scenarios


Transition systems

Formal model to capture the system dynamics (“behaviours”)
State: current values of the model variables
States can be labeled by a set of (atomic) propositions
Transition: state change
Low-level, but directly deduced from the operational semantics of any formal language


Formal definition

A transition system TS is a tuple (S, A, →, I, P, L) where
S is a set of states
A is a set of actions
→ ⊆ S × A × S is a transition relation
I ⊆ S is the set of initial states
P is a set of propositions
L : S → 2^P is the labeling function of states
Notation: s →α s′ (α written on the arrow) instead of (s, α, s′) ∈ →
TS can be displayed as labeled graphs. Behaviours (or traces) can be defined as initial paths in the graph.


Example 1: the sender part of a simple connection protocol

[Figure: labeled graph of the sender, with two states (0 and 1) and transitions labeled !req, ?disc2 and !disc1]


Traces

Succession of states and transitions
Take care of non-determinism

[Figure: two transition systems with the same set of traces but different branching: on the left, one a-transition followed by a choice between b and c; on the right, two a-transitions, one followed by b and the other by c. Are they equal (≠?)]


Example 2: the receiver part of a simple connection protocol

[Figure: labeled graph of the receiver, with two states (0 and 1) and transitions labeled ?req, !disc2 and ?disc1]


Composition of TS

How to compose concurrent transition systems?

[Figure: the sender (transitions !req, ?disc2, !disc1) and the receiver (transitions ?req, !disc2, ?disc1) side by side, each with states 0 and 1, and a question mark between them]

The answer of Petri nets...


Definition of PT-nets

A (place/transition) Petri net is a tuple (P, T, W) where:
P is a finite set of places,
T is a finite set of transitions, with P ∩ T = ∅,
W : (P × T) ∪ (T × P) → {0, 1} is the transition relation.
W defines a bipartite oriented graph such that W(x, y) = 1 iff there exists an edge from x to y.
Notation: ∀x ∈ P ∪ T, •x = {y ∈ P ∪ T | W(y, x) = 1} and x• = {y ∈ P ∪ T | W(x, y) = 1}.


Marking (states)

Marking m : P → ℕ. For all p ∈ P, m(p) is the number of tokens in place p.
We consider marked nets (N, m) where N is a PT-net and m a marking of N (the initial marking).
A transition t ∈ T is “enabled” by a marking m if •t ≤ m (•t read as a marking with one token in each input place, compared with m place by place).
en(m) is the set of transitions enabled by m.


Operational semantics

A net can be simulated from the initial marking m by the following algorithm:
1. Compute en(m),
2. Select a t ∈ en(m),
3. Replace m by (m − •t) + t•.


Exercise 1: model a FIFO queue

1. One type of message, one cell,
2. Two types of message, one cell,
3. Two types of message, two cells.


Exercise 2

1. Install the Romeo tool on your machines (http://romeo.rts-software.org/)
2. Build the net for the sender/receiver protocol using a one-cell FIFO queue for each direction
3. Make simulations


Transition systems of PNs: marking graphs

Principle: exhaustive computation of the state space G by the following recursive algorithm, called with the initial marking (put in S and G):

MG(M) =
  for all transitions t ∈ en(M) do
    if M →t M′ then
      if M′ ∉ S then
        S := S ∪ {M′}
        put M′ in G
        put the edge (M, M′) in G
        call MG(M′)


Exercise 3 : marking graph

1. Build (by hand) the marking graph of the protocol of exercise 2
2. Are there deadlocks?
3. What are the infinite behaviors?


Termination of the construction?

Termination (boundedness of the marking graph) is decidable for this class of PNs
G is infinite iff there exist M, M′ reachable from the initial marking such that M′ is reachable from M and M′ > M
Proof based on the monotonicity of the operational semantics and the fact that the natural order on vectors of integers is well-founded
Notion of covering to handle infinite marking graphs
It is undecidable for more general models
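The operational semantics (compute en(m), select t, replace m by (m − •t) + t•), the exhaustive marking-graph construction, the deadlock question of exercise 3 and the unboundedness condition above, carried through in one added Python example. This is not code from the course or from the Romeo tool; the nets PROTOCOL, LOSSY and GENERATOR and the place names s0, s1, r0, r1, req, ack, P1, P2 are constructed for the illustration.

```python
# Constructed example (not from the course slides): a PT-net is a dict
# {transition: (pre-set, post-set)} with pre/post as {place: weight}; a
# marking is a tuple indexed like the PLACES list, so it is a hashable node.
def enabled(net, places, m):
    """en(m): the transitions t with •t <= m (compared place by place)."""
    return [t for t, (pre, _) in net.items()
            if all(m[places.index(p)] >= w for p, w in pre.items())]

def fire(net, places, m, t):
    """Operational semantics: replace m by (m - •t) + t•."""
    pre, post = net[t]
    new = list(m)
    for p, w in pre.items():
        new[places.index(p)] -= w
    for p, w in post.items():
        new[places.index(p)] += w
    return tuple(new)

def marking_graph(net, places, m0):
    """Exhaustive state space G. Returns (states, edges, deadlocks, bounded).
    The search is depth-first and keeps its path, so the unboundedness test
    (M' reachable from M with M' > M) is applied to every ancestor M of a new
    marking M'; on a hit the construction stops with bounded=False."""
    states, edges, deadlocks = {m0}, [], []
    stack = [(m0, (m0,))]
    while stack:
        m, path = stack.pop()
        en = enabled(net, places, m)
        if not en:                        # nothing enabled: a deadlock marking
            deadlocks.append(m)
        for t in en:
            m2 = fire(net, places, m, t)
            edges.append((m, t, m2))
            if any(m2 != a and all(x >= y for x, y in zip(m2, a)) for a in path):
                return states, edges, deadlocks, False
            if m2 not in states:
                states.add(m2)
                stack.append((m2, path + (m2,)))
    return states, edges, deadlocks, True

# Constructed nets. PROTOCOL: sender (s0/s1) and receiver (r0/r1) exchange one
# request and one acknowledgement through the channel places req and ack.
PLACES = ["s0", "s1", "r0", "r1", "req", "ack"]
M0 = (1, 0, 1, 0, 0, 0)
PROTOCOL = {
    "send_req": ({"s0": 1}, {"s1": 1, "req": 1}),
    "recv_req": ({"r0": 1, "req": 1}, {"r1": 1}),
    "send_ack": ({"r1": 1}, {"r0": 1, "ack": 1}),
    "recv_ack": ({"s1": 1, "ack": 1}, {"s0": 1}),
}
# LOSSY drops a request in flight: sender stuck in s1, receiver idle in r0, deadlock.
LOSSY = dict(PROTOCOL, lose_req=({"req": 1}, {}))
# GENERATOR keeps adding tokens to P2, so its marking graph would be infinite.
GENERATOR = {"T1": ({"P1": 1}, {"P1": 1, "P2": 1})}
```

Calling marking_graph(PROTOCOL, PLACES, M0) yields four markings and no deadlock, LOSSY yields a fifth marking from which nothing is enabled, and GENERATOR stops at once because (1, 1) > (1, 0).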


Exercise 3 : covering graph

[Figure: an unbounded net with places P1, P2, P3 and transitions T1, T2, T3]

1. Build (by hand) the covering graph of this unbounded net


General problem of termination

Does this program terminate for all possible values of N?

read N
while N > 1 do
  if N even then N := N/2
  else N := 3*N+1

Example: N=1000


Safety and liveness

Safety properties specify that “something bad never happens”
Doing nothing easily fulfills a safety property, as this will never lead to a “bad” situation
Safety properties are complemented by liveness properties that require some progress
Liveness properties assert that “something good” will happen eventually
Liveness properties are violated in “infinite time”, whereas safety properties are violated in finite time
Finite traces are of no use to decide whether a property holds or not: we have to consider infinite traces, produced for example by loops in a finite TS
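The finite/infinite distinction above, as an added Python example (not code from the course): a small transition system (S, A, →, I, P, L) for a toy connection set-up, a safety check whose counterexample is a finite initial path, and a liveness check whose counterexample is a lasso, a reachable cycle on which the good proposition never holds. The states idle, waiting, connected, closing, the actions and the propositions closed, open, pending are constructed for the illustration.

```python
from collections import deque
# Constructed example (not from the course slides): a finite transition system
# TS = (S, A, →, I, P, L) for a toy connection set-up, plus two checks.
TRANS = [("idle", "req", "waiting"), ("waiting", "conf", "connected"),
         ("waiting", "disc1", "idle"), ("waiting", "retry", "waiting"),
         ("connected", "disc1", "closing"), ("closing", "disc2", "idle")]
I = ["idle"]                      # S is the set of states named in TRANS
L = {"idle": {"closed"}, "waiting": {"closed", "pending"},
     "connected": {"open"}, "closing": {"open", "pending"}}

def succ(s):
    """Successors of s in the labeled graph, as (action, target) pairs."""
    return [(a, s2) for s1, a, s2 in TRANS if s1 == s]

def check_invariant(bad):
    """Safety ('bad never happens'): BFS from I returns the shortest initial path
    ending in a state whose label satisfies bad, or None. A finite counterexample."""
    queue, seen = deque((s, [s]) for s in I), set(I)
    while queue:
        s, path = queue.popleft()
        if bad(L[s]):
            return path
        for _, s2 in succ(s):
            if s2 not in seen:
                seen.add(s2)
                queue.append((s2, path + [s2]))
    return None

def find_lasso(good):
    """Liveness ('good eventually happens'): a violation is an infinite trace on
    which good never holds, i.e. a reachable cycle through states not labelled
    good. Returns (prefix, cycle) for the trace prefix.cycle^omega, or None."""
    visited = set()
    def dfs(s, path):
        for _, s2 in succ(s):
            if good(L[s2]):
                continue                  # this branch has satisfied good
            if s2 in path:                # back edge: a cycle that avoids good
                i = path.index(s2)
                return path[:i], path[i:]
            if s2 not in visited:
                visited.add(s2)
                if (found := dfs(s2, path + [s2])):
                    return found
        return None
    for s0 in I:
        if not good(L[s0]):
            visited.add(s0)
            if (found := dfs(s0, [s0])):
                return found
    return None
```

For this system, "never closed and open at once" holds, "never open" fails on the finite path idle, waiting, connected, and "eventually open" fails on the lasso (idle, waiting)^ω, where the connection is dropped with disc1 before it is ever confirmed.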
