1 Introduction

Reversible computing is attracting interest for its applications in many fields including hardware design and quantum computing [30], the modelling of bio-chemical reactions [12, 25, 26], parallel discrete event simulation [27] and program reversing for debugging [8, 11, 16].

A model for reversible computation features two computation flows: the standard forward direction and the reverse one, which allows any past state of the computation to be reached again. Reversibility is well understood in a sequential setting in which executions are totally ordered sets of events (see [17]): a sequential computation can be reversed by successively undoing the last not yet undone event. Reversibility becomes more challenging in a concurrent setting because there is no natural way to totally order events. Concurrency models often account for the causal dependencies among events, which are reflected as a partial order. Reversing an execution consisting of a partially ordered set of events reduces to successively undoing one of the maximal events not yet undone. This is the basis of causally-consistent reversibility [6, 15, 23], which relates reversibility with causality. Intuitively, this notion stipulates that any event can be undone provided that all its consequences, if any, are undone beforehand. Reversibility in distributed systems such as in checkpoint/rollback protocols [29] and in transactions [7, 13] can be modelled by causal-consistent reversibility. The interplay between reversibility and concurrency has been widely studied in process calculi [4, 6, 14, 19, 23], event structures [5, 9, 24, 28] and lately Petri Nets [1, 21]. Despite being a very basic model of concurrency, Petri nets still lack a satisfactory causally-consistent reversible semantics. For instance, no current models are able to handle cyclic nets.

A key point when reversing computation in Petri nets is to handle backward conflicts, i.e., the fact that a token can be generated in a place because of different causes. Consider the net in Fig. 1(a) showing the initial state of a system that can either perform \(\mathsf{t}_1\) followed by \(\mathsf{t}_3\), or \(\mathsf{t}_2\) followed by \(\mathsf{t}_4\). The final state of a complete computation is depicted in Fig. 1(b). The information in that state is not enough to deduce whether the token in \(\mathsf{d}\) has been produced because of \(\mathsf{t}_3\) or \(\mathsf{t}_4\). Even worse, if we “naively” reverse the net by just adding transitions in the reverse direction, as shown in Fig. 1(c), the reverse transition will do more than undoing the computation. In fact, the token in \(\mathsf{d}\) can be put back either in \(\mathsf{b}\) or \(\mathsf{c}\) regardless of the previous computation.

Fig. 1. Backward conflict and naive reversing.

Analogous problems arise when a net is cyclic. Previous approaches [1, 21] to reversing Petri nets tackle backward conflicts by relying on a new kind of tokens, called bonds, that keep track of the execution history. Bonds are rich enough to allow other approaches to reversibility, such as out-of-order reversibility [12], but they cannot cope with cyclic nets. We propose here a reversible model for p/t nets that can handle cyclic nets by relying on standard notions in Petri net theory. We first observe that a Petri Net can be mapped via the standard unfolding construction to an occurrence net, i.e., an acyclic net that does not have backward conflicts and makes causal dependencies explicit. Then, an occurrence net can be “simply” reversed by reversing each of its transitions. This construction gives a model that features causally-consistent reversibility. This is shown by proving that each reachable marking in the reversible version of the occurrence net is a marking that can be reached by just forward computational steps. We observe that the unfolding construction could produce an infinite occurrence net. However, the unfolding can be seen as the definition of a coloured net, where colours account for causal histories. This interpretation associates a p/t net with an equivalent coloured p/t net, which can be reversed in the “simple” way. The correctness of the construction is shown by exhibiting a one-to-one correspondence of its executions with the ones of the reversible version of the unfolding. Interestingly, the colours used by the construction resemble the memories common in reversible calculi [6, 14].

We remark that our proposal deals with reversing (undoing) computation in a Petri net and not with the classical problem of reversibility [3] which requires every computation to be able to reach back the initial state of the system (but not necessarily by undoing the previous events). In this sense, the problem of making a net reversible equates to adding a minimal amount of transitions that make a net reversible [2]. Reversibility is a global property while reversing a computation is a local one, as discussed in [2].

2 Background

2.1 Petri Nets

Petri nets are built up from places (denoting, e.g., resources and message types), which are repositories for tokens (representing instances of resources), and transitions, which fetch and produce tokens. We consider the infinite sets \(\mathcal {P}\) of places and \(\mathcal {T}\) of transitions, and assume that they are disjoint, i.e., \(\mathcal {P}\cap \mathcal {T}= \emptyset \). We let \(\mathsf{a}, \mathsf{a}', \ldots \) range over \(\mathcal {P}\) and \(\mathsf{t}, \mathsf{t'}, \ldots \) over \(\mathcal {T}\). We write \(x, y, \ldots \) for elements in \(\mathcal {P}\cup \mathcal {T}\).

A multiset over a set S is a function \(m: S \rightarrow \mathbb {N}\) (where \(\mathbb {N}\) denotes the natural numbers including zero). We write \(\mathbb {N}^{S}\) for the set of multisets over S. For \(m\in \mathbb {N}^{S}\), \( supp (m)= \{x \in S \; | \; m(x) > 0 \}\) is the support of m, and \(|m|= \sum _{x\in S} m(x)\) stands for its cardinality. We write \(\emptyset \) for the empty multiset, i.e., \(supp(\emptyset ) = \emptyset \). The union of \(m_1,m_2\in \mathbb {N}^{S}\), written \((m_1 \oplus m_2)\), is defined such that \((m_1 \oplus m_2)(x) = m_1(x)+m_2(x)\) for all \(x\in S\). Note that \(\oplus \) is associative and commutative, and has \(\emptyset \) as identity. Hence, \(\mathbb {N}^S\) is the free commutative monoid \(S^\oplus \) over S. We write x for a singleton multiset, i.e., \( supp (x)= \{x\}\) and \(m(x)=1\). Moreover, we write \(x_1\ldots x_n\) for \(x_1\oplus \ldots \oplus x_n\). Let \(f : S \rightarrow S'\), we write f also for its obvious extension to multisets, i.e., \(f(x_0\ldots x_n) = f(x_0)\ldots f(x_n)\). We avoid writing \( supp (\_)\) when applying set operators to multisets, e.g., we write \(x \in m\) or \(m_1\cap m_2\) instead of \(x\in supp (m)\) or \( supp (m_1)\cap supp (m_2)\).

Definition 1

(Petri Net). A net N is a 4-tuple \(N = (S_N, T_N, {}^\bullet {\_}_N, \_^\bullet _N)\) where \(S_N\subseteq \mathcal {P}\) is the (nonempty) set of places, \(T_N \subseteq \mathcal {T}\) is the set of transitions and the functions \({}^\bullet {\_}_N, \_^\bullet _N: T_N\rightarrow 2^{S_N}\) assign source and target to each transition such that \({}^\bullet {\mathsf{t}} \ne \emptyset \) and \(\mathsf{t}^\bullet \ne \emptyset \) for all \(\mathsf{t}\in T_N\). A marking of a net N is a multiset over \(S_N\), i.e., \(m\in \mathbb {N}^S\). A Petri net is a pair (N, m) where N is a net and m is a marking of N.

We denote \(S_N\cup \ T_N\) by N, and omit the subscript N if no confusion arises. We abbreviate a transition \(\mathsf{t} \in T\) with preset \({}^\bullet {t} = s_1\) and postset \(t^\bullet = s_2\) as \(s_1 {[}{\rangle }s_2\). Hereafter, we only consider nets whose transitions have non-empty presets. The pre and postset of a place \(\mathsf{a} \in S\) are defined respectively as \({}^\bullet {\mathsf{a}} = \{\mathsf{t}\ |\ \mathsf{a} \in \mathsf{t}^\bullet \}\) and \(\mathsf{a}{}^\bullet = \{\mathsf{t}\ |\ \mathsf{a} \in {}^\bullet {\mathsf{t}}\}\). We let \({}^\circ {N} = \{x\in N\ |\ {}^\bullet {x} = \emptyset \}\) and \(N^\circ = \{x\in N |\ x^\bullet = \emptyset \}\) denote the sets of initial and final elements of N respectively. Note that we only consider nets whose initial and final elements are places since transitions have non-empty pre and postsets, i.e., \({}^\bullet {\mathsf{t}} \ne \emptyset \) and \(\mathsf{t}^\bullet \ne \emptyset \) holds for all \(\mathsf{t}\).

Definition 2

(Net morphisms). Let \(N, N'\) be nets. A pair \(f =(f_S: S_N \rightarrow S_{N'}, f_T: T_N \rightarrow T_{N'})\) is a net morphism from N to \(N'\) (written \(f: N \rightarrow N'\)) if \(f_S ({}^\bullet {\mathsf{t}}_{N}) = {}^\bullet {(f_T(\mathsf{t}))}_{N'}\) and \(f_S (\mathsf{t}^\bullet _{N}) = (f_T(\mathsf{t}))^\bullet _{N'}\) for any \(\mathsf{t}\). Moreover, we say N and \(N'\) are isomorphic if f is bijective.

The operational (interleaving) semantics of a Petri net is given by the least relation on Petri nets satisfying the following inference rule:

which describes the evolution of the state of a net (represented by the marking \(m\oplus m''\)) by the firing of a transition \(m{[}{\rangle }m'\) that consumes the tokens m in its preset and produces the tokens \(m'\) in its postset. We sometimes omit \(\mathsf{t}\) in when the fired transition is uninteresting.

According to Definition 1, transitions consume and produce at most one token in each place. On the other hand, p/t nets below fetch and consume multiple tokens by defining the pre- and postsets of transitions as multisets.

Definition 3

A Place/Transition Petri net (p/t net) is a 4-tuple \(N = (S_N, T_N, {}^\bullet {\_}_N, \_^\bullet _N)\) where \(S_N\subseteq \mathcal {P}\) is the (nonempty) set of places, \(T_N \subseteq \mathcal {T}\) is the set of transitions and the functions \({}^\bullet {\_}_N, \_^\bullet _N: T_N\rightarrow \mathbb {N}^{S_N}\) assign source and target to each transition. A marking of a net N is a multiset over \(S_N\), i.e., \(m\in \mathbb {N}^S\). A marked p/t net is a pair (N, m) where N is a p/t net and m is a marking of N.

The notions of pre- and postset, initial and final elements, morphisms and operational semantics are straightforwardly extended to p/t nets. Note that Petri nets can be regarded as a p/t net whose arcs have unary weights.

Next, we introduce some notation for sequences of transitions. Let ‘;’ denote concatenation of such sequences. For the sequence if ; we call if there exists s such that , and \(\epsilon _m\) for the empty sequence.

Definition 4

Let (N, m) be a p/t net. The set of reachable markings \({ reach}(N, m)\) is defined as .

We say a marked p/t net (N, m) is (1-)safe if every reachable marking is a set, i.e., \(m'\in { reach}(N,m)\) implies \(m'\in 2^{S_N}\).

Fig. 2. p/t nets

Example 5

Figure 2 shows different p/t nets, which will be used throughout the paper. As usual, places and transitions are represented by circles and boxes, respectively. The nets \(O_1\) and \(N_4\) are Petri nets, and \(N_1\), \(N_2\) and \(N_3\) are p/t nets which, when executing, may produce multiple tokens in some places.

2.2 Unfolding of P/T Nets

Our approach to reversing Petri nets relies on their occurrence net semantics, which explicitly exhibit the causal ordering, concurrency, and conflicts among events. We start by introducing several useful notions and notations. First, we shall describe a flow of causal dependencies in a net with the relation \(\prec \):

Definition 6

Let \(\prec \) be \(\{ (\mathsf{a},\mathsf{t}) | \mathsf{a}\in S_N \wedge \mathsf{t}\in \mathsf{a}^\bullet \} \ \cup \ \{ (\mathsf{t},\mathsf{a}) | \mathsf{a}\in S_N \wedge \mathsf{t}\in {}^\bullet {\mathsf{a}}\}\). We write \(\preceq \) for the reflexive and transitive closure of \(\prec \).

Consider Fig. 2. We have \(\mathsf{a} \prec \mathsf{t}_1\) and \(\mathsf{t}_1 \prec \mathsf{c}\) in \(O_1\) as well as \(\mathsf{t}_1 \preceq \mathsf{t}_2\) in \(N_1\).

Two transitions \(\mathsf{t}_1\) and \(\mathsf{t}_2\) are in an immediate conflict, written \(\mathsf{t}_1 \#_0 \mathsf{t}_2\), when \(\mathsf{t}_1 \ne \mathsf{t}_2\) and \({}^\bullet {\mathsf{t}_1} \cap {}^\bullet {\mathsf{t}_2} \ne \emptyset \). For example, \(\mathsf{t}_1\) and \(\mathsf{t}_2\) in \(N_4\) in Fig. 2 are in an immediate conflict since they share a token in the place \(\mathsf{c}\). Correspondingly, for \(\mathsf{t}_2\) and \(\mathsf{t}_3\) in \(N_1\). The conflict relation \(\#\) is defined by letting \(x\#y\) if \(x\ne y\) and there are \(\mathsf{t}_1, \mathsf{t}_2 \in T\) such that \(\mathsf{t}_1 \preceq x\), and \(\mathsf{t}_2 \preceq y\), and \(\mathsf{t}_1 \#_0 \mathsf{t}_2\).

We are now ready to give the definition of an occurrence net following [10, 20].

Definition 7

(Occurrence net). A net (N, m) is an occurrence net if

  1. N is acyclic;

  2. N is a (1-)safe net, i.e., any reachable marking is a set;

  3. \(m = {}^\circ {N}\), i.e., the initial marking is identified with the set of initial places;

  4. there are no backward conflicts, i.e., \(|{}^\bullet {\mathsf{a}}|\le 1\) for all \(\mathsf{a}\) in \(S_N\);

  5. there are no self-conflicts, i.e., \(\lnot (\mathsf{t} \#\mathsf{t})\) for all \(\mathsf{t}\) in \(T_N\).

We use O to range over occurrence nets.

Example 8

The net \(O_1\) in Fig. 2 is an occurrence net, while the remaining nets are not. \(N_1\) is not an occurrence net since there is a token in place \(\mathsf{c}\) and \(\mathsf{c}\) is not an initial place of the net. \(N_2\) has a backward conflict since two transitions produce tokens on the place \(\mathsf{d}\). \(N_3\) is cyclic, and \(N_4\) is cyclic and has a backward conflict on \(\mathsf{c}\).

The absence of backward conflicts in occurrence nets ensures that each place appears in the postset of at most one transition. Hence, pre- and postset relations can be interpreted as a causal dependency. So, \(\preceq \) represents causality.

We say \(x, y \in N\) are concurrent, written \(x\ co\ y\), if \(x\ne y\) and \(x\not \preceq y\), \(y\not \preceq x\), and \(\lnot x \# y\). A set \(X\subseteq N\) is concurrent, written CO(X), if \(\forall x, y\in X: x\ne y \Rightarrow x\ co\ y\), and \(|\{\mathsf{t}\in T_N\ |\ \exists x \in X, \mathsf{t} \preceq x\}|\) is finite. For example, the set \(\{\mathsf{t_1},\mathsf{t_2}\}\) of firings in \(O_1\) of Fig. 2 is concurrent, so we can write \(CO(\{\mathsf{t_1}, \mathsf{t_2}\})\).

Two transitions are coinitial if they start with the same marking, and cofinal if they end up in the same marking. We now have a simple version of the Square Lemma [6] for forward concurrent transitions. It will be helpful in proving our Lemma 16 in the next section.

Lemma 9

Let \(\mathsf{t}\) and \(\mathsf{t}'\) be coinitial concurrent transitions. Then, there exist transitions \(\mathsf{t}_1\) and \(\mathsf{t}_1'\) such that \(\mathsf{t};\mathsf{t}_1'\) and \(\mathsf{t}';\mathsf{t}_1\) are cofinal.

The lemma says that if transitions \(\mathsf{t}\) and \(\mathsf{t}'\) originate from one corner of a square, and if they represent independent (concurrent) events, then the square completes with two other independent transitions (\(\mathsf{t}_1\) and \(\mathsf{t}_1'\)) meeting at the opposite corner of the square. The order in which concurrent transitions are executed in a firing sequence does not matter. Indeed, the order which should be preserved among firings in a sequence is the causal order. We then consider sequences equivalent up to the swapping of concurrent transitions. This corresponds to considering the set of Mazurkiewicz traces induced by co as the independence relation.

Formally, trace equivalence \(\equiv \) is the least congruence over firing sequences s such that \(\forall \mathsf{t}_1, \mathsf{t}_2 : \mathsf{t}_1\ co\ \mathsf{t}_2 \implies \mathsf{t}_1 ; \mathsf{t}_2 \equiv \mathsf{t}_2;\mathsf{t}_1\). The equivalence classes of \(\equiv \) are the (Mazurkiewicz) traces. We use \(\omega \) to range over such traces. We will also use \(\epsilon \) for the empty trace, and ; for the concatenation operator.

For occurrence nets we have this standard property:

(1)

Two traces are coinitial if they start with the same marking, and cofinal if they end up in the same marking. Hence, Eq. (1) tells us that two traces that are coinitial and cofinal are then trace equivalent.

The unfolding of a net N is the least occurrence net that can account for all the possible computations of N and makes explicit causal dependencies, conflicts and concurrency between firings [20].

Fig. 3. Unfolding rules.

Fig. 4. Unfoldings of p/t nets

Definition 10

(Unfolding). Let (N, m) be a p/t net. The unfolding of N is the occurrence net \(\mathcal {U}[N,m]= (S,T,\delta _0,\delta _1)\) generated inductively by the inference rules in Fig. 3 and the folding morphism \((f_S, f_T) : \mathcal {U}[N,m]\rightarrow N\) defined such that \(f_S(\mathsf{a}, \_, \_) = \mathsf{a}\) and \(f_T(\mathsf{t}, \_) = \mathsf{t}\).

Places are named by triples \(\mathsf{a}(H, i)\) where: \(\mathsf{a}\) is a place of N where tokens reside; H is the set of immediate causes (i.e., the history of tokens); and i is a positive integer used to disambiguate tokens with the same history. Transitions (or events) are encoded as \(\mathsf{t}(H)\), where H is as above and \(\mathsf{t}\) is the fired transition.

Example 11

The unfoldings of the nets \((N_1, \mathsf{a} \oplus \mathsf{b} \oplus \mathsf{c} \oplus \mathsf{d})\), \((N_2,\mathsf{a} \oplus \mathsf{b} \oplus \mathsf{c})\) and \((N_3, \mathsf{a})\) in Fig. 2 are shown in Fig. 4. Note that since \(O_1\) is an occurrence net its unfolding is isomorphic to \(O_1\), thus it is omitted. Consider the occurrence net \(\mathcal {U}[N_1, \mathsf{a} \oplus \mathsf{b} \oplus \mathsf{c} \oplus \mathsf{d}]\). The leftmost transition \(\mathsf{t}_2\) is different from the other transition \(\mathsf{t}_2\) since they have different histories: the leftmost \(\mathsf{t}_2\) is caused by the tokens in \(\mathsf{b}\) and \(\mathsf{c}\) (which are available in the initial marking), whereas the other \(\mathsf{t}_2\) is caused only by the token in \(\mathsf{b}\) and the token that is produced by the firing of \(\mathsf{t}_1\). Correspondingly, for the two transitions labelled \(\mathsf{t}_3\). Consider \(\mathcal {U}[N_2, \mathsf{a} \oplus \mathsf{b} \oplus \mathsf{c}]\). After the transitions \(\mathsf{t}_1\) and \(\mathsf{t}_2\) have fired, there is a token in each of the places labelled \(\mathsf{d}\). The token in the leftmost \(\mathsf{d}\) has the history \(\mathsf{t}_1\) and the token in the other \(\mathsf{d}\) has the history \(\mathsf{t}_2\). Once \(\mathsf{t}_3\) has fired, we can tell the copies of \(\mathsf{t}_3\) apart by inspecting their histories: the leftmost \(\mathsf{t}_3\) is caused by a token in \(\mathsf{d}\) with the history \(\mathsf{t}_1\) (as well as the token in \(\mathsf{c}\)), whereas the other \(\mathsf{t}_3\) is caused by \(\mathsf{d}\) with the history \(\mathsf{t}_2\) and by \(\mathsf{c}\).

3 Reversing Occurrence Nets

Definition 12

Let O be an occurrence net. The reversible version of O is defined such that

Given a transition \(\mathsf{t}\) we write for a transition that reverses \(\mathsf{t}\). We shall call transitions like and in Fig. 5 reverse (or backwards) transitions (or firings), and use \(t, t_1\) and \(t_2\) to denote transitions or reverse transitions.

For \(\overleftarrow{O}\), we write for a forward firing when \(\mathsf{t}\in T_O\), and for the reverse (or backward) firing when \( \mathsf{t}\not \in T_O\). We also let be . We will often refer to a firing . Given a firing \(\mathsf{t}\) we indicate with its inverse that is

figure b

Hence, we have . We shall work with sequences of transitions and reverse transitions, ranged over by \(s, s_1\) and \(s_2\). We say that a sequence is a forward (resp. backward) sequence when all its firings are forward (resp. backward).

Next, we extend the notions of causality, conflict and concurrency to transitions and reverse transitions in reverse versions of occurrence nets. We extend \(\prec \) in Definition 6 to cover reverse transitions in an obvious way using Definition 12. As a result, we obtain and . As for the conflict relation, we define an immediate conflict between different and as . This is \(\mathsf{t_1}^\bullet \cap \mathsf{t_2}^\bullet \ne \emptyset \), meaning \(\mathsf{t}_1\) and \(\mathsf{t}_2\) are in backward conflict, which is ruled out in occurrence nets. Hence, the immediate conflict relation is empty between reverse transitions, and so is the conflict relation. The immediate conflict relation between \(\mathsf{t}\) and is defined as . This is equivalent to \({}^\bullet {\mathsf{t}} \cap \mathsf{t'}^\bullet \ne \emptyset \), which means \(\mathsf{t'} \preceq \mathsf{t}\). Consequently, the conflict relation on transitions in \(\overleftarrow{O}\) is given by the conflict relation on the forward transitions, and can be defined using the causality relation for pairs of a transition and reverse transition. This allows us to define concurrent transitions in \(\overleftarrow{O}\). We say \(t\ co\ t'\) if (a) \(t\ co\ t'\) for \(t,t'\in T_O\), (b) \(t\not \preceq t'\) and \(t'\not \preceq t\) if \(t,t'\) are reverse transitions, and (c) \(t\not \preceq t', t'\not \preceq t\) and if t is a transition and \(t'\) is a reverse transition.

Next, we show that \(\overleftarrow{O}\) is a conservative extension of O.

Lemma 13

.

In general, a reversible occurrence net is not an occurrence net. This is because adding reverse transitions may introduce backward conflict for these transitions. Consider \(N_1\) in Fig. 2. We notice that initially \(\mathsf{t}_1\) and \(\mathsf{t}_2\) are in conflict. Then, in in Fig. 5, the place \(\mathsf{c}\) with a token has two reverse transitions in its preset, namely and , hence there is a backward conflict.

4 Properties

We now study the properties of the reversible versions of occurrence nets.

An important property of a fully reversible system is the Loop Lemma stating that any reduction can be undone. Formally:

Lemma 14

(Loop Lemma). iff .

We can generalise the result of the Loop Lemma to sequences as follows:

Corollary 15

.

Next, we have a lemma which is instrumental for the proof of causal-consistent reversibility in reversible calculi [6, 14]. Note that t and \(t'\) can be either forward or reverse transitions.

Lemma 16

(Square Lemma). Let t and \(t'\) be coinitial concurrent transitions. Then, there exist transitions \(t_1\) and \(t_1'\) such that \(t;t_1'\) and \(t';t_1\) are cofinal.

In order to prove causal consistency we first define a notion of equivalence on sequences of transitions and reverse transitions in reversible occurrence nets. By following Lévy’s approach [18], we define the notion of reverse equivalence on such sequences as the least equivalence relation \(\asymp \) which is closed under composition with ;  such that the following hold (recall that \(t,t'\) are transitions or reverse transitions):

Reversible equivalence \(\asymp \) allows us to swap the order of t and \(t'\) in an execution sequence as long as \(t,t'\) are concurrent. Moreover, it allows cancellation of a transition and its inverse. We have that \(\equiv \subset \asymp \). The equivalence classes of \(\asymp \) are called traces; it is clear that they contain the Mazurkiewicz traces. Hence, we shall use \(\omega , \omega _1\) and \(\omega _2\) to range over such traces.

The following lemma says that, up to reverse equivalence, one can always reach for the maximum freedom of choice, going backward, and only then going forwards.

Lemma 17

(Parabolic Lemma). Let \(\omega \) be a trace. There exist two forward traces \(\omega _1\) and \(\omega _2\) such that .

Proof

By lexicographic induction on the length of \(\omega \) and on the distance between the beginning of \(\omega \) and the earliest pair of opposing firings in \(\omega \). The analysis uses both the Loop Lemma (Lemma 14) and the Square Lemma (Lemma 16).

The following lemma says that, if two traces \(\omega _1\) and \(\omega _2\) are coinitial and cofinal (e.g. they start from the same marking and end in the same marking) and \(\omega _2\) is a forward-only trace, then \(\omega _1\) has some forward firings and their reverse ones that cancel each other. This implies that \(\omega _1\) is causally equivalent to a forward trace in which all those pairs of firings are cancelled out.

Lemma 18

(Shortening Lemma). Let \(\omega _1\asymp \omega _2\) with \(\omega _2\) forward. Then, \(|\omega _2| \le |\omega _1|\).

Proof

The proof is by induction on the length of \(\omega _1\), using Lemma 16 and Lemma 17. In the proof, the forward trace \(\omega _2\) is the main guideline for shortening \(\omega _1\) into a forward trace. Indeed, the proof relies crucially on the fact that \(\omega _1\) and \(\omega _2\) share the same source and target and that \(\omega _2\) is a forward trace.

Theorem 19

(Causal Consistency). Two traces \(\omega _1\) and \(\omega _2\) are reversible equivalent iff they are coinitial and cofinal, namely

Proof

The “if” direction follows by definition of reverse equivalence and trace composition. The “only if” direction exploits the properties of the Square, Parabolic and Shortening Lemmas.

With Theorem 19 we proved that the notion of causal consistency characterises a space for admissible rollbacks which are: (1) consistent (in the sense that they do not lead to previously unreachable configurations) and (2) flexible enough to allow rearranging of undo actions. This implies that starting from an initial marking, all the markings reached by mixed computations are markings that could be reached by performing only forward computations. Hence, we have:

Theorem 20

Let O be an occurrence net and \(m_0\) an initial marking. Then,
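The consequence of Theorem 19 stated above (mixed forward and backward computations reach only markings that forward computations already reach) can be checked by exhaustive search on small nets. The following is an added example, not code from the paper: the two nets, the `~t` naming of reverse transitions and the helper names are constructed here, and the search assumes a bounded net.

```python
from collections import Counter, deque

# A net maps a transition name to (preset, postset), each a tuple of places.
# Constructed occurrence net: t1 and t2 are concurrent, t3 and t4 conflict on c.
OCC = {
    "t1": (("a",), ("c",)),
    "t2": (("b",), ("d",)),
    "t3": (("c", "d"), ("e",)),
    "t4": (("c",), ("f",)),
}
# Constructed net with a backward conflict: both transitions produce into c.
CONFLICT = {"t1": (("a",), ("c",)), "t2": (("b",), ("c",))}


def reversible(net):
    """Add, for every transition t, a reverse transition ~t with pre- and postset swapped."""
    reverse = {"~" + t: (post, pre) for t, (pre, post) in net.items()}
    return {**net, **reverse}


def fire(marking, pre, post):
    """Return the marking after firing pre [> post, or None if it is not enabled."""
    rest = Counter(marking) - Counter(pre)  # multiset difference, floors at zero
    if sum(rest.values()) != len(marking) - len(pre):
        return None  # some token of the preset is missing
    return tuple(sorted((rest + Counter(post)).elements()))


def reach(net, m0):
    """Markings reachable from m0, by breadth-first search (terminates on bounded nets)."""
    start = tuple(sorted(m0))
    seen, todo = {start}, deque([start])
    while todo:
        m = todo.popleft()
        for pre, post in net.values():
            nxt = fire(m, pre, post)
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen


def extra_markings(net, m0):
    """Markings that become reachable only once reverse transitions are added."""
    return reach(reversible(net), m0) - reach(net, m0)


if __name__ == "__main__":
    # Occurrence net started from its initial places: reversing adds nothing.
    print(extra_markings(OCC, ("a", "b")))
    # Backward conflict: undoing t1 may be confused with undoing t2,
    # which puts a token in b although t2 never fired.
    print(extra_markings(CONFLICT, ("a",)))
```
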

5 Reversing P/T Nets

This section takes advantage of the classical unfolding construction for p/t nets and the reversible semantics of occurrence nets to add causally-consistent reversibility to p/t nets.

Definition 21

Let (N, m) be a marked p/t net and \(\mathcal {U}[N,m ]\) its unfolding. The reversible version of (N, m), written , is .

Example 22

The reversible versions of the nets in Fig. 2 are shown in Fig. 5. We remark that they are the reversible versions of the nets in Fig. 4, which are the unfoldings of the original nets.

Fig. 5. Reversible p/t and Petri nets

The following result states that a reversible net is a conservative extension of its original version, i.e., reversibility does not change the set of reachable markings. The result is a direct consequence of Lemma 13 and the fact that unfoldings preserve reductions up-to the folding morphism \(\mathcal {U}\).

Lemma 23

iff and \(m' = f_s(m'')\), where \((f_s,f_t): \mathcal {U}[N,m]\rightarrow N\), defined such that \(f_S(\mathsf{a}, \_, \_) = \mathsf{a}\) and \(f_T(\mathsf{t}, \_) = \mathsf{t}\), is the folding morphism.

We remark that the reversible version of a p/t net is defined as the reversible version of an occurrence net (i.e., its unfolding). Consequently, all properties shown in the previous section apply to the reversible semantics of p/t nets. In particular, Lemma 23 combined with Theorem 20 ensures that all markings reachable by the reversible semantics are just the reachable markings of the original p/t net.

6 Finite Representation of Reversible P/T Nets

As shown in Fig. 5(c), the reversible version of a finite net may be infinite. In this section we show how to represent reversible nets in a compact, finite way by using coloured Petri nets. We assume infinite sets \(\mathcal {X}\) of variables and \(\mathcal {C}\) of colours, defined such that \(\mathcal {X}\subset \mathcal {C}\). For \(c\in \mathcal {C}\), we write \({ vars}(c)\) for the set of variables in c. With abuse of notation we write \({ vars}(m)\) for the set of variables in a multiset \(m\in \mathbb {N}^{\mathcal {P}\times \mathcal {C}}\). Let \(\sigma :\mathcal {X}\rightarrow \mathcal {C}\) be a partial function and c a colour (also, \(m\in \mathbb {N}^{\mathcal {P}\times \mathcal {C}}\)), we write \(c\sigma \) (resp., \(m\sigma \)) for the simultaneous substitution of each variable x in c (resp., m) by \(\sigma (x)\).

Definition 24

A coloured place/transition net (c-p/t net) is a 4-tuple \(N = (S_N, T_N, {}^\bullet {\_}_N, \_^\bullet _N)\) where \(S_N\subseteq \mathcal {P}\) is the (nonempty) set of places, \(T_N \subseteq \mathcal {T}\) is the set of transitions and the functions \({}^\bullet {\_}_N, \_^\bullet _N: T_N\rightarrow \mathbb {N}^{S_N\times \mathcal {C}}\) assign source and target to each transition defined such that \({ vars}(\mathsf{t}^\bullet ) \subseteq { vars}({}^\bullet {\mathsf{t}})\). A marking of a c-p/t net N is a multiset over \(S_N\times \mathcal {C}\) that does not contain variables, i.e., \(m \in \mathbb {N}^{S\times \mathcal {C}}\) and \({ vars}(m) = \emptyset \). A marked c-p/t net is a pair (N, m) where N is a p/t net and m is a marking of N.

c-p/t nets generalise p/t nets by extending markings to multisets of coloured tokens, and transitions to patterns that need to be instantiated with appropriate colours for firing, as formally stated by the firing rule below.

The firing of a transition \(t = m\; {[}{\rangle }\; m' \) requires instantiating m and \(m'\) by substituting colours for variables, i.e., the firing of t consumes the instance \(m\sigma \) of the preset m and produces the instance \(m'\sigma \) of the postset \(m'\).

We now introduce an encoding that associates each p/t net N with an equivalent c-p/t net \(\llbracket N\rrbracket \), whose tokens carry their execution history. We rely on the set of colours \(\mathcal {C}\) defined as the least set that contains \(\mathcal {X}\) and it is closed under the following rules.

Colours resemble the unfolding construction (Fig. 3): the colours for tokens are (h, n), where h denotes its (possibly empty) set of causes and n is a natural number used for distinguishing tokens with identical causal history. Causal histories are built from coloured versions of transitions (\(\mathsf{t}(h)\)) and places (\(\mathsf{a}(h)\)).

Definition 25

(P/T as C-P/T). Let \(N = (S_N, T_N, {}^\bullet {\_}_N, \_^\bullet _N)\) be a p/t net. Then, \(\llbracket N\rrbracket \) is the c-p/t net defined such that \(\llbracket N\rrbracket = (S_N, T_N, {}^\bullet {\_}_{\llbracket N\rrbracket }, \_^\bullet _{\llbracket N\rrbracket })\) and

  • \({}^\bullet {\mathsf{t}}_{\llbracket N\rrbracket } = \mathsf{a_1}(x_1)\oplus \ldots \oplus \mathsf{a_n}(x_n)\) where \({}^\bullet {\mathsf{t}}_{N} = \mathsf{a_1}\ldots \mathsf{a_n}\) and \(\forall 1\le i \le n.x_i\in \mathcal {X}\).

  • \(\mathsf{t}^\bullet _{\llbracket N\rrbracket } = \{\mathsf{a} (\{\mathsf{t}(h)\}, i) \mid \mathsf{a} \in supp {(\mathsf{t}^\bullet _{ N})} \ \wedge \ 1 \le i \le \mathsf{t}^\bullet _N(\mathsf{a}) \ \wedge \ h = {}^\bullet {\mathsf{t}}_{\llbracket N\rrbracket }\}\).

A marked net (N, m) is encoded as \(\llbracket (N,m)\rrbracket = (\llbracket N\rrbracket , \llbracket m\rrbracket )\) where \(\llbracket m\rrbracket = \{\mathsf{a} (\emptyset , i) \mid \mathsf{a} \in supp {(m)} \ \wedge \ 1 \le i \le m(\mathsf{a}) \}\).

The encoding does not alter the structure of a net; it only adds colours to its tokens. In fact, an encoded net has the same places and transitions as the original net, and pre- and postsets of each transition have the same support. Added colours do not interfere with firing because the preset of each transition uses different colour variables for different tokens. The colour \(\{\mathsf{t}(h)\}\) assigned to each token produced by the firing of \(\mathsf{t}\) describes the causal history of the token, i.e., it indicates that the token has been produced by \(\mathsf{t}\) after consuming the tokens in the preset of \(\mathsf{t}\), which is denoted by h. The natural number i is used for distinguishing multiple tokens produced by the same firing. Tokens in the initial marking are coloured as \((\emptyset , i)\), i.e., they have empty causal history.

Example 26

The encodings of the nets in Fig. 2 are shown in Fig. 6. We comment on the encoding of \(N_1\). The transition \(\mathsf{t_1} = \mathsf{a} {[}{\rangle }\mathsf{c}\) in \(N_1\) is encoded as \(\mathsf{a}(x) {[}{\rangle }\mathsf{c}(\mathsf{t_1}(\mathsf{a}(x)),1)\), i.e., the firing of \(\mathsf{t_1}\) that consumes a token with colour h from place \(\mathsf{a}\) generates a token in \(\mathsf{c}\) with colour \((\mathsf{t_1}(\mathsf{a}(h)),1)\). The transition \(\mathsf{t_2} = \mathsf{b} \oplus \mathsf{c} {[}{\rangle }\mathsf{e}\) has two places in the preset and uses two variables x and y in its encoded form \(\mathsf{b}(x) \oplus \mathsf{c}(y) {[}{\rangle }\mathsf{e}(\mathsf{t_2}(\mathsf{b}(x)\oplus \mathsf{c}(y)),1)\). Note that the colour of the token produced in \(\mathsf{e}\) carries the information of the tokens consumed from both places \(\mathsf{b}\) and \(\mathsf{c}\). The encoding for \(\mathsf{t_3}\) is defined analogously.

We illustrate a sequence of firings of \(\llbracket (N_1, \mathsf{a} \oplus \mathsf{b} \oplus \mathsf{c} \oplus \mathsf{d}) \rrbracket \).

The firing of \(\mathsf{t}_1\) consumes the token \((\emptyset ,1)\) from \(\mathsf{a}\) and produces the token \((\mathsf{t_1}(\mathsf{a}(\emptyset ,1)),1)\) in place \(\mathsf{c}\). The causal history \(\mathsf{t_1}(\mathsf{a}(\emptyset ,1))\) of the token indicates that the token has been produced by the firing of \(\mathsf{t}_1\) that consumed the token \((\emptyset ,1)\) from \(\mathsf{a}\). The second reduction takes place because of the firing of \(\mathsf{t}_2\). By inspecting the causal history of the token produced in the place \(\mathsf{e}\) we can conclude that \(\mathsf{t}_2\) has consumed the token previously generated by \(\mathsf{t}_1\).

The following result shows that there is a tight correspondence between the semantics of the coloured version of a p/t net and its unfolding.

Lemma 27

Let \((N, m)\) be a marked p/t net and \(\mathcal {U}[N,m]= (O,m')\) its unfolding. Then, iff .

Proof

The if part follows by induction on the length of the reduction. The base case follows by taking \(m'' = m'\) and noting that \(\llbracket N,m\rrbracket = (\llbracket N\rrbracket , m')\). The inductive step \(s = s';\mathsf{t}\) follows by applying the inductive hypothesis on \(s'\) to conclude that iff . If) implies \(m''' = {}^\bullet {\mathsf{t}}_{\llbracket N\rrbracket } \oplus m''''\) and \(m'' = \mathsf{t}^\bullet _{\llbracket N\rrbracket } \oplus m''''\). Since , \(CO({}^\bullet {\mathsf{t}})\). Then, by the unfolding construction we conclude . The only if part follows analogously.

The reversible version of \(\llbracket N\rrbracket \) is defined as for occurrence nets, by adding transitions that are the swapped versions of the ones in N.

Definition 28

(Reversible P/T net). Let N be a p/t net. The reversible version of N is . The reversible version of a marked p/t net \((N, m)\) is the marked c-p/t net .

Fig. 6. p/t nets as c-p/t nets

Fig. 7. Reversible coloured net .

Example 29

The net , the reversible version of \(\llbracket N_2\rrbracket \) from Fig. 6, is shown in Fig. 7. We now illustrate the execution of .

In the example above, the firing of \(\mathsf{t_2}\) can choose to consume either the token \(\mathsf{b}(\emptyset ,1)\) or the token \(\mathsf{b}(\mathsf{t_1}(\mathsf{a}(\emptyset ,1)),1)\). Since the first one is chosen, it is still possible to undo \(\mathsf{t_1}\) after \(\mathsf{t_2}\). If \(\mathsf{t_2}\) chose the second token, then in order to undo \(\mathsf{t_1}\) we would first undo \(\mathsf{t_2}\), since firing is not enabled by the token \(\mathsf{a}(\emptyset ,1)\).
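The coloured encoding of Definition 25 and the token-choice effect just described can be run directly. The sketch below is an added example, not code from the paper: it uses only the transitions \(\mathsf{t_1}\) and \(\mathsf{t_2}\) of \(N_1\) as written in Example 26 (\(\mathsf{t_3}\) is omitted) with initial marking \(\mathsf{a} \oplus \mathsf{b} \oplus \mathsf{c} \oplus \mathsf{d}\), and the tuple representation of tokens and histories, like all function names, is an assumption of the sketch.

```python
from itertools import product

# t1 = a [> c and t2 = b + c [> e as in Example 26 (t3 omitted).
# name -> (preset places, postset place -> multiplicity)
NET = {"t1": (("a",), {"c": 1}), "t2": (("b", "c"), {"e": 1})}
EMPTY = ()  # the empty causal history of initial tokens

def encode_marking(m):
    """[[m]]: token i of place a becomes a(EMPTY, i); a token is (place, history, i)."""
    return {(a, EMPTY, i) for a, k in m.items() for i in range(1, k + 1)}

def bindings(net, marking, t):
    """Every h (sorted tuple of distinct tokens) that can instantiate the preset of t."""
    pools = [[tok for tok in marking if tok[0] == a] for a in net[t][0]]
    return sorted({tuple(sorted(h)) for h in product(*pools) if len(set(h)) == len(h)})

def produced(net, t, h):
    """Coloured postset of t: a((t, h), i) for each output place a and 1 <= i <= weight."""
    return {(a, (t, h), i) for a, k in net[t][1].items() for i in range(1, k + 1)}

def fire(net, marking, t, h):
    if h not in bindings(net, marking, t):
        raise ValueError(f"{t} is not enabled by {h}")
    return (marking - set(h)) | produced(net, t, h)

def undo(net, marking, t, h):
    """Swapped transition: consume the tokens coloured t(h), give back h."""
    out = produced(net, t, h)
    if not out <= marking:
        raise ValueError(f"{t}({h}) has consequences that must be undone first")
    return (marking - out) | set(h)

def run(t2_takes_produced_c):
    """Fire t1 then t2 from a+b+c+d; report whether t1 can be undone directly."""
    m0 = encode_marking({"a": 1, "b": 1, "c": 1, "d": 1})
    (h1,) = bindings(NET, m0, "t1")
    m1 = fire(NET, m0, "t1", h1)
    h2 = next(h for h in bindings(NET, m1, "t2")
              if any(tok[1] != EMPTY for tok in h) == t2_takes_produced_c)
    m2 = fire(NET, m1, "t2", h2)
    try:
        undo(NET, m2, "t1", h1)
        direct = True
    except ValueError:
        direct = False
    rolled_back = undo(NET, undo(NET, m2, "t2", h2), "t1", h1)
    return direct, rolled_back == m0
```

After \(\mathsf{t_1}\), place \(\mathsf{c}\) holds both the initial token and the one produced by \(\mathsf{t_1}\); `run(False)` lets \(\mathsf{t_2}\) take the initial one, so \(\mathsf{t_1}\) stays directly reversible, while `run(True)` makes \(\mathsf{t_2}\) a consequence of \(\mathsf{t_1}\) that has to be undone first.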

The following result states that the reductions of the reversible c-p/t of a net are in one-to-one correspondence with the reductions of its reversible unfolding.

Theorem 30

(Correctness). Let \((N, m)\) be a marked p/t net and \(\mathcal {U}[N,m]= (O,m')\) its unfolding. Then, iff .

7 Conclusions

We have presented a causally reversible semantics for Place/Transition Petri Nets (P/T nets) based on two observations. First, occurrence nets can be straightforwardly reversed by adding for each transition its reverse. Second, the standard unfolding construction associates a P/T net with an occurrence net that preserves all of its computations. Consequently, the reversible semantics of a P/T net can be obtained as the reversible semantics of its unfolding. We have shown that reversibility in reversible occurrence nets is causal-consistent, that is, it preserves causality. The unfolding of an occurrence net can be infinite (e.g., if the original P/T net is not acyclic). Therefore we have shown that the reversible behaviour of reversible occurrence nets can be expressed as a finite net whose tokens are coloured by causal histories. Colours in our encoding resemble the causal memories that are typical in reversible process calculi [6, 14].

Occurrence nets have a direct mapping into prime event structures. We shall investigate in the future the relation between reversible event structures [5, 9, 24, 28] and our reversible occurrence nets. There is an alternative method for proving causally-consistent reversibility in a reversible model of computation. It is based on showing other properties than those in Sect. 4, mainly the well-foundedness (lack of infinite reverse sequences) and Reverse Diamond properties [22, 23]. It would be worthwhile to prove the alternative properties for our reversible nets, and compare the two approaches.