1 Introduction

Due to the constant availability of networks and the miniaturization of powerful devices, modern systems are increasingly composed of a huge number of networked computers. Even if the system itself appears to be a single coherent unit, the components of such a distributed system act autonomously [52]. To avoid constant communication of every single component with a central control, systems are more and more decentralized. The price is that the system’s components have only incomplete knowledge about the system’s environment. Especially in manufacturing there is a rising demand for the development of local controllers and their mutual communication [40, 41].

The growth of these systems in size and complexity makes it even more challenging for humans to correctly implement sound controllers. Synthesis [11] avoids this error-prone task by automatically generating controllers from a description of all possible actions in the system and a specification of the system’s common goal, which should be guaranteed against all possible behavior of the system’s environment.

In this paper we consider Petri games [25], a game-theoretic approach for the synthesis of distributed systems. The game is played between two teams: the system players (the controllable behavior) and the environment players (the uncontrollable behavior). Solving such games means finding a strategy for the system players that is winning, i.e., it satisfies a given safety objective against all the environment’s decisions. A strategy takes the locally known decisions of the other players as input and produces a deterministic output in the form of a decision for the next step. In Petri games the players are the tokens of the underlying place/transition Petri net (P/T Petri net). The places of the net are partitioned into system and environment places. The team membership of a player is determined by the place the player currently resides on. Players in distant locations do not know anything about each other as long as they are not communicating, i.e., participating in the firing of a joint transition. During such communications the players exchange their knowledge about the causal past of the other players, i.e., the places and transitions the player previously resided on or participated in firing, as well as their own past.

The high-level representation of Petri games [30] allows for a concise description of these games. Rather than depending on P/T Petri nets, high-level Petri games are based on schemata of Colored Petri Nets (CPNs) [29, 36]. This makes it possible to have several individual and distinguishable tokens residing on a single place. So far high-level Petri games are solved via a transformation to the equivalent low-level variant of the game and by applying the solving algorithms for P/T Petri games to the result of the transformation. In practical applications, modeling with high-level Petri games often results in low-level Petri nets exhibiting a large amount of symmetric behavior. The main reason is that in many cases the individual tokens, e.g., robots, processes, work pieces, etc., do not need to behave that differently to win the game.

In this paper we present a solving algorithm for a subclass of high-level Petri games with a single environment player, a bounded number of system players, and a safety objective. This new algorithm exploits the symmetries of the system. The subclass is defined by two restrictions. First, we consider only set-based high-level Petri games, where the markings are sets rather than multisets of individual, colored tokens. Second, we consider only Petri games where the single environment player is recurrently interfering, i.e., in every infinite sequence of transitions there are infinitely many environment transitions.

The key idea of the algorithm is a combination of the reduction technique of the corresponding class of P/T Petri games described in [25] and the construction of a reduced reachability graph for CPNs presented in [8]. We introduce the symbolic two-player game \(\mathbb {G}^H\), a two-player game over a finite graph with complete information. This game is solvable if and only if the corresponding high-level Petri game \(\mathscr {H}\) is solvable. The states of \(\mathbb {G}^H\) are equivalence classes of the states of the two-player game \(\mathbb {G}^L\) presented in [25] of the corresponding low-level Petri game, with respect to defined symmetries. The correctness of the construction is shown via a bisimulation between these two-player games. Furthermore, we provide an algorithm to create a winning positional strategy in \(\mathbb {G}^L\) from the winning positional strategy in \(\mathbb {G}^H\).

We validate the state space reduction of our approach on a set of benchmark families introduced in [21, 22] in a prototype implementation. We develop the high-level representation of those benchmark families which had not already been introduced in [30] and introduce a completely new benchmark family about a package delivery service with drones. The experimental results calculated with a two-hour timeout show a state space reduction of a factor of up to 2366.

The remainder of the paper is structured as follows: We informally introduce the new benchmark family of a package delivery in Sect. 2 and motivate our approach by providing an intuition of the symmetries of the system. Section 3 recalls the formalism of low-level and high-level Petri games. In Sect. 4 the new solving technique for high-level Petri games is introduced and proven to be correct, before Sect. 5 shows the state-space reduction of this new technique on several benchmark families. We finish with the related work and a conclusion in Sects. 6 and 7.

2 Motivating example

We motivate our approach by introducing a new benchmark family for the synthesis of distributed systems. In this family, called Package Delivery (PD), an armada of autonomous drones has the mission to deliver packages against a hostile environment. The environment is able to let one of the drones crash. The other drones, however, get informed of the crash and can recover the lost package after their own successful delivery. A visual representation as a high-level Petri game is depicted in Fig. 1.

Fig. 1 A high-level Petri game representing the benchmark family \(\textit{PD}\). An armada of \(n\) drones \(D=\{d_1,\ldots ,d_n\}\) wants to deliver \(m\) packages \(P=\{p_1,\ldots ,p_m\}\). The hostile environment, initially residing in the place \(\textit{Env}\), destroys via transition \(\textit{destroy}\) one drone \(d\in D\) and puts its name \(d\) into the place \(\textit{Malfunction}\). Lowercase letters \(d,d',\) and \(p\) at the edges are variables ranging over elements from \(D\) and \(P\), respectively. The functioning drones can deliver their assigned packages via transition \(\textit{deliver}\). After each delivery, a drone has the option to save the package of the crashed drone via transition \(\textit{save}\). The system players win when every package is delivered and thus, by firing transition \(\textit{end}\), the place \(\textit{Bad}\) can be avoided.

The \(n\) drones are represented by a set \(D=\{d_1,\ldots ,d_n\}\) of \(n\) individual elements called tokens, which initially reside on the place with label \(\textit{Drones}\). Similarly, the \(m\) packages are represented by the set \(P=\{p_1,\ldots , p_m\}\), whose elements initially reside on the place \(\textit{Packages}\). The gray colored places belong to the controllable players, i.e., tokens residing on such places belong to the team of system players. Tokens residing on white places, however, belong to the team of environment players, also called the uncontrollable players. A transition is depicted as a rectangular node. A mode of a transition is a valuation of the variables at the transition’s edges. Those variables (like \(d, d', p\) in Fig. 1) are bound only locally to the transition. A transition is enabled in a mode iff on the places connected to its incoming edges the necessary tokens are available in this mode and a predicate, written as a dashed box connected to the transition, is satisfied in this mode. A missing dashed box represents the predicate \( true \). The transition fires in a mode by removing the tokens from the places connected to its incoming edges and by putting tokens onto the places connected to its outgoing edges. A transition can only fire in a mode if it is enabled in the mode.

Initially, the transitions \(\textit{assign}\) and \(\textit{destroy}\) are concurrently enabled. For simplicity, in descriptions we omit the mode of a transition when it is clear from the context. Thus, the assignment of the packages to drones and the subsequent takeoff (via transition \( \textit{takeoff} \)) may occur concurrently to the decision of the environment which drone will crash. In Petri games the players do not have a global view of the whole system. They only learn something about the other players by taking a joint transition. In this case the participating players exchange their complete knowledge, i.e., all places and transitions they had previously used as well as the knowledge they obtained from other players by previous joint transitions. This knowledge is called their causal past. For the example this means that even in the case that transition \(\textit{destroy}\) fires before transition \(\textit{assign}\), the drones, each loaded with a package, take off without knowing which drone will crash. The non-functioning drone, say \(d\), cannot take transition \(\textit{deliver}\) due to the predicate \(d \ne d'\). To avoid trivial solutions, where the system decides to just not move any further even though there is still a possible move and only by this is able to prevent ending up in a bad place, we are searching for deadlock-avoiding strategies. Hence, the drone \(d\) must take transition \(\textit{crash}\) and has to put its package into the place \(\textit{Lost}\). The functioning drones can deliver their packages (via transition \(\textit{deliver}\)) and meanwhile receive the emergency signal of the crashed drone. Thus, by taking transition \(\textit{deliver}\), the drone is getting the environment’s decision for the first time because the environment token residing in place \(\textit{Malfunction}\) has the transition \(\textit{destroy}\) in its causal past. This information is passed to the system player via the joint transition.
After each delivery, the drone can decide in place \(\textit{Wait}\) to pick up another assigned package via transition \(\textit{takeoff}^{\,\, \prime }\), or to recover the lost package and call it a day via transition \( \textit{save} \). By taking transition \(\textit{deliver}\), a drone not only learns which drone has crashed but also exactly which package is lost and can therewith recover exactly this package. If no drone decides to recover the lost package, the system cannot avoid reaching the bad place \(\textit{Bad}\) due to the deadlock-avoiding constraint. Only when each package is delivered, i.e., all \(p\in P\) reside on place \(\textit{Delivered}\), can the system avoid the bad place and reach the place \(\textit{End}\) via transition \(\textit{end}\). Even in the case that the environment decides to destroy a drone without an assigned package, all loaded drones can take transition \(\textit{deliver}\) and thus the place \(\textit{End}\) is reached.

Consider for example the case of two drones ordered to deliver three packages. In this case, the system cannot win the game because two packages have to be assigned to the same drone. If the environment now destroys this drone, the other, functioning drone, cannot save both undelivered packages. Therefore, some package has to take transition \( \textit{bad} \) or \( \textit{bad}^{\,\prime }\), and the system loses.

In contrast, if three drones, say \( d_1,d_2\), and \(d_3 \), have to deliver two packages, say \( p_1 \) and \( p_2 \), the system can win this game. Initially, the packages decide on an assignment, say \( p_1 \) is assigned to \( d_1 \) and \( p_2 \) is assigned to \( d_2 \), and the drones take off. In the case of the environment destroying drone \(d_1\), package \(p_1\) is lost. Then, \( d_2 \) can deliver its package, and afterwards can recover \( p_1 \) via transition \( \textit{save} \). Both packages now reside on \( \textit{Delivered} \), and therefore can take the transition \( \textit{end} \) to avoid taking any bad transition. In the case that the environment decides to let any other drone crash, the system can still win the game because either the other loaded drone saves the lost package or no package gets lost at all.

We see here that the behavior of the game is highly symmetric: it does not matter to which drones the packages \( p_1 \) and \( p_2 \) get assigned, as long as the two chosen drones are different. For example, there is no difference in the general behavior in the case that \( p_1 \) gets assigned to \( d_3 \) and \( p_2 \) to \( d_1 \). We say, this situation is symmetric to the situation above. It also does not matter which of the drones loaded with a package is destroyed by the environment – the other drone, after delivering its own cargo, will save the lost package.

These observations lead to the idea of exploiting symmetric behavior: we do not have to consider many different situations anymore, but can limit our examination to representatives of whole classes of symmetric situations. This makes it easier to determine whether the system can win the game.

3 Petri games

In this section we give an informal definition of low-level Petri games and their properties [24] and recall the definitions of high-level Petri games and their reduction technique to low-level Petri games from [30]. We assume some familiarity with Petri nets (e.g., [43, 47]).

3.1 Low-level Petri games

A Petri game \(\mathscr {G}=(\mathscr {P}_S,\mathscr {P}_E,\mathscr {T},\mathscr {F}, In ,\mathscr {B})\) models a multi-player game, where the tokens of the underlying Petri net \(\mathscr {N}= (\mathscr {P},\mathscr {T},\mathscr {F}, In )\), with a finite set of places \(\mathscr {P}\), a finite set of transitions \(\mathscr {T}\), a flow relation \(\mathscr {F}\), and an initial marking \( In \), represent the players. Although the solving algorithm in [25] is presented for k-bounded Petri games, in this paper we assume that \(\mathscr {G}\) is 1-bounded, i.e., in any state of the game each place hosts at most one token. We do so to keep the paper less technical. We distinguish two teams of players: the (uncontrollable) environment players are the tokens residing on environment places \(\mathscr {P}_E\) (depicted as white circles) and the (controllable) system players are the tokens residing on the system places \(\mathscr {P}_S\) (depicted as gray circles). The disjoint union of these sets yields the places of the underlying net: \(\mathscr {P}=\mathscr {P}_E\,{{\dot{\cup }}}\,\mathscr {P}_S\). Additionally, the Petri game identifies a set \(\mathscr {B}\subseteq \mathscr {P}\) of bad places from the point of view of the system (depicted as double circled places). For each transition \(t\in \mathscr {T}\) the pre- and postset of t are defined by \(\textit{pre}( t)=\{p\in \mathscr {P}\;\mid \;(p,t) \in \mathscr {F}\}\) and \(\textit{post}( t)=\{p\in \mathscr {P}\;\mid \;(t,p)\in \mathscr {F}\}\). Since we assume \(\mathscr {G}\) to be 1-bounded, a marking of \(\mathscr {G}\) is a set \(M \subseteq \mathscr {P}\). A transition t is enabled at M if \(\textit{pre}( t) \subseteq M\). Firing an enabled transition at M yields a new marking \(M' = (M {\setminus } \textit{pre}( t)) \cup \textit{post}( t)\). This firing relation is denoted by \(M \,[t\rangle \, M' \). 
We call transitions with a preset consisting only of system places system transitions and all other transitions environment transitions. Transitions with a preset consisting only of environment places are called pure environment transitions. Note that only pure environment transitions are under control of the environment player, whereas transitions which contain at least one system place in their preset are under control of the system players.

Each player knows its own causal past, i.e., the places and transitions which have been used to reach the current place. This information is exchanged with all players participating at a joint transition. The aim of the system players is to cooperate to avoid reaching any bad place \(p\in \mathscr {B}\). To satisfy this safety objective, the players can solely use their locally available information.

Fig. 2 A low-level Petri game in which the environment player (initially residing on place \(E_1\)) orders the system player (initially residing on place \(S\)) to let its processes work jointly or solely. The system can only win, i.e., avoid that any token ever resides on place \(\bot \), by informing itself about the environment’s decision via transition \(\textit{info}\) and letting its created processes work together or alone according to the environment’s decision.

Example 1

(Low-level Petri game) Figure 2 shows a simple Petri game with one environment player (initially residing on place \(E_1\)) and at most three system players. At the outset there is only one system player (initially residing on place \(S\)). Later on, this player can create two independent processes. The environment, however, can decide whether these processes should work together (via transition \(\textit{order}_j\)) or on their own (via transition \(\textit{order}_a\)). In the beginning, the system player can decide whether it waits for the environment’s decision and creates the two processes with this information attached (via transition \(\textit{info}\)) or whether it just creates two processes without any further attached information (transition \(\textit{uninf}\)). In both cases the processes can choose whether they want to work together (transition \(j\)) or alone (transition \(a_i\) for \(i\in \{1,2\}\)). The system can only win, i.e., avoid reaching the bad place \(\bot \), when it meets the order of the environment. Therefore, the processes must be created with the information about the environment’s order. This knowledge is available in the causal past of the token residing on place \(E_2\) and therewith is transmitted via transition \(\textit{info}\) to the system.

The causal dependencies (and independencies) in \(\mathscr {G}\) are formally represented by the unfolding of the underlying net \(\mathscr {N}\) [17, 19]. There, every loop in \(\mathscr {N}\) is unrolled and every backward branching place is expanded by multiplying the place, so that every transition in the unfolding stands for the unique occurrence (instance) of a transition of \(\mathscr {N}\) during an execution. The unfolding exhibits concurrency, causal dependency, and nondeterminism (forward branching of places) of the unique occurrences of the transitions in \(\mathscr {N}\) during all possible executions. The unfolding is lifted to Petri games by keeping the distinction of environment, system, and bad places. The unfolding of the Petri game presented in Fig. 2 is shown in Fig. 3. The solid elements together with the lighter shaded ones form the complete unfolding of the Petri game.

Fig. 3 The unfolding and a winning strategy for the system players in the Petri game presented in Fig. 2. The winning strategy is depicted by the solid elements.

A strategy for the system players in \({\mathscr {G}}\) describes a local controller for each system player which operates based on its currently available information about the whole system. A strategy is obtained from the unfolding by deleting some of the branches that are under control of the system players. Thus, it is technically a subprocess of the unfolding and describes for each place which transitions the player in that place can take. A strategy has to meet four conditions: (i) The strategy must not disallow any pure environment transition. This means the system players cannot prevent the environment from working on its own. (ii) Each refusal of a transition must be justified, i.e., when a system player refuses an instance of a transition in a place of the strategy, no other instance of this transition is allowed to occur in the postset of this place. This means that in a specific state, the system can only allow or disallow a transition of the original net. It cannot choose between two instances of this transition in the unfolding, when these instances are indistinguishable given the knowledge available to the system player. (iii) The strategy must be deterministic, i.e., in no state of the strategy are two transitions enabled that involve the same system player. (iv) The strategy must be deadlock-avoiding, i.e., whenever the system can proceed in \(\mathscr {G}\) there must also be a continuation in the corresponding situation in the strategy, to avoid trivial solutions. Since we consider a safety objective, the system players would win with a non-deadlock-avoiding strategy by just doing nothing.

In a play conforming to a given strategy for the system players all remaining nondeterminism has been resolved. The system players win this play when it avoids any bad place in \(\mathscr {B}\). A strategy \(\sigma \) for the system players in \(\mathscr {G}\) is winning iff all plays conforming to \(\sigma \) are winning. The formal definitions for unfolding, strategy, and plays are given in “Appendix A”.

Example 2

(Strategy in a low-level Petri game) The solid elements of Fig. 3 show a winning strategy for the Petri game presented in Fig. 2. Every strategy has to contain transitions \(\textit{order}_{{ a}}\) and \(\textit{order}_{{ j}}\) because all pure environment transitions have to occur. When the system in place S decides to get informed about the environment’s decision (as in this winning strategy), it has to do so uniformly in every indistinguishable situation. Thus either no instance of an \(\textit{info}\) transition is present in the strategy or both \(\textit{info}\) and \(\textit{info}^\prime \). After getting informed of the environment’s decision (which, due to the different causal pasts, results in two branches) the system can enable the appropriate transitions to avoid a bad place.

The game can only be won because every player memorizes its causal past and transmits this knowledge to all players participating in a joint transition. Suppose in place S the system decides to have \(\textit{uninf}\) in its strategy. By the determinism constraint, it includes neither transition \(\textit{info}\) nor \(\textit{info}^\prime \) and thus it is not informed of the environment’s decision. Then the system cannot avoid a bad place while fulfilling the constraints of a winning strategy. Indeed, allowing all three transitions \(\textit{a}_1'\), \(\textit{a}_2'\), and \(\textit{j}'\) in the postsets of \( P_1'\), \(P_2'\) exhibits nondeterminism. Thus, since the system must not deadlock, either \( A_1'\) and \( A_2' \), or \( J' \) must be part of the strategy. Disallowing the subsequent transitions (\({\bot }_{{a_{1}}}\) and \({{\bot _{{{{ a}}_{2}}}}}\), or \({\bot }_{j}'\), respectively) leading to a bad place, however, would yield a deadlock for one of the environment’s decisions.

A decision taken by the strategy in a place p depends on the causal past of p, which may be arbitrarily large. Similar to model checking approaches based on net unfoldings [18], we use cuts (maximal subsets of pairwise concurrent places in the unfolding) as unique representatives of the causal past. The standard notion of cuts, however, collects places with possibly different knowledge of the individual players about the causal past. Consider for example the cut \(\kappa =\{E_2,C_a,S\}\) in the unfolding presented in Fig. 3. The environment player residing on \(E_2\) and the system player residing on \(C_a\) know the same about the causal past because their last move was the joint transition \(\textit{order}_{a}\). However, the system player residing on \(S\) does not know anything about the environment’s decision. Therefore, the paper [25] introduced a new kind of cut, called maximal cuts, abbreviated mcut. For an environment place p an mcut is a cut including p such that for all places q in that cut either (1) the system players have maximally progressed at q, in the sense that any further system transition would require an additional environment transition starting from place p, or (2) the future starting at q does not depend on the environment. Mcuts are especially interesting for strategies in Petri games with a single environment player. Consider for example the losing strategy where the system decides to take transition \(\textit{uninf}\). There the cut \(\kappa \) is not an mcut because the system player residing on \(S\) can still progress without moving the token residing on \(E_2\). In the presented winning strategy, however, \(\kappa \) is an mcut because only transition \(\textit{info}\) with \(E_2\in \textit{pre}( \textit{info})\) is enabled.
Hence, for the winning strategy also the system player residing in \(S\) can be considered to be equally informed about the environment’s decision because the only possible next move for this player will provide this information. In general for Petri games with one environment player every maximally progressed system player of an mcut [case (1)] can be considered to be equally informed about the environment because the next transition either directly involves the environment player or at least contains the current environment place in its causal past. This is exploited in [25] to create a two-player game with complete information which is used to solve Petri games. Also the construction of the later introduced symbolic two-player game for high-level Petri games rests on these cuts such that the complete informedness of the players does not cause any harm.

For simplicity, we restrict ourselves in this paper to Petri games \(\mathscr {G}\) where alternative (2) does not arise. In the terminology of [25], we do not consider type-2 places here. In other words, we require that in every infinite sequence of transitions there are infinitely many environment transitions. Formally, \(\mathscr {G}\) has a recurrently interfering environment if in every infinite firing sequence

$$\begin{aligned} In = M_0\, [t_0\rangle \, M_1\, [t_1\rangle \, M_2 [t_2\rangle \dots \end{aligned}$$

of \(\mathscr {G}\) there are infinitely many \(i \in {\mathbb {N}}\) with \( \textit{pre}( t_i) \cap \mathscr {P}_E\ne \emptyset \). This restriction allows us to keep the formal definitions of elements used in the solving algorithm for Petri games, namely decision sets and the two-player game, as simple as possible and saves us from introducing an additional pre-processing algorithm similar to the one presented in [25].
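As an added example (not code from the paper or from its prototype implementation), the following Python encodes the 1-bounded P/T Petri game of Sect. 3.1 and the recurrently interfering environment condition just defined: markings are frozensets of places, a transition t is enabled at M iff \(\textit{pre}(t) \subseteq M\), firing yields \(M' = (M \setminus \textit{pre}(t)) \cup \textit{post}(t)\), and transitions are classified as system, environment, or pure environment by their preset. The check goes slightly beyond the definition on the page: because a 1-bounded game has only finitely many markings, an infinite firing sequence with only finitely many environment transitions exists iff the reachability graph contains a cycle built from system transitions alone, so the condition is decided by a cycle search over the system-only edges. The two nets below are constructed toys loosely modeled on Example 1 (they are not Fig. 2), and the class and method names are assumptions of this example.

```python
from collections import deque


class PetriGame:
    """1-bounded P/T Petri game G = (P_S, P_E, T, F, In, B); markings are frozensets of places."""

    def __init__(self, system_places, env_places, transitions, initial, bad):
        self.P_S = frozenset(system_places)
        self.P_E = frozenset(env_places)
        assert not (self.P_S & self.P_E), "system and environment places must be disjoint"
        # transitions: name -> (preset, postset); this is the flow relation F
        self.T = {t: (frozenset(pre), frozenset(post)) for t, (pre, post) in transitions.items()}
        self.In = frozenset(initial)
        self.B = frozenset(bad)

    def pre(self, t):
        return self.T[t][0]

    def post(self, t):
        return self.T[t][1]

    def enabled(self, M, t):
        # t is enabled at M iff pre(t) is a subset of M
        return self.pre(t) <= M

    def fire(self, M, t):
        # M [t> M' with M' = (M \ pre(t)) u post(t); a step that would put a second
        # token on a place violates the 1-boundedness assumption and is rejected
        if not self.enabled(M, t):
            raise ValueError(f"{t} is not enabled at {sorted(M)}")
        rest = M - self.pre(t)
        if rest & self.post(t):
            raise ValueError(f"firing {t} would put a second token on {sorted(rest & self.post(t))}")
        return frozenset(rest | self.post(t))

    def kind(self, t):
        # system: preset only system places; pure environment: only environment places
        pre = self.pre(t)
        if pre <= self.P_S:
            return "system"
        if pre <= self.P_E:
            return "pure environment"
        return "environment"

    def reachability_graph(self):
        # breadth-first exploration of all markings reachable from In
        graph = {}
        todo = deque([self.In])
        while todo:
            M = todo.popleft()
            if M in graph:
                continue
            graph[M] = [(t, self.fire(M, t)) for t in self.T if self.enabled(M, t)]
            for _, M2 in graph[M]:
                if M2 not in graph:
                    todo.append(M2)
        return graph

    def bad_reachable(self):
        # can any token ever reach a bad place, ignoring who controls the transitions?
        return any(M & self.B for M in self.reachability_graph())

    def has_recurrently_interfering_environment(self):
        # an infinite run with finitely many environment transitions exists iff the
        # finite reachability graph has a cycle that uses system transitions only
        graph = self.reachability_graph()
        WHITE, GREY, BLACK = 0, 1, 2
        color = {M: WHITE for M in graph}

        def dfs(M):
            color[M] = GREY
            for t, M2 in graph[M]:
                if self.kind(t) != "system":
                    continue
                if color[M2] == GREY or (color[M2] == WHITE and dfs(M2)):
                    return True
            color[M] = BLACK
            return False

        return not any(color[M] == WHITE and dfs(M) for M in graph)


# Constructed toy net (not Fig. 2): the environment in E1 issues an order, the system
# player in S can read it via the joint transition info and then work, or fail outright.
INTERFERING = PetriGame(
    system_places={"S", "C", "Done", "BAD"},
    env_places={"E1", "E2"},
    transitions={
        "order": ({"E1"}, {"E2"}),            # pure environment transition
        "info": ({"E2", "S"}, {"E2", "C"}),   # joint transition, controlled by the system
        "work": ({"C"}, {"Done"}),            # system transition
        "fail": ({"S"}, {"BAD"}),             # system transition into the bad place
    },
    initial={"E1", "S"},
    bad={"BAD"},
)

# Same net plus a system-only loop C -> Done -> C: its environment is not recurrently interfering
LOOPING = PetriGame(
    system_places={"S", "C", "Done", "BAD"},
    env_places={"E1", "E2"},
    transitions={**{t: (set(p), set(q)) for t, (p, q) in INTERFERING.T.items()},
                 "reset": ({"Done"}, {"C"})},
    initial={"E1", "S"},
    bad={"BAD"},
)
```

Running `INTERFERING.has_recurrently_interfering_environment()` returns True and the same call on `LOOPING` returns False; `bad_reachable()` is True for both, since the reachability check ignores which team controls a transition and therefore only shows that a safety violation is possible, not that the system cannot avoid it.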

3.2 High-level Petri games

Parameterized set-based high-level Petri games were introduced in [30]. The term set-based means that at no point in time two tokens of the same color reside on any place of the game. This corresponds to 1-bounded Petri games in the low-level case. In this paper we restrict ourselves to set-based high-level Petri games without parameters. We recall a slightly adapted version of the definition and its properties.

We consider data values that are called colors, following [36]. We refer to a finite set of colors as a color domain, with typical letter \(\mathtt {C}\). Let \(\mathscr {C}\) denote the set of all considered color domains. We use typed variables that range over a specific color domain. Let \(\mathsf {Var}\) denote the set of all variables. We use the function \(ty :\mathsf {Var}\rightarrow \mathscr {C}\) to declare the type \(ty (x)\) of a given variable \(x \in \mathsf {Var}\), i.e., its color domain. In high-level Petri nets individual tokens will be represented by colors.

A high-level Petri game \(\mathscr {H}=(\mathscr {P}_S^H, \mathscr {P}_E^H, \mathscr {T}^H, \mathscr {F}^H, ty , g, e, In ^H, \mathscr {B}^H)\) is a structure with

  • a finite set of system places \(\mathscr {P}_S^H\),

  • a finite set of environment places \(\mathscr {P}_E^H\) (the disjoint union \(\mathscr {P}^H=\mathscr {P}_S^H{{\dot{\cup }}}\mathscr {P}_E^H\) yields the set of all places),

  • a finite set of transitions \(\mathscr {T}^H\) satisfying \( \mathscr {P}^H\cap \mathscr {T}^H=\emptyset \ne \mathscr {P}^H\cup \mathscr {T}^H\),

  • a flow relation \(\mathscr {F}^H\subseteq (\mathscr {P}^H\times \mathscr {T}^H) \cup (\mathscr {T}^H\times \mathscr {P}^H)\),

  • a type function \(ty :\mathscr {P}^H\rightarrow \mathscr {C}\), which maps each place \(p\in \mathscr {P}^H\) to its color domain, i.e., the colors which can reside on \(p\),

  • a guarding function \(g\), which assigns to each transition \(t\in \mathscr {T}^H\) a guard, i.e., a Boolean expression \(g(t)\) which restricts the firing of \(t\),

  • an arc expression function \(e\), which assigns to each arc \((p,t)\in \mathscr {F}^H\) and \((t,p)\in \mathscr {F}^H\) an arc expression \(e(p,t)\) or \(e(t,p)\), respectively, describing which tokens are withdrawn or placed by \(t\) from or on the corresponding place \(p\) during the firing,

  • an initial marking \( In ^H\subseteq \{ (p,c)\ |\ p\in \mathscr {P}^H\wedge c\in ty (p) \} \), and

  • a set of bad places \(\mathscr {B}^H\subseteq \mathscr {P}^H\).

We require that two different color domains are disjoint, i.e., \( ty (p_1)\ne ty (p_2)\Rightarrow ty (p_1)\cap ty (p_2)=\emptyset \) for all places \(p_1,p_2\in \mathscr {P}^H\). For a place \(p\in \mathscr {P}^H\) and a color \(c\in ty (p)\) we often use \(p.c\) as an abbreviation for \((p,c)\) to state that the token \(c\) resides on the place \(p\). For any set \( X\subseteq \mathscr {P}^H\) of places, we denote by \( X.ty =\{ p.c\ |\ p\in X\wedge c\in ty (p) \} \) the set of all possible combinations of places in X with colors according to their types.

For a transition \(t\in \mathscr {T}^H\) let \( \mathsf {var}(t) \) denote the set of free variables occurring in \( g(t) \) or any arc expression \( e(p,t) \) or \( e(t,p) \) for a flow \((p,t)\in \mathscr {F}^H\) or \((t,p)\in \mathscr {F}^H\), respectively. A valuation or mode v of a transition t assigns to each variable \( x\in \mathsf {var}(t) \) a value \( v(x)\in ty (x) \). We denote all valuations of a transition t by \( \textit{Val}(t) \). For a set \( Y\subseteq \mathscr {T}^H\) of transitions, we denote by \( Y.\textit{Val}=\{t.v\ | \ t\in Y\wedge v\in \textit{Val}(t) \} \) the set of all possible combinations of transitions in Y with their valuations. Each valuation v of t is inductively lifted from the variables in \( \mathsf {var}(t) \) to the expressions around t. We denote by \(v(t)\) the Boolean value assigned by v to \( g(t) \), and by \(v(p,t)\) or \(v(t,p)\) the set of colors assigned by v to \(e(p,t)\) or \(e(t,p)\), respectively. For any combination of a transition \( t\in \mathscr {T}^H\) and a valuation \( v\in \textit{Val}(t) \) with \( v(t)= true \) we define the pre- and postset by \(\textit{pre}( t.v)=\{p.c\in \mathscr {P}^H\!\!.ty \;\mid \;(p,t)\in \mathscr {F}^H\wedge c\in v (p,t)\}\) and \(\textit{post}( t.v)=\{p.c\in \mathscr {P}^H\!\!.ty \;\mid \;(t,p)\in \mathscr {F}^H\wedge c\in v(t,p)\}\), respectively. Analogously, we define for any combination of a place \( p\in \mathscr {P}^H\) and a color \( c\in ty (p) \) the corresponding sets \( \textit{pre}( p.c)=\{ t.v\in \mathscr {T}^H\!\!.\!\textit{Val}\;\mid \;(t,p)\in \mathscr {F}^H\wedge c\in v(t,p)\wedge v(t)= true \} \) and \( \textit{post}( p.c)=\{ t.v\in \mathscr {T}^H\!\!.\!\textit{Val}\;\mid \;(p,t)\in \mathscr {F}^H\wedge c\in v(p,t)\wedge v(t)= true \} \).

Fig. 4 A high-level Petri game with color domains \(\{\bullet \}\), \(P=\{p_1,\ldots ,p_n\}\), and \(\{\div ,{\star }\}\) and the types of the variables \(ty (p)=P\) and \(ty (o)=\{\div ,{\star }\}\). The environment player (initially residing on place \(E_1\)) decides whether a set of system processes \(P\) should work together (place \(J\)) or alone (place \(A\)). With a proper renaming and \(n=2\) the Petri game of Fig. 2 is an instance of this high-level version.

Example 3

(High-level Petri game) Figure 4 shows a high-level version of the scenario presented as low-level Petri game in Fig. 2. Here we use the set \(\{\bullet \}\) as color domain for the environment and for the initial system player, the set \(P=\{p_1,\dots ,p_n\}\) for the created processes, and the set \(\{\div ,{\star }\}\) for the orders of the environment. The type of the places can easily be inferred by the surrounding arc expressions, for instance, \(ty (A)=P\). The type of the variables is given by \(ty (p)=P\) and \(ty (o)=\{\div ,{\star }\}\). The guarding function maps every transition to \( true \). Arcs without a depicted expression are by convention implicitly labeled with \(\bullet \). The idea is the same as in the low-level case: The environment decides via transition \(\textit{order}\) whether the processes should work together (token \( {\star }\)) or alone (token \( \div \)) and the system can decide to create them with or without this knowledge. The processes again choose to do the work jointly (transition \(j\)) or solely (transition \(a\)). In the end, the system can only win by getting informed and following the environment’s order.

Since we consider set-based high-level Petri games, a marking M of \(\mathscr {H}\) is a set \( M\subseteq \mathscr {P}^H\!\!.ty \). We denote by \( {\mathscr {M}}(\mathscr {H})={\mathbb {P}}\left( \mathscr {P}^H\!\!.ty \right) \) the set of all markings. An element \( p.c\in M \) states that in marking \(M\) a player of color c resides on place p. A transition t is enabled in mode \( v\in \textit{Val}(t) \) in marking M, denoted by \( M[t.v\rangle \), iff \( v(t)= true \) and \( \textit{pre}( t.v)\subseteq M \) holds. The restriction to set-based Petri games yields that \(M[t.v\rangle \Rightarrow \textit{post}( t.v)\subseteq (\mathscr {P}^H\!\!.ty {\setminus } M)\cup \textit{pre}( t.v)\) holds for every \(M\in {\mathscr {M}}(\mathscr {H})\). The marking \( M' \) obtained after the firing of t.v is computed as \(M'=(M{\setminus } \textit{pre}( t.v))\cup \textit{post}( t.v)\) and this firing relation is denoted by \( M\,[t.v\rangle \, M' \). The game \(\mathscr {H}\) has a recurrently interfering environment if in every infinite firing sequence

$$\begin{aligned} In ^H= M_0\, [t_0.v_0\rangle \, M_1\, [t_1.v_1\rangle \, M_2 [t_2.v_2\rangle \dots \end{aligned}$$

of \(\mathscr {H}\) there are infinitely many \(i \in {\mathbb {N}}\) with \( \textit{pre}( t_i.v_i) \cap \mathscr {P}_E^H\!.ty \ne \emptyset \).

A given set-based high-level Petri game \(\mathscr {H}\) can be transformed into a 1-bounded P/T Petri game \( \mathtt {L}(\mathscr {H}) =(\mathscr {P}_S,\mathscr {P}_E,\mathscr {T},\mathscr {F}, In ,\mathscr {B})\) with the set of system places \( \mathscr {P}_S=\mathscr {P}_S^H\!.ty \), the set of environment places \( \mathscr {P}_E=\mathscr {P}_E^H\!.ty \), the set of all places \( \mathscr {P}=\mathscr {P}_S\cup \mathscr {P}_E=\mathscr {P}^H\!\!.ty \), the set of transitions \( \mathscr {T}=\mathscr {T}^H\!\!.\!\textit{Val}\), the flow relation \( \mathscr {F}\subseteq (\mathscr {P}\times \mathscr {T})\cup (\mathscr {T}\times \mathscr {P}) \), such that \((p.c,t.v)\in \mathscr {F}\Leftrightarrow p.c\in \textit{pre}( t.v)\) and \((t.v,p.c)\in \mathscr {F}\Leftrightarrow p.c\in \textit{post}( t.v)\) holds for all \( t.v\in \mathscr {T}\) and \( p.c\in \mathscr {P}\), the initial marking \( In = In ^H\), and the set of bad places \( \mathscr {B}=\mathscr {B}^H\!\!.ty \).

With this notation, the markings of \(\mathtt {L}(\mathscr {H})\) are exactly the markings \( {\mathscr {M}}(\mathscr {H}) \) of \(\mathscr {H}\). Here \( p.c\in M \) for a marking M of \(\mathtt {L}(\mathscr {H})\) means that a player resides on place \( p.c\in \mathscr {P}\). The enabledness and firing of a transition also directly coincide. Also, \(\mathscr {H}\) has a recurrently interfering environment player iff \(\mathtt {L}(\mathscr {H})\) has a recurrently interfering environment player.

The unfolding of the high-level Petri game \(\mathscr {H}\) is defined as the unfolding of \(\mathtt {L}(\mathscr {H})\). Consequently, a strategy for the system players in \(\mathscr {H}\) is defined as a strategy in \(\mathtt {L}(\mathscr {H})\). By this, we know that the strategy is winning iff all plays conforming to the strategy avoid any bad place in \(\mathscr {B}=\mathscr {B}^H\!\!.ty \).

Note that appropriately renaming the nodes of the low-level Petri game presented in Fig. 2 yields an instance of the high-level Petri game presented in Fig. 4 with \(P=\{p_1,p_2\}\). Thus, Fig. 3 also shows (modulo renaming) a winning strategy for the system players in the high-level Petri game in Fig. 4. The concrete mapping is given by the following assignment: (i) \(\forall x\in \{ \textit{S}, E_1, E_2, J, \bot \}: x \mapsto x.\bullet \), (ii) \( \forall i\in \{1,2\}: A_i \mapsto A.\textit{p}_{i},\, P_i \mapsto \textit{Pool}.p_i, a_i \mapsto a.\{ p\mapsto \textit{p}_{i} \},\, {\bot _a}_i \mapsto \bot _a.\{ p\mapsto \textit{p}_{i} \}\), (iii) \( C_a \mapsto C.\div ,\, C_j \mapsto C.{\star },\, \textit{order}_{a} \mapsto \textit{order}.\{ o\mapsto \div \},\, \textit{order}_{j} \mapsto \textit{order}.\{ o\mapsto {\star }\}\).

Summarizing, a high-level Petri game \(\mathscr {H}\) is a succinct representation of a detailed low-level Petri game \(\mathtt {L}(\mathscr {H})\), but the semantic notions of markings, firing of transitions, unfoldings, strategies, and plays are all borrowed from \(\mathtt {L}(\mathscr {H})\).

4 Solving high-level Petri games

In this section we show how to solve set-based high-level Petri games with a single recurrently interfering environment player and a bounded number of system players with a safety objective while exploiting the symmetries of the system. The key idea of the approach is the combination of two established concepts. Firstly, we use the techniques for the construction of a symbolic reachability graph (\( \mathtt {SRG}\)) for Coloured Petri Nets with a significantly smaller size (for example presented in [8]). Secondly, we apply these techniques to the two-player game over a finite graph introduced in [24] which serves for solving a low-level Petri game with one environment player and a bounded number of system players with a safety objective. This results in a bisimilar game with a significantly smaller state space. Note that players can terminate and new players can be spawned during the game. The restriction to a bounded number of system players only limits the maximal number of system players in any state of the game, and not the total number of spawned and terminated players. The same applies to the restriction to a single environment player. Proofs that are omitted in this section can be found in “Appendix C”.

Given a set-based high-level Petri game \(\mathscr {H}\) with a single recurrently interfering environment player, a bounded number of system players and a safety objective, the solving algorithm proceeds in four steps:

  1. The corresponding symbolic two-player game \(\mathbb {G}^H\) is created with similar techniques as for the two-player game \(\mathbb {G}^L\) described in [25] for a low-level Petri game. Moreover, in the case that \(\mathbb {G}^L\) is created from \(\mathtt {L}(\mathscr {H})\), the states of \(\mathbb {G}^H\) are equivalence classes of the states of \(\mathbb {G}^L\) with respect to the system’s symmetries.

  2. Since \(\mathbb {G}^H\) is a two-player game with complete information, standard game solving algorithms are applied to gain a positional winning strategy \(\sigma ^H\) in \(\mathbb {G}^H\).

  3. Resolving the symmetries of \(\sigma ^H\) yields a winning strategy \(\sigma ^L\) in \(\mathbb {G}^L\).

  4. The techniques in [25] yield a winning strategy \(\sigma \) in \(\mathtt {L}(\mathscr {H})\) from \(\sigma ^L\).

Since the strategy in a high-level Petri game is defined as the strategy in the corresponding low-level Petri game, these four steps yield the strategy \(\sigma \) for the system players in \(\mathscr {H}\). An overview of this algorithm and the interplay of the individual components is presented in Fig. 5. Note that step 3 and step 4 could be combined to obtain the Petri game strategy \(\sigma \) directly from the high-level two-player strategy \(\sigma ^H\). However, introducing only step 3 and showing its correctness yields, together with [25], the same result and simplifies the presentation.

Fig. 5

The correlation of the games and strategies in the process of solving high-level and low-level Petri games. In the top of the figure the steps involving high-level elements are depicted, whereas the bottom shows the solving of low-level Petri games. The individual steps of the algorithm are marked bold. The edges between the top and the bottom layer show the relation of the high- and the low-level elements

Step 1 is the crucial part of the algorithm and this section serves for its elaboration. We start by recalling the definition of \(\mathbb {G}^L\) from [25] (with minor simplifications and adaptations). The definition of \(\mathbb {G}^H\) is split into three parts. Firstly, we define how to apply symmetries on the states of \(\mathbb {G}^L\) to obtain equivalence classes serving as states of \(\mathbb {G}^H\). Secondly, we examine the interrelation of the classes to reduce the number of edges induced by \(\mathbb {G}^L\). The result serves as edges of \(\mathbb {G}^H\). Finally, we define the two-player game \(\mathbb {G}^H\) and show the correctness of our approach by defining a bisimulation between \(\mathbb {G}^L\) and \(\mathbb {G}^H\), and generally proving that two bisimilar two-player Büchi games coincide regarding the existence of a winning strategy for Player 0. We start by introducing some general results and definitions for two-player games over a finite graph.

Preliminaries for two-player games: A two-player Büchi game is a structure \( \mathbb {G}=(V,V_0,V_1,v_0,E,F) \) with the set of all states V, the set of Player 0’s states \( V_0 \), the set of Player 1’s states \( V_1 \), the initial state \( v_0 \), the edge relation E, and the set of accepting states F. The game is played between two players, namely Player 0 and Player 1. A strategy for Player \(i\), for \(i\in \{0,1\}\), in \(\mathbb {G}\) is a function \(\sigma :{V}^*V_i\rightarrow V\) which maps each sequence of states ending in a state of Player \(i\) to some successor state, satisfying \( (v,\sigma (wv))\in E \) for all \( w\in {V}^* \) and \( v\in V_i \). A strategy \( \sigma \) for Player i in \( \mathbb {G}\) is called positional, if \( \sigma (wv)=\sigma (v) \) for all \( w\in {V}^* \) and \( v\in V_i \). A play on \(\mathbb {G}\) is a possibly infinite sequence \(\pi =v_0v_1v_2\ldots \) of states with \((v_j,v_{j+1})\in E \) for all \( j \in {\mathbb {N}} \). Player 0 wins a play if it infinitely often contains an accepting state. Otherwise, Player 1 wins. A play \(\pi \) conforms to a strategy \(\sigma \) for Player \(i\) if for all prefixes \(wvv'\in {V}^*V_iV\) of \(\pi \) the strategy satisfies \(\sigma (wv)=v'\). A strategy \(\sigma \) for Player i is winning if each play which conforms to \(\sigma \) is won by Player i.

From game theory we know that in a Büchi game \( \mathbb {G}\), Player 0 has a winning strategy in \( \mathbb {G}\) iff she has a positional winning strategy in \( \mathbb {G}\). Deciding the question whether Player 0 has a winning strategy in a given Büchi game \( \mathbb {G}\), and, if possible, generating a winning positional strategy, can be done in polynomial time in the number of edges in the game.

4.1 Solving low-level Petri games

In [25] Finkbeiner and Olderog reduce the problem of solving a low-level Petri game \(\mathscr {G}\) with a single environment player and a bounded number of system players with a safety objective to the solving of a two-player game over a finite graph \(\mathbb {G}^L\). They show that Player 0 has a winning strategy in \(\mathbb {G}^L\) iff the system players have a winning strategy in \(\mathscr {G}\).

In this section we simplify the definition of \(\mathbb {G}^L\) for the subclass of Petri games with a single recurrently interfering environment. We define \(\mathbb {G}^L\) specifically for a given low-level Petri game \(\mathtt {L}(\mathscr {H})=(\mathscr {P}_S^H\!.ty ,\mathscr {P}_E^H\!.ty ,\mathscr {T}^H\!\!.\!\textit{Val},\mathscr {F}, In ,\mathscr {B}^H\!\!.ty )\) which is obtained from a set-based high-level Petri game \(\mathscr {H}\) by the transformation presented in Sect. 3.2.

The general idea is that \(\mathbb {G}^L\) simulates \(\mathtt {L}(\mathscr {H})\) through a sequence of decision sets, i.e., enriched markings of \(\mathtt {L}(\mathscr {H})\). In a decision set each system player is equipped with a commitment set, i.e., a set of transitions which are currently selected by the system player to be allowed to fire (or the special symbol \(\top \)). If the commitment set is \(\top \), the system player has to select a new set of transitions. The key idea of the reduction is to delay the environment’s moves until all future moves of each system player are dependent on the environment’s decision. By this, we ensure that all system players get informed of the environment’s decision during their next move and all system players’ commitments, which should be made independently of the environment’s decision, are made before the environment’s choice. This allows for applying solving algorithms for games with complete information to \(\mathbb {G}^L\).

Formally, a decision set is a set \( D\subseteq \mathscr {P}^H\!\!.ty \times (\mathbb {P}(\mathscr {T}^H\!\!.\!\textit{Val})\cup \top ) \) such that in a commitment set only transitions of the place’s postset occur, i.e., \((p.c,C )\in D\wedge C \subseteq \mathscr {T}^H\!\!.\!\textit{Val}\Rightarrow \forall t.v\in C : t.v\in \textit{post}( p.c)\) holds. We denote the set of all decision sets by \( \mathscr {D}(\mathtt {L}(\mathscr {H})) \), and define \( \mathscr {M}\) to map a decision set \( D\in \mathscr {D}(\mathtt {L}(\mathscr {H})) \) to its corresponding marking \( \mathscr {M}(D)=\{p.c\ | \ \exists C :(p.c,C )\in D\} \).

A transition \( t.v\in \mathscr {T}^H\!\!.\!\textit{Val}\) is enabled in a decision set \( D\) iff \( \textit{pre}( t.v)\subseteq \mathscr {M}(D) \). The transition t.v is chosen in \( D\), denoted by \( D(t.v\rangle \), iff \( \forall (p.c,C )\in D: p.c\in \textit{pre}( t.v)\Rightarrow t.v\in C \) holds. We call the transition t.v fireable in \( D\), denoted by \( D[t.v\rangle \), iff t.v is enabled and chosen in \( D\). This condition is equivalent to \( \textit{pre}( t.v)\subseteq \mathscr {M}(D_{t.v}) \), where \( D_{t.v}=\{ (p.c,C )\in D\ |\ t.v\in C \} \). This means that the transition \(t.v\) not only needs to be enabled in the corresponding marking, but also that all players in the transition’s preset must allow \(t.v\). The decision set \( D' \) obtained after firing t.v, denoted by \( D[t.v\rangle D' \), is given by \(D'=\{(p.c,C )\ | \ (p.c,C )\in D\wedge p.c\notin \textit{pre}( t.v) \} \cup \{ (p.c,\top ) \ |\ p.c\in \textit{post}( t.v)\cap \mathscr {P}_S^H\!.ty \} \cup \{ (e.d,\textit{post}( e.d)) \ |\ e.d\in \textit{post}( t.v) \cap \mathscr {P}_E^H\!.ty \}\). This means that the corresponding markings preserve the firing relation, i.e., \( D[t.v\rangle D'\Rightarrow \mathscr {M}(D) [t.v\rangle \mathscr {M}(D') \) holds, and only the moved system players are allowed and have to decide on a new commitment set.

If a decision set \( D\) contains a \(\top \) symbol, denoted by \( D[\top \rangle \), the corresponding system players have to decide on a new commitment set before any other move is allowed. This is denoted by \( D[\top \rangle D' \) where \( D' \) is a decision set such that for a function \(f: \mathscr {P}^H\!\!.ty \rightarrow {\mathbb {P}}\left( \mathscr {T}^H\!\!.\!\textit{Val}\right) \), \(D'=\{(p.c,C ) \;\mid \;(p.c,C )\in D\wedge C \ne \top \} \cup \{ (p.c,f(p.c)) \ |\ (p.c,\top )\in D\}\). We call this relation \(\top \) resolution. The definition means that the \(\top \) resolution of a decision set \(D\) yields one successor decision set for every possible combination of replacing each \(\top \) in \(D\) with a possibly different commitment set \(C \subseteq \mathscr {T}^H\!\!.\!\textit{Val}\). The multiple successors are due to the several decisions the system players can make.

A decision set \( D\in \mathscr {D}(\mathtt {L}(\mathscr {H})) \) can have the following properties:

  • \(D\) is environment-dependent iff there is no \( \top \) symbol in any tuple in D, there is a pair \( (e.d,\textit{post}( e.d))\in D \) for some \( e.d\in \mathscr {P}_E^H\!.ty \), and for all \( t.v\in \mathscr {T}^H\!\!.\!\textit{Val}\) it holds that \( \lnot D[t.v\rangle \) or \(e.d\in \textit{pre}( t.v) \),

  • \(D\) contains a bad place iff \( \mathscr {M}(D)\cap \mathscr {B}^H\!\!.ty \ne \emptyset \),

  • \(D\) is a deadlock iff there is a transition \(t'.v'\in \mathscr {T}^H\!\!.\!\textit{Val}\) such that \(\mathscr {M}(D)[t'.v'\rangle \) and \(\forall t.v\in \mathscr {T}^H\!\!.\!\textit{Val}: \lnot D[t.v\rangle \) holds,

  • \(D\) is terminating iff \(\lnot \mathscr {M}(D)[t.v\rangle \) holds for all transitions \(t.v\in \mathscr {T}^H\!\!.\!\textit{Val}\), and

  • \(D\) is nondeterministic iff there are two separate transitions \(t_1.v_1, t_2.v_2\in \mathscr {T}^H\!\!.\!\textit{Val}\), with \(t_1.v_1\ne t_2.v_2\), that share a system place in their presets (\( \mathscr {P}_S^H.ty \cap \textit{pre}( t_1.v_1)\cap \textit{pre}( t_2.v_2)\ne \emptyset \)) and are both fireable in \( D\), i.e., \( D[t_1.v_1\rangle \wedge D[t_2.v_2\rangle \).

Note that an mcut in a Petri game strategy corresponds to an environment-dependent decision set, i.e., all next moves of the system players are fixed (there is no \(\top \) symbol in \(D\)) and each of these moves is only possible after a progress of the environment of which each player gets informed by this move.

The game graph for a 1-bounded Petri game \(\mathtt {L}(\mathscr {H})\) with a single recurrently interfering environment player is a vertex labeled graph \( \mathscr {A}^L=(\mathscr {V}^L,\mathscr {L}^L,D_0,\mathscr {E}^L) \) with

  • the vertices \( \mathscr {V}^L=\mathscr {D}(\mathtt {L}(\mathscr {H}))\),

  • the vertex labeling \( \mathscr {L}^L\), defined by \(\mathscr {L}^L(D)=1\), if \( D\) is environment-dependent, and \( \mathscr {L}^L(D)=0 \) otherwise. The corresponding decision sets are collected in \( \mathscr {V}^L_1= (\mathscr {L}^L)^{-1}(1)\) and \( \mathscr {V}^L_0=(\mathscr {L}^L)^{-1}(0) =\mathscr {V}^L{\setminus } \mathscr {V}^L_1\),

  • the initial state \( D_0=\{ (p.c,\top )\ |\ p.c\in In \cap \mathscr {P}_S^H\!.ty \}\cup \{ (e.d,\textit{post}( e.d))\ | \ e.d\in In \cap \mathscr {P}_E^H\!.ty \}\), i.e., the decision set containing all places of the initial marking and the system players still have to decide for a commitment set, and

  • the labeled edge relation \( \mathscr {E}^L\subseteq \mathscr {V}^L\times (\mathscr {T}^H\!\!.\!\textit{Val}\cup \{ \top \})\times \mathscr {V}^L\) defined as follows: If \( D\) contains a bad place, is a deadlock, is terminating, or is nondeterministic, there is only a \( \top \)-labeled self-loop originating from \( D\). Otherwise, we consider three disjoint cases for edges originating in \( D\):

    Case \( D\in \mathscr {V}^L_1\), i.e., all players have decided for a commitment set, but cannot proceed without the environment. Then for all \( t.v\in \mathscr {T}^H\!\!.\!\textit{Val}\), \( (D,t.v,D') \in \mathscr {E}^L\) iff \( D[t.v\rangle D' \).

    Case \( D\in \mathscr {V}^L_0\) and \(D[\top \rangle \), i.e., at least one system player has yet to decide for a commitment set. Then \( (D,\top ,D') \in \mathscr {E}^L\) iff \( D[\top \rangle D' \).

    Case \( D\in \mathscr {V}^L_0\) and \( \lnot D[\top \rangle \), i.e., all system players made their decisions and can proceed without the environment. Then for all \( t.v\in \mathscr {T}^H\!\!.\!\textit{Val}\) with \( \textit{pre}( t.v)\cap \mathscr {P}_E^H\!.ty =\emptyset \), \( (D,t.v,D') \in \mathscr {E}^L\) iff \( D[t.v\rangle D' \). The condition for \(\textit{pre}( t.v)\) ensures that only edges for system transitions are considered.

We define with \( \mathscr {R}(\mathscr {A}^L)\) the elements in \( \mathscr {V}^L\) that are reachable from \( D_0 \) under the edge relation \( \mathscr {E}^L\). We finally define the two-player Büchi game over a finite graph \( \mathbb {G}^L=(V^L,V^L_0,V^L_1,I^L,E^L,F^L) \) with the set of all states \( V^L=\mathscr {R}(\mathscr {A}^L)\), the set of Player 1’s states \( V^L_1=\mathscr {V}^L_1\cap \mathscr {R}(\mathscr {A}^L)\), i.e., the environment-dependent decision sets, the set of Player 0’s states \( V^L_0=\mathscr {V}^L_0\cap \mathscr {R}(\mathscr {A}^L)\), the initial state \(I^L=D_0 \), as in the graph \( \mathscr {A}^L\), the edge relation \( E^L\) with \( (D,D')\in E^L\) iff \( (D, \delta , D')\in \mathscr {E}^L\) for a \( \delta \in \mathscr {T}^H\!\!.\!\textit{Val}\cup \{\top \} \), and the set of accepting states \( F^L\) containing all \( D\in V^L\) that are terminating or environment-dependent, but are not a deadlock, nondeterministic, or contain a bad place.

A strategy for Player \(i\), for \(i\in \{0,1\}\), in \(\mathbb {G}^L\) is a function \(\sigma ^L:({V^L})^*V^L_i\rightarrow V^L\) which maps each sequence of states ending in a state of Player \(i\) to some successor state. A play \(\pi \) on \(\mathbb {G}^L\) is a possibly infinite sequence \(\pi =v_0v_1v_2\ldots \) of states with \(v_0 = I^L\) and \((v_j,v_{j+1})\in E^L\) for all \( j \in {\mathbb {N}} \). Player 0 wins if \(\pi \) infinitely often contains a state \(f\in F^L\). Otherwise, Player 1 wins. A play \(\pi \) conforms to a strategy \(\sigma ^L\) for Player \(i\) if for all prefixes \(wvv'\in ({V^L})^*V^L_iV^L\) of \(\pi \) the strategy satisfies \(\sigma ^L(wv)=v'\). A strategy \(\sigma ^L\) for Player i is winning if each play \(\pi \) which conforms to \(\sigma ^L\) is won by Player i.
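The decision-set semantics and the game graph \( \mathscr {A}^L\) defined above, as an added example that is not part of the paper: it builds \(\mathbb {G}^L\) for a small constructed net written in the \(p.c\)/\(t.v\) notation (hypothetical place and transition names, two system players and one environment player that orders \(\div \) or \({\star }\)), classifies the reachable decision sets, and solves the resulting Büchi game with the standard attractor-based fixpoint that step 2 of the algorithm leaves to "standard game solving algorithms".

```python
from collections import deque
from itertools import combinations, product

# Constructed toy low-level game L(H) in the page's "p.c" / "t.v" notation.
# Place and transition names are hypothetical, not those of the paper's Fig. 2/4.
ENV = {"E.•", "C.÷", "C.⋆"}                  # environment places P_E.ty
BAD = {"Bad.p1", "Bad.p2"}                   # bad places B.ty
INIT = {"E.•", "A.p1", "A.p2"}               # initial marking In
TOP = "⊤"
PRE, POST = {}, {}                           # pre(t.v) and post(t.v) as sets of "p.c"
for o in ("÷", "⋆"):
    PRE[f"order.{o}"], POST[f"order.{o}"] = {"E.•"}, {f"C.{o}"}
for p in ("p1", "p2"):
    PRE[f"a.{p}"], POST[f"a.{p}"] = {f"A.{p}"}, {f"Bad.{p}"}    # work uninformed: bad
    for o in ("÷", "⋆"):                                       # work after reading the order
        PRE[f"j.{p}.{o}"], POST[f"j.{p}.{o}"] = {f"A.{p}", f"C.{o}"}, {f"W.{p}", f"C.{o}"}

def post_place(pc): return frozenset(t for t in PRE if pc in PRE[t])
def marking(D): return {pc for pc, _ in D}               # M(D)

def fireable(D, t):                          # D[t.v>: enabled in M(D) and chosen by all of pre(t.v)
    return PRE[t] <= marking(D) and all(C != TOP and t in C for pc, C in D if pc in PRE[t])

def fire(D, t):                              # D[t.v>D': moved system players get ⊤, env gets post
    keep = {(pc, C) for pc, C in D if pc not in PRE[t]}
    new = {(pc, post_place(pc) if pc in ENV else TOP) for pc in POST[t]}
    return frozenset(keep | new)

def powerset(s):
    s = sorted(s)
    return [frozenset(c) for r in range(len(s) + 1) for c in combinations(s, r)]

def resolve_top(D):                          # D[⊤>D': one successor per way of replacing each ⊤
    fixed = [(pc, C) for pc, C in D if C != TOP]
    opens = [pc for pc, C in D if C == TOP]
    for combo in product(*[powerset(post_place(pc)) for pc in opens]):
        yield frozenset(fixed + list(zip(opens, combo)))

def env_dependent(D):                        # no ⊤, and every fireable t.v needs the env token
    if any(C == TOP for _, C in D):
        return False
    envs = [pc for pc, C in D if pc in ENV and C == post_place(pc)]
    return any(all(not fireable(D, t) or e in PRE[t] for t in PRE) for e in envs)

def has_bad(D): return bool(marking(D) & BAD)
def terminating(D): return not any(PRE[t] <= marking(D) for t in PRE)
def deadlock(D): return not terminating(D) and not any(fireable(D, t) for t in PRE)

def nondeterministic(D):                     # two fireable t.v sharing a system place
    fs = [t for t in PRE if fireable(D, t)]
    return any(t1 != t2 and (PRE[t1] & PRE[t2]) - ENV for t1 in fs for t2 in fs)

def successors(D):                           # the edge relation E^L, case by case
    if has_bad(D) or deadlock(D) or terminating(D) or nondeterministic(D):
        return {D}                           # ⊤-labelled self-loop
    if env_dependent(D):                     # Player 1: any fireable t.v
        return {fire(D, t) for t in PRE if fireable(D, t)}
    if any(C == TOP for _, C in D):          # Player 0: resolve the ⊤ symbols
        return set(resolve_top(D))
    return {fire(D, t) for t in PRE if fireable(D, t) and not PRE[t] & ENV}

def initial_state():                         # D0
    return frozenset((pc, post_place(pc) if pc in ENV else TOP) for pc in INIT)

def build_game():                            # R(A^L), Player 1's states V1 and accepting states F
    succ, queue = {}, deque([initial_state()])
    while queue:
        D = queue.popleft()
        if D not in succ:
            succ[D] = successors(D)
            queue.extend(succ[D])
    V1 = {D for D in succ if env_dependent(D)}
    F = {D for D in succ if (terminating(D) or env_dependent(D))
         and not (deadlock(D) or nondeterministic(D) or has_bad(D))}
    return succ, V1, F

def cpre(succ, V1, Z):                       # states from which Player 0 can force a step into Z
    return {D for D in succ if (succ[D] <= Z if D in V1 else bool(succ[D] & Z))}

def attractor(succ, V1, T):                  # Attr_0(T)
    A = set(T)
    while True:
        A2 = A | cpre(succ, V1, A)
        if A2 == A:
            return A
        A = A2

def buchi_winning_region(succ, V1, F):       # nu Z. Attr_0(F ∩ CPre(Z)); a positional strategy exists
    Z = set(succ)
    while True:
        Z2 = attractor(succ, V1, F & cpre(succ, V1, Z))
        if Z2 == Z:
            return Z
        Z = Z2
```

Running `build_game()` followed by `buchi_winning_region` shows that the initial decision set \(D_0\) is winning for Player 0 (the system players commit to the informed transitions \(j\)), whereas every decision set in which a player commits to the uninformed transition \(a\) is lost.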

In [25], it is shown that there is a winning strategy for the system players in a P/T Petri game \(\mathscr {G}\) with one environment player and a bounded number of system players if and only if there is a winning strategy for Player 0 in a two-player Büchi game over a finite graph. This proof caters for the more general case with type-2 places, i.e., where the environment player does not need to recurrently interfere. The proof rests on a link between mcuts in the strategy of the Petri game and the corresponding environment-dependent decision sets in the two-player game. For more details and insights we refer to [25]. Since the low-level Petri game \(\mathtt {L}(\mathscr {H})\) considered here is a specific instance of the Petri games \(\mathscr {G}\) studied in [25], the result still holds for \(\mathtt {L}(\mathscr {H})\) and \(\mathbb {G}^L\). In this paper, we do not reconsider this proof.

4.2 Symbolic decision sets

In [8], Chiola et al. construct a Symbolic Reachability Graph (\( \mathtt {SRG}\)) for high-level Petri nets. In this graph the nodes are equivalence classes of markings with respect to symmetries, and instead of the ordinary firing relation between the markings, the symbolic firing relation is used. The following section introduces equivalence classes of decision sets with respect to symmetries and lifts results of [8] about markings (see “Appendix B”) to decision sets. The representatives of the equivalence classes form the vertices of the high-level game graph \( \mathscr {A}^H\). This is, analogously to the low-level case, the graph over which the symbolic two-player game \(\mathbb {G}^H\) is defined.

A symmetry \( s_\mathtt {C}\) on a color domain \( \mathtt {C}\in \mathscr {C}\) is a permutation on \( \mathtt {C}\). A symmetry s on a high-level Petri game \(\mathscr {H}\) is a family \( (s_\mathtt {C})_{\mathtt {C}\in \mathscr {C}} \) (short \( (s_\mathtt {C})_{\mathtt {C}} )\) of symmetries on all color domains \( \mathtt {C}\). Let \( \mathscr {S}\) be the set of all symmetries on \(\mathscr {H}\). Together with the function composition \( \circ \), defined by \( (s_\mathtt {C})_\mathtt {C}\circ (r_\mathtt {C})_\mathtt {C}=(s_\mathtt {C}\circ r_\mathtt {C})_\mathtt {C}\), the symmetries form a group \( (\mathscr {S},\circ ) \) with \( 1_\mathscr {S}=(\textit{id}_\mathtt {C})_\mathtt {C}\) and \( (s_\mathtt {C})_\mathtt {C}^{-1}=(s_\mathtt {C}^{-1})_\mathtt {C}\). Let \(s=(s_\mathtt {C})_\mathtt {C}\) be a symmetry. For any color \(c\in \mathtt {C}\), \(s(c)\) abbreviates \(s_\mathtt {C}(c)\). The application of \(s\) to a set \( A\subseteq \mathscr {P}^H\!\!.ty \) is defined by \( s(A) = \{ p.s(c) \ |\ p.c\in A \} \) and to a valuation v by \( s(v) = s\circ v \), i.e., if v assigns color c to a variable x then the valuation s(v) assigns color \( s_{ty (x)}(c) \) to x.

For a given high-level Petri game \(\mathscr {H}\) we call a subset \(S \subseteq \mathscr {S}\) of symmetries admissible iff

  • \( (S,\circ ) \) is a subgroup of \( (\mathscr {S},\circ ) \) such that

  • \( \forall s\in S\ \forall t\in \mathscr {T}^H\ \forall v\in \textit{Val}(t): v(t)= s(v)(t)\) and in the case \( v(t)= true \),

    (i) \(s(\textit{pre}( t.v))=\textit{pre}( t.s(v))\) and

    (ii) \(s(\textit{post}( t.v))=\textit{post}( t.s(v))\)

holds. This condition ensures that the symmetries are “compatible” with the firing of transitions: if a transition t, fireable in mode v, takes the color c from a place p (i.e., \( p.c\in \textit{pre}( t.v)\)), then it should be fireable in mode s(v) and, when fired, take color s(c) from place p (i.e., \( p.s(c)\in \textit{pre}( t.s(v))\)). The same applies to the postset of \(t\). Hence, admissible symmetries on a high-level Petri game are those symmetries which are compatible with the game’s semantic structure.

As for places, we can apply symmetries to sets of transitions \( A\subseteq \mathscr {T}^H\!\!.\!\textit{Val}\) by \( s(A)=\{t.s(v)\ |\ t.v\in A \} \). For a high-level Petri game \( \mathscr {H}\) we fix one set S satisfying the conditions above, and call it the set of admissible symmetries.

Example 4

Consider the package delivery benchmark family of Fig. 1 with three packages \( P=\{ p_1,p_2,p_3\} \), three drones \( D=\{d_1,d_2,d_3\} \), and the color domains of the places \( \mathtt {C}_0=\{\bullet \} \), \( \mathtt {C}_1=P \), \( \mathtt {C}_2=D \), and \( \mathtt {C}_3=D\times P \). Thus, every symmetry \( s\in \mathscr {S}\) is of the form \( s=(s_0,s_1,s_2,s_3) \), where \( s_i \) is a permutation on \( \mathtt {C}_i \). This means that there is only one possibility for \(s_0\) (namely, \(\textit{id}_{\{\bullet \}}\)), \( |P|!=3!=6 \) possibilities for \(s_1\), \( |D|!=3!=6 \) possibilities for \(s_2\), and consequently there are \( 6\cdot 6 =36\) possibilities for permutations \(s_3\) on the Cartesian product \( D\times P\). Ultimately the set \( \mathscr {S}\) of all symmetries contains \( 1\cdot 6\cdot 6 \cdot 36=1296 \) elements.

We are now interested in the largest set S of admissible symmetries. Therefore, we have to consider the conditions the admissibility property imposes on symmetries. There is only one predicate not equal to \( true \), namely \( d\ne d' \) at transition \( \textit{deliver} \). For all drones \( d,d'\in D \) holds that \( d\ne d'\Leftrightarrow s(d)\ne s(d') \) because all symmetries \( s\in \mathscr {S}\) are bijective. Thus, the predicates do not impose any restricting condition on the symmetries because \( v(t)=s(v)(t) \) holds for all \( t\in \mathscr {T}^H,\ v\in \textit{Val}(t) \), and \( s\in \mathscr {S}\).

Consider now the transition \( \textit{deliver} \). A valuation \( v\in \textit{Val}(\textit{deliver}) \) assigns to all variables in \( \mathsf {var}(\textit{deliver}) \), namely \( d, d' \), and p, a value of the corresponding type. We denote \( {\mathsf {d}}=v(d)\in D,\mathsf {d'}=v(d')\in D \), and \( {\mathsf {p}}=v(p)\in P \). For \({\mathsf {d}}\ne \mathsf {d'}\) the transition \( \textit{deliver} \) in mode v takes a token \( (\mathsf {d'},{\mathsf {p}})\in D\times P \) from the place \( \textit{Fly} \) when firing. Condition (i) for the admissibility of symmetries imposes, regarding the arc expression \((d',p)\), that \(s_3(\mathsf {d'},{\mathsf {p}})=(s_2(\mathsf {d'}),s_1({\mathsf {p}}) ) \) has to hold for every \(s\in S\) and all values \( \mathsf {d'} \) and \( {\mathsf {p}} \) that a valuation can assign to \( d'\) and p. Thus, \( s_3 \) is determined by the choice of \( s_1 \) and \( s_2 \). The condition (i) for the admissibility of symmetries regarding the arc expression \(d\) and condition (ii) for all corresponding arc expressions do not impose any restrictions on the symmetries because of the structure of the arc expressions. The conditions regarding all other transitions of the example do not introduce any other restrictions on the set of admissible symmetries. This means that the set S of admissible symmetries consists of the 36 symmetries of the form \( s=(\textit{id}_{\{\bullet \}}, s_1, s_2, s_3) \) such that \( s_3 (d,p) = (s_2(d),s_1(p) ) \) for all \( (d,p)\in D\times P \). \( \square \)

We now apply symmetries to decision sets and show that their properties are invariant under the application. This means all decision sets in an equivalence class with respect to the admissible symmetries have the same properties. The representatives of these equivalence classes are called symbolic decision sets.

Due to the special syntax of \( \mathtt {L}(\mathscr {H}) \) for a high-level Petri game \( \mathscr {H}\), and since both games have the same semantics, we define the decision sets of \( \mathscr {H}\) as the decision sets of \( \mathtt {L}(\mathscr {H}) \), i.e., \( \mathscr {D}(\mathscr {H})=\mathscr {D}(\mathtt {L}(\mathscr {H})) \). For a decision set \( D\in \mathscr {D}(\mathscr {H}) \) and any symmetry \( s\in S \) we define the application of a symmetry to a decision set by

$$\begin{aligned} s(D)=\{ (p.s(c),s(C ) )\ | \ (p.c,C )\in D\} , \end{aligned}$$

with \( s(C)=\{t.s(v)\ |\ t.v\in C \} \) if \( C\subseteq \mathscr {T}^H\!\!.\!\textit{Val}\) and \( s(\top )=\top \) otherwise. This means if a player of color c on place p allows transition t in mode v in the decision set \( D\) (i.e., \( (p.c,C )\in D\) and \( t.v\in C \)), then after the application of the symmetry s, the player of color s(c) on place p allows transition t in mode s(v) (i.e., \( (p.s(c),s(C ))\in s(D) \) and \( t.s(v)\in s(C ) \)). Since symmetries operate on the first coordinate of a decision set exactly as on markings, we obtain \( s(\mathscr {M}(D))=\mathscr {M}(s(D)) \).

Two decision sets \( D\) and \( D' \) are equivalent iff there is an admissible symmetry \(s \in S\) such that \( s (D)=D' \) holds. This leads to the set of equivalence classes \( \mathscr {D}(\mathscr {H}) / S \) of the decision sets. For a decision set \(D\in \mathscr {D}(\mathscr {H})\), we denote an equivalence class in \( \mathscr {D}(\mathscr {H}) / S \) by \([ D ] \). We define \( \overline{D}\in [ D] \) as an arbitrarily chosen, but fixed representative of \([ D] \). The representatives \( \overline{D} \) are called symbolic decision sets. We fix with \( s_D\) a symmetry that maps a decision set \( D\) to its corresponding representative, i.e., \( s_D(D)=\overline{D} \). Thus, the admissible symmetries on a high-level Petri game are a tool to transform equivalent situations into each other.
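The admissibility conditions (i) and (ii), the application \(s(D)\) of a symmetry to a decision set, and the choice of a fixed representative \( \overline{D} \) per equivalence class, as an added example that is not from the paper: it uses a constructed high-level toy game with color domains \(\{\bullet \}\), \(P=\{p_1,p_2\}\) and \(\{\div ,{\star }\}\) (hypothetical place, transition and variable names; all guards are \( true \)), enumerates \( \mathscr {S}\), filters the admissible symmetries, and collapses the 64 \(\top \)-resolutions of the initial decision set into symbolic decision sets.

```python
from itertools import combinations, permutations, product

# Constructed high-level toy game (hypothetical names, not the paper's Fig. 4):
# color domains C0 = {•}, C1 = P, C2 = O; arc expressions as functions of a mode v.
P, O = ("p1", "p2"), ("÷", "⋆")
COLORS = {"C0": ("•",), "C1": P, "C2": O}
DOMAIN = {"E": "C0", "C": "C2", "A": "C1", "W": "C1", "Bad": "C1"}       # ty(p)
VARS = {"order": {"o": "C2"}, "a": {"p": "C1"}, "j": {"p": "C1", "o": "C2"}}  # ty(x), x in var(t)
PRE = {"order": lambda v: {("E", "•")}, "a": lambda v: {("A", v["p"])},
       "j": lambda v: {("A", v["p"]), ("C", v["o"])}}
POST = {"order": lambda v: {("C", v["o"])}, "a": lambda v: {("Bad", v["p"])},
        "j": lambda v: {("W", v["p"]), ("C", v["o"])}}
TOP = "⊤"

def modes(t):                                    # Val(t): every assignment of var(t)
    xs = sorted(VARS[t])
    return [dict(zip(xs, cs)) for cs in product(*[COLORS[VARS[t][x]] for x in xs])]

def key(t, v):                                   # hashable form of t.v
    return (t, tuple(sorted(v.items())))

def all_symmetries():                            # the group 𝒮: one permutation per color domain
    doms = sorted(COLORS)
    perms = [[dict(zip(COLORS[d], q)) for q in permutations(COLORS[d])] for d in doms]
    return [dict(zip(doms, combo)) for combo in product(*perms)]

def apply_place(s, pc):                          # p.c -> p.s(c)
    return (pc[0], s[DOMAIN[pc[0]]][pc[1]])

def apply_mode(s, t, v):                         # s(v) = s ∘ v
    return {x: s[VARS[t][x]][c] for x, c in v.items()}

def admissible(s):                               # (i) s(pre(t.v)) = pre(t.s(v)), (ii) same for post
    for t in VARS:                               # (every guard is true in this net, so v(t) = s(v)(t))
        for v in modes(t):
            sv = apply_mode(s, t, v)
            if {apply_place(s, pc) for pc in PRE[t](v)} != PRE[t](sv):
                return False
            if {apply_place(s, pc) for pc in POST[t](v)} != POST[t](sv):
                return False
    return True

def admissible_symmetries():                     # the fixed set S
    return [s for s in all_symmetries() if admissible(s)]

def apply_decision_set(s, D):                    # s(D) = {(p.s(c), s(C)) | (p.c, C) in D}, s(⊤) = ⊤
    out = set()
    for pc, C in D:
        sC = TOP if C == TOP else frozenset(key(t, apply_mode(s, t, dict(v))) for t, v in C)
        out.add((apply_place(s, pc), sC))
    return frozenset(out)

def marking(D):                                  # M(D)
    return {pc for pc, _ in D}

def canon(D):                                    # a total order on decision sets
    return sorted((pc, 0, ()) if C == TOP else (pc, 1, tuple(sorted(C))) for pc, C in D)

def representative(S, D):                        # the fixed representative of [D]: the canon-minimum
    return min((apply_decision_set(s, D) for s in S), key=canon)

def classes(S, decision_sets):                   # D(H)/S restricted to the given decision sets
    out = {}
    for D in decision_sets:
        out.setdefault(representative(S, D), set()).add(D)
    return out

def subsets(items):
    return [frozenset(c) for r in range(len(items) + 1) for c in combinations(items, r)]

def initial_resolutions():                       # the 64 successors D0[⊤>D' of Sect. 4.1
    env = (("E", "•"), frozenset(key("order", v) for v in modes("order")))
    post = {p: [key("a", {"p": p})] + [key("j", {"p": p, "o": o}) for o in O] for p in P}
    return [frozenset({env, (("A", "p1"), C1), (("A", "p2"), C2)})
            for C1 in subsets(post["p1"]) for C2 in subsets(post["p2"])]
```

With the two colors of \(P\) and the two orders permuted independently, all 4 symmetries are admissible and the 64 resolutions fall into 24 classes, each with a canonical symbolic decision set.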

As a first property we consider the interplay of symmetries and the relations between decision sets.

Lemma 1

The admissible symmetries are compatible with the firing of a transition \(t\in \mathscr {T}^H\) in mode \(v\in \textit{Val}(t)\) in a decision set. The same is true for the resolution of a \(\top \) symbol in a decision set.

  • \(\forall t\in \mathscr {T}^H\ \forall v\in \textit{Val}(t)\ \forall s\in S: D[t.v\rangle D' \Leftrightarrow s(D)[t.s(v)\rangle s(D')\).

  • \( \forall s\in S: D[\top \rangle D' \Leftrightarrow s(D)[\top \rangle s(D'). \)

Both results follow from the admissibility of a symmetry s and from the equations \( s(\mathscr {M}(D))=\mathscr {M}(s(D)) \) and \( s(D_{t.v}) =s(D)_{t.v}\) (see “Appendix C”).

From now on we assume w.l.o.g. that the initial marking \( In ^H\) of a high-level Petri game \( \mathscr {H}\) is symmetric, i.e., \( s( In ^H)= In ^H\) for all \( s\in S \). If this is not the case, we add a new transition \(t_0\) with a single new environment place \(p_0\) in its preset such that the firing of \(t_0\) generates \( In ^H\) or an equivalent marking. This way, the admissible symmetries remain unchanged. The new initial marking consists only of a fresh colored token \(c_0\) residing on \(p_0\) with a fresh singleton color domain and is thus trivially symmetric. For the explicit construction, see “Appendix B”. Most examples, like the ones in Sects. 2 and 3.2, directly have a symmetric initial marking.

This assumption allows us to show that the following properties of a decision set are preserved by the application of admissible symmetries.

Lemma 2

Let \( D\in \mathscr {D}(\mathscr {H}) \) and \( s\in S \). Then \( D\) is environment-dependent, contains a bad place, is a deadlock, is terminating or is nondeterministic if and only if \( s(D) \) has the same property.

These properties can be proven by using Lemma 1 and the following facts about symmetries (see “Appendix C”). An admissible symmetry \( s\in S \) applied to a set \( A.ty \) with \( A\subseteq \mathscr {P}^H\) leaves the set unchanged, i.e., \( s(A.ty )=A.ty \). This also holds for a set \( A.\textit{Val}\) with \( A\subseteq \mathscr {T}^H\). The application of s is compatible with intersections of sets \( A,B\subseteq \mathscr {P}^H\!\!.ty \) or sets \( A,B\subseteq \mathscr {T}^H\!\!.\!\textit{Val}\), i.e., \( s(A\cap B)=s(A)\cap s(B) \).

Lemma 2 yields the uniform satisfaction of these properties throughout the complete equivalence class.

Corollary 1

Let \( D\) be a decision set. Then \( D\) has one of the properties listed above if and only if all \( D'\in [ D ] \) (and in particular \( \overline{D} \)) have the same property.

The representatives \(\overline{D}\) of the decision sets \(D\in \mathscr {V}^L\) of the low-level game graph \(\mathscr {A}^L\) form the vertices of the high-level game graph \(\mathscr {A}^H\). This already reflects the spirit of the symbolic reachability graph \( \mathtt {SRG}\), whose nodes are symbolic markings \( \overline{M} \) instead of the ordinary markings M of the reachability graph \(\mathtt {RG}\).

Usually, the relation on equivalence classes is given by all connections between the individual elements of the corresponding classes. Lemma 1 shows that for equivalence classes of decision sets, we only have to consider connections where the source is a representative of the class. The next section reduces this relation even further, by only considering equivalence classes of firings, local to the source decision set.

4.3 Symbolic firing and symbolic \( \top \) resolution

In this section we define equivalence classes of transition firings to define the edge relation of the high-level game graph \(\mathscr {A}^H\). In general, this relation is smaller than the relation containing an edge for every possible transition firing or \(\top \) resolution between the corresponding equivalence classes of decision sets. Again, results of [8] are lifted from markings to decision sets.

Example 5

Consider the scenario of the package delivery of Fig. 1 with three packages \( P=\{p_1,p_2,p_3\} \) and three drones \( D=\{d_1,d_2,d_3\} \). Assume the packages assigned themselves to the drones according to their index, and the drones, loaded with their corresponding cargo, took off, i.e., the three tokens \( (d_1,p_1), (d_2,p_2) \), and \( (d_3,p_3) \) reside on the place \( \textit{Fly} \). Further assume that the environment decided that drone \( d_1 \) is defective via transition \( \textit{destroy} \) in mode \( v= \{d\mapsto d_1\} \), i.e., a token \( d_1 \) resides on \( \textit{Malfunction} \). The corresponding marking is \( \{ \textit{Fly}.(d_1,p_1),\textit{Fly}.(d_2,p_2),\textit{Fly}.(d_3,p_3), \textit{Malfunction}.d_1\} \).

Since the system players do not know which drone got destroyed and must not deadlock, they should allow both transitions \( \textit{crash} \) and \( \textit{deliver} \) in all possible modes to win the game. The environment player \( d_1 \) on \( \textit{Malfunction} \) as usual also allows both transitions in all modes. We denote the modes \( u \in \textit{Val}( \textit{crash} )\) by \( u_{(i,j)}=\{d\mapsto d_i,\, p\mapsto p_j \}\), and the modes \( v \in \textit{Val}( \textit{deliver} )\) by \( v_{(i,j,k)}=\{ d'\mapsto d_i,\,p\mapsto p_j,\,d\mapsto d_k \} \).

We abbreviate \( \textit{crash}.u_{(i,j)} \) by \( \textit{cr}_{(i,j)} \) and \( \textit{deliver}.v_{(i,j,k)} \) by \( \textit{del}_{(i,j,k)} \). The decision set described above is

$$\begin{aligned} \begin{aligned} D_1= \big \{&( \textit{Fly}.(d_1,p_1), \{ \textit{cr}_{(1,1)}, \textit{del}_{(1,1,2)}, \textit{del}_{(1,1,3)}\} ),\\&( \textit{Fly}.(d_2,p_2),\{ \textit{cr}_{(2,2)}, \textit{del}_{(2,2,1)}, \textit{del}_{(2,2,3)}\} ),\\&( \textit{Fly}.(d_3,p_3), \{ \textit{cr}_{(3,3)}, \textit{del}_{(3,3,1)},\textit{del}_{(3,3,2)}\} ),\\&( \textit{Malfunction}.d_1, \{ \textit{cr}_{(1,j)}, \textit{del}_{(i,j,1)} \;\mid \;i=2,3 \wedge j=1,2,3 \} ) \big \} . \end{aligned} \end{aligned}$$

The fireable transitions from this decision set are \( \textit{cr}_{(1,1)} \), \( \textit{del}_{(2,2,1)} \), and \( \textit{del}_{(3,3,1)} \). This means, when the relation on decision sets is lifted to equivalence classes by collecting all connections between individual elements of the corresponding classes, these three transitions all induce an outgoing edge from \( [ D_1 ] \). This is illustrated in Fig. 6 where \( [ D_1 ] \) is depicted in the middle of the figure. The decision sets obtained after the respective firing are \( D_2 \), \( D_3 \), and \( D_4 \). Since \( D_2 \) and \( D_3 \) are in the same equivalence class, this results in a connection between \( [ D_1 ] \) and \( [ D_2 ] \) for \( \textit{del}_{(2,2,1)} \) and \( \textit{del}_{(3,3,1)} \) each.

Fig. 6 An illustration of equivalences of transition firings. The decision set \(D_1\) (depicted in the middle) has three successor decision sets according to the standard firing relation: \(D_2,D_3\), which belong to the same symbolic decision set (depicted at the bottom), and \(D_4\) (depicted at the top). Since the transitions \(\textit{del}_{(2,2,1)}\) and \(\textit{del}_{(3,3,1)}\) can be mapped to one another via a symmetry not affecting \(D_1\), the relation between \([ D_1 ]\) and \([ D_2 ]\) can be represented by only one of them. The equivalence of the transitions is depicted by the dashed connection in the middle.

Consider now the symmetry \( s\in S \) that swaps \( p_2 \) and \( p_3 \) in P, swaps \( d_2 \) and \( d_3 \) in D, and accordingly operates on the Cartesian product \( D\times P \). This symmetry leaves \( D_1 \) invariant. When applied to \( \textit{del}_{(2,2,1)} \) or \( \textit{del}_{(3,3,1)} \), the respective other transition is obtained. We therefore call these two transitions equivalent with respect to \( D_1 \) (since the symmetry s leaves \( D_1 \) invariant). Instead of considering both firings, we choose one of these transitions to represent both. \(\square \)

From Lemma 1 we see that, if an admissible symmetry \( s\in S \) leaves a decision set \( D\) invariant, then a transition t is fireable in mode \( v\in \textit{Val}(t) \) at \( D\) if and only if t is fireable in mode s(v) at \( D\). These symmetries form a group (later called the isotropy group of \(D\)), and their application yields equivalence classes of valuations that are local to the decision set. Instead of considering all valuations in which a transition is fireable from a decision set, it suffices to consider representatives of these equivalence classes. As a result, the size of the firing relation between equivalence classes of decision sets decreases. This reduced firing relation, called the symbolic firing relation, is the first part of the edge relation of the high-level game graph \(\mathscr {A}^H\).

Note, however, that firing a transition from a symbolic decision set in a representative of an equivalence class of valuations does not in general yield a symbolic decision set again. Since the symbolic firing relation is defined between symbolic decision sets, this has to be taken into account when defining the relation.

In addition to the firing relation there is the relation of \( \top \) resolution between decision sets. Thus, we also define the symbolic \( \top \) resolution between symbolic decision sets. This relation forms the rest of the edge relation of \(\mathscr {A}^H\).

Let \( D\in \mathscr {D}(\mathscr {H}) \) be a decision set. The isotropy group \( S_D=\{s\in S \ | \ s( D)=D\} \) of \( D\) is the group of all admissible symmetries that preserve \( D\). For a transition \( t \in \mathscr {T}^H\), we denote by \( \textit{Val}(t)_D=\textit{Val}(t)/S_D\) the set containing the equivalence classes of all modes of t with respect to the isotropy group \( S_D\). The individual modes in one class affect \( D\) in symmetric ways. For each class in \( \textit{Val}(t)_D\) we arbitrarily choose a representative mode \( \overline{v} \) and define \( \alpha _D\) as the function mapping each \( v\in \textit{Val}(t) \) to its representative \( \alpha _D(v) \).

Note that for every representative \( \overline{v} \) of a class in \( \textit{Val}(t)_D\), for every mode v belonging to \( [\overline{v}] \), there is a symmetry \( s\in S_D\) such that \( s(v)=\alpha _D(v)=\overline{v} \). This means that, in a decision set \( D\), a transition can fire in mode v if and only if it can fire in its representative \( \alpha _D(v) \).

We now define the symbolic firing relation between symbolic decision sets. For that, instead of firing a transition in all modes, we only consider the representatives of the equivalence classes of modes, local to the symbolic decision set. The symbolic decision set obtained after the symbolic firing is the representative of the decision set obtained after the ordinary firing of the transition in the representative mode.

We say a transition t can fire symbolically from the symbolic decision set \( \overline{D} \) in mode \( \alpha _{\overline{D}}(v) \) representing v in \( \textit{Val}(t)_{\overline{D}} \), denoted by \( \overline{D}[\![t.\alpha _{\overline{D}}(v)\rangle \!\rangle \), iff \( \overline{D}[t.\alpha _{\overline{D}}(v)\rangle \). The symbolic decision set \( \overline{D'} \) obtained after the symbolic firing is determined as follows:

$$\begin{aligned} \overline{D}[\![t.\alpha _{\overline{D}}(v)\rangle \!\rangle \overline{D'}\Leftrightarrow \exists D''\in [ \,\overline{D'}\, ] : \overline{D}[t.\alpha _{\overline{D}}(v)\rangle D''. \end{aligned}$$
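The definitions above (the action of a symmetry on a decision set from Sect. 4.2, the isotropy group \( S_D\), the representative map \( \alpha _D\) and the symbolic firing relation) can be made concrete on the decision set \( D_1 \) of Example 5. The following Python script is an added example and not code from the paper or from Adam: it enumerates the 36 admissible symmetries of the drone game, checks that exactly two of them (the identity and the one swapping \( d_2,d_3 \) and \( p_2,p_3 \)) fix \( D_1 \), and collapses the three fireable firings \( \textit{cr}_{(1,1)} \), \( \textit{del}_{(2,2,1)} \), \( \textit{del}_{(3,3,1)} \) into two symbolic firings. Since Fig. 1 is not reproduced on this page, the presets of \( \textit{crash} \) and \( \textit{deliver} \) used by `fireable` are an assumption (flagged in the code), chosen to agree with the fireable transitions the example lists; the encoding of colors, modes and decision sets as frozensets is likewise the script's own.

```python
"""Symmetries on decision sets (Sect. 4.2), isotropy groups and symbolic firings (Sect. 4.3),
instantiated on the decision set D1 of Example 5.  Added example; not the paper's code."""
from itertools import permutations

DRONES, PACKAGES, TOP = ("d1", "d2", "d3"), ("p1", "p2", "p3"), "TOP"

def all_symmetries():
    """S: every pair of permutations of the basic color classes D and P (6 * 6 = 36)."""
    return [(dict(zip(DRONES, pd)), dict(zip(PACKAGES, pp)))
            for pd in permutations(DRONES) for pp in permutations(PACKAGES)]

def sym_color(s, c):
    """Apply s to a drone, a package, or a product color (drone, package)."""
    if isinstance(c, tuple):
        return tuple(sym_color(s, x) for x in c)
    return s[0][c] if c in s[0] else s[1][c]

def sym_mode(s, v):          # a mode is a frozenset of (variable, color) bindings
    return frozenset((x, sym_color(s, c)) for x, c in v)

def sym_commitment(s, C):    # s(top) = top, otherwise t.v -> t.s(v)
    return TOP if C == TOP else frozenset((t, sym_mode(s, v)) for t, v in C)

def sym_decision_set(s, D):
    """s(D) = {(p.s(c), s(C)) | (p.c, C) in D}; a decision set is a frozenset of (p, c, C)."""
    return frozenset((p, sym_color(s, c), sym_commitment(s, C)) for p, c, C in D)

def marking(D):
    return frozenset((p, c) for p, c, _ in D)

def key_mode(v):
    return tuple(sorted(v))

def key_dset(D):
    """A total order on decision sets, used to fix one representative per equivalence class."""
    def key_commit(C):
        return (1,) if C == TOP else (0, tuple(sorted((t, key_mode(v)) for t, v in C)))
    return tuple(sorted((p, c if isinstance(c, tuple) else (c,), key_commit(C)) for p, c, C in D))

def representative(D, S):
    """The symbolic decision set D-bar: the least element of the orbit {s(D) | s in S}."""
    return min((sym_decision_set(s, D) for s in S), key=key_dset)

def isotropy_group(D, S):
    """S_D = {s in S | s(D) = D}."""
    return [s for s in S if sym_decision_set(s, D) == D]

def alpha(D, S, modes):
    """alpha_D: each mode v -> the fixed (least) representative of its class in Val(t)/S_D."""
    SD = isotropy_group(D, S)
    return {v: min((sym_mode(s, v) for s in SD), key=key_mode) for v in modes}

def pre(t, v):
    """ASSUMED preset of crash.u / deliver.v (Fig. 1 is not reproduced here; the arcs are chosen
    so that the fireable firings of D1 are exactly those named in Example 5)."""
    m = dict(v)
    if t == "crash":
        return {("Fly", (m["d"], m["p"])), ("Malfunction", m["d"])}
    return {("Fly", (m["d'"], m["p"])), ("Malfunction", m["d"])}

def fireable(D):
    """t.v is fireable in D iff every token of pre(t.v) lies in M(D) and commits to t.v."""
    commit = {(p, c): C for p, c, C in D}
    return {(t, v) for _, _, C in D if C != TOP for t, v in C
            if all(tok in commit and commit[tok] != TOP and (t, v) in commit[tok] for tok in pre(t, v))}

def symbolic_firings(D, S):
    """One representative firing t.alpha_D(v) per class of fireable modes of D."""
    fire = fireable(D)
    a = alpha(D, S, {v for _, v in fire})
    return {(t, a[v]) for t, v in fire}

# Example 5: every drone d_i flies with package p_i; the environment declared d1 defective.
def cr(i, j):
    return ("crash", frozenset({("d", DRONES[i - 1]), ("p", PACKAGES[j - 1])}))

def dl(i, j, k):
    return ("deliver", frozenset({("d'", DRONES[i - 1]), ("p", PACKAGES[j - 1]), ("d", DRONES[k - 1])}))

D1 = frozenset({
    ("Fly", ("d1", "p1"), frozenset({cr(1, 1), dl(1, 1, 2), dl(1, 1, 3)})),
    ("Fly", ("d2", "p2"), frozenset({cr(2, 2), dl(2, 2, 1), dl(2, 2, 3)})),
    ("Fly", ("d3", "p3"), frozenset({cr(3, 3), dl(3, 3, 1), dl(3, 3, 2)})),
    ("Malfunction", "d1", frozenset({cr(1, j) for j in (1, 2, 3)}
                                    | {dl(i, j, 1) for i in (2, 3) for j in (1, 2, 3)})),
})

if __name__ == "__main__":
    S = all_symmetries()
    print(len(S), "symmetries,", len(isotropy_group(D1, S)), "of them fix D1")
    print(len(fireable(D1)), "fireable firings collapse to", len(symbolic_firings(D1, S)), "symbolic ones")
```

The representative of a class is fixed by the total order `key_dset`; any other fixed choice would do, as long as every member of the class is mapped to the same element, which is exactly what makes `representative` well defined on \( [D] \). The isotropy-group computation is deliberately brute force (36 symmetries); for the group sizes of realistic symmetric nets one would generate the group from its generators instead.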

To define the symbolic \( \top \) resolution between symbolic decision sets, we cannot use representatives of the symbol \( \top \). Instead, when symbolically resolving a \( \top \) symbol in a symbolic decision set, we declare the possible targets to be the representatives of the possible targets of an ordinary \( \top \) resolution.

We say a \( \top \) can be symbolically resolved in a symbolic decision set \( \overline{D} \), denoted by \( \overline{D}[\![\top \rangle \!\rangle \), iff \( \overline{D}[\top \rangle \). The possible symbolic decision sets obtained after the symbolic \( \top \) resolution are the representatives of the decision sets \( D'' \) satisfying \( \overline{D}[\top \rangle D'' \):

$$\begin{aligned} \overline{D}[\![\top \rangle \!\rangle \overline{D'}\Leftrightarrow \exists D''\in [ \,\overline{D'}\, ] : \overline{D}[\top \rangle D''. \end{aligned}$$

In the following properties we compare the ordinary firing relation and the ordinary \( \top \) resolution with their symbolic counterparts.

Property 1

Each ordinary transition firing is represented by a symbolic transition firing, and each ordinary \( \top \) resolution is represented by a symbolic one.

  • \( D[ t.v\rangle D' \Rightarrow \overline{D}[\![t.\overline{v} \rangle \!\rangle \overline{D'} \), where \( \overline{v}=\alpha _{\overline{D}}(s_D(v)) \).

  • \( D[\top \rangle D'\Rightarrow \overline{D}[\![\top \rangle \!\rangle \overline{D'} \).

The first property can be shown with the help of Lemma 1, analogously to [8]. The proof of the second property has the same structure.

Property 2

Each symbolic firing represents a set of ordinary firings, in which all source decision sets belong to the equivalence class of the symbolic source decision set of the symbolic firing. The same holds for the resolution of \( \top \).

  • \(\overline{D}[\![t.\overline{v}\rangle \!\rangle \overline{D'} \Rightarrow \)

    \((\forall D_1\in [ \,\overline{D}\, ]\ \forall v'\in \textit{Val}(t) : \alpha _{\overline{D}}(s_{D_1}(v'))=\overline{v} \Rightarrow \exists D_2\in [ \,\overline{D'}\, ] : D_1[t.v'\rangle D_2. \))

  • \( \overline{D}[\![\top \rangle \!\rangle \overline{D'}\Rightarrow \forall D_1\in [ \,\overline{D}\, ]\ \exists D_2\in [ \,\overline{D'}\, ] : D_1[\top \rangle D_2\).

Again, the first property can be shown analogously to [8] using Lemma 1, and the proof of the second property uses the same ideas.

4.4 Symbolic two-player game

In this section we define the high-level game graph \(\mathscr {A}^H\) and, based on its structure, the symbolic two-player game \(\mathbb {G}^H\). We show that Player 0 has a winning strategy in \(\mathbb {G}^H\) if and only if there is a winning strategy for Player 0 in the low-level two-player game \(\mathbb {G}^L\) that corresponds to \(\mathtt {L}(\mathscr {H})\). This is proven by introducing a bisimulation on the two-player games. We fix a set-based high-level Petri game with a single recurrently interfering environment player and a bounded number of system players \(\mathscr {H}=(\mathscr {P}_S^H, \mathscr {P}_E^H, \mathscr {T}^H, \mathscr {F}^H, ty , g, e, In ^H, \mathscr {B}^H)\) throughout the section.

Remember that the vertices of \(\mathscr {A}^L\) are decision sets and an edge between two decision sets \( D\) and \( D' \) only exists if \( D[t.v\rangle D' \) or \( D[\top \rangle D' \) holds. We analogously define the high-level game graph \(\mathscr {A}^H\) by considering the symbolic counterparts. This means, the vertices of \( \mathscr {A}^H\) are the symbolic decision sets and there is an edge between two symbolic decision sets \( \overline{D} \) and \( \overline{D'} \) iff \( \overline{D}[\![t.\overline{v}\rangle \!\rangle \overline{D'} \) or \( \overline{D}[\![\top \rangle \!\rangle \overline{D'} \) holds. Note that we represent an equivalence class \( [ D ] \) with respect to S by the symbolic decision set \( \overline{D} \) when no confusion arises.

For the high-level Petri game \( \mathscr {H}\), we define the vertex labeled high-level game graph \( \mathscr {A}^H=(\mathscr {V}^H,\mathscr {L}^H,\overline{D_0},\mathscr {E}^H) \) with

  • the vertices \( \mathscr {V}^H=\mathscr {D}(\mathscr {H})/S \), the set of all equivalence classes \( [ D ] \) with respect to S,

  • the vertex labeling \( \mathscr {L}^H\), defined by \( \mathscr {L}^H(\overline{D})=1 \), if \( \overline{D} \) is environment-dependent, and \( \mathscr {L}^H(\overline{D})=0 \) otherwise. The corresponding symbolic decision sets are collected in \( \mathscr {V}^H_1= (\mathscr {L}^H)^{-1}(1) \) and \( \mathscr {V}^H_0= \mathscr {V}^H{\setminus }\mathscr {V}^H_1\)

  • the initial state \( \overline{D_0}\) with

    \( D_0=\{ (p.c,\top )\ |\ p.c\in In ^H\cap \mathscr {P}_S^H\!.ty \} \cup \{ (e.d,\textit{post}( e.d))\ | \ e.d\in In ^H\cap \mathscr {P}_E^H\!.ty \}\),

  • the labeled edge relation \( \mathscr {E}^H\subseteq \mathscr {V}^H\times (\mathscr {T}^H\!\!.\!\textit{Val}\cup \{ \top \})\times \mathscr {V}^H\) is defined as follows: If \( \overline{D} \) contains a bad place, is a deadlock, is terminating, or is nondeterministic, there is only a \( \top \)-labeled self-loop originating from \( \overline{D} \). Otherwise, consider three disjoint cases for edges originating in \( \overline{D} \):

    Case \( \overline{D}\in \mathscr {V}^H_1\), i.e., all players have decided for a commitment set, but cannot proceed without the environment. Then for all \( t\in \mathscr {T}^H\) and \( \overline{v}\in \textit{Val}(t)_{\overline{D}}\), \( (\overline{D},t.\overline{v},\overline{D'}) \in \mathscr {E}^H\) iff \( \overline{D}[\![t.\overline{v}\rangle \!\rangle \overline{D'} \).

    Case \( \overline{D}\in \mathscr {V}^H_0\) and \( \overline{D}[\![\top \rangle \!\rangle \), i.e., at least one system player has yet to decide for a commitment set. Then \( (\overline{D},\top ,\overline{D'}) \in \mathscr {E}^H\) iff \( \overline{D}[\![\top \rangle \!\rangle \overline{D'} \).

    Case \( \overline{D}\in \mathscr {V}^H_0\) and \( \lnot \overline{D}[\![\top \rangle \!\rangle \), i.e., all system players made their decisions and can proceed without the environment. Then for all \( t\in \mathscr {T}^H\) and \( \overline{v}\in \textit{Val}(t)_{\overline{D}}\) with \( \textit{pre}( t.\overline{v})\cap \mathscr {P}_E^H\!.ty =\emptyset \), \( (\overline{D},t.\overline{v},\overline{D'}) \in \mathscr {E}^H\) iff \( \overline{D}[\![t.\overline{v}\rangle \!\rangle \overline{D'} \).

Note that the labeling of the representatives is identical to the labeling in the low-level case and since the initial marking \( In ^H\) is symmetric, \(\overline{D_0}=D_0\) holds.

The symbolic two-player Büchi game \( \mathbb {G}^H\) is defined on the structure of \( \mathscr {A}^H\), as the definition of \( \mathbb {G}^L\) is based on \( \mathscr {A}^L\). This means that the states in \(\mathbb {G}^H\) are the reachable symbolic decision sets, and there is an edge between two states, if these states are symbolically related.

Let \( \mathscr {S\!R}(\mathscr {A}^H)\) be the set of vertices in \( \mathscr {V}^H\) that are reachable from \( \overline{D_0} \) under \( \mathscr {E}^H\). The high-level two-player Büchi game over a finite graph (or symbolic Büchi game) \( \mathbb {G}^H=(V^H,V^H_0,V^H_1,\overline{D_0},E^H,F^H) \) is defined with

  • the set of all states \( V^H=\mathscr {S\!R}(\mathscr {A}^H)\),

  • the set of Player 1’s states \(V^H_1=\mathscr {V}^H_1\cap \mathscr {S\!R}(\mathscr {A}^H)\), i.e., the symbolic decision sets that are environment-dependent,

  • the set of Player 0’s states \(V^H_0=\mathscr {V}^H_0\cap \mathscr {S\!R}(\mathscr {A}^H)\),

  • the initial state \( \overline{D_0} \), as in the high-level graph \( \mathscr {A}^H\),

  • the edge-relation \( E^H\) such that \( (\overline{D},\overline{D'})\in E^H\) iff \( (\overline{D}, \overline{\delta }, \overline{D'})\in \mathscr {E}^H\) for any \( \overline{\delta } \in \mathscr {T}^H\!\!.\!\textit{Val}\cup \{\top \} \), and

  • the set of accepting states \( F^H\), containing all \( \overline{D} \in V^H\) that are terminating or environment-dependent, but are not a deadlock, nondeterministic, or contain a bad place.

To show that the two-player games \( \mathbb {G}^L\) and \( \mathbb {G}^H\) are bisimilar (which yields the correctness of our approach), we compare the structures of \( \mathscr {A}^H\) and \( \mathscr {A}^L\). First, the edge relations of the two graphs correspond to each other (Lemma 3). Second, the set of reachable symbolic decision sets in \(\mathscr {A}^H\) is exactly the set of representatives of decision sets reachable in \(\mathscr {A}^L\) (Lemma 4).

Lemma 3

For every edge in \( \mathscr {A}^L\), there is a corresponding edge in \( \mathscr {A}^H\), and vice versa:

  1.

    \( (D,\delta ,D')\in \mathscr {E}^L\Rightarrow (\overline{D},\overline{\delta },\overline{D'})\in \mathscr {E}^H\), where

    \(\overline{\delta }=t.\overline{v}\) if \(\delta =t.v\) and \(\overline{v}=\alpha _{\overline{D}}(s_D(v))\), and \(\overline{\delta }=\top \) if \(\delta =\top \).

  2.

    \( (\overline{D},\overline{\delta },\overline{D'})\in \mathscr {E}^H\Rightarrow \forall D_1\in [ \,\overline{D}\, ]\ \exists D_2\in [ \,\overline{D'}\, ]\ \exists \delta : (D_1,\delta ,D_2)\in \mathscr {E}^L\), where \(\delta =t.v'\) if \(\overline{\delta }=t.\overline{v}\) and \(v'\) satisfies \(\alpha _{\overline{D}}(s_{D_1}(v'))=\overline{v}\), and \(\delta =\top \) if \(\overline{\delta }=\top \).

Since the self-loops of the edge relations, as well as the assignment of the vertices, depend on the properties of the (symbolic) decision sets and the other edges of the relations are induced by the (symbolic) firing relation and the (symbolic) \(\top \) resolution, the proof mainly depends on Corollary 1 and on Properties 1 and 2 (see “Appendix C”).

Lemma 4

The representatives of decision sets in \( \mathscr {R}(\mathscr {A}^L)\) are exactly the symbolic decision sets in \( \mathscr {S\!R}(\mathscr {A}^H)\): \( \{ \overline{D}\ | \ D\in \mathscr {R}(\mathscr {A}^L)\} = \{ \overline{D}\ |\ [ \,D\, ]\in \mathscr {S\!R}(\mathscr {A}^H)\} \).

This lemma can be proven by an induction over the length of the shortest path from \( D_0 \) to a decision set \( D\) in \( \mathscr {A}^L\), or from \( \overline{D_0} \) to a symbolic decision set \( \overline{D} \) in \( \mathscr {A}^H\), respectively. The induction step follows from Lemma 3 (see “Appendix C”).

We generally define a bisimulation relation on Büchi games and show that two bisimilar Büchi games coincide on the existence of a winning strategy. The instantiation of this result for the low-level two-player game \(\mathbb {G}^L\) and the symbolic high-level game \(\mathbb {G}^H\) yields the correctness of the main step of the solving algorithm for high-level Petri games.

We can view any Büchi game \( \mathbb {G}=(V,V_0,V_1,v_0,E,F) \) as a state-labeled transition system \( (V,E,\lambda ,v_0) \) with the set of states \(V\), the transition relation \(E\), and the initial state \( v_0 \) as defined in \(\mathbb {G}\), and a labeling function \( \lambda : V\rightarrow \mathbb {P}({\{ g,f \}}) \) with propositions \( \{g,f\} \), defined by \(\forall v\in V :(g\in \lambda (v)\Leftrightarrow v\in V_0 ) \wedge (f\in \lambda (v) \Leftrightarrow v\in F)\). A bisimulation between two state-labeled transition systems \( \textit{TS}_1=({\mathscr {S}}_1, \rightarrow _1, \lambda _1, s_0 ) \) and \( \textit{TS}_2= ({\mathscr {S}}_2, \rightarrow _2, \lambda _2, t_0 ) \) is a relation \( B\subseteq {\mathscr {S}}_1\times {\mathscr {S}}_2 \) such that for all \( (s,t)\in B \)

  • \( \lambda _1(s)=\lambda _2(t) \),

  • \( \forall s'\in {\mathscr {S}}_1 : s \rightarrow _1 s' \Rightarrow \exists t'\in {\mathscr {S}}_2 : t\rightarrow _2 t' \wedge (s',t')\in B \), and

  • \( \forall t'\in {\mathscr {S}}_2 : t \rightarrow _2 t' \Rightarrow \exists s'\in {\mathscr {S}}_1 : s\rightarrow _1 s' \wedge (s',t')\in B \)

holds. Two states \( s\in {\mathscr {S}}_1 \) and \( t\in {\mathscr {S}}_2 \) are called bisimilar, denoted by \( s\sim t \), if there is a bisimulation B between \( \textit{TS}_1 \) and \( \textit{TS}_2 \) satisfying \( (s,t)\in B \). The transition systems \(\textit{TS}_1\) and \(\textit{TS}_2\) are called bisimilar, denoted by \( \textit{TS}_1 \sim \textit{TS}_2 \), if \( s_0\sim t_0 \).

Two Büchi games \( \mathbb {G}=(V,V_0,V_1,v_0,E,F) \) and \( \mathbb {G}'=(V',V_0',V_1',v_0',E',F') \) are bisimilar, denoted by \(\mathbb {G}\sim \mathbb {G}'\), if the corresponding transition systems are bisimilar, i.e., \( (V,E,\lambda ,v_0) \sim (V',E',\lambda ',v_0')\). In particular, this means that for any such bisimulation B and every two states \( v\in V \) and \( v'\in V' \) with \( (v,v')\in B \) the assignment of the states coincides, i.e., \(v\in V_0\Leftrightarrow v'\in V_0'\) and \(v\in F\Leftrightarrow v'\in F'\) hold.

Lemma 5

There is a bisimulation between \( \mathbb {G}^L\) and \( \mathbb {G}^H\).

The bisimulation \(B\subseteq V^L\times V^H\) is given by \( B=\{ (D,\overline{D}) \;\mid \;D\in V^L\}\). Lemma 4 shows that this relation is well defined; Lemma 3 and Corollary 1 are used to show that B is in fact a bisimulation (see “Appendix C”).

Lemma 6

Let \( \mathbb {G}=(V,V_0,V_1,v_0,E,F) \) and \( \mathbb {G}'=(V',V_0',V_1',v_0',E',F') \) be two bisimilar Büchi games. Then Player 0 has a winning strategy in \( \mathbb {G}\) if and only if Player 0 has a winning strategy in \( \mathbb {G}' \).

Proof

To define a strategy inductively on sequences of length n in a Büchi game, it suffices to define it on paths that are consistent with the strategy defined so far. All other sequences are mapped to an arbitrary successor.

Let \( B \subseteq V\times V'\) be the bisimulation between \(\mathbb {G}\) and \(\mathbb {G}'\) and \( \sigma \) a winning strategy for Player 0 in \( \mathbb {G}\). We construct a winning strategy \( \sigma ' \) for Player 0 in \( \mathbb {G}' \) from \( \sigma \). We define \( \sigma ' \) inductively on paths of length n through the arena. For that we, also inductively, define a helper mapping \( \tau \), that maps paths of length \( n+1 \) in \( \mathbb {G}' \) that are consistent with \( \sigma ' \) to corresponding paths in \( \mathbb {G}\).

The construction will ensure that, for all n,

  • \( \tau \) is defined for all paths of length \( n+1 \) consistent with \( \sigma ' \) such that the image is consistent with \( \sigma \),

  • the states are pairwise bisimilar, i.e., if \( \tau (v_0'\ldots v_n')=v_0\ldots v_n \) then \( (v_j,v_j')\in B \) for all \( 0\le j \le n \),

  • \( \sigma ' \) is defined for all consistent paths of length n that end in a state of \( V_0' \).

(IB) Consider the case \( n=0 \). Define \( \tau (v_0')=v_0 \), and \( \sigma ' \) is undefined since there are no paths of length 0.

(IH) Assume now, for an arbitrary n, that \( \sigma ' \) is defined for all consistent paths of length n and \( \tau \) is defined for all paths of length \( n+1 \) consistent with \( \sigma ' \).

(IS) Consider a path \( v_0'\ldots v_n' \) of length \( n+1 \) in \( \mathbb {G}' \) that is consistent with \( \sigma ' \). Let \( v_0\ldots v_n = \tau (v_0'\ldots v_n')\).

Case \( v_n'\in V_0' \). We define \( \sigma '(v_0'\ldots v_n') \) as follows: since \( (v_n,v_n')\in B \), we have that \( v_n\in V_0 \). Let now \( v_{n+1}=\sigma (v_0\ldots v_n ) \). This implies \( (v_n,v_{n+1})\in E \) and therefore, since B is a bisimulation, there is a \( v_{n+1}'\in V' \) such that \( (v_n',v_{n+1}')\in E' \) and \( (v_{n+1},v_{n+1}')\in B \). We define \( \sigma '(v_0'\ldots v_n')=v_{n+1}' \) and \( \tau (v_0'\ldots v_n'v_{n+1}')=v_0\ldots v_nv_{n+1} \).

Case \( v_n'\in V_1' \). We define, for every \( v'\in V' \) with \( (v_n',v')\in E' \), \( \tau (v_0'\ldots v_n'v')=v_0\ldots v_nv \) for an arbitrary v such that \( (v_n,v)\in E \) and \( (v,v')\in B \).

Let \( \pi '= v_0' v_1' v_2'\ldots \) be a play in \( \mathbb {G}' \) that is consistent with \( \sigma ' \). By defining \( v_j \) as the last element in \( \tau (v_0'\ldots v_j') \) for every \( j\ge 0 \), we obtain a play \(\pi = v_0 v_1 v_2\ldots \) in \( \mathbb {G}\) that is consistent with \( \sigma \). Therefore, Player 0 wins \( \pi \) in \( \mathbb {G}\), and since for all j, \( v_j\in F \) iff \( v_j'\in F' \), Player 0 wins \( \pi ' \) in \( \mathbb {G}' \).

Since \( B^\intercal =\{(v',v)\;\mid \;(v,v')\in B\} \) is a bisimulation between \(\mathbb {G}'\) and \(\mathbb {G}\), the converse direction follows analogously. \(\square \)

Lemma 6 together with Lemma 5 yields that the symbolic high-level game \(\mathbb {G}^H\) and the corresponding low-level game \(\mathbb {G}^L\) agree on the existence of a winning strategy.

Lemma 7

Player 0 of \( \mathbb {G}^H\) has a winning strategy in \(\mathbb {G}^H\) if and only if Player 0 of \(\mathbb {G}^L\) has a winning strategy in \(\mathbb {G}^L\).

The construction of a winning strategy in the proof of Lemma 6 yields a nonpositional strategy \(\sigma ^L:({V^L})^*V^L_0\rightarrow V^L\) in \(\mathbb {G}^L\) for a strategy \(\sigma ^H\) in \(\mathbb {G}^H\). For the introduced solving algorithm of high-level Petri games we are interested in positional winning strategies. The following construction serves for the creation of a positional strategy \(\sigma ^L:V^L_0\rightarrow V^L\) in the low-level game \(\mathbb {G}^L\) from a positional strategy \(\sigma ^H:V^H_0\rightarrow V^H\) in the symbolic high-level game \(\mathbb {G}^H\).

Let \( B=\{ (D,\overline{D}) \;\mid \;D\in V^L\}\) be the bisimulation between \(\mathbb {G}^L\) and \(\mathbb {G}^H\), \( \sigma ^H:V^H_0\rightarrow V^H\) a positional winning strategy for Player 0 in \( \mathbb {G}^H\) and \( D\in V^L_0\). Then \( \overline{D}\in V^H_0\) and \( \sigma ^H(\overline{D}) \) is defined. Let \( \overline{D'}=\sigma ^H(\overline{D}) \). This implies \( (\overline{D},\overline{D'})\in E^H\), and since \( (D,\overline{D})\in B \), we have

$$\begin{aligned} \exists D_1 \in V^L: (D,D_1)\in E^L\wedge (D_1,\overline{D'})\in B \text { (i.e., } \overline{D_1}=\overline{D'} \text {)}. \end{aligned}$$

We define \( \sigma ^L(D)=D_1 \). Hence, \( \sigma ^L \) is positional. The strategy \( \sigma ^L \) is also winning: Let \( \rho =D_0 D_1 \dots \in ({V^L})^\omega \) be a play of \( \mathbb {G}^L\) that is consistent with \( \sigma ^L \). Then \( \overline{\rho }:=\overline{D_0}\,\overline{D_1} \dots \in ({V^H})^\omega \) is a play of \( \mathbb {G}^H\), that by definition is consistent with \( \sigma ^H \). Therefore, \( \overline{\rho } \) is winning in \( \mathbb {G}^H\). This, as in the proof of Lemma 6, implies that \( \rho \) is winning in \( \mathbb {G}^L\).
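To see the bisimulation argument and the strategy transfer of this section at work, the following Python script is an added example (not the paper's code and not part of Adam). It solves a Büchi game with the classical attractor-based algorithm, computes the greatest bisimulation between two games from the labeling \( \lambda \) with propositions g and f, transfers a positional Player-0 strategy from the "high-level" game to the "low-level" one exactly as in the construction above (\( \sigma ^L(D)=D_1 \) with \( (D,D_1)\in E^L \) and \( (D_1,\sigma ^H(\overline{D}))\in B \)), and checks that the transferred strategy is winning. The two games are constructed toys, not the drone game: \( G_L \) has two symmetric branches that \( G_H \) folds into one, which imitates the quotient by admissible symmetries. States are strings so that ties can be broken by `min`; edge relations are total, as in \(\mathscr {A}^L\), where dead ends carry a \( \top \)-labeled self-loop.

```python
"""Büchi games, bisimulation and positional strategy transfer: added example for Sect. 4.4.
The two games are constructed toys, not the drone game: G_L has two symmetric branches
(b1/c1 and b2/c2) that G_H folds into one (B/C), imitating the quotient by symmetries."""
from dataclasses import dataclass

@dataclass
class BuchiGame:
    V0: frozenset   # Player 0's states
    V1: frozenset   # Player 1's states
    v0: str         # initial state
    E: dict         # state -> frozenset of successors; total (dead ends carry a self-loop)
    F: frozenset    # accepting states: Player 0 wins a play iff it visits F infinitely often

    @property
    def V(self):
        return self.V0 | self.V1

    def label(self, v):  # lambda(v) of the state-labeled view: g = Player 0's state, f = accepting
        return frozenset(p for p, holds in (("g", v in self.V0), ("f", v in self.F)) if holds)

def attractor(G, Z, target, player):
    """States of the subarena Z from which `player` can force a visit to `target`; also, for
    `player`'s own states, one successor that is strictly closer to `target`."""
    mine = G.V0 if player == 0 else G.V1
    A, choice = set(target) & Z, {}
    while True:
        new = set()
        for v in Z - A:
            succ = G.E[v] & Z
            if v in mine and succ & A:
                choice[v] = min(succ & A)
                new.add(v)
            elif v not in mine and succ and succ <= A:
                new.add(v)
        if not new:
            return A, choice
        A |= new

def solve_buchi(G):
    """Classical Büchi algorithm: repeatedly cut away Player 1's attractor of the states that
    cannot be forced into F.  Returns Player 0's winning region and a positional strategy on it."""
    Z = set(G.V)
    while True:
        R, choice = attractor(G, Z, G.F, 0)
        trap = Z - R
        if not trap:
            break
        Z -= attractor(G, Z, trap, 1)[0]
    sigma = {v: choice[v] for v in Z & G.V0 if v in choice}
    for v in Z & G.V0 & G.F:    # already accepting: any move that stays inside Z will do
        sigma[v] = min(G.E[v] & Z)
    return frozenset(Z), sigma

def is_winning(G, sigma, start=None):
    """sigma wins iff no consistent play from `start` gets trapped in a cycle avoiding F,
    i.e. the reachable non-accepting part of the sigma-restricted graph is acyclic."""
    start = G.v0 if start is None else start
    succ = lambda v: frozenset({sigma[v]}) if v in G.V0 else G.E[v]
    reach, todo = {start}, [start]
    while todo:
        v = todo.pop()
        if v in G.V0 and v not in sigma:
            return False        # strategy undefined on a reachable Player-0 state
        for w in succ(v) - reach:
            reach.add(w)
            todo.append(w)
    rest = reach - G.F
    while True:                 # peel off states without a successor inside `rest`
        sinks = {v for v in rest if not succ(v) & rest}
        if not sinks:
            return not rest
        rest -= sinks

def greatest_bisimulation(G1, G2):
    """Largest B with equal labels and the forth/back conditions of Sect. 4.4 (fixpoint)."""
    B = {(s, t) for s in G1.V for t in G2.V if G1.label(s) == G2.label(t)}
    while True:
        bad = {(s, t) for s, t in B
               if not all(any((s2, t2) in B for t2 in G2.E[t]) for s2 in G1.E[s])
               or not all(any((s2, t2) in B for s2 in G1.E[s]) for t2 in G2.E[t])}
        if not bad:
            return frozenset(B)
        B -= bad

def transfer_strategy(GL, GH, B, sigma_H):
    """sigma_L(D) := some D1 with (D, D1) in E^L and (D1, sigma_H(rep D)) in B, where rep D is
    the B-partner of D (unique when B = {(D, D-bar)} as in Lemma 5)."""
    rep = {s: t for s, t in B}
    return {D: min(D1 for D1 in GL.E[D] if (D1, sigma_H[rep[D]]) in B)
            for D in GL.V0 if D in rep and rep[D] in sigma_H}

def example_games():
    GL = BuchiGame(
        V0=frozenset({"b1", "b2"}), V1=frozenset({"a", "c1", "c2", "d"}), v0="a",
        E={"a": frozenset({"b1", "b2"}), "b1": frozenset({"c1", "d"}), "b2": frozenset({"c2", "d"}),
           "c1": frozenset({"a"}), "c2": frozenset({"a"}), "d": frozenset({"d"})},
        F=frozenset({"c1", "c2"}))
    GH = BuchiGame(
        V0=frozenset({"B"}), V1=frozenset({"A", "C", "D"}), v0="A",
        E={"A": frozenset({"B"}), "B": frozenset({"C", "D"}), "C": frozenset({"A"}), "D": frozenset({"D"})},
        F=frozenset({"C"}))
    return GL, GH

if __name__ == "__main__":
    GL, GH = example_games()
    B = greatest_bisimulation(GL, GH)
    winH, sigma_H = solve_buchi(GH)
    sigma_L = transfer_strategy(GL, GH, B, sigma_H)
    print("bisimilar:", (GL.v0, GH.v0) in B, " sigma_H:", sigma_H, " sigma_L:", sigma_L)
    print("Player 0 wins G_H:", GH.v0 in winH, " transferred sigma_L wins G_L:", is_winning(GL, sigma_L))
```

In the toy games Player 0 wins the folded game \( G_H \) from A by moving from B to C, and `transfer_strategy` expands this into the positional strategy \( b_1\mapsto c_1,\ b_2\mapsto c_2 \) on \( G_L \); choosing the shared dead end d from either branch would lose, which `is_winning` detects as a reachable cycle outside F. Solving \( G_L \) directly gives the same winner at the initial state, as Lemma 6 predicts for bisimilar games.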

Since a winning strategy in a high-level Petri game \(\mathscr {H}\) is defined as a winning strategy in the corresponding low-level Petri game \(\mathtt {L}(\mathscr {H})\) (cp. Sect. 3.2), Lemma 7 yields the final result.

Theorem 1

Let \(\mathscr {H}\) be a set-based high-level Petri game with a single recurrently interfering environment player and a bounded number of system players, and let \(\mathbb {G}^H\) be the corresponding symbolic two-player game. Then the system players have a winning strategy in \( \mathscr {H}\) if and only if Player 0 has a winning strategy in \(\mathbb {G}^H\).

We construct a winning strategy for the system players in \(\mathscr {H}\), i.e., a winning strategy for the system players in the corresponding low-level Petri game \(\mathtt {L}(\mathscr {H})\), from the positional winning strategy \(\sigma ^H\) for Player 0 in \(\mathbb {G}^H\) in two steps. First, we create a positional winning strategy \(\sigma ^L\) for Player 0 in \(\mathbb {G}^L\) from \(\sigma ^H\) as described above. Second, we apply the algorithm presented in [25] to \(\sigma ^L\), i.e., we traverse \(\sigma ^L\) in breadth-first order while adding the corresponding places and transitions of the decision sets, to create a winning strategy for the system players in \(\mathtt {L}(\mathscr {H})\). Note that the last step would take infinitely long for infinite Petri game strategies, so that a practical algorithm has to provide a finite representation of the strategy.

5 Experimental results

In this section we report on our prototype implementation for generating the symbolic two-player game \(\mathbb {G}^H\). We implemented three algorithms for the creation of the reduced state space and compare their runtime to the complete state space creation of Adam [22]. These results are depicted in Table 1. All algorithms are integrated into the Adam framework to exploit its data structures and functionality for Petri nets and Petri games.

Adam uses Binary Decision Diagrams (BDDs) to decide the existence of a strategy and to compute one in the positive case. In the original algorithm the explicit state space is never generated, so the concrete size of \(\mathbb {G}^L\) could not be obtained directly. To properly compare the sizes of the generated state spaces (\(\mathbb {G}^H\) versus \(\mathbb {G}^L\)), we extended Adam with a fixed-point algorithm that computes a BDD for the reachable states of the two-player game \(\mathbb {G}^L\) and queries the number of satisfying assignments, which yields the number of states of \(\mathbb {G}^L\) as a reference value. As input, the Reference-Approach takes the low-level version \(\mathtt {L}(\mathscr {H})\) of a high-level Petri game \(\mathscr {H}\). The results and the resources used for this calculation are given in columns three and four of Table 1.

For the reduced state space generation we use Symmetric Nets (SNs) [9, 10] as underlying structure for the high-level Petri game. SNs are a subclass of high-level Petri nets with the same expressive power, but they allow for an easy and automatic derivation of the system’s symmetries from the modeled structure. In SNs the colors are grouped into basic color classes and static subclasses. The arc expressions, as well as the predicates, are restricted to some basic functions. This makes the modeling of practical examples only slightly more cumbersome.

The following three algorithms are all based on the algorithm originally presented in [35]:

  • HL-Approach This approach explicitly calculates the reduced state space from the high-level Petri game \(\mathscr {H}\).

  • LL-Approach This approach first transforms the high-level Petri game \(\mathscr {H}\) into the corresponding low-level Petri game \(\mathtt {L}(\mathscr {H})\) and then uses this to explicitly calculate the reduced state space of \(\mathbb {G}^H\). During this calculation \(\mathscr {H}\) is still exploited to obtain the symmetries of the system.

  • BDD-Approach This approach uses, as in the Reference-Approach of Adam, BDDs to symbolically calculate the number of states of the reduced two-player game. For this purpose, the high-level Petri game is also first transformed into the corresponding low-level one and then the high-level structure is used for the automatic generation of the system’s symmetries.

Note that we neither calculate a winning strategy nor decide whether one exists. We take a high-level Petri game and use three different approaches to calculate the reduced state space, i.e., to calculate the number of states of the high-level two-player game \(\mathbb {G}^H\) while exploiting the symmetries of the high-level Petri game as described in Sect. 4.4. Furthermore, we use the adapted algorithm of Adam to compare these sizes to the size of the previously existing low-level two-player game \(\mathbb {G}^L\). Since the running time of any synthesis algorithm crucially depends on the size of the state space it has to explore, this gives a first impression of the potential of our new method.

Table 1 Experimental results of the benchmark families regarding the sizes of \(\mathbb {G}^L\) and \(\mathbb {G}^H\) and their calculation time (in s) for the three different approaches for \(\mathbb {G}^H\) and the reference approach for \(\mathbb {G}^L\)

We applied the algorithms to a set of five scalable benchmark families from applications in robotic control, workflow management, and other distributed domains. For each benchmark the elapsed CPU time (time in s) for calculating the size of the state space \(|V^L|\) and the size of the reduced state space \(|V^H|\) is listed in Table 1 for each approach. A calculation time of more than two hours is indicated as a timeout (TO). For each benchmark the time of the fastest of the new approaches is marked in bold. The experiments were run on an Intel i7-2700K CPU at 3.50 GHz with 32 GB RAM and refer to the following scenarios:

  • Package delivery (PD) There are \(n\) drones which should deliver \(m\) packages. The packages get assigned to the drones. The hostile environment lets an arbitrary drone crash. Drones get informed of the crash and can decide on recovering the package. The system’s goal is to deliver all packages (see Sect. 2). Parameters: \(n\) drones / \(m\) packages.

  • Alarm system (AS) There are \(n\) geographically distributed locations. Every location is secured by an alarm system. A burglar, modeled by the environment, can intrude into an arbitrary location. The alarm systems can inform each other about burglaries. The goal is that no alarm system is triggered without an intrusion and that all alarm systems indicate the correct intrusion point in case of an intrusion. Parameters: \(n\) alarm systems.

  • Concurrent machines (CM) There are \(n\) machines which should process \(m\) orders. The orders can be processed concurrently, but no machine is allowed to process more than one order. The hostile environment chooses one machine to be defective. The goal is that finally all orders are processed. Parameters: \(n\) machines / \(m\) orders.

  • Document workflow (DW) and (DWs) There are \(n\) clerks endorsing or rejecting a document. The document is passed on circularly by the clerks. The environment decides which clerk receives the document first. The goal is that all clerks take a unanimous decision. In the simple variant DWs the goal is that all clerks endorse the document. Parameters: \(n\) clerks.

The package delivery benchmark family is newly presented in this paper. The alarm system benchmark family was introduced in [21] and its high-level version was presented in [30]. The benchmark families CM, DW, and DWs were introduced in [22]; the high-level version of CM was already presented in [30], and the high-level versions of DW and DWs were developed for this paper.

The figures show a significant decrease in the size of the state space of the system. The new benchmark PD with parameters 1/8 shows the maximal reduction: 26,299,378 states for the standard state space versus 11,115 states for the reduced one. This is a factor of about 2366. The reason for the comparably small reduction for the DW and DWs benchmark families is the circular passing of the document, which restricts the admissible symmetries to rotations.

The decrease of the state space does not come without a cost. The calculation time of the new algorithms for the reduced state space (the last three columns) is in general notably higher than that of the reference algorithm for the standard state space (column three). On the one hand, this is due to the equivalence check which is done every time prior to the adding of a new state. On the other hand, these figures are not directly comparable. Adam uses optimized symbolic algorithms for its calculations which generally outperform explicit algorithms like the ones of the HL- and the LL-Approach on large state spaces. Furthermore, all new algorithms are currently in an early development state.

The main reason of the low performance of the BDD-Approach on larger models is that the current algorithm checks for each newly created state whether there already exists an equivalent one. It is not possible to directly encode this check into a Boolean function for the representation of the two-player game’s transition relation. Thus, in this prototype implementation of a symbolic algorithm exploiting the symmetries of the system, the equivalence check is done explicitly. This means, in every round of the fixed point calculation, each explicit state of the BDD representing the successors of this round is calculated. These costly solving steps of the BDDs thwart the use of a symbolic algorithm.

Generally, the LL-Approach outperforms the HL-Approach. This is explained by the structure of the decision sets. A decision set of the high-level two-player game consists of the concrete instances of the places and transitions of the high-level net. Hence, the HL-Approach calculates these instances over and over each time a high-level transition is requested. An improvement is to cache these data, but this essentially yields the LL-Approach.
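As an added illustration of two points above (the explicit equivalence check performed before a new state is added, and why the circular passing of the document restricts the admissible symmetries to rotations), the following constructed Python example is not the paper's or Adam's code: it explores a toy ring of \(n\) clerks who each endorse or reject a document once, reduces the state space modulo a given group of clerk permutations, and checks whether a group is admissible, i.e., commutes with the firing rule.

```python
"""Toy symmetry-reduced reachability: n clerks pass a document around a ring.
Constructed example, not the paper's benchmark or Adam's code.  A state is
(pos, statuses): pos is the clerk holding the document, statuses a tuple over
'W' (waiting), 'E' (endorsed), 'R' (rejected).  A symmetry is a permutation of
the clerks; the ring admits only rotations, as noted above for DW/DWs."""
from collections import deque
from itertools import permutations

def successors(state):
    pos, st = state
    if st[pos] != 'W':                      # the holder has already decided
        return []
    nxt = (pos + 1) % len(st)               # document is passed on circularly
    return [(nxt, st[:pos] + (d,) + st[pos + 1:]) for d in ('E', 'R')]

def apply(perm, state):
    """Rename clerk i to perm[i]; the document travels with its holder."""
    pos, st = state
    new = [None] * len(st)
    for i, s in enumerate(st):
        new[perm[i]] = s
    return (perm[pos], tuple(new))

def rotations(n):
    return [tuple((i + k) % n for i in range(n)) for k in range(n)]

def all_perms(n):
    return [tuple(p) for p in permutations(range(n))]

def explore(n, symmetries):
    """BFS keeping one representative per equivalence class.  Like the explicit
    HL/LL algorithms, each new state is checked against the known ones before
    it is added; with only the identity symmetry this is the full state space."""
    seen, queue = set(), deque()
    def add(s):
        if not any(apply(g, s) in seen for g in symmetries):
            seen.add(s); queue.append(s)
    for p in range(n):                      # environment picks the first clerk
        add((p, ('W',) * n))
    while queue:
        for t in successors(queue.popleft()):
            add(t)
    return seen

def admissible(n, symmetries):
    """A symmetry may only be exploited if it commutes with firing:
    succ(g(s)) == g(succ(s)) for every reachable state s."""
    full = explore(n, rotations(n)[:1])     # rotations(n)[0] is the identity
    return all(sorted(successors(apply(g, s))) ==
               sorted(apply(g, t) for t in successors(s))
               for g in symmetries for s in full)
```

For four clerks the full space has 124 states and the rotation-reduced one 31, while the full permutation group fails the admissibility check because renumbering clerks arbitrarily breaks the circular order.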

Overall, these figures already show a big step towards a faster practical solving of Petri games because a smaller state space significantly reduces the running time of the synthesis algorithms. Standard algorithms for solving two-player Büchi games with complete information are polynomial in the number of edges of the game and can be applied to the symbolic two-player game \(\mathbb {G}^H\). The remaining steps for solving high-level Petri games, i.e., resolving the symmetries of the two-player strategy and creating the Petri game strategy, are linear in the number of edges of the strategy and quadratic in the number of admissible symmetries. Given that the presented algorithms are still at a prototype stage, these results are very encouraging for further work.

6 Related work

An active research area is Petri net synthesis [2]. Two-player games are studied under the name Petri net supervisory control [2], inspired by the work of Ramadge and Wonham on discrete event systems [45]. A significant body of work on synthesis and control based on Petri nets is in this area (cf. [6, 31, 46, 55]), also for structured Petri nets like modules of signal nets [15]. However, these approaches solve the single-process synthesis problem, as opposed to the multi-process synthesis problem for concurrent systems considered in this paper.

The synthesis of distributed systems (short: distributed synthesis) is much more difficult because one must construct multiple processes that, individually, do not have access to the full system state. Most prominent is the model of Pnueli and Rosner [44], where processes communicating via single-writer single-reader shared variables with synchronous concurrency are considered. After a series of isolated decidability results [37, 44], information forks [26] were identified as the necessary and sufficient criterion for undecidability. For architectures without information forks, the synthesis problem can be solved, however, with nonelementary complexity in the number of processes.

Zielonka’s asynchronous automata [56] have been proposed as an alternative setting for distributed synthesis [27, 28, 39, 42]. The decidability of the control problem of asynchronous automata is open in general. There are various decidability results for restricted cases, e.g., concerning the dependencies of actions [27] or the synchronization behavior [39]. Decidability, albeit again with nonelementary complexity, has also been obtained for acyclic communication structures [28, 42].

Petri games based on P/T Petri nets were introduced in [24, 25]. They exploit concurrency and causality in defining a notion of informedness for the players. In [25] it is shown that the problem whether the system players have a winning strategy for a safety objective, is undecidable for unbounded Petri games. However, for Petri games with one environment player and a bounded number of system players the problem is EXPTIME-complete. The winning strategy can be obtained in single-exponential time by a reduction to a two-player graph game. In [23] it was shown that also for one system player and a bounded number of environment players the synthesis problem can be solved with the same complexity. In [20] a bounded synthesis approach was introduced. It sets a bound for the size of the strategy and constitutes a semi-decision procedure, optimized in finding small implementations. A formal connection between games on asynchronous automata and Petri games is established in [5].

For practical applications, higher-level Petri nets in the form of Coloured Petri Nets (CPN) have been introduced [29, 36, 47]. In CPNs, individual data values are represented by coloured tokens to describe concurrent systems succinctly. Boolean conditions on these tokens appear as guards of transitions, and expressions define which of these tokens are moved when a transition fires. In general, multisets of coloured tokens may appear as markings. In [36], a translation from CPNs back into normal P/T Petri nets is defined.

There is a significant body of work regarding symmetries. For high-level Petri nets the notion of equivalent markings and the idea of exploiting symmetries were originally introduced in [34, 35]. For obtaining the symmetries of the system efficiently, several approaches for different subclasses of high-level Petri nets have been introduced, e.g., in [9, 10, 16, 38, 48]. In [8] the idea of using equivalent transitions in addition to equivalent markings for the creation of the \( \mathtt {SRG}\) is lifted to CPNs. For low-level Petri nets the reduction ideas are introduced in [51]. Since then a lot of work has followed that direction, e.g., [49, 50, 54]. Using symmetries for the alleviation of state-explosion problems is also common in model checking [12,13,14]. The complications that arise when using BDDs for the symmetric state space evaluation in this context are elaborated in [14].

7 Conclusion

We introduced a new, symmetry-exploiting solving algorithm for the subclass of set-based high-level Petri games with a single recurrently interfering source of external information. The main part of the algorithm is a reduction of the high-level Petri game to a two-player game whose states consist of enriched equivalence classes of the Petri game’s behavior. The key idea of the reduction is borrowed from the reduction of a low-level Petri game with a single external source of information to a two-player game presented in [24]. We proved the correctness of the new reduction by defining a bisimulation between the new game and the game obtained by converting the high-level Petri game to a low-level one and applying the reduction of [24].

Our experimental results show that the new two-player game is significantly smaller than the old one. Utilizing the symmetries of the system enabled us to reduce the state space needed for resolving the synthesis problem in the presented benchmark families by up to three orders of magnitude.

For future work we want to enhance the presented reduction technique to allow for an improved implementation of the solving algorithm. Adam demonstrates that a symbolic game solving algorithm using BDDs is well suited for the synthesis of Petri games. As stated in Sect. 5, a drawback of the current approach is that BDDs cannot directly be used profitably for the calculation of the reduced two-player game. In [10] an algorithm for calculating canonical representatives of the equivalence classes of the reachability graph of a Petri net is presented. A corresponding algorithm for calculating canonical representatives of the equivalence classes of the decision sets could allow for a profitable use of BDDs.

Another step is to investigate several improvements regarding symmetries in high-level Petri nets that exist in the literature. For example, the papers [1, 3, 4, 7, 32] introduce efficiency improvements for systems with a mixture of symmetric and asymmetric behaviors, and in [53] the symmetries of entirely symmetric models are deduced from the system itself, i.e., the color classes of an SN can be partitioned automatically. It could be interesting to investigate to what extent the synthesis of high-level Petri games could profit from these results.