Automata for True Concurrency Properties

Abstract

We present an automata-theoretic framework for the model checking of true concurrency properties. These are specified in a fixpoint logic, corresponding to history-preserving bisimilarity, capable of describing events in computations and their dependencies. The models of the logic are event structures or any formalism which can be given a causal semantics, like Petri nets. Given a formula and an event structure satisfying suitable regularity conditions we show how to construct a parity tree automaton whose language is non-empty if and only if the event structure satisfies the formula. The automaton, due to the nature of event structure models, is usually infinite. We discuss how it can be quotiented to an equivalent finite automaton, where emptiness can be checked effectively. In order to show the applicability of the approach, we discuss how it instantiates to finite safe Petri nets. As a proof of concept we provide a model checking tool implementing the technique.

1 Introduction

Behavioural logics with the corresponding verification techniques are a cornerstone of automated verification. For concurrent and distributed systems, so called true concurrent models can be an appropriate choice, since they describe not only the possible steps in the evolution of the system but also their causal dependencies. A widely used foundational model in this class is given by Winskel’s event structures [1]. They describe the behaviour of a system in terms of events in computations and two dependency relations: a partial order modelling causality and an additional relation modelling conflict. A survey on the use of such causal models can be found in [2]. Recently they have been used in the study of concurrency in weak memory models [3, 4], for process mining and differencing [5], in the study of atomicity [6] and of information flow [7] properties.

Operational models can be abstracted by considering true concurrent equivalences that range from hereditary history preserving bisimilarity to the coarser pomset and step equivalences (see, e.g., [8]) and behavioural logics expressing causal properties (see, e.g., [9,10,11,12,13,14] for a necessarily partial list and [15,16,17,18,19] for some related verification techniques).

Event-based logics have been recently introduced [20, 21], capable of uniformly characterising the equivalences in the true concurrent spectrum. Their formulae include variables which are bound to events in computations and describe their dependencies. While the relation between operational models, behavioural equivalences and event-based true concurrent logics is well understood, the corresponding model checking problem has received limited attention.

We focus on the logic referred to as \(\mathcal {L}_{hp}\) in [20], corresponding to a classical equivalence in the spectrum, i.e., history preserving (hp-)bisimilarity [22,23,24].

Decidability of model checking is not obvious since event structure models are infinite even for finite state systems and the possibility of expressing properties that depends on the past often leads to undecidability [25]. In a recent paper [26] we proved the decidability of the problem for the alternation free fragment of the logic \(\mathcal {L}_{hp}\) over a class of event structures satisfying a suitable regularity condition [27] referred to as strong regularity. The proof relies on a tableau-based model checking procedure. Despite the infiniteness of the model, a suitable stop condition can be identified, ensuring that a successful finite tableau can be generated if and only if the formula is satisfied by the model.

Besides the limitation to the alternation free fragment of \(\mathcal {L}_{hp}\), a shortcoming of the approach is that a direct implementation of the procedure can be extremely inefficient. Roughly speaking, the problem is that in the search of a successful tableau, branches which are, in some sense, equivalent are explored several times.

In this paper we devise an automata-theoretic technique, in the style of [28], for model checking \(\mathcal {L}_{hp}\) that works for the full logic, without constraints on the alternation depth. Besides providing an alternative approach for model-checking \(\mathcal {L}_{hp}\), amenable of a more efficient implementation, this generalises the decidability result of [26] to the full logic \(\mathcal {L}_{hp}\). Given a formula in \(\mathcal {L}_{hp}\) and a strongly regular event structure, the procedure generates a parity tree automaton. Satisfiability is reduced to emptiness in the sense that the event structure satisfies the formula if and only if the automaton accepts a non-empty language.

The result is not directly usable for practical purposes since the automaton is infinite for any non-trivial event structure. However an equivalence on states can be defined such that the quotiented automaton accepts the same language as the original one. Whenever such equivalence is of finite index the quotiented automaton is finite, so that satisfaction of the formula can be checked effectively on the quotient. We show that for all strongly regular event structures a canonical equivalence always exists that is of finite index.

The procedure is developed abstractly on event structures. A concrete algorithm on some formalism requires the effectiveness of the chosen equivalence on states. We develop a concrete instantiation of the algorithm on finite safe Petri nets. It is implemented in a tool, wishfully called True concurrency workbench (TCWB), written in Haskell. Roughly, the search of an accepting run in the automaton can be seen as an optimisation of the procedure for building a successful tableau in [26] where the graph structure underlying the automaton helps in the reuse of the information discovered. Some tests reveal that the TCWB is way more efficient than the direct implementation of the tableau-based procedure (which could not manage most of the examples in the TCWB repository).

The rest of the paper is structured as follows. In Sect. 2 we review event structures, strong regularity and the logic \(\mathcal {L}_{hp}\) of interest in the paper. In Sect. 3 we introduce (infinite state) parity tree automata and we show how the model checking problem for \(\mathcal {L}_{hp}\) on strongly regular pes can be reduced to the non-emptiness of the language of such automata. In Sect. 4 we discuss the instantiation of the approach to Petri nets. Finally, in Sect. 5 we discuss some related work and outline directions of future research. Due to space limitations, proofs are only sketched.

2 Event Structures and True Concurrent Logic

We introduce prime event structures [1] and the subclass of strongly regular event structures on which our model checking approach will be developed. Then we present the logic for true concurrency of interest in the paper.

2.1 Prime Event Structures and Regularity

Throughout the paper \(\mathbb {E}\) is a fixed countable set of events, \(\varLambda \) a finite set of labels ranged over by \(\mathsf {a}, \mathsf {b}, \mathsf {c}\) ... and \(\lambda : \mathbb {E} \rightarrow \varLambda \) a labelling function.

Definition 1

(prime event structure). A (\(\varLambda \)-labelled) prime event structure (pes) is a tuple \(\mathcal {E} = \langle E, \le , \# \rangle \), where \(E \subseteq \mathbb {E}\) is the set of events and \(\le \), \(\#\) are binary relations on E, called causality and conflict respectively, such that: 1. \(\le \) is a partial order and \(\lceil {e} \rceil = \{ e' \in E \mid e' \le e \}\) is finite for all \(e \in E\); 2. \(\#\) is irreflexive, symmetric and inherited along \(\le \), i.e., for all \(e,e',e'' \in E\), if \(e \# e' \le e''\) then \(e \# e''\).

The pes \(\mathcal {E}_{1} = \langle E_{1},\le _{1}, \#_{1} \rangle \), \(\mathcal {E}_{2} = \langle E_{2},\le _{2}, \#_{2}\rangle \) are isomorphic, written \(\mathcal {E}_{1} \sim \mathcal {E}_{2}\), when there is a bijection \(\iota : E_{1} \rightarrow E_{2}\) such that for all \(e_{1},e'_{1}\in E_{1}\), it holds \(e_{1}\le _{1}e'_{1}\) iff \(\iota (e_{1})\le _{2}\iota (e'_{1})\) and \(e_{1}\ \#_{1}\ e'_{1}\) iff \(\iota (e_{1})\ \#_{2}\ \iota (e'_{1})\) and \(\lambda (e_{1})=\lambda (\iota (e_{1}))\).

In the following, we will assume that the components of a pes \(\mathcal {E}\) are named as in the definition above, possibly with subscripts. The concept of concurrent computation for pess is captured by the notion of configuration.

Definition 2

(configuration). A configuration of a pes \(\mathcal {E}\) is a finite set of events \(C \subseteq E\) consistent (i.e., \(\lnot (e \# e')\) for all \(e, e' \in C\)) and causally closed (i.e., \(\lceil {e} \rceil \subseteq C\) for all \(e \in C\)). We denote by \(\mathcal {C}({\mathcal {E}})\) the set of configurations of \(\mathcal {E}\).

The evolution of a pes can be represented by a transition system over configurations, with the empty configuration as initial state.

Definition 3

(transition system). Let \(\mathcal {E}\) be a pes and let \(C \in \mathcal {C}({\mathcal {E}})\). Given \(e \in E \smallsetminus C\) such that \(C \cup \{e\} \in \mathcal {C}({\mathcal {E}})\), and \(X ,Y \subseteq C\) with \(X \subseteq \lceil {e} \rceil \), \(Y \cap \lceil {e} \rceil = \emptyset \) we write \(C \xrightarrow {\smash {{X},\overline{Y}}\, <\, {\smash {e}}}_{\smash {\lambda (e)}} C \cup \{ e \}\). The set of enabled events at a configuration C is defined as \( en ({C}) = \{ e \in E \mid C \xrightarrow {e} C' \}\). The pes is called k-bounded for some \(k \in \mathbb {N}\) (or simply bounded) if \(| en ({C})|\le k\) for all \(C\in \mathcal {C}({\mathcal {E}})\).

Transitions are labelled by the executed event e. In addition, they report its label \(\lambda (e)\), a subset of causes X and a set of events \(Y \subseteq C\) concurrent with e. When X or Y are empty they are normally often, i.e., e.g., we write \(C \xrightarrow {{X}\, <\, {e}}_{\lambda (e)} C'\) for \(C \xrightarrow {{\emptyset }\, <\, {e}}_{\lambda (e)} C'\) and \(C \xrightarrow {e}_{\lambda (e)} C'\) for \(C \xrightarrow {\smash {{\emptyset },\overline{\emptyset }}\, <\, {\smash {e}}}_{\smash {\lambda (e)}} C'\).

The pes modelling a non-trivial system is normally infinite. We will work on a subclass identified by finitarity requirements on the possible substructures.

Definition 4

(residual). Let \(\mathcal {E}\) be a pes. For a configuration \(C \in \mathcal {C}({\mathcal {E}})\), the residual of \(\mathcal {E}\) after C, is defined as \(\mathcal {E}[{C}] = \{ e \mid e\in E \smallsetminus C\ \wedge \ C\cup \{e\}\ \text{ consistent }\}\).

The residual of \(\mathcal {E}\) can be seen as a pes, endowed with the restriction of causality and conflict of \(\mathcal {E}\). Intuitively, it represents the pes that remains to be executed after the computation expressed by C. Given \(C\in \mathcal {C}({\mathcal {E}})\) and \(X \subseteq C\), we denote by \(\mathcal {E}[{C}] \cup X\) the pes obtained from \(\mathcal {E}[{C}]\) by adding the events in X with the causal dependencies they had in the original pes \(\mathcal {E}\).

Definition 5

(strong regularity). A pes \(\mathcal {E}\) is called strongly regular when it is bounded and for each \(k \in \mathbb {N}\) the set \(\{ \mathcal {E}[{C}] \cup \{ e_1, \ldots , e_k \} \mid C\in \mathcal {C}({\mathcal {E}})\ \wedge \ e_1, \ldots , e_k \in C\}\) is finite up to isomorphism of pess.

Strong regularity [26] is obtained from the notion of regularity in [27], by replacing residuals with residuals extended with a bounded number of events from the past. Intuitively, this is important since we are interested in history dependent properties. We will later show in Sect. 4 that the pess associated with finite safe Petri nets, i.e., the regular trace pess [27], are strongly regular.

Fig. 1.

(a) A pes \(\mathcal {E}_{\mathcal {N}}\) associated with the net \(\mathcal {N}\) in (b) via its unfolding (c).

A simple pes is depicted in Fig. 1a. Graphically, curly lines represent immediate conflicts and the causal partial order proceeds upwards along the straight lines. Events are denoted by their labels, possibly with superscripts. For instance, in \(\mathcal {E}_{\mathcal {N}}\), the events \(\mathsf {a}^0\) and \(\mathsf {b}^0\), labelled by \(\mathsf {a}\) and \(\mathsf {b}\), respectively, are in conflict. Event \(\mathsf {c}^0\) causes the events \(\mathsf {a}^i\) and it is concurrent with \(\mathsf {b}^i\) for all \(i \in \mathbb {N}\). It is an infinite pes associated with the Petri net \(\mathcal {N}\) in Fig. 1b in a way that will be discussed in Sect. 4.1, hence it is strongly regular by Corollary 1. It has five (equivalence classes of) residuals extended with an event from the past \(\mathcal {E}_{\mathcal {N}}[{\{ \mathsf {b}^0\}}] \cup \{ \mathsf {b}^0 \}\), \(\mathcal {E}_{\mathcal {N}}[{\{ \mathsf {c}^0, \mathsf {b}^0\}}] \cup \{ \mathsf {b}^0\}\), \(\mathcal {E}_{\mathcal {N}}[{\{ \mathsf {c}^0, \mathsf {a}^0\}}] \cup \{ \mathsf {c}^0\}\), \(\mathcal {E}_{\mathcal {N}}[{\{ \mathsf {c}^0, \mathsf {a}^0\}}] \cup \{ \mathsf {a}^0\}\), and \(\mathcal {E}_{\mathcal {N}}[{\{ \mathsf {c}^0, \mathsf {b}^0, \mathsf {a}^1\}}] \cup \{ \mathsf {b}^0\}\).

2.2 True Concurrent Logic

The logic of interest for this paper, originally defined in [20], is a Hennessy-Milner style logic that allows one to specify the dependencies (causality and concurrency) between events in computation.

Logic formulae include event variables, from a fixed denumerable set \( Var \), denoted by \(x, y, \ldots \). Tuples of variables like \(x_1, \ldots , x_n\) will be denoted by a corresponding boldface letter \({\mathbf {x}}\) and, abusing the notation, tuples will be often used as sets. The logic includes diamond and box modalities. The formula \( \langle \!|{{\mathbf {x}}}, \overline{{\mathbf {y}}} <\mathsf {{a}\,}{z}|\!\rangle \,\varphi \) holds in a configuration when an \(\mathsf {a}\)-labelled event e is enabled which causally depends on the events bound to \({\mathbf {x}}\) and is concurrent with those in \({\mathbf {y}}\). Event e is executed and then the formula \(\varphi \) must hold, with e bound to variable z. Dually, \( [\![{{\mathbf {x}}}, \overline{{\mathbf {y}}} <\mathsf {{a}\,}{z}]\!] \,\varphi \) is satisfied when all \(\mathsf {a}\)-labelled events causally dependent on \({\mathbf {x}}\) and concurrent with \({\mathbf {y}}\) bring to a configuration where \(\varphi \) holds.

For dealing with fixpoint operators we fix a denumerable set \(\mathcal {X}^a\) of abstract propositions, ranged over by X, Y, .... Each abstract proposition X has an arity \( ar ({X})\) and it represents a formula with \( ar ({X})\) (unnamed) free event variables. Then, for \({\mathbf {x}}\) such that \(|{{\mathbf {x}}}| = ar ({X})\), we write \({X}({{\mathbf {x}}})\) to indicate the abstract proposition X whose free event variables are named \({\mathbf {x}}\).

Definition 6

(syntax). The syntax of \(\mathcal {L}_{hp}\) over the sets of event variables \( Var \), abstract propositions \(\mathcal {X}^a\) and labels \(\varLambda \) is defined as follows:

For a formula \(\varphi \) we denote by \( fv ({\varphi })\) its free event variables, defined in the obvious way. Just note that the modalities act as binders for the variable representing the event executed, hence \( fv ({ \langle \!|{{\mathbf {x}}}, \overline{{\mathbf {y}}}<\mathsf {{a}\,}{z}|\!\rangle \, \varphi }) = fv ({ [\![{{\mathbf {x}}}, \overline{{\mathbf {y}}} <\mathsf {{a}\,}{z}]\!] \, \varphi }) = ( fv ({\varphi }) \smallsetminus \{z\}) \cup {\mathbf {x}}\cup {\mathbf {y}}\). For formulae \(\nu {X}({{\mathbf {x}}}). \varphi \) and \(\mu {X}({{\mathbf {x}}}). \varphi \) we require that \( fv ({\varphi }) = {\mathbf {x}}\). The free propositions in \(\varphi \) not bound by \(\mu \) or \(\nu \), are denoted by \( fp ({\varphi })\). When both \( fv ({\varphi })\) and \( fp ({\varphi })\) are empty we say that \(\varphi \) is closed. When \({\mathbf {x}}\) or \({\mathbf {y}}\) are empty are omitted, e.g., we write \( \langle \!|\mathsf {{a}\,}{z}|\!\rangle \, \varphi \) for \( \langle \!|{\emptyset }, \overline{\emptyset } <\mathsf {{a}\,}{z}|\!\rangle \, \varphi \).

For example, the formula \(\varphi _1 = \langle \!|\mathsf {{c}\,}{x}|\!\rangle ( \langle \!|{x}<\mathsf {{a}\,}{y}|\!\rangle \mathsf {T}\wedge \langle \!|\overline{x} < \mathsf {{b}\,}{z}|\!\rangle \mathsf {T})\) requires that, after the execution of a \(\mathsf {c}\)-labelled event, one can choose between a causally dependent \(\mathsf {a}\)-labelled event and a concurrent \(\mathsf {b}\)-labelled event. It is satisfied by \(\mathcal {E}_{\mathcal {N}}\) in Fig. 1a. Instead \(\varphi _2 = \langle \!|\mathsf {{c}\,}{x}|\!\rangle ( \langle \!|\overline{x}< \mathsf {{a}\,}{y}|\!\rangle \mathsf {T}\wedge \langle \!|\overline{x} < \mathsf {{b}\,}{z}|\!\rangle \mathsf {T})\) requiring both events to be concurrent would be false. Moving to infinite computations, consider \(\varphi _3 = [\![\mathsf {{b}\,}{x}]\!] \nu {Z}({x}). \langle \!|\mathsf {{c}\,}{z}|\!\rangle \langle \!|\overline{z}< \mathsf {{b}\,}{y}|\!\rangle \mathsf {T}\wedge [\![{x}<\mathsf {{b}\,}{y}]\!] {Z}({y})\), expressing that all non-empty causal chains of \(\mathsf {b}\)-labelled events reach a state where it is possible to execute two concurrent events labelled \(\mathsf {c}\) and \(\mathsf {b}\), respectively. Then \(\varphi _3\) holds in \(\mathcal {E}_{\mathcal {N}}\). Another formula satisfied by \(\mathcal {E}_{\mathcal {N}}\) is \(\varphi _4 = \langle \!|\mathsf {{c}\,}{x}|\!\rangle \langle \!|\overline{x}< \mathsf {{b}\,}{y}|\!\rangle \nu X(x,y). \langle \!|{y}, \overline{x} <\mathsf {{b}\,}{z}|\!\rangle X(x,z)\) requiring the existence of an infinite causal chain of \(\mathsf {b}\)-labelled events, concurrent with a \(\mathsf {c}\)-labelled event.

The logic \(\mathcal {L}_{hp}\) is interpreted over pess. The satisfaction of a formula is defined with respect to a configuration C and a (total) function \(\eta : Var \rightarrow E\), called an environment, that binds free variables in \(\varphi \) to events in C. Namely, if \( Env _{\mathcal {E}}\) denotes the set of environments, the semantics of a formula will be a set of pairs in \(\mathcal {C}({\mathcal {E}})\times Env _{\mathcal {E}}\). The semantics of \(\mathcal {L}_{hp}\) also depends on a proposition environment \(\pi : \mathcal {X} \rightarrow 2^{\mathcal {C}({\mathcal {E}}) \times Env _{\mathcal {E}}}\) which provides an interpretation for propositions. In order to ensure that the semantics of a formula only depends on the events associated with its free variables and is independent on the naming of the variables, it is required that if \((C, \eta ) \in \pi ({X}({{\mathbf {x}}}))\) and \(\eta '({\mathbf {y}}) = \eta ({\mathbf {x}})\) pointwise, then \((C, \eta ') \in \pi ({X}({{\mathbf {y}}}))\). We denote by \( PEnv _{\mathcal {E}}\) the set of proposition environments, ranged over by \(\pi \).

We can now give the semantics of logic \(\mathcal {L}_{hp}\). Given an event environment \(\eta \) and an event e we write \(\eta [x \mapsto e]\) for the updated environment which maps x to e. Similarly, for a proposition environment \(\pi \) and \(S \subseteq \mathcal {C}({\mathcal {E}})\times Env _{\mathcal {E}}\), we write \(\pi [{Z}({{\mathbf {x}}}) \mapsto S]\) for the corresponding update.

Definition 7

(semantics). Let \(\mathcal {E}\) be a pes. The denotation of a formula \(\varphi \) in \(\mathcal {L}_{hp}\) is given by the function \(\{\!| {\cdot } |\!\}^{\mathcal {E}}:\mathcal {L}_{hp}\rightarrow PEnv _{\mathcal {E}} \rightarrow 2^{\mathcal {C}({\mathcal {E}})\times Env _{\mathcal {E}}}\) defined inductively as follows, where we write \(\{\!| {\varphi } |\!\}^{\mathcal {E}}_{\pi }\) instead of \(\{\!| {\varphi } |\!\}^{\mathcal {E}}(\pi )\):

where \(f_{\varphi ,{Z}({{\mathbf {x}}}),\pi } : 2^{\mathcal {C}({\mathcal {E}})\times Env _{\mathcal {E}}} \rightarrow 2^{\mathcal {C}({\mathcal {E}})\times Env _{\mathcal {E}}}\) is defined by \(f_{\varphi ,{Z}({{\mathbf {x}}}),\pi }(S) = \{\!| {\varphi } |\!\}^{\mathcal {E}}_{\pi [{Z}({{\mathbf {x}}})\mapsto S]}\) and \( gfp ({f_{\varphi ,{Z}({{\mathbf {x}}}),\pi }})\) (resp. \( lfp ({f_{\varphi ,{Z}({{\mathbf {x}}}),\pi }})\)) denotes the corresponding greatest (resp. least) fixpoint. We say that a pes \(\mathcal {E}\) satisfies a formula \(\varphi \) and write \(\mathcal {E}\,\models \,\varphi \) if \((\emptyset , \eta )\in \{\!| {\varphi } |\!\}^{\mathcal {E}}_{\pi }\) for all environments \(\eta \) and \(\pi \).

The semantics of boolean operators is standard. The formula \( \langle \!|{{\mathbf {x}}}, \overline{{\mathbf {y}}} <\mathsf {{a}\,}{z}|\!\rangle \, \varphi \) holds in \((C,\eta )\) when configuration C enables an \(\mathsf {a}\)-labelled event e that causally depends on (at least) the events bound to the variables in \({\mathbf {x}}\) and concurrent with (at least) those bound to the variables in \({\mathbf {y}}\) and, once executed, it produces a new configuration \(C' = C\cup \{e\}\) which, paired with the environment \(\eta ' = \eta [z\mapsto e]\), satisfies the formula \(\varphi \). Dually, \( [\![{{\mathbf {x}}}, \overline{{\mathbf {y}}} <\mathsf {{a}\,}{z}]\!] \, \varphi \) holds when all \(\mathsf {a}\)-labelled events executable from C, caused by \({\mathbf {x}}\) and concurrent with \({\mathbf {y}}\) bring to a configuration where \(\varphi \) is satisfied.

The fixpoints corresponding to the formulae \(\nu {Z}({{\mathbf {x}}}).\varphi \) and \(\mu {Z}({{\mathbf {x}}}).\varphi \) are guaranteed to exist by Knaster-Tarski theorem, since the set \(2^{\mathcal {C}({\mathcal {E}})\times Env _{\mathcal {E}}}\) ordered by subset inclusion is a complete lattice and the functions \(f_{\varphi ,{Z}({{\mathbf {x}}}),\pi }\) are monotonic.

3 Automata-Based Model Checker

We introduce nondeterministic parity tree automata and we show how the model checking problem for \(\mathcal {L}_{hp}\) on strongly regular pess can be reduced to the non-emptiness of the language of such automata. The automaton naturally generated from a pes and a formula has an infinite number of states. We discuss how the automaton can be quotiented to a finite one accepting the same language and thus potentially useful for model checking purposes.

3.1 Infinite Parity Tree Automata

Automata on infinite trees revealed to be a powerful tool to various problems in the setting of branching temporal logics. Here we focus on nondeterministic parity tree automata [29], with some (slightly) non-standard features. We work on k-trees (rather than on binary trees), a choice that will simplify the presentation, and we allow for possibly infinite state automata.

When automata are used for model checking purposes it is standard to restrict to unlabelled trees. A k-bounded branching tree or k-tree, for short, is a subset \(\mathcal {T}\subseteq [1, k]^\star \), such that

1. 1.

   \(\mathcal {T}\) is prefix closed, i.e., if \(wv\in \mathcal {T}\) then \(w\in \mathcal {T}\)

2. 2.

   \(w 1\in \mathcal {T}\) for all \(w \in \mathcal {T}\)

3. 3.

   for all \(i\in [2, k]\) if \(wi\in \mathcal {T}\) then \(w(i-1)\in \mathcal {T}\).

Elements of \(\mathcal {T}\) are the nodes of the tree. The empty string \(\epsilon \) corresponds to the root. A string of the form wi corresponds to the i-th child of w. Hence by (2) each branch is infinite and by (3) the presence of the i-th child implies the presence of the j-th children for \(j \le i\).

Definition 8

(nondeterministic parity automaton). A k-bounded nondeterministic parity tree automaton (NPA) is a tuple \(\mathcal {A}=\langle Q,\xrightarrow {},q_0,\mathcal {F}\rangle \) where Q is a set of states, \(\xrightarrow {} \subseteq Q\times \bigcup \limits _{i=1}^{k}Q^k\) is the transition relation, \(q_0 \in Q\) is the initial state, and \(\mathcal {F}=(F_0,\ldots ,F_h)\) is the acceptance condition, where \(F_0, \ldots , F_h \subseteq Q\) are mutually disjoint subsets of states.

Transitions are written as \(q\xrightarrow {}(q_1,\ldots ,q_m)\) instead of \((q, (q_1, \ldots , q_m)) \in \xrightarrow {}\).

Given a k-tree \(\mathcal {T}\), a run of \(\mathcal {A}\) on \(\mathcal {T}\) is a labelling of \(\mathcal {T}\) over the states \(r : \mathcal {T} \rightarrow Q\) consistent with the transition relation, i.e., such that \(r(\epsilon ) = q_0\) and for all \(u \in \mathcal {T}\), with m children, there is a transition \(r(u)\xrightarrow {}(r(u1),\ldots ,r(um))\) in \(\mathcal {A}\). A path in the run r is an infinite sequence of states \(p=(q_0,q_1,\ldots )\) labelling a complete path from the root in the tree. It is called accepting if there exists an even number \(l\in [0, h]\) such that the set \(\{j\ \mid \ q_j\in F_l\}\) is infinite and the set \(\{j\ \mid \ q_j\in \bigcup _{l<i\le h}F_i\}\) is finite. The run r is accepting if all paths are accepting.

Definition 9

(language of an NPA). Let \(\mathcal {A}\) be an NPA. The language of \(\mathcal {A}\), denoted by \( L ({\mathcal {A}})\), consists of the trees \(\mathcal {T}\) which admit an accepting run.

Observe that for a k-bounded NPA, the language \( L ({\mathcal {A}})\) is a set of k-trees.

The possibility of having an infinite number of states and the associated acceptance condition are somehow non-standard. However, it is easy to see that whenever an NPA is finite, the acceptance condition coincides with the standard one requiring a single state with maximal even priority to occur infinitely often.

Since NPAs are nondeterministic, different runs (possibly infinitely many) can exist for the same input tree. Still, the non-emptiness problem, also for our k-ary variant, is decidable when the number of states is finite (and solvable by a corresponding parity game [30]).

3.2 Infinite NPAs for Model Checking

We show how, given a pes and a closed formula in \(\mathcal {L}_{hp}\), we can build an NPA in a way that, for strongly regular pess, the satisfaction of \(\varphi \) in \(\mathcal {E}\) reduces to the non-emptiness of the automaton language. The construction is inspired by that in [28] for the mu-calculus.

The acceptance condition for the automaton will refer to the fixpoint alternation in the formulae of \(\mathcal {L}_{hp}\). We adapt a definition from [28]. A fixpoint formula \(\alpha {X}({{\mathbf {y}}}).\varphi '\), for \(\alpha \in \{\nu ,\mu \}\), is called an \(\alpha \)-formula. Hereafter \(\alpha \) ranges over \(\{\nu ,\mu \}\). Given an \(\alpha \)-formula \(\varphi = \alpha {X}({{\mathbf {y}}}).\varphi '\), we say that a subformula \(\psi \) of \(\varphi \) is a direct active subformula, written \(\psi \sqsubseteq _d\varphi \), if the abstract proposition X appears free in \(\psi \). The transitive closure of \(\sqsubseteq _d\) is a partial order and when \(\psi \sqsubseteq _d^* \varphi \) we say that \(\psi \) is an active subformula of \(\varphi \). We denote by \(\mathsf {sf}_{}({\varphi })\) the set of subformulae of a formula \(\varphi \) and by \(\mathsf {sf}_{\alpha }({\varphi })\) the set of active \(\alpha \)-subformulae.

The alternation depth of a formula \(\varphi \) in \(\mathcal {L}_{hp}\), written \(\mathsf {ad}({\varphi })\), is defined, for a \(\nu \)-formula \(\varphi \), as \(\mathsf {ad}({\varphi })= \max \{ 1+\mathsf {ad}({\psi }) \mid \psi \in \mathsf {sf}_{\mu }({\varphi })\}\) and dually, for a \(\mu \)-formula \(\varphi \), as \(\mathsf {ad}({\varphi })= \max \{ 1+\mathsf {ad}({\psi }) \mid \psi \in \mathsf {sf}_{\nu }({\varphi })\}\). For any other formula \(\varphi \), \(\mathsf {ad}({\varphi }) = max \{ \mathsf {ad}({\psi }) \mid \psi \in \mathsf {sf}_{}({\varphi }) \setminus \{ \varphi \}\}\). It is intended that \(\max \emptyset = 0\). E.g., by the first clause above, the alternation depth of \(\nu X({\mathbf {x}}).\, \varphi \) is 0 in absence of active \(\mu \)-subformulae.

Hereafter we assume that in every formula different bound propositions have different names, so that we can refer to the fixpoint subformula quantifying an abstract proposition. This requirement can always be fulfilled by alpha-renaming.

Hereafter, if X and \(X'\) are abstract propositions quantified in \(\alpha \)-subformulae \(\alpha {X}({{\mathbf {x}}}).\, \varphi \) and \(\alpha ' X'({\mathbf {x}}').\, \varphi '\), we will write \(\mathsf {ad}({X})\) for \(\mathsf {ad}({\alpha {X}({{\mathbf {x}}}).\, \varphi })\) and \(X \sqsubseteq _dX'\) for \(\alpha {X}({{\mathbf {x}}}).\, \varphi \sqsubseteq _d\alpha ' {X'}({{\mathbf {x}}'}).\, \varphi '\). Moreover, given a pes \(\mathcal {E}\), for a pair \((C,\eta ) \in \mathcal {C}({\mathcal {E}}) \times Env _{\mathcal {E}}\) and variables \({\mathbf {x}}\), \({\mathbf {y}}\), z, we define \(({\mathbf {x}}, \overline{{\mathbf {y}}} < \mathsf {a}z)\)-successors of \((C,\eta )\), as

We can now illustrate the construction of the NPA for a formula and a pes.

Definition 10

(NPA for a formula). Let \(\mathcal {E}\) be a bounded pes and let \(\varphi \in \mathcal {L}_{hp}\) be a closed formula. The NPA for \(\mathcal {E}\) and \(\varphi \) is \(\mathcal {A}_{{\mathcal {E}},{\varphi }} = \langle Q,\xrightarrow {},q_0,\mathcal {F}\rangle \) defined as follows. The set of states \(Q \subseteq \mathcal {C}({\mathcal {E}}) \times Env _{\mathcal {E}} \times \mathsf {sf}_{}({\varphi })\) is \(Q = \{ (C,\eta ,\psi ) \mid \eta ( fv ({\psi }))\subseteq C \}\). The initial state \(q_0 = (\emptyset ,\eta ,\varphi )\), for some chosen \(\eta \in Env _{\mathcal {E}}\). The transition relation is defined, for any state \(q=(C,\eta ,\psi ) \in Q\), by:

• if \(\psi =\mathsf {T}\) or \(\psi =\mathsf {F}\), then \(q \xrightarrow {} (q)\);

• if \(\psi =\psi _1\wedge \psi _2\), then \(q \xrightarrow {}(q_1,q_2)\) where \(q_i=(C,\eta ,\psi _i)\), \(i\in \{1,2\}\);

• if \(\psi =\psi _1\vee \psi _2\), then \(q \xrightarrow {}(q_1)\) and \(q \xrightarrow {}(q_2)\) where \(q_i=(C,\eta ,\psi _i)\), \(i\in \{1,2\}\);

• if \(\psi = [\![{{\mathbf {x}}}, \overline{{\mathbf {y}}} <\mathsf {{a}\,}{z}]\!] \psi '\) and \(\mathsf {Succ}^{{\mathbf {x}},\overline{{\mathbf {y}}} < \mathsf {a}z}({C,\eta }) = \{(C_1,\eta _1),\ldots ,(C_n,\eta _n)\} \ne \emptyset \) then \(q \xrightarrow {}(q_1,\ldots ,q_n)\) where \(q_i=(C_i,\eta _i,\psi ')\) for \(i\in [1, n]\), otherwise \(q \xrightarrow {}(q)\);

• if \(\psi = \langle \!|{{\mathbf {x}}}, \overline{{\mathbf {y}}} <\mathsf {{a}\,}{z}|\!\rangle \psi '\) and \(\mathsf {Succ}^{{\mathbf {x}},\overline{{\mathbf {y}}} < \mathsf {a}z}({C,\eta }) = \{(C_1,\eta _1),\ldots ,(C_n,\eta _n)\} \ne \emptyset \) then \(q \xrightarrow {} (q_i)\) where \(q_i=(C_i,\eta _i,\psi ')\) for \(i\in [1, n]\), otherwise \(q \xrightarrow {}(q)\);

• if \(\psi =\alpha {X}({{\mathbf {x}}}).\psi '\) then \(q \xrightarrow {}(q')\) where \(q'=(C,\eta ,{X}({{\mathbf {x}}}))\);

• if \(\psi ={X}({{\mathbf {y}}})\) and \(\psi ' \in \mathsf {sf}_{}({\varphi })\) is the unique subformula such that \(\psi '=\alpha {X}({{\mathbf {x}}}).\psi ''\) then \(q \xrightarrow {}(q')\) where \(q'=(C,\eta [{\mathbf {x}}\mapsto \eta ({\mathbf {y}})],\psi '')\).

The acceptance condition is \(\mathcal {F}=(F_0,\ldots ,F_{h})\) where \(h = \mathsf {ad}({\varphi })+1\) and the \(F_i\) are as follows. Consider \(A_0,\ldots ,A_{h} \subseteq \mathsf {sf}_{}({\varphi })\) such that for \(i \in [0,h]\), if i is even (odd) then \(A_i\) contains exactly all propositions quantified in \(\nu \)-subformulae (\(\mu \)-subformulae) with alternation depth i or \(i-1\). Then \(F_0=(\mathcal {C}({\mathcal {E}})\times Env _{\mathcal {E}}\times (A_0\cup \{\mathsf {T}\})) \cup B\) where \(B = \{ (C, \eta , [\![{{\mathbf {x}}}, \overline{{\mathbf {y}}}<\mathsf {{a}\,}{z}]\!] \psi ) \mid \mathsf {Succ}^{{\mathbf {x}}, \overline{{\mathbf {y}}} < \mathsf {a}z}({C,\eta })= \emptyset \}\) is the set of all subformulae of \(\varphi \) in a context where they are trivially true, and \(F_i=\mathcal {C}({\mathcal {E}})\times Env _{\mathcal {E}}\times A_i\), for \(i\in [1,h]\).

States of \(\mathcal {A}_{{\mathcal {E}},{\varphi }}\) are triples \((C,\eta ,\varphi )\) consisting of a configuration C, an environment \(\eta \) and a subformula \(\psi \) of the original formula \(\varphi \). The intuition is that a transition reduces the satisfaction of a formula in a state to that of subformulae in possibly updated states. It can just decompose the formula, as it happens for \(\wedge \) or \(\vee \), check the satisfaction of a modal operator, thus changing the state consequently, or unfold a fixpoint.

The automaton \(\mathcal {A}_{{\mathcal {E}},{\varphi }}\) is bounded but normally infinite (whenever the pes \(\mathcal {E}\) is infinite and the formula \(\varphi \) includes some non-trivial fixpoint).

We next show that for a strongly regular pes the satisfaction of the formula \(\varphi \) on the pes \(\mathcal {E}\) reduces to the non-emptiness of the language of \(\mathcal {A}_{{\mathcal {E}},{\varphi }}\).

Theorem 1

(model checking via non-emptiness). Let \(\mathcal {E}\) be a strongly regular pes and let \(\check{\varphi }\) be a closed formula in \(\mathcal {L}_{hp}\). Then \( L ({\mathcal {A}_{{\mathcal {E}},{\check{\varphi }}}}) \ne \emptyset \) iff \(\mathcal {E}\,\models \,\check{\varphi }\).

We next provide an outline of the proof. A basic ingredient is an equivalence that can be defined on the NPA. As a first step we introduce a generalised notion of residual in which the relation with some selected events in the past is kept.

Definition 11

(pointed residual). Given a pes \(\mathcal {E}\) and a set X, a X-pointed configuration is a pair \(\langle C, \zeta \rangle \) where \(C \in \mathcal {C}({\mathcal {E}})\) and \(\zeta : X \rightarrow C\) is a function. We say that the X-pointed configurations \(\langle C, \zeta \rangle \), \(\langle C', \zeta ' \rangle \) have isomorphic pointed residuals, written \(\mathcal {\mathcal {E}}[{\langle C, \zeta \rangle }] \approx \mathcal {\mathcal {E}}[{\langle C', \zeta ' \rangle }]\) if there is an isomorphism of pess \(\iota : \mathcal {\mathcal {E}}[{C}] \rightarrow \mathcal {\mathcal {E}}[{C'}]\) such that for all \(x \in X\), \(e \in \mathcal {\mathcal {E}}[{C}]\) we have \(\zeta (x) \le e\) iff \(\zeta '(x) \le \iota (e)\).

Then two states are deemed equivalent if they involve the same subformula (up to renaming of the event variables) and the configurations, pointed by the free variables in the formulae, have isomorphic residuals. This resembles the notion of contextualised equivalence used on tableau judgments in [26].

Definition 12

(future equivalence). Let \(\mathcal {E}\) be a pes, \(\varphi \) be a formula and let \(q_i = (C_i,\eta _i,\psi _i)\), \(i \in \{1,2\}\) be two states of the NPA \(\mathcal {A}_{{\mathcal {E}},{\varphi }}\). We say that \(q_1\) and \(q_2\) are future equivalent, written \(q_1 \approx _fq_2\), if there exists a formula \(\psi \) and substitutions \(\sigma _i : fv ({\psi }) \rightarrow fv ({\psi _i})\) such that \(\psi \sigma _i =\psi _i\), for \(i \in \{1,2\}\), and the \( fv ({\psi })\)-pointed configurations \(\langle C_i, \eta _i \circ \sigma _i \rangle \) have isomorphic pointed residuals.

It can be shown that, given \(q_i = (C_i,\eta _i,\psi _i)\), \(i \in \{1,2\}\) as above, for all proposition environments \(\pi \) (satisfying a technical property of saturation) we have that \((C_1,\eta _1) \in \{\!| {\psi _1} |\!\}^{\mathcal {E}}_{\pi }\) if and only if \((C_2,\eta _2) \in \{\!| {\psi _2} |\!\}^{\mathcal {E}}_{\pi }\). Additionally, using strong regularity, one can prove that the semantics of fixpoint formulae is properly captured by finite approximants and that equivalence \(\approx _f\) is of finite index. These are fundamental building bricks in the proof of Theorem 1 which, roughly, proceeds as follows.

Assume that the language \( L ({\mathcal {A}_{{\mathcal {E}},{\varphi }}}) \ne \emptyset \). Then there is an accepting run r over some k-tree \(\mathcal {T}\). Since \(\mathsf {\varphi }\) is finite, in each infinite path there are infinitely many states \(q_{i_h} = (C_{i_h}, \eta _{i_h}, \psi _{i_h})\) where \(\psi _{i_h}\) is the same subformula, up to renaming. Since \(\approx _f\) is of finite index, infinitely many such states are equivalent. Then one deduces that, for some h, the subformula \(\psi _{i_h}\) is satisfied in \((C_{i_h}, \eta _{i_h})\). For fixpoint subformulae, this requires to show that, since the run is accepting, the subformula of maximal alternation depth that repeats infinitely often is a \(\nu \)-formula and use the fact that, as mentioned before, its semantics can be finitely approximated. Then, by a form of backward soundness of the transitions, we get that all the nodes, including the root, contain formulae which are satisfied.

For the converse implication, assume that \(\mathcal {E}\,\models \,\varphi \). Starting from the initial state \(q_0 = (\emptyset , \eta , \varphi )\) where the formula is satisfied, and using the automaton transitions, we can build a k-tree \(\mathcal {T}\) and a run where for each state \((C', \eta ', \psi )\) the subformula \(\psi \) is satisfied in \((C', \eta ')\) and such run can be proved to be accepting.

3.3 Quotienting the Automaton

In order to have an effective procedure for checking the satisfaction of a formula we need to build a suitable quotient of the NPA, with respect to an equivalence which preserves emptiness. A simple but important observation is that it is sufficient to require that the equivalence is a bisimulation in the following sense. An analogous notion is studied in [31] in the setting of nondeterministic tree automata over finite trees.

Definition 13

(bisimulation). Given an NPA \(\mathcal {A}\), a symmetric relation \(R \subseteq Q \times Q\) over the set of states is a bisimulation if for all \((q, q') \in R\)

1. 1.

   for all \(i\in [0,h]\), \(q \in F_i \iff q'\in F_i\);

2. 2.

   if \(q\xrightarrow {}(q_1,\ldots ,q_m)\) then \(q'\xrightarrow {}(q'_1,\ldots ,q'_m)\) with \((q_i, q'_i) \in R\) for \(i \in [1, m]\).

Given an NPA \(\mathcal {A}\) and an equivalence \(\equiv \) on the set of states which is a bisimulation, we define the quotient as \({\mathcal {A}}_{\scriptscriptstyle /{\equiv }} = \langle {Q}_{\scriptscriptstyle /{\equiv }}, {\xrightarrow {}}_{\scriptscriptstyle /{\equiv }}, [{q_0}]_{\scriptscriptstyle {\equiv }}, {\mathcal {F}}_{\scriptscriptstyle /{\equiv }} \rangle \) where \([{q}]_{\scriptscriptstyle {\equiv }} {\xrightarrow {}}_{\scriptscriptstyle /{\equiv }} ([{q_1}]_{\scriptscriptstyle {\equiv }}, \ldots , [{q_m}]_{\scriptscriptstyle {\equiv }})\) if \(q\xrightarrow {}(q_1,\ldots ,q_m)\) and \({\mathcal {F}}_{\scriptscriptstyle /{\equiv }}=({F_0}_{\scriptscriptstyle /{\equiv }}, \ldots ,{F_{h}}_{\scriptscriptstyle /{\equiv }})\). An NPA and its quotient accept exactly the same language.

Theorem 2

(language preservation). Let \(\mathcal {A}\) be an NPA and let \(\equiv \) be an equivalence on the set of states which is a bisimulation. Then \( L ({{\mathcal {A}}_{\scriptscriptstyle /{\equiv }}}) = L ({\mathcal {A}})\).

When \(\equiv \) is of finite index, the quotient \({\mathcal {A}_{{\mathcal {E}},{\varphi }}}_{\scriptscriptstyle /{\equiv }}\) is finite and, exploiting Theorems 1 and 2, we can verify whether \(\mathcal {E}\,\models \,\varphi \) by checking the emptiness of the language accepted by \({\mathcal {A}_{{\mathcal {E}},{\varphi }}}_{\scriptscriptstyle /{\equiv }}\). Clearly a concrete algorithm will not first generate the infinite state NPA and then take the quotient, but it rather performs the quotient on the fly: whenever a new state would be equivalent to one already generated, the transition loops back to the existing state.

Whenever \(\mathcal {E}\) is strongly regular, the future equivalence on states (see Definition 12) provides a bisimulation equivalence of finite index over \(\mathcal {A}_{{\mathcal {E}},{\varphi }}\).

Lemma 1

(\(\approx _f\) is a bisimulation). Let \(\mathcal {E}\) be a strongly regular pes and let \(\varphi \) be a closed formula in \(\mathcal {L}_{hp}\). Then the future equivalence \(\approx _f\) on \(\mathcal {A}_{{\mathcal {E}},{\varphi }}\) is a bisimulation and it is of finite index.

An obstacle towards the use of the quotiented NPA for model checking purposes is the fact that the future equivalence could be hard to compute (or even undecidable). In order to make the construction effective we need a decidable bisimulation equivalence on the NPA and the effectiveness of the set of successors of a state. This is further discussed in the next section.

4 Model Checking Petri Nets

We show how the model checking approach outlined before can be instantiated on finite safe Petri nets, a classical model of concurrency and distribution [32], by identifying a suitable effective bisimulation equivalence on the NPA.

4.1 Petri Nets and Their Event Structure Semantics

A Petri net is a tuple \(\mathcal {N}=(P,T,F, M_0)\) where P, T are disjoint sets of places and transitions, respectively, \(F: (P\times T) \cup (T\times P) \rightarrow \{ 0, 1\}\) is the flow function, and \(M_0\) is the initial marking, i.e., the initial state of the net. We assume that the set of transitions is a subset of a fixed set \(\mathbb {T}\) with a labelling \(\lambda _N : \mathbb {T} \rightarrow \varLambda \).

A marking of \(\mathcal {N}\) is a function \(M : P \rightarrow \mathbb {N}\), indicating for each place the number of tokens in the place. A transition \(t \in T\) is enabled at a marking M if \(M(p) \ge F(p,t)\) for all \(p\in P\). In this case it can be fired leading to a new marking \(M'\) defined by \(M'(p)=M(p)+F(t,p)-F(p,t)\) for all places \(p\in P\). This is written \(M [{t}\rangle M'\). We denote by \(\mathcal {R}({\mathcal {N}})\) the set of markings reachable in \(\mathcal {N}\) via a sequence of firings starting from the initial marking. We say that a marking M is coverable if there exists \(M' \in \mathcal {R}({\mathcal {N}})\) such that \(M \le M'\), pointwise. A net \(\mathcal {N}\) is safe if for every reachable marking \(M \in \mathcal {R}({\mathcal {N}})\) and all \(p \in P\) we have \(M(p)\le 1\). Hereafter we will consider only safe nets. Hence markings will be often confused with the corresponding subset of places \(\{ p \mid M(p) =1 \} \subseteq P\). For \(x \in P\cup T\) the pre-set and post-set are defined \(\,^{\bullet }x = \{y \in P \cup T \mid F(y,x) = 1 \}\) and \(x^{\bullet } = \{y \in P \cup T \mid F(x,y) = 1 \}\) respectively.

An example of Petri net can be found in Fig. 1b. Graphically places and transitions are drawn as circles and rectangles, respectively, while the flow function is rendered by means of directed arcs connecting places and transitions. Markings are represented by inserting tokens (black dots) in the corresponding places.

The concurrent behaviour of a Petri net can be represented by its unfolding \(\mathcal {U}({\mathcal {N}})\), an acyclic net constructed inductively starting from the initial marking of \(\mathcal {N}\) and then adding, at each step, an occurrence of each enabled transition.

Definition 14

(unfolding). Let \(\mathcal {N}=(P,T,F,m_0)\) be a safe net. Define the net \(U^{(0)} = (P^{(0)}, T^{(0)}, F^{(0)})\) as \(T^{(0)} = \emptyset \), \(P^{(0)} = \{(p, \bot ) \mid p \in m_0\}\) and \(F^{(0)} = \emptyset \), where \(\bot \) is an element not belonging to P, T or F. The unfolding is the least net \(\mathcal {U}({\mathcal {N}})=(P^{(\omega )},T^{(\omega )},F^{(\omega )})\) containing \(U^{(0)}\) and such that

• if \(t \in T\), the set of places \(X \subseteq P^{(\omega )}\) is coverable and \(\pi _1(X)=\,^{\bullet }t\), then \(e=(t,X) \in T^{(\omega )}\);

• for any \(e = (t,X) \in T^{(\omega )}\), the set \(Z = \{ (p,e) \mid p \in \pi _1(e)^{\bullet } \} \subseteq P^{(\omega )}\) where \(\pi _1(u,v) = u\); moreover \(\,^{\bullet }e = X\) and \(e^{\bullet } = Z\).

Places and transitions in the unfolding represent tokens and firing of transitions, respectively, of the original net. The projection \(\pi _1\) over the first component maps places and transitions of the unfolding to the corresponding items of the original net \(\mathcal {N}\). The initial marking is implicitly identified as the set of minimal places. For historical reasons transitions and places in the unfolding are also called events and conditions, respectively.

One can define causality \(\le _N\) over the unfolding as the transitive closure of the flow relation. Conflict is the relation \(e \# e'\) if \(\,^{\bullet }e \cap \,^{\bullet }e' \ne \emptyset \), inherited along causality. The events \(T^{(\omega )}\) of the unfolding of a finite safe net, endowed with causality and conflict, form a pes, denoted \(\mathcal {E}({\mathcal {N}})\). The transitions of a configuration \(C \in \mathcal {C}({\mathcal {E}({\mathcal {N}})})\) can be fired in any order compatible with causality, producing a marking \({C}^\circ = (P^{(0)} \cup \bigcup _{t\in C} t^{\bullet }) \setminus (\bigcup _{t\in C} \,^{\bullet }t)\) in \(\mathcal {U}({\mathcal {N}})\); in turn, this corresponds to a reachable marking of \(\mathcal {N}\) given by \(\mathsf {M}({C}) = \pi _1({C}^\circ )\). As an example, the unfolding \(\mathcal {U}({\mathcal {N}})\) of the running example net \(\mathcal {N}\) and the corresponding pes can be found in Figs. 1c and a.

4.2 Automata Model Checking for Petri Nets

The pes associated with a safe Petri net is known to be regular [27]. We next prove that it is also strongly regular and thus we can apply the theory developed so far for model checking \(\mathcal {L}_{hp}\) over safe Petri nets.

Let \(\mathcal {N}= \langle S,T,F,M_0\rangle \) be a safe Petri net. A basic observation is that the residual of the pes \(\mathcal {E}({\mathcal {N}})\) with respect to a configuration \(C \in \mathcal {C}({\mathcal {E}({\mathcal {N}})})\) is uniquely determined by the marking produced by C. This correspondence can be extended to pointed configurations by considering markings which additionally record, for the events of interest in the past, the places in the marking which are caused by such events. This motivates the definition below.

Definition 15

(pointed marking). Let \(\mathcal {N}= \langle S,T,F,M_0\rangle \) be a safe Petri net. Given a set X, a X-pointed marking is a pair \(\langle M, r \rangle \) with \(r : X \rightarrow 2^M\).

A X-pointed configuration \(\langle C, \zeta \rangle \) induces an X-pointed marking \(\mathsf {M}({\langle C, \zeta \rangle }) = \langle \mathsf {M}({C}), r \rangle \) where \(r(x) = \{ \pi _1(b) \mid b \in {C}^\circ \ \wedge \ \zeta (x) < b \}\). Pointed configurations producing the same pointed marking have isomorphic pointed residuals.

Proposition 1

(pointed markings vs residuals). Let \(\mathcal {N}= \langle S,T,F,M_0\rangle \) be a safe Petri net. Given a set X and two X-pointed configurations \(\langle C_1, \zeta _1\rangle \), \(\langle C_2, \zeta _2 \rangle \) in \(\mathcal {U}({\mathcal {N}})\), if \(\mathsf {M}({\langle C_1, \zeta _1 \rangle }) = \mathsf {M}({\langle C_2, \zeta _2 \rangle })\) then \(\mathcal {\mathcal {E}({\mathcal {N}})}[{\langle C_1, \zeta _1\rangle }] \approx \mathcal {\mathcal {E}({\mathcal {N}})}[{\langle C_2, \zeta _2\rangle }]\).

By the previous result the pes associated with a finite safe Petri net is strongly regular. Indeed, the number of residuals of X-pointed configurations, up to isomorphism, by Proposition 1, is smaller than the number of X-pointed markings, which is clearly finite since the net is safe.

Corollary 1

(strong regularity). Let \(\mathcal {N}\) be finite safe Petri net. Then the corresponding pes \(\mathcal {E}({\mathcal {N}})\) is strongly regular.

In order to instantiate the model checking framework to finite safe Petri nets, the idea is to take an equivalence over the infinite NPA by abstracting the (pointed) configurations associated with its states to pointed markings.

Definition 16

(pointed-marking equivalence on NPA). Let \(\mathcal {N}\) be a finite safe Petri net and let \(\varphi \) be a closed formula in \(\mathcal {L}_{hp}\). Two states \(q_1\), \(q_2\) in the NPA \(\mathcal {A}_{{\mathcal {E}({\mathcal {N}})},{\varphi }}\) are pointed-marking equivalent, written \(q_1 \approx _mq_2\), if \(q_i = \langle C_i, \eta _i, \psi \rangle \), \(i \in \{1,2\}\), for some \(\psi \in \mathsf {sf}_{}({\varphi })\) and \(\mathsf {M}({\langle C_1, {\eta _1}_{| fv ({\psi })}\rangle }) = \mathsf {M}({\langle C_2, {\eta _2}_{| fv ({\psi })}\rangle })\).

Using Proposition 1 we can immediately prove that \(\approx _m\) refines \(\approx _f\). Moreover we can show that \(\approx _m\) is a bisimulation in the sense of Definition 13.

Proposition 2

(marking equivalence is a bisimulation). Let \(\mathcal {N}\) be a finite safe Petri net and let \(\varphi \) be a closed formula in \(\mathcal {L}_{hp}\). The equivalence \(\approx _m\) on the automaton \(\mathcal {A}_{{\mathcal {E}({\mathcal {N}})},{\varphi }}\) is a bisimulation and it is of finite index.

Relying on Propositions 1 and 2 we provide an explicit construction of the quotient automaton \({\mathcal {A}_{{\mathcal {E}({\mathcal {N}})},{\varphi }}}_{\scriptscriptstyle /{\approx _m}}\). We introduce a convenient notation for transitions between pointed markings. Given the variables \({\mathbf {x}}\), \({\mathbf {y}}\), a set X such that \({\mathbf {x}}\cup {\mathbf {y}}\subseteq X\) and an X-pointed marking \(\langle M, r \rangle \), we write \(\langle M, r \rangle \xrightarrow {\smash {{{\mathbf {x}}},\overline{{\mathbf {y}}}}\, <\, {\smash {t}}}_{\smash {\mathsf {a},z}} \langle M', r' \rangle \) if \(M [{t}\rangle M'\), \(\lambda _N(t) =\mathsf {a}\), for all \(x \in {\mathbf {x}}\) we have \(r(x) \cap \,^{\bullet }t \ne \emptyset \) and for all \(y \in {\mathbf {y}}\) it holds \(r(y) \cap \,^{\bullet }t = \emptyset \) and \(r'\) is defined by \(r'(z) = t^{\bullet }\) and \(r'(w) = (r(w) \cap M') \cup \{ s \mid r(w) \cap \,^{\bullet }t \ne \emptyset \ \wedge \ s \in t^{\bullet } \}\), for \(w \ne z\). In words, from the pointed marking \(\langle M, r \rangle \) transition t is fired and “pointed” by variable z. Transition t is required to consume tokens caused by \({\mathbf {x}}\) and not to consume tokens caused by \({\mathbf {y}}\), in order to be itself caused by \({\mathbf {x}}\) and independent from \({\mathbf {y}}\). After the firing, variables which were causes of some \(p \in \,^{\bullet }t\) become causes of the places in \(t^{\bullet }\) and, clearly, z causes \(t^{\bullet }\).

Construction 1

(quotient NPA). Let \(\mathcal {N}\) be a finite safe Petri net and let \(\varphi \in \mathcal {L}_{hp}\) be a closed formula. The quotient NPA \({\mathcal {A}_{{\mathcal {E}({\mathcal {N}})},{\varphi }}}_{\scriptscriptstyle /{\approx _m}}\) is defined as follows. The set of states \(Q = \{ ( M, r, \psi ) \mid M \in \mathcal {R}({\mathcal {N}})\ \wedge \ r : fv ({\psi }) \rightarrow 2^M\ \wedge \ \psi \in \mathsf {sf}_{}({\varphi }) \}\). The initial state \(q_0 = (M_0,\emptyset ,\varphi )\). The transition relation is defined, for any state \(q=( M, r, \psi ) \in Q\), by:

• if \(\psi =\mathsf {T}\) or \(\psi =\mathsf {F}\), then \(q \xrightarrow {}(q)\)

• if \(\psi =\psi _1\wedge \psi _2\), then \(q \xrightarrow {}(q_1,q_2)\) where \(q_i=(M,r,\psi _i)\), \(i\in \{1,2\}\)

• if \(\psi =\psi _1\vee \psi _2\), then \(q \xrightarrow {}(q_1)\) and \(q \xrightarrow {}(q_2)\) where \(q_i=(M,r,\psi _i)\), \(i\in \{1,2\}\)

• if \(\psi = [\![{{\mathbf {x}}}, \overline{{\mathbf {y}}} <\mathsf {{a}\,}{z}]\!] \psi '\), let \(S = \{(M',r'_{| fv ({\psi '})}) \mid \langle M, r \rangle \xrightarrow {\smash {{{\mathbf {x}}},\overline{{\mathbf {y}}}}\, <\, {\smash {t}}}_{\smash {a,z}} \langle M', r' \rangle \}\); if \(S = \{(M_1,r_1),\ldots ,(M_n,r_n)\} \ne \emptyset \) then \(q \xrightarrow {}(q_1,\ldots ,q_n)\) where \(q_i=(M_i,r_i,\psi ')\) for \(i\in [1, n]\), otherwise \(q \xrightarrow {}(q)\);

• if \(\psi = \langle \!|{{\mathbf {x}}}, \overline{{\mathbf {y}}} <\mathsf {{a}\,}{z}|\!\rangle \psi '\), let \(S = \{(M',r'_{| fv ({\psi '})}) \mid \langle M, r \rangle \xrightarrow {\smash {{{\mathbf {x}}},\overline{{\mathbf {y}}}}\, <\, {\smash {t}}}_{\smash {a,z}} \langle M', r' \rangle \}\); if \(S = \{(M_1,r_1),\ldots ,(M_n,r_n)\} \ne \emptyset \) then \(q \xrightarrow {} (q_i)\) where \(q_i=(M_i,r_i,\psi ')\) for \(i\in [1, n]\), otherwise \(q \xrightarrow {}(q)\);

• if \(\psi =\alpha {X}({{\mathbf {x}}}).\psi '\) then \(q \xrightarrow {}(q')\) where \(q'=(M,r,{X}({{\mathbf {x}}}))\);

• if \(\psi ={X}({{\mathbf {y}}})\) and \(\psi ' \in \mathsf {sf}_{}({\varphi })\) is the subformula such that \(\psi '=\alpha {X}({{\mathbf {x}}}).\psi ''\) then \(q \xrightarrow {}(q')\) where \(q'=(M,r[{\mathbf {x}}\mapsto r({\mathbf {y}})],\psi '')\).

The acceptance condition is as in Definition 10.

4.3 A Prototype Tool

The algorithm for model checking Petri nets outlined before is implemented in the prototype tool TCWB (True Concurrency Workbench) [33], written in Haskell. The tool inputs a safe Petri net \(\mathcal {N}\) and a closed formula \(\varphi \) of \(\mathcal {L}_{hp}\) and outputs the truth value of the formula on the initial marking of \(\mathcal {N}\). The algorithm builds the quotient NPA \({\mathcal {A}_{{\mathcal {E}({\mathcal {N}})},{\varphi }}}_{\scriptscriptstyle /{\approx _m}}\) “on demand”, i.e., the states of the automaton are generated when they are explored in the search of an accepting run. A path is recognised as successful when it includes a loop where a \(\sqsubseteq _d^*\)-maximal subformula is \(\mathsf {T}\), a \( [\![\mathsf {{}\,}{}]\!]\)-subformula or a \(\nu \)-subformula. In this way only the fragment of \({\mathcal {A}_{{\mathcal {E}({\mathcal {N}})},{\varphi }}}_{\scriptscriptstyle /{\approx _m}}\) relevant to decide the satisfaction of \(\varphi \) is built.

Given a net \(\mathcal {N}= (P,T,F,M_0)\) and a formula \(\varphi \), the number of states in the quotient automaton \({\mathcal {A}_{{\mathcal {E}({\mathcal {N}})},{\varphi }}}_{\scriptscriptstyle /{\approx _m}}\) can be bounded as follows. Recall that a state consists of a triple \((M, r, \psi )\) where \(\psi \in \mathsf {sf}_{}({\varphi })\), M is a reachable marking and \(r : fv ({\psi }) \rightarrow 2^M\) is a function. This leads to an upper bound \(O(|{\mathsf {sf}_{}({\varphi })}| \cdot |{\mathcal {R}({\mathcal {N}})}| \cdot 2^{|{P}| \cdot v})\), where \(v= max \{|{ fv ({\psi })}| : \psi \in \mathsf {sf}_{}({\varphi })\}\) is the largest number of event variables appearing free in a subformula of \(\varphi \). In turn, since \(|{\mathcal {R}({\mathcal {N}})}|\le 2^{|{P}|}\), this is bounded by \(O(|{\mathsf {sf}_{}({\varphi })}| \cdot 2^{|{P}| \cdot (v+1)})\). The size of the automaton is thus exponential in the size of the net and linear in the size of the formula. Moving from the interleaving fragment of the logic (where \(v=0\)) to formulae capable of expressing true concurrent properties thus causes an exponential blow up. However, note that the worst case scenario requires all transitions to be related by causality and concurrency to all places in any possible way, something that should be quite unlikely in practice. Indeed, despite the fact that the tool is very preliminary and more tweaks and optimisations could improve its efficiency, for the practical tests we performed the execution time seems to be typically well below than the theoretical worst case upper bound.

5 Conclusions

We introduced an automata-theoretic framework for the model checking of the logic for true concurrency \(\mathcal {L}_{hp}\), representing the logical counterpart of a classical true concurrent equivalence, i.e., history preserving bisimilarity. The approach is developed abstractly for strongly regular pess, that include regular trace pess. A concrete model-checking procedure requires the identification of an effective bisimulation equivalence for the construction of the quotient automaton. We showed how this can be done for finite safe Petri nets. The technique is implemented in a proof-of-concept tool.

We proved that the class of regular trace pess is included in that of strongly regular pess which in turn is included in the class of regular pess. The precise relation of strongly regular pess with the other two classes is still unclear and interesting in view of [34] that recently showed that regular trace pess are strictly included in regular pess, disproving Thiagarajan’s conjecture.

Several other papers deal with model checking for logics on event structures. In [35] a technique is proposed for model checking a CTL-style logic with modalities for immediate causality and conflict on a subclass of pess. The logic is quite different from ours as formulae are satisfied by single events, the idea being that an event, with its causes, represents the local state of a component. The procedure involves the construction of a finite representation of the pes associated with a program which has some conceptual relation with our quotienting phase. In [19] the author shows that first order logic and Monadic Trace Logic (MTL), a restricted form of monadic second order (MSO) logic are decidable on regular trace event structures. The possibility of directly observing conflicts in MTL and thus of distinguishing behaviourally equivalent pess (e.g., the pess consisting of a single or two conflicting copies of an event), and the presence in \(\mathcal {L}_{hp}\) of propositions which are non-monadic with respect to event variables, make these logics not immediate to compare. Still, a deeper investigation is definitively worth to pursue, especially in view of the fact that, in the propositional case, the mu-calculus corresponds to the bisimulation invariant fragment of MSO logic [36].

The work summarised in [18] develops a game theoretic approach for model-checking a concurrent logic over partial order models. It has been observed in [20] that such logic is incomparable to \(\mathcal {L}_{hp}\). Preliminary investigations shows that our model-checking framework could be adapted to such a logic and, more generally, to a logic joining the expressive power of the two. Moreover, further exploring the potentialities of a game theoretic approach in our setting represents an interesting venue of further research.

Compared to our previous work [26], we extended the range of the technique to the full logic \(\mathcal {L}_{hp}\), without limitations concerning the alternation depth of formulae. Relaxing the restriction to strongly regular pess, instead, appears to be quite problematic unless one is willing to deal with transfinite runs which, however, would be of very limited practical interest.

The tool is still very preliminary. As suggested by its (wishful) name (inspired by the classical Edinburgh Concurrency Workbench [37]) we would like to bring the TCWB to a more mature stage, working on optimisations and adding an interface that gives access to a richer set of commands.