Modeling and Simulating Interaction Protocols Using Nested Petri Nets

Abstract

This paper is concerned with the problem of analyzing interaction protocols in a coordination platform called JamSession. We use nested Petri nets to provide a formal model for simulating the protocols and predicting conflicts on the system behavior.

This work was supported by the São Paulo Research Foundation (FAPESP) under the grant 2010/52505-0.

Proofs

In this section we prove that, given a JamSession formula \(F\) and an initial configuration of the graph, the NPN obtained from Definition 2 has a firing sequence that simulates the reduction sequence of \(F\) (Proposition 1). Furthermore, we show that the soundness property defined for a JamSession interaction is decidable (Proposition 2). In the later we say that a marking \(M_f\) of a NPN associated to a JamSession formula is final if there is a single token \(c\) at the sink place and all other places, but \(SGL\), are empty. This is denoted as \(M_f^c\). We will assume that a marking may contain empty places not belonging to the net.

Lemma 1

Let \(J\) be a JamSession specification, \(F\) be a JamSession formula, \(st\) an initial configuration of the graph of locations and \(N\) be the NPN associated to \(J\) and \(F\). If \(F\xrightarrow { st,st_f}c\) with \(c\in Bool\) then there is \(M_f\) s.t. \(I_0[*\rangle M_f^c\) and \(M_f^c(SGL)=st_f\).

Proof

The property trivially holds if \(F\in \{\top ,\bot \}\): the only transition in net (\(t_F\)) is enabled in \(I_0\) and, after it fires, the final marking \(M_f^F\) is obtained. Hence, we have \(I_0[t_F\rangle M_f^c\) with \(F=c\) and \(I_0(SGL)=M_f^c(SGL)=st=st_f\). If \(F= move(a,l_1,l_2)\) then \(F\xrightarrow {st,st_f} c\) either by rule 6 or 7. In both cases we have \(st(a)=l_1\) and, by definition of \(N\), \(I_0\) has a token \((a,l_1)\) at \(SGL\). Since \(I_0(In)=\top \), the transition \(t_m\) is enabled and an autonomous step occurs. After that, the \({ In}\) place is empty, the \(Out\) place has a token which coincides with \(c\) and \(SGL\) is updated according to the rule applied. Hence, \(I_0[t_m\rangle M_f^c\) and \(M_f^c(SGL)=st_f\) holds. When \(F= [a,l]\ pd(\ldots )\) then \(F\xrightarrow {st,st_f} c\) by rule 8 and hence \(st(a)=l\). Therefore, \((a,l)\in I_0(SGL)\), the transition \(t_p\) is enabled and an autonomous step occurs. After that, the \({ In}\) place is empty, \(SGL\) remains unchanged and the \(Out\) place has a token \(c\) using the binding \(x=c\). Thus, we have \(I_0[t_p\rangle M_f^c\) and \(I_0(SGL)=M_f^c(SGL)=st=st_f\).

For the remaining cases, we use induction on the length of the sequence \(F\xrightarrow { st,st_f}c\). If \(F = F_1 \wedge F_2\), then by rules 3–5, we have that \(F_1\xrightarrow { st,st^1_f}c_1\) with \(c_1\in \{\top ,\bot \}\). Note that \(I_0\) can be considered as an initial marking for the net obtained from \(F_1\), say \(N_1\). By induction, there is a final marking \(M_{f,1}\) s.t. \(I_0[*\rangle M_{f,1}^{c_1}\) and \(M_f^c(SGL)=st^1_f\). This marking for \(N_1\) also enables the transition \(t_\wedge \) which, after firing, removes \(c_1\) from \(Out_1\). If \(c_1=\bot \) then \(F\xrightarrow { st,st^1_f}c_1\) using rule 3 and \(t_\wedge \) adds \(c_1=c\) to \(Out_2\) which is also the sink place of \(N\). Hence, we have \(I_0[*\rangle M_{f,1}^{c_1} [t_\wedge \rangle M_f^{c}\) and \(M_f^c(SGL)=st_f^1=st_f\). On the contrary, if \(c_1=\top \) then \(F\rightarrow ^* \top \wedge F_2\xrightarrow {st_f^1,\theta ,st_f^1,\theta } F_2\theta \) by rule 4. Besides, \(c_1\) is added at \(In_2\) by \(t_\wedge \), leading to a marking \(M'\). The net \(N_2\) for \(F_2\) coincides with net for \(F_2\theta \) (say \(N'_2\)) and \(M'\) is an initial marking for \(N'_2\). Using induction, we have that if \(F_2\theta \rightarrow ^!c\) then there \(M'[*\rangle M_f^c\) and \(M_f^c(SGL)=st_f\). Since \(M_f^c\) is also a final marking for \(N\), we obtain \(I_0[*\rangle M_{f,1}^{c_1} [t_\wedge \rangle M'[*\rangle M_f^c\). The proof is analogous in case \(F = F_1 \vee F_2\).

When \(F= [l]\ pt(\ldots )\) we have \(F\xrightarrow {st,\theta ,st,\theta } F_1\) by rule 9. Let \(N_1\) be the net associated to \(F_1\). By the induction hypothesis, if \(F_1\xrightarrow { st,st_f}c\) then there is \(M_{f,1}\) s.t. \(I_1=M_{11}[\rangle M_{21} [*\rangle M_{k1}= M_{f,1}^{c}\) and \(M_{f,1}^c(SGL)=st_f\). Note that, in \(N\), the transition \(t_c\) is enabled and we have the autonomous step \(I_0[t_c\rangle M_1\) where \(M_1(In)=M_1(Out)=\emptyset \) and \(M_1(p_c)=(EN_{pt}, I_{pt})\). By Definition 2, the element net \(EN_{pt}\) has the same structure as \(N_1\), except for \(SGL\) and the two sink transitions at the end. Hence, the marking \(I_{pt}\cup I_0(SGL)\) coincides with \(I_1\). Furthermore, for every marking \(M_{i1}\) in the sequence \(I_1[*\rangle M_{f,1}^{c}\) we obtain a marking \(M_i\) in \(N\) by defining \(M_i(In)=M_i(Out)=\emptyset \), \(M_i(SGL)=M_{i1}(SGL)\) and \(M_i(p_c)=(EN_{pt}, M_{i1}-M_{i1}(SGL))\) with \(1\le i\le k\). Thus, we obtain a sequence \(M_1[\rangle M_2 [*\rangle M_k\) of autonomous steps in \(N\). The marking \(M_k\) enables the transition \(tr_c\) in the net token at \(pc\). At the same time, the transition \(t_c\) in \(N\) gets enabled. Therefore, by a vertical step, the net token is removed from \(pc\) and a token \(c\) is added at \(Out\) reaching desired final marking. All in all, we obtain the sequence \(I_0[\rangle M_1[*\rangle M_k[\rangle M_f^c\) s.t. \(M_f^c(SGL)=st_f\).\(\square \)

Lemma 2

Let \(J\) be a JamSession specification, \(F\) be a JamSession formula, \(st\) an initial configuration of the graph of locations and \(N\) be the NPN associated to \(J\) and \(F\). If \(F\xrightarrow { st,st'}F'\) with \(F'\notin Bool\) then there is a dead marking \(M\) s.t. \(I_0[*\rangle M\), \(M(SGL)=st'\) and \(M(Out)=\emptyset \).

Proof

If \(F=F'\) then either \(F= move(a,l_1,l_2)\) or \(F= [a,l]\ pd(\ldots )\) none of the rules can be applied. This is due to the fact that \(st(a)\ne l_1\) and hence in the initial marking \(I_0\), there is no token \((a,l_1)\) at \(SGL\). Therefore, the only transition in net is not enabled, the initial marking is dead and we obtained \(I_0[*\rangle I_0=M\), \(M(Out)=\emptyset \) and \(M(SGL)=st=st'\).

We proceed using induction on the length of the sequence \(F\xrightarrow { st,st'}F'\) and the size of the formula. If \(F = F_1 \diamond F_2\) with \(\diamond \in \{\vee ,\wedge \}\) then we have the next two cases. Let \(N_1\) and \(N_2\) be the nets obtained from \(F_1\) and \(F_2\) respectively. If \(F_1\xrightarrow { st,st_1}F'_1\) with \(F'_1\notin Bool\) then \(F'=F'_1\diamond F_2\) and \(st_1=st'\). Using induction we have that, for \(N_1\) there is a dead marking \(M'_1\) s.t. \(I_0[*\rangle M'_1\) and \(M'_1(SGL)=st_1\). Since \(Out_1\) (the sink place of \(N_1\)) is empty, the transition \(t_\diamond \) is not enabled and the marking is also dead for \(N\). Otherwise, \(F_1\xrightarrow { st,st_1}c\) and \(F\rightarrow ^* c \diamond F_2\xrightarrow {st_1,\theta ,st_1,\theta } F_2\theta \xrightarrow { st_1,st'}F'\). Then, by Lemma 1, \(I_0[*\rangle M_{f,1}^{c}\) for \(N_1\). The same firing sequence can be considered for \(N\) leading to the firing of the transition \(t_\diamond \). The marking obtained is an initial marking for \(N_2\) (which coincides with the net for \(F_2\theta \)). Let denote this marking as \(I_1\). Now, using induction, we have that \(I_1[*\rangle M\), \(M\) is dead, \(M(SGL)=st'\) and \(M(Out_2)=\emptyset \). The required result holds since \(I_0[*\rangle M_{f,1}^{\top } [t_\diamond \rangle I_1[*\rangle M\) and \(M\) is also a dead for \(N\).

Finally, if \(F= [l]\ pt(\ldots )\) we have \(F\xrightarrow {st,\theta ,st,\theta } F_1\) by rule 9. By the induction hypothesis, the net \(N_1\) corresponding to \(F_1\) has a firing sequence s.t. \(I_1[*\rangle M_1\), \(M_1\) is a dead marking, \(I_1(SGL)=st\), \(M_1(SGL)=st'\) and the sink place of \(N_1\) is empty. For the net \(N\) we have \(I_0[t_c\rangle M'\) where \(M'(In)=M'(Out)=\emptyset \) and \(M'(p_c)=(EN_{pt}, I_{pt})\). Since \(EN_{pt}\) has the same set of places as \(N_1\) except for \(SGL\), the sequence \(I_1[*\rangle M_1\) can be considered as the inner sequence of the net token at \(p_c\). Hence, we obtain a sequence \(I_0[*\rangle M'[*\rangle M\) of autonomous steps in \(N\) s.t. \(M(SGL)=st'\). However, since \(M_1\) is dead and the \(Out\) place of the net token is empty, the transitions for vertical synchronization will never fire. Therefore \(M\) is also dead in \(N\).\(\square \)

Proposition 1

Let \(J\) be a JamSession specification, \(F\in \varSigma \) be a JamSession formula, \(st\) an initial configuration of the graph of locations and \(N\) be the NPN associated to \(J\) and \(F\). Then, there is a firing sequence of \(N\) simulating the reduction sequence of \(F\).

Proof

When the reduction sequence of \(F\) is finite, the result follows from Lemmas 1 and 2. It remains to show that, if there is an infinite sequence of reductions starting from \(F\) and \(st\) then there is also an infinite firing sequence with \(N\). Note that, all rules of Table 1 reduce the size of the formula w.r.t the number of operations and entities, but the last one. Hence, if there is an infinite reduction sequence from \(F\), there is also an infinite reduction sequence from a protocol call which is a subterm of \(F\). Therefore, we may assume that \(F=F_1 \diamond [l]pt(...)\diamond F_2\rightarrow ^*[l]pt(...)\diamond F_2\) and \([l]pt(...)\) leads to an infinite reduction sequence. Since \(F_1\rightarrow ^!c\), we use Lemma 1 to obtain a firing sequence of \(N\) till the creation of the net token corresponding to \([l]pt(...)\). Using induction on the marking structure we obtain an infinite firing sequence corresponding to the reduction sequence of \([l]pt(...)\). From that firing sequence, we construct an infinite sequence of autonomous steps for \(N\) which completes the proof.\(\square \)

Proposition 2

Soundness is decidable for JamSession interactions.

Proof

The coverability tree for a NPN with autonomous elements is constructed in [9] as follows. The nodes of the tree are labeled with markings of \(N\). The root of the tree is labeled as \(I_0\) and any internal node labeled by \(M\) has a child node labeled \(M'\) for each \(M'\) s.t. \(M[\rangle M'\). The leaves of the tree are classified as final (dead markings), covering (markings leading to infinite cycles) and iterative (markings leading to infinite recursion). A node labeled as \(M'\) is called covering if it has an ancestor labeled as \(M\) s.t. \(M\preceq M'\), where \(\preceq \) is a quasi-ordering based on the tree structure of the markings. A node labeled as \(M'\) is called iterative if it has an ancestor labeled as \(M\) s.t. both markings are obtained from the firing of a transition \(t\) that generates the same net token, and the last token is nested in the first one. The net is terminating if all leaves are final.

The extension introduced in Definition 1 does not affect the tree structure of the markings. This is due to the fact that the shared places belong to \(SN\) and no net token is created for this net component. Therefore, for these nets, the quasi-ordering \(\preceq \) and the covering nodes can be defined as in [9]. Nevertheless, a further condition is required in order to ensure that an iterative node leads to an infinite recursive sequence. Since the transition \(t\) may have shared places as input, we should also demand that \(M'\) covers the marking of the shared places in \(M\), i.e. \(M(P_s)\preceq M'(P_s)\). This relation can be effectively computed for places of basic type (or even for multi-level nets). Therefore, the coverability tree is finite. In order to decide the soundness of Definition 3 it is enough to check that all leaves of the tree are labeled by markings with a single token at \(o\) and the remaining places empty, except \({ SGL}\). These markings are dead because \(o\) is a sink and there is no transition in \(N\) having \({ SGL}\) as the only input place.\(\square \)