Property Directed Reachability for Generalized Petri Nets

We propose a semi-decision procedure for checking generalized reachability properties, on generalized Petri nets, that is based on the Property Directed Reachability (PDR) method. We actually define three different versions, that vary depending on the method used for abstracting possible witnesses, and that are able to handle problems of increasing difficulty. We have implemented our methods in a model-checker called SMPT and give empirical evidences that our approach can handle problems that are difficult or impossible to check with current state of the art tools.


Introduction
We propose a new semi-decision procedure for checking reachability properties on generalized Petri nets, meaning that we impose no constraints on the weights of the arcs and do not require a finite state space. We also consider a generalized notion of reachability, in the sense that we can not only check the reachability of a given state, but also if it is possible to reach a marking that satisfies a combination of linear constraints between places, such as (p 0 +p 1 = p 2 +2)∧(p 1 p 2 ) for example. Another interesting feature of our approach is that we are able to return a "certificate of invariance", in the form of an inductive linear invariant [26], when we find that a constraint is true on all the reachable markings. To the best of our knowledge, there is no other tool able to compute such certificates in the general case.
Our approach is based on an extension of the Property Directed Reachability (PDR) method, originally developed for hardware model-checking [8,9], to the case of Petri nets. We actually define three variants of our algorithm-two of them completely new when compared to our previous work [1]-that vary based on the method used for generalizing possible witnesses and can handle problems of increasing difficulty.
Reachability for Petri nets is an important and difficult problem with many practical applications: obviously for the formal verification of concurrent systems, but also for the study of diverse types of protocols (such as biological or business processes); the verification of software systems; the analysis of infinite state systems; etc. It is also a timely subject, as shown by recent publications on this subject [7,15], but also with the recent progress made on settling its theoretical complexity [12,13], which asserts that reachability is Ackermann-complete, and therefore inherently more complex than, say, the coverability problem.
A practical consequence of this "inherent complexity", and a general consensus, is that we should not expect to find a one-size-fits-all algorithm that could be usable in practice. A better strategy is to try to improve the performances on some cases-for example by developing new tools, or optimizations, that may perform better on some examples-or try to improve "expressiveness"-by finding algorithms that can manage new cases, that no other tool can handle. This wisdom is illustrated by the current state of the art at the Model Checking Contest (MCC) [3], a competition of model-checkers for Petri nets that includes an examination for the reachability problem. Albeit strongly oriented towards the analysis of bounded nets. As a matter of fact, the top three tools in recent competitions-ITS-Tools [30], LoLA [34], and Tapaal [14]-all rely on a portfolio approach. Methods that have been proposed in this context include the use of symbolic techniques, such as k-induction [31]; abstraction refinement [10]; the use of standard optimizations with Petri nets, like stubborn sets or structural reductions; the use of the "state equation"; reduction to integer linear programming problems; etc.
The results obtained during the MCC highlight the very good performances achieved when putting all these techniques together, on bounded nets, with a collection of randomly generated properties. Another interesting feedback from the MCC is that simulation techniques are very good at finding a counter-example when a property is not an invariant [7,31].
In our work, we seek improvements in terms of both performance and expressiveness. We also target what we consider to be a difficult, and less studied area of research: procedures that can be applied when a property is an invariant and when the net is unbounded, or its state space cannot be fully explored. We also focus on the verification of "genuine" reachability constraints, which are not instances of a coverability problem. These properties are seldom studied in the context of unbounded nets. Interestingly enough, our work provides a simple explanation of why coverability problems are also "simpler" in the case of PDR; what we will associate with the notion of monotonic formulas.
Concerning performances, we propose a method based on a well-tried symbolic technique, PDR, that has proved successful with unbounded model-checking and when used together with SMT solvers [11,22]. Concerning expressiveness, we define a small benchmark of "difficult nets": a set of synthetic examples, representative of patterns that can make the reachability problem harder.
Outline and Contributions. We define background material on Petri nets in Sect. 2, where we use Linear Integer Arithmetic (LIA) formulas to reason about nets. Section 3 describes our decision method, based on PDR and SMT solvers, for checking the satisfiability of linear invariants over the reachable states of a Petri net. Our method builds sequences of incremental invariants using both a property that we want to disprove, and a stepwise approximation of the reachability relation. It also relies on a generalization step where we can abstract possible "bad states" into clauses that are propagated in order to find a counter-example, or to block inconsistent states.
We describe a first generalization method, based on the upset of markings, that is able to deal with coverability properties. We propose a new, dual variant based on the concept of hurdles [21], that is without restrictions on the properties. In this method, the goal is to block bad sequences of transitions instead of bad states. We show how this approach can be further improved by defining a notion of saturated transition sequence, at the cost of adding universal quantification in our SMT problems.
We have implemented our approach in an open-source tool, called SMPT, and compare it with other existing tools. In this context, one of our contributions is the definition of a set of difficult nets, that characterizes classes of difficult reachability problems.

Petri Nets and Linear Reachability Constraints
Let N denote the set of natural numbers and Z the set of integers. Assuming P is a finite, totally ordered set {p 1 , . . . , p n }, we denote by N P the set of mappings from P → N and we overload the addition, subtraction and comparison operators (=, ≥, ≤) to act as their component-wise equivalent on mappings. A QF-LIA formula F , with support in P , is a Boolean combination of atomic propositions of the form α ∼ β, where ∼ is one of =, ≤ or ≥ and α, β are linear expressions, that is, linear combinations of elements in N ∪ P . We simply use the term linear constraint to describe F .
A Petri net N is a tuple (P, T, pre, post) where P = {p 1 , . . . , p n } is a finite set of places, T is a finite set of transitions (disjoint from P ), and pre : T → N P and post : T → N P are the pre-and post-condition functions (also called the flow functions of N ). A state m of a net, also called a marking, is a mapping of N P . We say that the marking m assigns m(p i ) tokens to place p i . A marked net (N, m 0 ) is a pair composed from a net and an initial marking m 0 .
A transition t ∈ T is enabled at marking m ∈ N P when m pre(t). When t is enabled at m, we can fire it and reach another marking m ∈ N P such that m = m − pre(t) + post(t). We denote this transition m t − → m . The difference between m and m is a mapping ∆(t) = post(t) − pre(t) in Z P , also called the displacement of t.
By extension, we say that a firing sequence σ = t 1 . . . t k ∈ T * can be fired from m, denoted m σ = ⇒ m , if there exist markings m 0 , . . . , m k such that m = m 0 , m = m k and m i ti+1 −−→ m i+1 for all i < k. We can also simply write m → m . In this case, the displacement of σ is the mapping ∆(σ) = ∆(t 1 ) + · · · + ∆(t k ). We denote by R(N, m 0 ) the set of markings reachable from m 0 in N . A marking m is k-bounded when each place has at most k tokens. By extension, we say that a marked Petri net (N, m 0 ) is bounded when there is k such that all reachable markings are k-bounded.
While reachable states are computed by adding a linear combination of "displacements" (vectors in Z P ), the set R(N, m 0 ) is not necessarily semilinear or, equivalently, definable using Presburger arithmetic [20,26]. This is a consequence of the constraint that transitions must be enabled before firing. But there is still some structure to the set R(N, m 0 ), like for instance the following monotonicity constraint: We have other such results, such as with the notion of hurdle [21]. Just as pre(t) is the smallest marking for which a given transition t is enabled, there is a smallest marking at which a given firing sequence σ is fireable. This marking, denoted by H(σ), has a simple inductive definition: Given this notion of hurdles, we obtain that m σ = ⇒ m if and only if (1) the sequence σ is enabled: m H(σ), and (2) m = m + ∆(σ). We use this result in the second variant of our method.
We can go a step further and characterize a necessary and sufficient condition for firing the sequence σ.σ k , meaning firing the same sequence more than once. Given ∆(σ), a place p with a negative displacement (say −d) means that we "loose" d token each time we fire σ. Hence we should budget d tokens in p for each new iteration. On the opposite, nothing is needed for places with a positive displacement, which accrue tokens.

Examples
We give two simple examples of unbounded nets in Fig. 1, which are both part of our benchmark. Parity has a single place, hence its state space can be interpreted as a subset of N: with an initial marking of 1, this is exactly the set of odd numbers (and therefore state 0 is not reachable). We are in a special case where the set R(N, m 0 ) is semilinear. For instance, it can be seen as solution to the constraint ∃k.(p = 2k + 1), or equivalently p ≡ 1 (mod 2). But it cannot be expressed with a linear constraint involving only the variable p without quantification or modulo arithmetic. This example can be handled by most of the tools used in our experiments, e.g. with the help of k-induction.
In PGCD, transitions t 0 /t 1 can decrement/increment the marking of p 0 by 1. Nonetheless, with this initial state, it is the case that the number of occurrences of t 0 is always less than the one of t 1 in any feasible sequence σ. Hence the two predicates p 0 ≥ 2 and p 2 ≥ p 1 are valid invariants. (Since some tools do not accept literals of the form p ≥ q, we added the "redundant" place p 3 so we can restate our second invariant as p 3 ≥ 1.) These invariants cannot be proved by reasoning only on the displacements of traces (using the state equation) and are already out of reach for LoLA or Tapaal.

Linear Reachability Formulas
We can revisit the semantics of Petri nets using linear predicates. In the following, we use p for the vector (p 1 , . . . , p n ), and F (p) for a formula with variables in P . We also simply use F (α) for the substitution is true. Hence we can also interpret F as a predicate over markings. Finally, we define the semantics of F as the set F = {m ∈ N P | m |= F }.
As usual, we say that a predicate F is valid, denoted |= F , when all its interpretations are true ( F = N P ); and that F is unsatisfiable (or simply unsat), denoted F , when F = ∅.
We can define many properties on the markings of a net N using this For instance, we can model the set of markings m such that some transition t is enabled using predicate ENBL t (see Equation (2) below). We can also define a linear predicate to describe the relation between the markings before and after some transition t fires. To this end, we use a vector p of "primed variables" (p 1 , . . . , p n ), where p i will stand for the marking of place p i after a transition is fired. With this convention, formula FIRE t (p, p ) is such that FIRE t (m, m ) entails m t − → m or m = m when t is enabled at m. With all these notations, we can define a predicate T(p, p ) that "encodes" the effect of firing at most one transition in the net N .
In our work, we focus on the verification of safety properties on the reachable markings of a marked net (N, m 0 ). Examples of properties that we want to check include: checking if some transition t is enabled (commonly known as quasiliveness); checking if there is a deadlock; checking whether some linear invariant between place markings is true; . . . All properties that can be expressed using a linear predicate.

Definition 1 (Linear Invariants and Inductive Predicates).
It is possible to characterize inductive predicates using our logical framework.
. As a consequence, a sufficient condition for a predicate F to be invariant is to have both conditions (i) and (ii); conditions that can be checked using a SMT solver. Unfortunately, the predicates that we need to check are often not inductive. In this case, the next best thing is to try to build an inductive invariant, say R, such that R ⊆ F (or equivalently R ∧ ¬F unsat). This predicate provides a certificate of invariance that can be checked independently.

Lemma 1 (Certificate of Invariance). A sufficient condition for
This result is in line with a property proved by Leroux [26], which states that when a final configuration m is not reachable there must exist a Presburger inductive invariant that contains m 0 but does not contain m. This result does not explain how to effectively compute such an invariant. Moreover, in our case, we provide a method that works with general linear predicates, and not only with single configurations. On the other side of the coin, given the known results about the complexity of the problem, we do not expect our procedure to be complete in the general case.
In the next section, we show how to (potentially) find such certificates using an adaptation of the PDR method. An essential component of PDR is to abstract a "scenario" leading to the model of some property F -say a transition m σ = ⇒ m with m |= F -into a predicate that contains m (and potentially many more similar scenarios). More generally, a generalization of the trio (m, σ, F ) is a predicate G satisfied by m such that m 1 |= G entails that there is m 1 → m 2 with m 2 |= F .
Lemma 2 (Generalization). Assume we have a scenario such that m σ = ⇒ m and m |= F . We have three possible generalizations of the trio (m, σ, F ).
Assume a, b are mappings of N P such that a = H(σ) and b = (−∆(σ)) + , with the notations used in (H3). Then Each property is a direct result of properties (H1) to (H3).
Property (G3) is the first and only instance of linear formula using an extra variable, k, that is not in P . The result is still a linear formula though, since we never need to use the product of two variables. This generalization is used when we want to "saturate the sequence σ". This is the only situation where we may need to deal with quantified LIA formulas. Another solution would be to replace each quantification with the use of modulo arithmetic, but this operation may be costly and could greatly increase the size of our formulas. It would also not cut down the complexity of the SMT problems.

Property Directed Reachability
Some symbolic model-checking procedure, such as BMC [6] or k-induction [28], are a good fit when we try to find counter-examples on infinite-state systems. Unfortunately, they may perform poorly when we want to check an invariant. In this case, adaptations of the PDR method [8,9] (also known as IC3, for "Incremental Construction of Inductive Clauses for Indubitable Correctness") have proved successful.
We assume that we start with an initial state m 0 satisfying a linear property, I, and that we want to prove that property P is an invariant of the marked net (N, m 0 ). (We use blackboard bold symbols to distinguish between parameters of the problem, and formulas that we build for solving it.) When checking for the reachability from the initial state, we can simple choose I such that I = {m 0 }.
We define F = ¬P as the "set of feared events"; such that P is not an invariant if we can find m in R(N, m 0 ) such that m |= F. To simplify the presentation, we assume that F is a conjunction of literals (a cube), meaning that P is a clause. In practice, we assume that F is in Disjunctive Normal Form.
PDR is a combination of induction, over-approximation, and SAT or SMT solving. The goal is to build an incremental sequence of predicates F 0 , . . . , F k that are "inductive relative to stepwise approximations": such that m |= F i and m → m entails m |= F i+1 , but not m |= F. The method stops when it finds a counter-example, or when we find that one of the predicates F i is inductive.
Function prove(I, F: linear predicates) We adapt the PDR approach to Petri nets, using linear predicates and SMT solvers for the QF-LIA and LIA logics in order to learn, generalize, and propagate new clauses. The most innovative part of our approach is the use of specific "generalization algorithms" that take advantage of the Petri nets theory, like the use of hurdles for example.

Algorithm
Our implementation follows closely the algorithm for IC3 described in [9]. We only give a brief sketch of the OARS construction.
By construction, each frame F i in the OARS is defined as a set of clauses, CL(F i ), meaning that F i is built as a formula in CNF: F i = cl∈CL(Fi) cl . We also enforce that CL(F i+1 ) ⊆ CL(F i ) for 0 i < k, which means that the monotonicity property between frames is trivially ensured.
The body of function prove contains a main iteration (line 4) that increases the value of k (the number of levels of the OARS). At each step, we enter a second, minor iteration (line 2 in function strengthen), where we generate new minimal inductive clauses that will be propagated to all the frames. Hence both the length of the OARS, and the set of clauses in its frames, increase during computation.
The procedure stops when we find an index i such that F i = F i+1 . In this case we know that F i is an inductive invariant satisfying P. We can also stop during the iteration if we find a counter-example (a model m of F). In this case, we can also return a trace leading to m.
Function strengthen(k : current level) When we start the first minor iteration, we have k = 1, F 0 = I and F 1 = P. If we have F k (p) ∧ T (p, p ) ∧ F(p) unsat, it means that P is inductive, so we can stop and return that P is an invariant. Otherwise, we proceed with the strengthen phase, where each model of F k (p) ∧ T (p, p ) ∧ F(p) becomes a potential counterexample, or witness, that we need to "block" (line 3-5 of function strengthen).
Instead of blocking only one witness, we first generalize it into a predicate that abstracts similar dangerous states (see the call to generalizeWitness). This is done by applying one of the three generalization results in Lemma 2. We give more details about this step later. By construction, each generalization is a cube s (a conjunction of literals). Hence, when we block it, we learn new clauses from ¬s that can be propagated to the previous frames.
Before pushing a new clause, we test whether s is reachable from previous frames. We take advantage of this opportunity to find if we have a counterexample and, if not, to learn new clauses in the process. This is the role of functions pushGeneralization and inductivelyGeneralize.
We find a counter example (in the call to inductivelyGeneralize) if the generalization from a witness found at level k, say s, reaches level 0 and F 0 (p) ∧ T (p, p ) ∧ s(p ) is satisfiable (line 1 in inductivelyGeneralize). Indeed, it means that we can build a trace from I to F by going through F 1 , . . . , F k .
Procedure generateClause(s : cube, i: level, k: level) The method relies heavily on checking the satisfiability of linear formulas in QF-LIA, which is achieved with a call to a SMT solver. In each function call, we need to test if predicates of the form F i ∧ T ∧ G are unsat and, if not, enumerate its models. To accelerate the strengthening of frames, we also rely on the unsat core of properties in order to compute a minimal inductive clause (MIC).
Our approach is parametrized by a generalization function (generalizeWitness) that is crucial if we want to avoid enumerating a large, potentially unbounded, set of witnesses. This can be the case, for example, in line 5 of pushGeneralization. In this particular case, we find a state m at level n (because m |= F n ), and a transition t that leads to a problematic clause in F n+1 . Therefore we have a sequence σ of size k − n + 1 such that m σ = ⇒ m and m |= F. We consider three possible methods for generalizing the trio (m, σ, F), that corresponds to property (G1)-(G3) in Lemma 2.

State-based Generalization
A special case of the reachability problem is when the predicate F is monotonic" meaning that m 1 |= F entails m 1 + m 2 |= F for all markings m 1 , m 2 . A sufficient (syntactic) condition is for F to be a positive formula with literals of the form i∈I p i ≥ a. This class of predicates coincide with what is called a coverability property, for which there exists specialized verification methods (see e.g. [18,19]).
By property (G1), If we have to block a witness m such that m σ = ⇒ m and m |= F, we can as well block all the states greater than m. Hence we can choose the predicate GEQ m to generalize m. This is a very convenient case for verification and one of the optimizations used in previous works on PDR for Petri nets [1,16,23,24]. First, the generalization is very simple and we can easily compute a MIC when we block predicate GEQ m in a frame. Also, we can prove the completeness of the procedure when F is monotonic. An intuition is that it is enough, in this case, to check the property on the minimal coverability set of the net, which is always finite [18]. The procedure is also complete for finite transition systems. These are the only cases where we have been able to prove that our method always terminates.

Transition-based Generalization
We propose a new generalization based on the notion of hurdles. This approach can be used when F is not monotonic, for example when we want to check an invariant that contains literals of the form p = k (e.g. the reachability of a fixed marking) or p q.
Assume we need to block a witness of the from m σ = ⇒ m |= s. Typically, s is a cube in F, or a state resulting from a call to pushGeneralization. By property (G2), we can as well block all the states satisfying G σ (p) def = GEQ H(σ) (p) ∧ s(p + ∆(σ)). This generalization is interesting when property s does not constraint all the places, or when we have few equality constraints. In this case G σ may have an infinite number of models. It should be noted that using the duality between "feasible traces" and hurdles is not new. For example, it was used recently [19] to accelerate the computation of coverability trees. Nonetheless, to the best of our knowledge, this is the first time that this generalization method has been used with PDR.

Saturated Transition-based Generalization
We still assume that we start from a witness m σ = ⇒m |= s. Our last method relies on property (G3) and allows us to consider several iterations of σ. If we fix the value of k, then a possible generalization is G k σ def = i∈1..n (p i a(i) + k · b(i)) ∧ s(p + (k + 1) · ∆(σ)), where a, b are the mappings of N P defined in Lemma 2. (Notice that G 1 σ = G σ .) More generally the predicate G k σ = G 1 σ ∨ · · · ∨ G k σ is a valid generalization for the witness (m, σ, s), in the sense that if m 1 |= G k σ then there is a trace m 1 → m 2 such that m 2 |= s. At the cost of using existential quantification (and therefore a "top-level" universal quantification when we negate the predicate to block it in a frame), we can use the more general predicate G σ def = ∃k.G k σ , which is still linear and has its support in P . We know examples of invariants where the PDR method does not terminate except when using saturation. A simple example is the net Parity, used as an example in Sect. 2, with the invariant P = (p 1). In this case, F = ¬P = (p = 0). Hence we are looking for witnesses such that m → 0. The simplest example is 2 t2 − → 0, which corresponds to the "blocking clause" p = 2. In this case, we have H(t 2 ) = 2 and ∆(t 2 ) = −2. Hence the transition-based generalization is (p ≥ 2) ∧ (p − 2 = 0) ≡ (p = 2), which does not block new markings. At this point, we try to block (p = 0) ∨ (p = 2). The following minor iteration of our method will consider the witness 4 t2.t2 = == ⇒ 0, etc. Hence after k minor iterations, we have F k ≡ (p = 0) ∧ (p = 2) ∧ · · · ∧ (p = 2k). If we saturate t 2 , we find in one step that we should block ∃k.(p − 2 · (k + 1) = 0). This is enough to prove that (p 1) is an invariant as soon as the initial marking is an odd number.
This example proves that PDR is not complete, without saturation, in the general case. We conjecture that it is also the case with saturation. Even though example Parity is extremely simple, it is also enough to demonstrate the limit of our method without saturation. Indeed, when we only allow unquantified linear predicates with variables in P , it is not possible to express all the possible semilinear sets in N P . (We typically miss some periodic sets.) In practice, it is not always useful to saturate a trace and, in our implementation, we use heuristics to limit the number of quantifications introduced by this operation. Actually, nothing prevents us from mixing our different kinds of generalization together, and there is still much work to be done in order to find good tactics in this case.

Experimental Results
We have implemented our complete approach in a tool, called SMPT (for Satisfiability Modulo P/T Nets), and made our code freely available under the GPLv3 license. The software, scripts and data used to perform our analyses are available on Github (htttps://github.com/nicolasAmat/SMPT) and are archived in Zenodo [2]. The tool supports the declaration of reachability constraints expressed using the same syntax as in the Reachability examinations of the Model Checking Contest (MCC). For instance, we use PNML as the input format for nets. SMPT relies on a SMT solver to answer sat and unsat-core queries. It interacts with SMT solvers using the SMT-LIBv2 format, which is a well-supported interchange format. We used the z3 solver for all the results presented in this section.

Evaluation on Expressiveness
It is difficult to find benchmarks with unbounded Petri nets. To quote Blondin et al. [7], "due to the lack of tools handling reachability for unbounded state spaces, benchmarks arising in the literature are primarily coverability instances". It is also very difficult to randomly generate a true invariant that does not follow, in an obvious way, from the state equation. For this reason, we decided to propose our own benchmark, made of five synthetic examples of nets, each with a given invariant. This benchmark is freely available and presented as an archive similar to instances of problems used in the MCC.
Our benchmark is made of deceptively simple nets that have been engineered to be difficult or impossible to check with current techniques. We already depicted our two first examples in Fig. 1  We give a brief description of the nets composing our "reachability" benchmark (except for Parity and PGCD from Fig. 1 already described previously). Each of our example is quite small, with less than 10 places or transitions, and is representative of patterns that can make the reachability problem harder: the use of self-loops; dead transitions that cannot be detected with the state equation; weights that are relatively prime; etc. Also, most of our examples can be turned into families of nets using parameters such has the initial marking, weights on the arcs, or by adding copies of a sub-net.
-CryptoMiner describes the, simplified, daily schedule of someone mining bitcoins. The net is composed of two disjoint state machines synchronized by self-loops (trivial cycles of weight 1). Removing the self-loops do not modify the incidence matrix, and so do not change the solutions of the state equation. The difficulty when analysing this net lies in the presence of constraints that cannot be derived from the state equation alone. For instance, the presence of tokens in Coin implies Connection empty. For instance, the state equation allows to get 3 tokens in p 7 , which would contradict our invariant. -Murphy is a net combining PGCD with the "bottom component" of net Process.
We compared SMPT against ITS-Tools, LoLA, and Tapaal and give our results in Table 1. All results are computed using 4 cores, a limit of 16 GB of RAM, and a timeout of 1 h. A result of TLE stands for "Time Limit Exceeded". For SMPT, we marked with an asterisk ( * ) the results computed using our saturation-based generalization. Our results show that SMPT is able to answer on several classes of examples that are out of reach for some, or all the other tools; often by orders of magnitude.
We also experimented with two other tools for reachability recently presented at TACAS: KReach [15], that provides a complete implementation of Kosaraju's original decision procedure, and FastForward [7], a tool for efficiently finding counter-examples in unbounded Petri nets (but that may report that an invariant is true in some cases). We do not include these tools in our findings since they were unable to answer any of our problems. (But input files for our benchmark, for both tools, are available in our artifact.)

Computing Certificate of Invariance
A distinctive feature of SMPT is the ability to output a linear inductive invariant for reachability problems: when we find that P is invariant, we are also able to output an inductive formula C, of the form P ∧ G, that can be checked independently with a SMT solver. We can find the same capability in the tool Petrinizer [16] in the case of coverability properties.
To get a better sense of this feature, we give the actual outputs computed with SMPT on the two nets of Fig. 1. The invariant for the net Parity is P 1 = (p 0 1), and for PGCD it is P 2 = (p 1 p 2 ) The certificate for property P 1 on Parity is C 1 ≡ (p 0 1) ∧ ∀k.((p 0 < 2 k + 2) ∨ (p 0 2 k + 3)), which is equivalent to (p 0 1) ∧ (∀k 1).(p 0 = 2.k), meaning the marking of p 0 is odd. This invariant would be different if we changed the initial marking to an even number.

Evaluation on Performance
Since it is not sufficient to use only a small number of hand-picked examples to check the performance of a tool, we also provide results obtained on a set of 30 problems (a net together with an invariant) that are borrowed from test cases used by the tool Sara [32,33] (examples test{3, 4, 12}) and a similar software, called Reach, that is part of the Tina toolbox [5] (examples 1, 3u, . . . , zz). Most of these problems can be easily answered, but are interesting to test our reliability on a relatively even-handed benchmark.
Our benchmark also include 6 examples of bounded nets obtained by limiting the number of times we can fire transitions in the nets PGCD and CryptoMiner. (This is achieved by adding a new place that loses a token when a transition is fired.) The experiments were performed with the same conditions as previously, but with a timeout of only 255s. We display our results in the chart of Fig. 5, which gives the number of feasible problems, for each tool, when we change the timeout value. We also provide the computation times, for the same dataset, in Table 2. We observe that our performances are on par with Tapaal, which is the fastest among our three reference tools on this benchmark.
Our tool is actually quite mature. In particular, a preliminary version of SMPT [1] (without many of the improvements described in this work) participated in the 2021 edition of the MCC, where we ranked fourth, out of five competitors, and achieved a reliability in excess of 99.9%.
Even if it was with a previous version of our tool, there are still lessons to be learned from these results. In particular, it can inform us on the behavior of SMPT on a very large and diverse benchmark of bounded nets, with a majority of reachability properties that are not invariants.
We can compare our results with those of LoLA, that fared consistently well in the reachability category of the MCC. LoLA is geared towards model checking of finite state spaces, but it also implements semi-decision procedures for the

Conclusion and Related Works
One of the most important results in concurrency theory is the decidability of reachability for Petri nets or, equivalently, for Vector Addition Systems with States (VASS) [25]. Even if this result is based on a constructive proof, and its "construction" streamlined over time [26], the classical Kosaraju-Lambert-Mayr-Sacerdote-Tenney approach does not lead to a workable algorithm. It is in fact a feat that this algorithm has been implemented at all, see e.g. the tool KReach [15]. While the (very high) complexity of the problem means that no single algorithm could work efficiently on all inputs, it does not prevent the existence of methods that work well on some classes of problems. For example, several algorithms are tailored for the discovery of counter-examples. We mention the tool FastForward [7] in our experiments, that explicitly targets the case of unbounded nets. We propose a method that works as well on bounded as on unbounded ones; that behaves well when the invariant is true; and that works with "genuine" reachability properties, and not only with coverability. But there is of course no panacea. Our approach relies on the use of linear predicates, which are incrementally strengthened until we find an invariant based on: the transition relation of the net; the property we want to prove (it is "property-directed"); and constraints on the initial states. This is in line with a property proved by Leroux [26], which states that when a final configuration is not reachable then "there exist checkable certificates of non-reachability in the Presburger arithmetic." Our extension of PDR provides a constructive method for computing such certificates, when it terminates. For our future works, we would like to study more precisely the completeness of our approach and/or its limits. This is not something new. There are many tools that rely on the use of integer programming techniques to check reachability properties. We can mention the tool Sara [33], that is now integrated inside LoLA and can answer reachability problems on unbounded nets; or libraries like Fast [4], designed for the analysis of systems manipulating unbounded integer variables. An advantage of our method is that we proceed in a lazy way. We never explicitly compute the structural invariants of a net, never switch between a Presburger formula and its representation as a semilinear set (useful when one wants to compute the "Kleene closure" of a linear constraint), . . . and instead let a SMT solver work its magic.
We can also mention previous works on adapting PDR/IC3 to Petri nets. A first implementation of SMPT was presented in [1], where we focused on the integration of structural reductions with PDR. This work did not use our abstraction methods based on hurdles and saturation, which are new. We can find other related works, such as [16,23,24]. Nonetheless they all focus on coverability properties. Coverability is not only a subclass of the general reachability problem, it has a far simpler theoretical complexity (EXPSPACE vs NONELEMENTARY). It is also not expressive enough for checking the absence of deadlocks or for complex invariants, for instance involving a comparison between the marking of two places, such as p < q. The idea we advocate is that approaches based on the generalization of markings are not enough. This is why we believe that abstractions (G2) and (G3) defined in Lemma 2 are noteworthy.
We can also compare our approach with tools oriented to the verification of bounded Petri nets; since many of them integrate methods and semi-decision procedures that can work in the unbounded case. The best performing tools in this category are based on a portfolio approach and mix different methods. We compared ourselves with three tools: ITS-Tools [30], Tapaal [14] and LoLA [34], that have in common to be the top trio in the Model Checking Contest [3]. (And can therefore accept a common syntax to describe nets and properties.) Our main contribution in this context, and one of our most complex results, is to provide a new benchmark of nets and properties that can be used to evaluate future reachability algorithms "for expressiveness".
The methods closest to ours in these portfolios are Bounded Model Checking and k-induction [28], which are also based on the use of SMT solvers. We can mention the case of ITS-Tools [31], that can build a symbolic overapproximation of the state space, represented as set of constraints. This approximation is enough when it is included in the invariant that we check, but inconclusive otherwise. A subtle and important difference between PDR and these methods is that PDR needs only 2n variables (the p and p ), whereas we need n fresh variables at each new iteration of k-induction (so kn variables in total). This contributes to the good performances of PDR since the complexity of the SMT problems are in part relative to the number of variables involved. Another example of over-approximation is the use of the so-called "state equation method" [27], that can strengthen the computations of inductive invariants by adding extra constraints, such as place invariants [29], siphons and traps [16,17], causality constraints, etc. We plan to exploit similar constraints in SMPT to better refine our invariants.
To conclude, our experiments confirm what we already knew: we always benefit from using a more diverse set of techniques, and are still in need of new techniques, able to handle new classes of problems. For instance, we can attribute the good results of Tapaal, in our experiments, to their implementation of a Trace Abstraction Refinement (TAR) techniques, guided by counter-examples [10]. The same can be said with LoLA, that also uses a CEGAR-like method [33]. We believe that our approach could be a useful addition to these techniques.