1 Introduction

In recent years, the model checking of CTL [10] and LTL [22] temporal logics for (colored) Petri nets (PN) has seen a boost in interest, and several tools and methods have been developed. Efficiency has been a main driving force behind this effort, also motivated by the lively Model Checking Competition (MCC) [19]. MCC models, formulae, and their evaluations are publicly available, making MCC data a very valuable benchmark for (Petri net) tools. The MCC includes LTL and CTL properties, but does not consider CTL* [15] ones. CTL* is a temporal logic strictly more expressive than CTL and LTL. Although various theoretical aspects of CTL* model checking have been extensively studied in the past, very few CTL* model checkers exist, despite the fact that CTL* properties are of practical interests, for example for modelling fairness constraints for CTL properties. It is well known that various forms of fairness constraints are directly expressible in LTL, while this is not the case for CTL.

Algorithms for CTL* model checking can either be based on Büchi automata, as illustrated in [6](page 429), or they can rely on the translation from CTL* into \(\mu \)-calculus [20], as done in the work of Dam [11, 12], using the standard fixed point iteration of \(\mu \)-calculus to compute the sat-set.

RGMEDD*, the CTL* model checker described in this paper, computes the sat-sets using a Büchi-based model checking algorithm. Given a CTL* formula, the algorithm identifies the LTL sub-formulae of maximal length and uses Spot [14] to translate each of them into a Büchi automaton. States are encoded as Decision Diagrams (DD), using the Meddly [5] library. RGMEDD* can be run as a stand-alone tool or as part of the GreatSPN [2] tool suite, called from a “check property” window of the GreatSPN graphical interface [1].

We could only find another Petri net tool that can deal directly with CTL*: LTSmin [18]. This tool translates CTL* into \(\mu \)-calculus, using the procedures defined in [11, 12]). Note that \(\mu \)-calculus for Petri nets is available also in TINA [7], but no translator from CTL* to \(\mu \)-calculus is provided. We could not find any CTL* tool based on Büchi automata. the set of available tools does not change even when looking to model checkers with input languages other than Petri Nets. There are papers on CTL* for Spin [17, 25], but we could not find any implementation available. There is an implementation of \(\mu \)-calculus for nuXmv [8], which could lead to a CTL* model checker but, for the time being, only CTL* formulae that are either LTL or CTL are actually processed.

Validation of RGMEDD* has been achieved taking advantage of the MCC2018 models, LTL and CTL formulae, and associated truth values for the models’ initial state. Computations of the sat-sets of CTL* formulae have been checked in two ways: sat-sets of formulae that are plain CTL have been compared with the sat-set computed by RGMEDD3, the existing CTL model checker of GreatSPN, and LTSmin, while for CTL*-only formulae the comparison has been conducted against LTSmin, using its CTL* module.

We undertook the construction of a CTL* model checker to use it: 1) to test the efficiency of a DD-based implementation of LTL and CTL*; 2) to explore whether a Büchi automata approach can favour the formulation of counterexamples and witnesses; 3) to investigate the efficacy for CTL* of the variable ordering techniques developed in [3]; and 4) to support teaching: following the effort in [4] the users of GreatSPN to experiment (within the same window of the GUI) formulae of multiple logics: LTL, (fair)CTL and CTL*.

The paper is organized as follows: Sect. 2 introduces basic definitions, Sect. 3 reviews the algorithm for CTL* model checking, the symbolic data structures used to implement it, the tool architecture and the integration into the GreatSPN graphical interface. Section 4 describes the testing performed, while Sect. 5 concludes the paper.

2 Background

PT-nets. A place-transition (PT) Petri net M is defined [21] as a tuple \(M={\langle {P,T,A,W,m_0}\rangle }\), where P is the set of places, T is the set of transitions, \(A \subseteq (P \times T) \cup (T \times P)\) is the set of arcs, \(W : A \rightarrow \mathbb {N}_{\ge 1}\) is the arc weight function, and \(m_0 : P \rightarrow \mathbb {N}\) is the initial marking. Markings represent states of the system, i.e. assignments of tokens to places. A transition \(t \in T\) is enabled if and only if all input places of t contain at least W(pt) tokens. The firing of t removes such tokens from the input places, and adds to each output place \(p'\) an amount of \(W(t,p')\) new tokens. Notation \(m\xrightarrow {t}m'\) indicates the firing of t from marking m to \(m'\). The reachability set (RS) is the set of all markings reachable from \(m_0\). Figure 1(A) shows a simple Petri net model M with 3 places and 4 transitions, with a RS of 4 markings.

GBA. A Generalized Büchi Automaton (GBA) is a tuple \(A=\langle Q, \varSigma , \delta , Q_0, \mathcal {F} \rangle \), where Q is a finite set of locations, \(\varSigma \) is a set of atomic proposition labels, \(\delta : Q\times \varSigma \rightarrow 2^Q\) is a total transition function, \(q_0 \subseteq Q\) is the set of initial locations, and \(\mathcal {F}\) is a subset of \(2^Q\) and each element of \(\mathcal {F}\) is called an acceptance set. Every LTL formula \(\phi \) can be translated into an equivalent GBA [23]. The details of this translation are outside the scope of this paper. Figure 1(B) shows a GBA with 3 locations and a single atomic proposition \(\#P2{=}1\), corresponding to a boolean formula on M. Location 1 is \(q_0\), and \(\mathcal {F}=\bigl \{ \{0\} \bigr \}\).

CTL*. The language of CTL* formulae of RGMEDD* is inductively defined by:

$$\begin{aligned} \varPsi&~{:}{:=}~ \top ~|~ \bot ~|~ \text {dead} ~|~ \text {en}(\tau ) ~|~ \varTheta \bowtie \varTheta ~|~ \varPsi \wedge \varPsi ~|~ \varPsi \vee \varPsi ~|~ \lnot \varPsi ~|~ \exists \phi ~|~ \forall \phi \\ \phi&~{:}{:=}~ \varPsi ~|~ \phi \wedge \phi ~|~ \phi \vee \phi ~|~ \lnot \phi ~|~ X \phi ~|~ F \phi ~|~ G \phi ~|~ \phi \,U \phi \\ \varTheta&~{:}{:=}~ n ~|~ \#\text {p} ~|~ \text {bounds}(\pi ) ~|~ -\varTheta ~|~ \varTheta \circ \varTheta \end{aligned}$$

where \(n \in \mathbb {N}\), \(p \in P\), \(\pi \subseteq P\), \(\tau \subseteq T\), \({\bowtie }\in \{=,\ne , >, <, \ge , \le \}\) is a comparison operator, and \(\circ \in \{+,-,*,/ \}\) is an arithmetic operator. The rules \(\varPsi \), \(\phi \) and \(\varTheta \) are the rules for the state, path and integer formulae, respectively. The state formula dead is a special label for all RS states that do not enable any transition; en\((\tau )\) is satisfied in all RS states enabling at least one transition \(t \in \tau \); \(\# p\) evaluates to the cardinality of place p in the current marking; bounds\((\pi )\) is the maximum sum of token counts of all places in \(\pi \) in every reachable marking. A CTL* formula with no quantifiers but the initial one is an LTL formula.

Fig. 1.
figure 1

An example of the MDDs and MxDs generated for CTL* evaluation.

Full size image

Product \({RS \otimes A}\). Model checking of properties expressed using Büchi automata follows the schema of [24]. A Transition System (TS) is generated from the cross product \(RS \otimes A\) between a path-formula GBA A and the RS of M. States of this TS are pairs \({\langle {m, q}\rangle }\), with m a Petri net marking and q a GBA location.

MDD and MxD. Decision Diagrams (DD) are a data structure used to encode large sets of structured data. GreatSPN uses the DD library Meddly [5], which supports, among others, binary (BDD) and multivalued (MDD) DDs. We shall use MDD to encode both the RS of the Petri net, and the TS of the product \(RS \otimes A\). MDDs encoding a relation function are called MxD, and are used by the tool to represent transitions and their union as a transition relation. An MxD has twice the levels of an MDD, and in each pair of levels it encodes the before/after relations of a variable (i.e. a place or a location).

Figure 1(C) and (D) shows the RS and the transition relation of M encoded as a MDD and as a MxD, respectively. A reachable state corresponds to a path in the MDD of (C): so, taking the rightmost path, we have that (1, 0, 0) is a reachable state. The MDD are fully-reduce, so the leftmost path encodes both (0, 0, 0) and (0, 0, 1).

figure a

3 The RGMEDD* Architecture

Given a Petri net model M and a CTL* formula \(\psi \), the solver first descends recursively through the syntax tree of \(\psi \) to extract each maximal proper state subformula [6, pp. 427], and then model checks each maximal proper state subformula \(\psi \) independently, in a bottom up process. Let \(\psi '\) be a maximal proper state subformula where all inner maximal proper state subformulae have been replaced with atomic propositions. For example if a and b are atomic propositions, then \(\exists \mathrm {X X} (\forall \, a \mathrm {U F }b)\) has two maximal subformulas: \(\forall \, a \mathrm {U F} b\) and \(\exists \mathrm {X X} c\), where c is the atomic proposition that stands for the sat-set of \(\forall \, a \mathrm {U F} b\). If \(\psi '\) only contain logical operations, it is trivially checked by applying the corresponding logical functions. Therefore, it remains to treat only the quantified cases \(\psi ' = \exists \phi \) and \(\psi ' = \forall \phi \). For the first case the model checker implements a single function to compute the set of states of M satisfying \(\phi \), denoted Sat\(\exists \)LTL\((M, \phi )\). The method Sat\(\exists \)LTL\((M, \phi )\) identifies the set of all markings m that have at least one path starting in m satisfying \(\phi \), which gives the semantics for the CTL* expression \(\exists \phi \). The CTL* expression \(\forall \phi \), corresponding to the more usual LTL semantics, is obtained from \(\forall \phi = \lnot (\exists \lnot \phi )\), which is computed as \(Sat(\forall \phi ) = RS \setminus \text {Sat}\exists \text {LTL}(M, \lnot \phi )\).

A pseudo-code of the Sat\(\exists \)LTL\((M, \phi )\) function is given in Algorithm 1. The function first translates the path formula \(\phi \) into a GBA A using Spot (line 2). It then encodes (line 3) the transition system \(RS \otimes A\): each TS state \({\langle {m, q}\rangle }\), is encoded in a MDD with \(|P|+1\) levels. The set of reachable states in \(RS \otimes A\) is generated using saturation [9] (line 4). An infinite path meets the state-based acceptance condition of a GBA if it visits infinitely often at least one state in each acceptance set \(F \in \mathcal {F}\). The work in [16] shows that the set of states originating accepting paths can be computed by the fair CTL formula \(E_\textit{fair}G(\mathbf {true}, \mathcal {F})\) on the TS. For some subclasses of GBAs (weak and terminal), a simplified procedure (lines 5–11) can be used [26]. The final set \( Sat (\phi )\) is obtained by taking all the fair states (i.e. those that satisfy the acceptance condition of the GBA) that are also initial states of the RS (line 12).

figure b

Most of the complexity resides in the generation of \(RS \otimes A\) with Decision Diagrams, summarized in Algorithm 2. Its generation requires both the MDD of the RS and the MxD of the transition relation, referred to as the Next-State-Function [9] (\( NSF \)) of the Petri net model. Each edge \(q\xrightarrow {s}q'\) of A is encoded as a new MxD (line 5), by modifying the transition relation of the Petri net to reach only Sat(s) markings, and at the same time by moving the GBA location from q to \(q'\). To ensure that the generated transition system is a proper Kripke structure, all deadlock states of the Petri net model must be closed by a self-loop, which is built separately for each edge (lines 6–7). The transition relation \({NSF}^{TS}\) of the TS is created from the union of all the edge’s MxD (line 8). The function relabel(dq) takes a MDD d and sets the location level to q, while the \(loc\_change(x, q, q')\) takes a MxD x and replaces for the location level the relation \(q \rightarrow q'\). The encoded TS is a tuple made by the transition relation \( NSF ^{TS}\), the set of initial states \(S_0^{TS}\) of the TS, which is the set of markings that are accepted by an edge leaving an initial location of the GBA (line 10), and the encoding \(AS_\mathcal {F}^{TS}\) of the accepting sets \(\mathcal {F}\) of the TS as MDDs (line 14).

Example. Figure 1 shows in (E) the MDD of \( RS ^{TS}\), generated as a fixed-point image of the MxD \( NSF ^{TS}\) shown in (F). The DDs of \(RS \otimes A\) encode both the places of M and the locations of A, and therefore have an additional level of nodes. The set of fair states \( FS ^{TS}\) visited infinitely often are also encoded as a MDD, shown in (G). Finally (H) shows the MDD of the sat-set of the CTL* formula \(\exists \,\phi \), encoding the 3 satisfying markings (all markings of RS except the one where all places have zero tokens).

Fig. 2.
figure 2

A screenshot of the CTL/CTL* interface of RGMEDD* in GreatSPN.

Full size image

Tool. The CTL* model checker is available both as a command line tool and inside the integrated GUI. Figure 2 shows the interface. For each model, a list of queries can be inserted, following the grammar given in Sect. 2. Queries are declared as either CTL or CTL*, which changes the model checking algorithm used. The algorithm described in Sect. 3 is used for CTL* queries only.

4 Testing

We have tested different aspects of RGMEDD*: the correctness of the results and the performance of the tool. MCC2018 models and relative model instances and formulae were used. We have considered only instances for which GreatSPN is able to build the RS, since the RS is required for sat-set computation.

The reported tests are the final ones, but the MCC instances have been extensively used also during the debugging phase allowing to discover both technical errors (in the implementation of the algorithm) and semantics ones (different behaviour for systems with deadlocks). Indeed Petri net models with deadlocks do not feature only infinite paths, as per the semantics of LTL and CTL. A standard way to turn around this problem is to “stutter” deadlock states by adding a self-loop. MCC assumes that deadlock states are stuttered only for LTL model checking, since this is required by the Büchi-based construction. RGMEDD* assumes deadlocks are stuttered, which may cause discrepancies when comparing RGMEDD* on CTL formulae. Therefore the MCC instances considered have been split in two sets: deadlock-free models (DFM), with 408 instances, and non deadlock-free models (DM), with 539 instances.

4.1 Testing of Truth Values for CTL and LTL Formulae

This test is based on the MCC2018 results for four categories of queries: CTLCardinality, CTLFireability, LTLCardinality and LTLFireability. Each category has 16 queries. A pair \(\langle model~instance, category \rangle \) is called an examination. For each examination an expected result is provided, that was used to check the correctness of RGMEDD*. To limit resource consumption we set a time limit of 300s and a memory limit of 2GB. With these limitations we could complete 360 examinations, that is to say 5760 (\({=}360 * 16\)) queries. For LTL categories we have used instances of both DFM and DF models, while for CTL only DFM ones have been used. Over all the 5760 tests performed we have got a single mismatch, but this is query for which there is a mismatch also among the three tools that were able to evaluate the query in MCC2018.

4.2 Testing of Sat-Sets Computation of CTL Formulae

GreatSPN has a CTL model checker called RGMEDD3 that recursively computes the sat-set of CTL formulae. With a timeout of 60 seconds and 2GB of memory, RGMEDD3 completes 3544 queries from 168 different model instances from the DF set. RGMEDD* timeout-out on 10.05% of the queries. RGMEDD3 was faster than RGMEDD* in 92.65% of all queries completed by both tools.

Figure 3 (A) shows the execution times of the two tools, each query being a dot. In all completed tests the tools produce sat-sets of equal cardinality.

Fig. 3.
figure 3

Execution times of RGMEDD* vs. RGMEDD3 (A) and vs. LTSmin (B).

Full size image

4.3 Assessment on CTL* Formulae

Here we report the assessment of RGMEDD* against LTSmin, run using the pins2lts-sym interface with the –ctlstar option which first converts CTL* into \(\mu \)-calculus (which may incur an exponential cost). Also LTSmin is based on decision diagrams (of the Sylvan [13] library) and to make a more realistic comparison we have enforced the use of the same variable order by the two tools. Before checking CTL* formulae we have tested their behaviours on known results.

  1. 1.

    Tool validation against MCC results. We computed the sat-sets generated by RGMEDD* and pnml2lts-sym when provided with the same queries from the MCC examination of LTLCardinality and CTLCardinality (DF only models) set for which the RS can be built. With the same resource limits as before, of the 1248 formulae considered (covering instances from 32 different models), RGMEDD* completed 1162 and LTSmin 702. Among these 702 formulae successfully completed by both model checkers, there were 7, from different models, over which the two tools did not agree: For these formulae MCC states that they are true in the initial marking, RGMEDD* returns sat-sets that include the initial marking, while LTSmin returns empty sat-sets, which seems a wrong answer.

  2. 2.

    Relative performances of the two tools. We checked the time performance of the two tools on the same instances as above, excluding the time for RS computation. Figure 3 (B) shows the comparison. RGMEDD* performs better in average and a closer look at LTSmin times reveals that a significant amount of time is spent converting CTL* formulae to \(\mu \)-calculus.

  3. 3.

    Correctness and performance on CTL* formulae. Since there is no available set of CTL* formulae for the MCC models (and for any other models we could find) we have generated formulae algorithmically by parsing CTLCardinality queries from MCC2018 and deleting each path quantifiers with a probability of 70%. The first quantifier is always kept, in order to preserve consistency with the CTL* grammar. For these tests, which are mainly aimed at checking correctness, we considered only 39 models whose RS are rather quick to generate. This gives a total of 624 queries, and on 218 both tools complete with the given resources. RGMEDD* timed out in \(5.44\%\) of the queries while LTSmin timed out in \(65.06\%\) of the queries. RGMEDD* was faster than LTSmin in \(85.78\%\) of all queries completed by both tools. More importantly the cardinality of the sat-sets coincides for both tools.

5 Conclusion

RGMEDD* is the new CTL* model checker of GreatSPN. It leverages two libraries: Spot for the translation from CTL* to Büchi automata and Meddly for decision diagram manipulation. RGMEDD* allows GreatSPN users to compute the set of reachable states that satify CTL* and LTL properties. The approach is fully integrated into the GreatSPN GUI, that already included the possibility of computing the sat-set of CTL formulae. RGMEDD* itself can be used to check also CTL properties, although our testing has confirmed that, as expected, the standard CTL model checking algorithm has superior performances.

Testing of RGMEDD* had to face a number of difficulties, due to the availability of a single CTL* tool, LTSmin. To be able to use LTSmin for our benchmark it was first necessary to fix a few syntactic problems in the LTSmin parsing of CTL* formulae: nevertheless it was an easy to use tool and we observed very limited discrepancies in the results. Although both tools are based on decision diagrams, RGMEDD* seems to perform significantly better than LTSmin, that suffers for the expensive translation from CTL* into \(\mu \)-calculus.

Based on the experience gained in building RGMEDD* we plan to develop a model checker for the fair variant of CTL (reusing the available implementation of the Emerson-Lei algorithm for \(E_ fair G \phi \)). We also plan to work on the generation of counterexamples and witnesses: these two topics are of paramount importance for the verification of distributed algorithms.

Finally, we shall work on improving memory and time performance by avoiding, as much as possible, the construction of a single monolithic decision diagram for the next state function of the Petri Net and of the \(RS \otimes A\) transition system.

Availability. A virtual machine with the tool pre-installed can be downloaded from http://www.di.unito.it/~greatspn/VBox/RGMEDDstar-vm.ova. The source code of GreatSPN is available from https://github.com/greatspn/SOURCES.