Petri nets as Executable Specifications of High-Level Timed Parallel Systems

PETRI NETS AS EXECUTABLE SPECIFICATIONS OFHIGH-LEVEL TIMED PARALLEL

SYSTEMS

FRANCK POMMEREAU

∗

Abstrat. Weproposeto usehigh-levelPetri nets asamodelforthe semantisofhigh-levelparallel systems. Thismodel

isknowntobeusefulforthe purposeofveriation andweshow thatitisalsoexeutable ina parallelway. Exeuting aPetri

netisnotdiultingeneralbutmoreompliatedinatimedontext,whihmakesneessarytosynhronisetheinternaltimeof

thePetrinetwiththerealtimeofitsenvironment. Anotherproblemistorelatethe exeutionofaPetrinet,whihhasitsown

semantis,tothatofitsenvironment;i.e.,toproperlyhandleinput/output.

Thispaper presentsaparallelalgorithmtoexeutePetrinetswithtime,enforingthe evenprogressionofinternaltimewith

respettothatofthe realtimeandallowingtheexhangeofinformationwiththe environment. WedenealassofPetrinets

suitable fora parallel exeutionmahine whih preserves the step sequene semantis of the netsand ensures time onsistent

exeutionswhiletakingintoaountthesoliitationofitsenvironment. Thequestionoftheeientveriationofsuhnetshas

beenaddressed inaseparatepaper[14℄,the presentoneismorefousedonthepratialaspetsinvolvedintheexeutionofso

modelledsystems.

Keywords. Petrinets,parallelism,real-time,exeutionmahines.

1. Introdution. Petri nets are widely used as amodel of onurreny, whih allowsto represent the

ourreneof independent events. They anbeaswell amodel of parallelism, where thesimultaneity of the

eventsismoreimportant. Indeed,whenweonsider theirstepsequenesemantis,anexeutionisrepresented

by a sequene of steps, eah of them being the simultaneous ourrenes of some transitions. Within this

semantis,theexeutionofastepmaybereplaedbythatofanyofitslinearisation(totalorpartial). Thisan

beviewedaspossibleexeutionsofthesameprogramonparallelmahineswithdierentnumbersofproessors.

Inthis ontext, the hoie of exeuting onesteporanother beomesaquestion ofsheduling(this is usually

solvednon-deterministiallybythePetrinetsemantis). Petrinetsarethussuitableforspeifyingandverifying

systemsin modelsforwhih theportabilityisanimportantonern.

Ourmain goalin thispaperisto showthat Petri netsarealso suitablefortheexeution of themodelled

systems. Wethusonsiderhigh-levelPetrinetsformodellinghigh-levelparallelsystems,withtheaimtoallow

both veriationand exeution ofthe speiation. Thequestionof theeient veriation ofsuh netshas

been addressedin aseparate paper[14℄, the present oneis morefoused onthe pratialaspets involvedin

theexeutionofsomodelledsystems.

There are at least tworeasons for having exeutable speiations. First, it allows for prototyping and

testing at early stage of the design: there may be no need to have an implementation in order to see how

the program behaves when its model an already be exeuted. Seond, if the exeution of the

speia-tion an be made (or happens to be) eient enough, there is no need to onsider any further

implemen-tation. This ompletely saves from the risk of introduing errors on the way from speiation to

imple-mentation: the veried model and the exeuted program are exatly the same objet. It may be objeted

that Petri nets are suitable for modelling but really not for programming. This is true. However, Petri

nets like those used in this paper are widely used has a semantial domain for parallel programming

lan-guages or proess algebra with onurrent semantis. For instane, the semantis of the parallel language

B(PN) 2

[3℄ is dened in terms of Petri nets similar to those used in this paper. It features most usually

expeted high-level onstruts for programming languages, in partiular: nested delaration of typed

vari-ables and FIFO ommuniation hannels; ommuniation through shared variables or hannels; atomi

a-tions;ontrolowonstrutsinludingparallelism;proedureswithparameterspassedbyvalueorbyreferene

and allowing reursive and parallel alls [10℄; exeptions whose propagation an arry arbitrary value [11℄;

or Ada-liketasking with suspend/resume orabort apability [12℄. Moreover, it an be easily extended with

real-time onstruts using the same approah to timed system aspresented in the following, see [13, Ÿ 7.3℄.

Another example is the Causal Time Calulus dened in [14℄ whih is a proess algebra with timing

fea-tureshavingastep basedsemantis. Both these formalismsould be applied to massivelyparallel problems,

allowingto leavePetrinets in the bakgroundwhile workingwith muh morepleasant and onvenient

nota-tions.

∗

ExeutingaPetrinetisnotdiultwhenweonsideritalone, i.e., inalosedworld. Butassoonasthe

netisembeddedinanenvironment,thequestionbeomesmoreompliated. Therstproblemomeswhenthe

netistimed: wehavetoensurethatitstimereferenemathesthatoftheenvironment. Theseondproblemis

to allowanexhangeofinformation betweenthenetand itsenvironment. Boththese questionsare addressed

inthis paper.

The ausal time approah is a way to introdue timing features in an otherwise untimed model [7℄, in

partiularPetrinets. Theideabehindausaltimeis touse the expressive power ofthe model inorder togive

anexpliitrepresentationofloks inthemodelledsystems. Intheaseofhigh-levelPetrinets,itispossibleto

introdueounters andadistinguishedtik transition whoserole isto simultaneouslyinrementthem. These

ountersthusbeomethetimingrefereneandanbeusedaslok-wathesbytheproessesasin[15,6,13,14℄.

Itwasshownin[6,14℄thattheausaltimeapproahishighlyrelevantsineitissimpletoputintopratieand

allowsfor eient veriation throughmodel heking. This papershowsthat this approah is alsorelevant

when onrete exeution areonsidered. Forthe purposeof veriation,thehypothesisof thelosed world is

assumed: thePetrinetwhihmodelsasystemisonsideredalone,withoutanyreferenetosomethingexternal

to it. The situation diers if we onsider the exeution of suh a Petrinet in an environment whih has its

own timereferene. Indeed,thetiktransitionofaPetri netmayausallydependontheprogressionofother

transitions in the net, whih results in the so alled deadline paradox [7℄: tik is disabled until the system

progresses. Inalosedworld,this statementislogiallyequivalentto thesystemisforedtoprogressbefore

thenexttik,whihsolvesthedeadlineparadox. But,intheaseofanopenworld,onemaywonderhoweven

is the progressionof the ausaltime with respet to that of thereal time, whih is the time imposed by the

environment.

Moreover,ifthePetrinethastoommuniatewithitsenvironment,onemayaskhowthenetanreeive

information from the environment and send bak appropriate responses. Produing output is rather simple

sine thenet is not disturbed; but reading input (i. e., hangingthe behaviour of thenet in reation to the

hangesin theenvironment)ismorediultand maynotbealwayspossible.

Inthispaper,wedeneaparallel exeutionmahine whoseroleistorunaPetrinetwithatiktransition

in suh a way that the tiks ourevenly with respet to the real time. We show that this anbe ensured

underreasonableassumptionsaboutthePetrinet. Theotherroleofthemahineistoallowtheommuniation

between thePetrinet and theenvironmentand we will identify favourable situations, veryeasy to obtainin

pratie, in whih the reationto a messageis ensured within a short delay. An important property of our

exeutionmahine will bethat itwill preservethestepsequene semantisofthePetri net: this mahinean

be seenas an implementation of the Petri net exeution rule inluding additional onstraintsrelated to the

environment(realtimeandommuniation).

In the perspetive of diret exeution of the modelled systems, it beomes natural to provide parallel

exeutions ofthe model of a parallel system. So,our goalin proposing aparallel exeution mahineis more

relatedtoaquestionofonsistenythantothatofspeedup. Thequestionofthespeedofourexeutionmahine

will thus beintentionally left outof the topis of this paper. However,our denitions will leaveenoughfree

spaetoinvestigatein thisdiretionand wewillomebaktothisdisussionattheendofthepaper.

1.1. Exeution mahines. Dening an exeution mahine is the usual way to show that an abstrat

model,dened underassumptionswhihmaybeonsideredasunrealisti,anbeusedforonreteexeutions.

Forinstane,thefamilyofsynhronouslanguages(e.g.,Esterel[2℄),reliesonthesynhronoushypothesiswhih

statesthat thereationto asignalis instantaneous. Thisleads toonsider an innitelyfastomputerin the

abstrat model. Several exeution mahines for these languageshave been dened (see, e. g., [1, 5℄); in all

ases, the solution to remove the synhronous hypothesis makes use of a ompilation stage whih produes

nite automata in whih a whole hain of ation/reation is ollapsed on asingle transition. This allows a

orret implementation of the instantaneous reation assuming a omputer fast enough with respet to the

delays that the environment an observe. However, this breaks the ausality relation between events and

leadsto rejet somesystems whih may be onsidered on theabstrat level but are onretely impossible to

implement.

Similaronerns arisein theaseof Petri nets withausal time; in partiular, wehaveto rejetsystems

whihallowruns of unboundedlength betweentwoonseutivetiks. (Suh behavioursare oftenalled Zeno

providedthattheenvironmentisnottoodemanding. Thisistosaythatwewillneedaomputerfastenough

withrespettoitsenvironment,exatlylikeforsynhronouslanguages.

1.2. Organisation ofthe paper. Thesequelisorganisedasfollows. Thesetion2introduesthebasi

notions related to Petri nets and their semantis. The setion 3 then denes the lass of Petri nets we are

interestedin and givestheassumptionswhih mustbeonsidered in order toallow theirreal-time exeution.

Thesetion4showshowsuhnetsanbeompiledintoaformsuitablefortheirexeution. Then,thesetion5

denes the exeution mahine itself. We nally onlude in the setion 6, introduing disussions about the

eienyofanimplementation.

2. Basi denitions about Petri nets. This setionbriey introduesthelass of Petrinetsand the

relatednotionsthatwill beusedinthefollowing.

2.1. Multisets. A multiset overaset

X

is afuntion

µ

:

X

→

N

. Wedenote by

mult

(

X

)

theset of all nitemultisets

µ

over

X

,i.e., suhthat

P

x

∈

X

µ

(

x

)

<

∞

. Wewrite

µ

≤

µ

′

ifthedomain

X

of

µ

isinludedin thatof

µ

′

,andif

µ

(

x

)

≤

µ

′

₍

_x

₎

,forall

x

∈

X

. Anelement

x

∈

X

belongsto

µ

,denoted

x

∈

µ

,if

µ

(

x

)

>

0

. The sumanddiereneofmultisets,andthemultipliationbyanon-negativeintegerarerespetivelydenotedby

+

,

−

and

∗

(thediereneisdenedonlywhentheseondargumentissmallerorequaltotherstone). Asubset of

X

may be treated asa multiset over

X

, byidentifying it with its harateristi funtion, and asingleton set an beidentied with its sole element. A nite multiset

µ

over

X

may be written as

P

x

∈

_X

µ

(

x

)

∗

x

or

P

x

∈

X

µ

(

x

)

∗ {x}

,aswellasinextendedsetnotation,e.g.,

{a

1

, a

1

, a

2

}

denotesamultiset

µ

suhthat

µ

(

a

1

) = 2

,

µ

(

a

2

) = 1

and

µ

(

x

) = 0

forall

x

∈

X

\ {a

1

, a

2

}

.

2.2. LabelledPetri nets. Let

S

beasetofations symbols,

D

anitesetofdatavalues (orjustvalues)

and

V

asetofvariables. For

A

⊆

S

and

X

⊆

D

∪

V

,wedenoteby

A

⊗

X

theset

{a

(

x

)

|

a

∈

A, x

∈

X}

. Then, wedene

A

df

=

S

_⊗

₍

D

_∪

V

₎

asthesetofations (withparameters).Thesefoursetsareassumedpairwisedisjoint. Definition2.1. AlabelledmarkedPetrinetisatuple

N

= (

S, T, ℓ, M

)

where:

•

S

isanonempty niteset of plaes;

•

T

isanonempty niteset of transitions,disjoint from

S

;

•

ℓ

denes the labellingof plaes, transitionsand ars,i.e., elementsof

(

S

×

T

)

∪

(

T

×

S

)

,asfollows: for

s

∈

S

,thelabellingis

ℓ

(

s

)

⊆

D

whih denesthetokensthattheplaeisallowedtoarry(often

alledthe typeof

s

),

for

t

∈

T

, the labelling is

ℓ

(

t

)

df

=

α

(

t

)

γ

(

t

)

where

α

(

t

)

∈

A

and

γ

(

t

)

is aboolean expression alled the guardof

t

,

for

(

x, y

)

∈

(

S

×

T

)

∪

(

T

×

S

)

, the labelling is

ℓ

(

x, y

)

∈

mult(

D

∪

V

)

whih denotes the tokens owing onthe arduring the exeutionof the attahed transition. The empty multiset

∅

denotes theabsene ofar;

•

M

isa markingfuntionwhih assoiatestoeahplae

s

∈

S

amultisetin

mult(

ℓ

(

s

))

representingthe tokensheldby

s

.

Notie that

α

(

t

)

ould be a nite multiset of ations. This would be a trivialextension but would lead to more ompliated denitions; we hoose to restrit ourselves to single ations in order to streamline the

presentation.

WeadoptthestandardrulesaboutrepresentingPetrinetsasdiretedgraphswiththefollowing

simplia-tions: thenamesofsomenodes(espeiallyplaes)maynotbegiven;thetwoomponentsoftransitionlabelsare

depitedseparately;trueguardsareomittedaswellasbraketsaroundsets;arsmaybelabelledbyexpressions

asashorthand(seetheexamplegivenin thegure2.1).

0

0,...,η

t τ

(

x

)

x

+ 1

x

0

0,...,η

t τ

(

x

)

y

=

x

+ 1

y x

Fig.2.1. Ontheleft,a Petrinetwhihatuallydenotesthatgivenontheright,with

η

≥

0

,

{

0

, . . . , η

} ⊆

D

,

{

x, y

} ⊆

V

and

2.3. Step sequene semantis. Abinding is afuntion

σ

:

V

→

D

whih assoiatesonrete valuesto the variables appearing in a transition and its ars. We denote by

σ

(

E

)

the evaluation of the expression

E

boundby

σ

.

Let

(

S, T, ℓ, M

)

beaPetrinet,and

t

∈

T

oneofits transitions. Abinding

σ

isenabling for

t

at

M

ifthe guardevaluatestotrue,i.e.,

σ

(

γ

(

t

)) =

⊤

,andiftheevaluationoftheannotationsontheadjaentarsrespets thetypesoftheplaes,i. e.,forall

s

∈

S

,

σ

(

ℓ

(

s, t

))

∈

mult(

ℓ

(

s

))

and

σ

(

ℓ

(

t, s

))

∈

mult(

ℓ

(

s

))

.

Astep orrespondstothesimultaneousexeutionofsometransitions, itisamultiset

U

=

{

(

t

1

, σ

1

)

, . . . ,

(

t

k

, σ

k

)

}

suhthat

t

i

∈

T

and

σ

i

is anenablingbindingof

t

i

,for

1

≤

i

≤

k

.

U

isenabled ifthemarkingis suientto allowtheowoftokensrequiredbytheexeutionofthestep,i. e., forall

s

∈

S

M

(

s

)

≥

X

(t,σ)

∈

U

U

((

t, σ

))

∗

σ

(

ℓ

(

s, t

))

.

Itisworthnotingthat ifastep

U

isenabledatamarking,thensois anysub-step

U

′

_≤

U

. Astep

U

enabled

by

M

maybeexeuted,leadingtothenewmarking

M

′

dened forall

s

∈

S

by

M

′

(

s

)

=

df

M

(

s

)

−

X

(t,σ)

∈

U

U

((

t, σ

))

∗

σ

(

ℓ

(

s, t

)) +

X

(t,σ)

∈

U

U

((

t, σ

))

∗

σ

(

ℓ

(

t, s

))

.

Thisisdenotedby

M

[

U

iM

′

andthisnotationnaturallyextendstosequenesofsteps. Theemptystep,denoted

by

∅

, is alwaysenabled andwehave

M

[

∅iM

. A marking

M

′

is reahable from a marking

M

iftheirexists a sequeneofsteps

ω

suh that

M

[

ωiM

′

; wewillsayin thisasethat

M

enables

ω

. Notiethat

M

isreahable fromitselfthroughasequeneofemptysteps.

Thestepsequenesemantisisdenedasthesetontainingallthesequenesofstepsenabledbyanet. This

semantisisbasedontransitionsidentities buttherelevantinformationisgenerallythelabelsoftheexeuted

transitions. Thelabelled step assoiatedto astep

U

is dened as

P

(t,σ)

∈

U

U

((

t, σ

))

∗

σ

(

α

(

t

))

, whih allowsto naturally dene the labelled step sequene semantis of a Petri net. In the sequel we will onsider only this

semantisandomitthewordlabelled.

2.4. Safety. APetrinet

(

S, T, ℓ, M

)

issafe ifanymarking

M

′

reahablefrom

M

issuhthat,forall

s

∈

S

and all

d

∈

ℓ

(

s

)

,

M

′

(

s

)(

d

)

≤

1

,i. e., anyplae holds atmostonetoken ofeahvalue. Thelass of safePetri nets(inludingmodelsabbreviatingthem)isveryinteresting:

•

fromatheoretialpointofview,safePetrinetsneverhaveauto-onurrenyoftransitions,whihallows foreientveriationtehniques[8℄;

•

from apragmatialpointofview,safePetri netsorrespondstothelass ofnitestatePetrinets(as shown in [4℄, bounded Petri netsan be redued to safePetri nets while preserving theironurrent

semantis), whih orrespondto realisti systems,i. e., those that anbe implementedon aonrete

omputer;

•

from a pratial point of view, this lass was shown expressive enough to model most interesting problemsfrom therealworld. Forinstane, thesemantisproedures,exeptionsortaskspreemption

inthelanguageB(PN) 2

donotrequiremorethansafePetrinet.

Anothernie propertyof safePetrinets, diretly related to our purpose, is that they havenitely many

reahable markings, eah of whih enabling nitely many steps whose sizes are bounded by the number of

transitions in the net. For all these reasons, as in the previous works about ausal time [15, 6, 13, 14℄, we

restritourselvestosafePetrinets.

3. Petri netswith ausal time: CT-nets. Wearenowin position todenethelass ofPetri netswe

areatuallyinterestedin;itonsists insafePetrinets, withseveralrestritions,forwhihwewill denesome

speivoabularyrelatedtotheourreneoftiks. Weassumethat thereexists

τ

∈

S

,usedin thelabelling ofthetiktransition.

Definition 3.1. A Petrinetwith ausal time (CT-net) is a safe labelled Petri net

N

df

= (

S, T, ℓ, M

)

in

whih thereexistsaunique

t

τ

∈

T

,alledthe tiktransition of

N

,suhthat:

•

α

(

t

)

∈ {τ} ⊗

/

(

D

_∪

V

₎

for all

t

∈

T

\ {t

τ

}

;

•

t

τ

has atleastoneinomingarlabelledby asingleton.

Atik-stepisastep

U

of

N

whih involves thetik transition,i.e., suhthat

τ

(

d

)

∈

U

for a

d

∈

D

.

Thanks to the safety and the last restrition on

t

τ

, any tik-stepontains exatly oneourrene of the tiktransition. Ontheotherhand,onemaynotiethat thisdenition isveryliberal andallowsto denenets

in whih the tik transition is nottight to inrementounters but may produe anyother eet not related

to time. Fortunately, we donot need amorerestritivedenition, whih letsus free to experiment dierent

approahesinthefuture.

The gure 3.1 shows a toy CT-net that will be used asa running example. In this net, the role of the

tiktransition

t

τ

isto inrementaounterloatedin thetop-rightplae. Whenthetransition

t

1

is exeuted, it resetsthis ounter and piksin thetop-left plae avalue whih isbound to thevariable

m

. This value is transmittedtothetransition

t

2

whihwillbeallowedtoexeutewhenatleast

m

tikswillhaveourred. Thus,

m

speiestheminimumnumberoftiksbetweentheexeutionof

t

1

andthatof

t

2

. Atanytime,thetransition

t

3

mayrandomly hange the valueof this minimum while emittinga visible ation

u

(

x

)

where

x

is the new

value. Notiethat themaximumnumberoftiksbetweentheexeutionof

t

1

andthatof

t

2

isenforedbythe typeoftheplaeonnetedto

t

τ

whihspeies thatonlytokensin

{

0

, . . . , η}

areallowed(given

η >

0

).

0

0,...,η

t

1

a

1

(

m

)

t

2

c

≥

m

a

2

(

c

)

0

0,...,η

t

3

u

(

x

)

t

τ

τ

(

n

)

0,...,η

•

•

•

m

m

0

y

c

c

x

y

n

n

+ 1

m

m

Fig.3.1. AnexampleofaCT-net,where

η >

0

,

{

a

1

, a

2

, u, τ

} ⊆

S

,

{

c, n, m, x, y

} ⊆

V

and

{

0

, . . . , η

} ∪ {•} ⊆

D

.

Assuming

η

≥

5

,apossibleexeutionofthis CT-netis:

{τ

(0)

} {u

(2)

} {a

1

(2)

} {τ

(0)

, u

(1)

} {τ

(1)

} {u

(5)

} {τ

(2)

} {τ

(3)

} {a

2

(4)

, u

(0)

} {τ

(4)

}

.

3.1. Tratability. A CT-net

(

S, T, ℓ, M

)

is tratable if there exists an integer

δ

≥

2

suh that, for all marking

M

′

reahablefrom

M

,anysequeneofatleast

δ

nonemptystepsenabledby

M

′

ontainsat leasttwo

tik-steps. In other words, the length of an exeution between two onseutive tiks is bounded by

δ

whose smallestpossiblevalueisalledthemaximaldistanebetween tiks.

Thisnotionoftratablenetsisimportantbeauseitallowstodistinguishthosenetswhihanbeexeuted

on a realisti mahine: indeed, an intratable net may have potentially innite runs between two tiks (so

alledZenoruns),whihannotbeexeutedonanitelyfastomputerwithoutbreakingtheevennessoftiks

ourrenes.

Forexample, theCT-net ofour runningexampleisintratablebeausethetransition

t

3

anbe exeuted innitelyoftenbetweentwotiks: in theexeutiongivenabove,thestep

{u

(5)

}

ouldberepeatedanarbitrary numberoftimes. Intherest ofthispaper,werestritourselvestotratableCT-nets.

3.2. Input and output. The ommuniationbetweena CT-net and itsenvironmentis modelled using

someof the ations in transitions labels. Wedistinguish for this purpose two nite disjoint subsets of

S

:

S

i

isthe set ofinput ation symbols and

S

o

is that of output ations symbols. Weassume that

τ /

∈

S

i

∪

S

o

. We alsodistinguishanonemptyset

D

io

⊆

D

representingthevaluesallowedforinputandoutput. Intuitively,the distinguishedsymbolsorrespondtoommuniationportsonwhihvaluesfrom

D

io

maybeexhangedbetween

Anaivewaytoahievethisresultistouseself-loops,likethetransition

t

3

inthegure3.1. Inthisexample, ifweassume

u

∈

S

i

and

{

0

, . . . , η} ⊇

D

io

, anyrequestedommuniationon

u

analwaysbe handled. Unfor-tunately,self-loopsleadtointratablenetssinesuhtransitionsanalwaysbearbitrarilyrepeated(remember

the step

{u

(5)

}

above). Atually, a self-loopindiates that theCT-net isexpeted to be ableto respond in-stantaneouslyto allthe messagesthat theenvironmentwould sendonthe orrespondingport, whih isnota

realistiassumption. Indeed,ifthenumberofsuhmessagessentinagivenamountofrealtimeisnotbounded,

then a nitely fast omputer annot avoid to miss some of them. So, in the following, we assume that the

environmentmaynotproduemorethanonemessageoneahinputportbetweentwotiks,whihwillleadto

thenotionoftik-reativeness.ThisassumptionisequivalenttosaythatwerequiretheCT-nettobeexeuted

onaomputerfast enoughwithrespetto itsenvironment;so, thisis atuallyoneof thelassialonditions

thatmustbeassumedwhiledeninganexeutionmahine.

Let

A

⊆

S

i

beanonemptysetofinputationsymbols,wedenoteby

req(

A

)

thesetofpotentialrequestson

A

, whihontainsallthesetsoftheform

{a

1

(

d

1

)

, . . . , a

k

(

d

k

)

}

where

{a

1

, . . . , a

k

} ⊆

A

and

(

d

1

, . . . , d

k

)

∈

D

io

k

forall

k

≥

1

. Eahelementof

req(

A

)

ispotentiallyastepofaCT-net.

ACT-net

(

S, T, ℓ, M

)

isone-reative to

A

⊆

S

i

i: either,itenablesonlytheemptystep;or,there exists astep

U

′

/

∈

req

(

A

)

suhthat

M

[

U

′

_iM

′′

and,forall

U

∈

req

(

A

)

, wehave

M

[

U

iM

′

andtheCT-net

(

S, T, ℓ, M

′

)

is one-reativeto

A

\ {a

∈

A

| ∃d

∈

D

io

, a

(

d

)

∈

U

}

. Intuitively, this indutivedenition states that,for all inputport

a

i

∈

S

i

,theCT-netan reattoanyrequeston

a

assoonasitomes,afterwhatitmaymissthem. Ontheotherhand,theCT-netisneverforedtoexeuteanationinvolvinganinputportin

A

(thankstothe step

U

′

). Atanytime,theCT-netmayterminateitsexeutionwithadeadlok.

A CT-net

(

S, T, ℓ, M

)

is tik-reative to

A

⊆

S

i

i it is one-reative to

A

and, for allsequene of steps

U

1

· · ·

U

k

suh that

U

k

is a tik-stepand

M

[

U

1

· · ·

U

k

iM

′

, then theCT-net

(

S, T, ℓ, M

′

)

is tik-reativeto

A

.

Thisdenitionisalsoindutiveandstatesthat atik-reativeCT-netisalmostlikeaone-reativenetexept

thatitsapabilitytoreatisfullyrestoredafter eahtik. Thisguaranteesthatonemessageon

a

mayalways behandledbetweentwotiks,whihexatlymathesourassumption. Itturnsoutthatitiseasytotransforma

reativeCT-netwithself-loopsintoatik-reativeone. Itisenoughtoaddoneplaeforeahself-loopwiththe

type

{◦,

•}

andmarkedwith

•

,andarssuhthat eahourreneoftheself-looponsumesthe

•

andreplae itwitha

◦

,soitannotourtwie; ontheotherhand,eahourreneofthetik-transition mustresetto

•

thetoken in theadded plaes. Thisway,self-loopsannot be repeatedwith at leastone tikin between. As

we ansee, it is easyto onstrut atik-reativenet; for instane, the gure3.2 showsa modiedversionof

ourrunningexamplewhihistik-reativeto

{u}

andtratable(now,thestep

{u

(5)

}

ouldnotberepeatedat will).

0

0,...,η

t

1

a

1

(

m

)

t

2

c

≥

m

a

2

(

c

)

0

0,...,η

t

3

u

(

x

)

t

τ

τ

(

n

)

0,...,η

•

◦

,

•

•

•

•

m

m

0

y

c

c

z

•

◦

•

x

y

n

n

+ 1

m

m

Fig.3.2.Thetik-reativeversionoftherunningexample,where

z

∈

V

and

{◦

,

•} ⊂

D

.

3.3. Consisteny. Wedenoteby

U

[

a

]

thenumberofourrenesoftheationsymbol

a

inastep

U

,i.e.,

U

[

a

]

df

=

P

_a(x)

∈

U

U

(

a

(

x

))

. A step

U

is onsistent if

U

[

a

]

≤

1

for all

a

∈

S

i

∪

S

o

. A CT-net is onsistent if itsstepsequene semantisonlyinvolveonsistentsteps. Inonsistentsteps arethose duringtheexeution of

whihseveralommuniationstakeplaeonthesameport. Sinethetransitionsexeutedbyasinglestepour

simultaneously,thismeansthatseveralvaluesmaybesentorreeivedonthesameportatthesametime. This

isertainlysomethingwhihisnotrealistiandso,werestritourselvestoonsistentCT-netsinthefollowing.

4. Compilation of CT-nets: CT-automata. Theaim of this setion is to show how to transform a

tratable and onsistentCT-net into a form moresuitable for theexeution mahine. This orresponds to a

ompilationproduinganautomaton(non-deterministiin general),alled aCT-automaton,whose statesare

thereahablemarkingsofthenetandwhosetransitionsorrespondtothestepsallowingtoreahonemarking

fromanother. It shouldberemarkedthatthisompilationisnotstritlyrequiredbutallowstosimplify things

a lot, in partiular in an implementation of the mahine: with respet to its orresponding CT-net, a

CT-automatonhasnonotionofmarkings,bindings,enabling,et.,whihresultsinamuhsimplermodel. Another

reasontointroduethis ompilationstage isthat itanbeused tohekifthenetofinterestis reallyasafe,

tratableandonsistentCT-net;moreover,itisanalmostneessarysteptoomputethevalueof

δ

(themaximal distanebetweentiks)whihwillbeusedduringtheexeution. So,asweannotavoidaomputationatleast

equivalentto this ompilationstage,weturnit into anadvantagefortheexeution whih anbe mademuh

simplerandmoreeient.

Inordertoreordonlytheinputandoutputationsinastep

U

ofaCT-net,wedenethesetofthevisible ations in

U

by

⌊U⌋

df

=

U

∩

(((

S

_i

_∪

S

_o

₎

_⊗

D

io

)

∪

(

{τ} ⊗

D

))

. Beause of the onsisteny,

⌊U

⌋

ould not be a multiset.

Definition4.1. Let

N

= (

S, T, ℓ, M

)

beatratableandonsistentCT-net,the CT-automatonof

N

isthe niteautomaton

A

(

N

)

df

= (

S

A

, T

A

, s

A

)

where:

•

S

A

istheset ofstatesdenedasthe setof allthe reahable markingsof

N

;

•

the set of transitions is

T

A

⊆

S

A

×

L

A

×

S

A

,where

L

A

df

=

{A

⊆

((

S

_i

_∪

S

_o

₎

_⊗

D

io

)

∪

(

{τ} ⊗

D

)

}

, and isdenedasthe setofall thetriples

(

M

′

, A, M

′′

)

suhthat

M

′

, M

′′

∈

S

A

andthere existsanonempty step

U

of

N

suhthat

M

[

U

iM

′

and

A

=

⌊U

⌋

;

•

s

A

df

=

M

∈

S

A

isthe initial stateof

A

(

N

)

,i.e., theinitial markingof

N

.

ThefollowingholdsbydenitionbutshouldbestressedsineitstatesthataCT-netandtheorresponding

CT-automatonhaveexatlythesameexeutions.

Proposition4.2. Let

N

df

= (

S, T, ℓ, M

)

bea tratable and onsistent CT-net,

M

′

be areahable marking

of

N

and

(

S

A

, T

A

, M

)

df

=

A

(

N

)

. 1. If

M

′

[

U

iM

′′

for anonemptystep

U

then

(

M

′

,

⌊U

⌋, M

′′

)

∈

T

A

. 2. Conversely, if

(

M

′′

, A, M

′′′

)

∈

T

A

then there exists a nonempty step

U

suh that

M

′′

[

U

iM

′′′

and

⌊U

⌋

=

A

.

Asanexample, thegure4.1showstheCT-automatonwhihorrespondsto thetratableversionofour

runningexample(givenin thegure3.2). For thesakeofompatness,weassumed

η

df

= 1

(the automatonfor

η

= 2

has105statesandthisnumbergrowsto277for

η

= 3

). Moreover,weassumed

{a

1

, a

2

, u} ⊆

S

i

∪

S

o

.

5. Theexeutionmahine. Wenowdesribetheexeutionmahine. Inordertoommuniatewiththe

environment,asymbol

a

o

∈

S

o

isonsideredasaportonwhihavalue

d

∈

D

io

maybewritten,whihisdenoted by

a

←

d

(more generally,this isusedforanyassignment). Similarly,asymbol

a

i

∈

S

i

isonsidered asaport onwhih suhavalue, denoted by

a

i

?

, mayberead;weassumethat

a

i

? =

∅

∈

/

D

io

whennoommuniation isrequested on

a

i

. Moreover,in order toindiate to theenvironmentifaommuniationhavebeenproperly handled,wealsoassumethateah

a

∈

S

i

maybemarkedaepted(denotingthattheommuniationhasbeen orretlyhandled),refused (denotingthattheommuniationouldnotbeenhandled),erroneous(denoting

thataommuniationonthisportwaspossiblebutwithanothervalue,orthataommuniationwasexpeted

but not requested)or notmarked, whih is representedby no mark. We also use the notation

a

i

←

mark

whenaninputportisbeingmarked.

Let

(

S

A

, T

A

, s

A

)

beaCT-automatonandlet

∆

beaonstantamountoftime; wewillsee lateronhow

∆

isdenedsineitdepends onthedenitionof theexeutionmahine. Wewillusethreevariables:

•

Θ

isatimeorrespondingtotheourrenesoftiks;

•

s

∈

S

A

istheurrentstate;

•

I

⊆

S

_i

istheset ofportsonwhihtheenvironmentasksaommuniation.

Thebehaviourof the mahine is desribed bythe algorithm givenon theleft of the gure4.2 where the

exeutionofastep(line 13)is detailed ontherightofthegure. Severalaspets ofthis algorithmshould be

ommented:

•

thestatementnow evaluatestotheurrenttimewhenitisexeuted;

•

theforall loopsareparallelloops;

0

1

2

3

4

5

6

7

8

9

10

11

13

12

14

15

16

17

18

19

20

21

22

23

24

25

26

27

u(0)

u(1)

a

1

(0)

_τ(0)

a

1

(0)

τ(0)

a

1

(1)

a

1

(0)

u(0)

u(1)

u(0)

u(1)

a

1

(1)

u(1)

a

2

(0)

u(0)

a

1

(0)

a

1

(1)

u(1)

u(0)

a

2

(0)

τ(0)

u(1)

u(0)

τ(0)

a

2

(0)

τ(0)

τ(0)

τ(0)

a

2

(1)

u(0)

u(1)

u(0)

u(1)

a

2

(1)

τ(0)

a

2

(1)

u(0)

u(1)

a

2

(1)

u(0)

u(1)

u(0)

a

2

(1)

u(1)

a

2

(1)

u(0)

u(1)

a

2

(1)

a

2

(1)

u(0),a

2

(1)

u(1),a

2

(1)

u(0),a

2

(1)

u(1),a

2

(1)

u(0),a

2

(1)

u(1),a

2

(1)

u(0),a

2

(1)

u(1),a

2

(1)

Fig.4.1.TheCT-automatonoftheCT-netgiveninthegure3.2(with

η

df

= 1

),theinitialstateisnumbered 0andlled in

blak.

1:

s

←

s

A

2:

Θ

←

now

3: while

s

hassuessorsdo 4: for all

a

∈

S

i

do 5:

a

←

nomark 6: endfor

7:

I

← {a

∈

S

i

|

a

?

6

=

∅

}

8: hooseatransition

(

s, A, s

′

₎

9: if

A

isatik-stepthen 10: waituntilnow

= Θ + ∆

11:

Θ

←

now 12: endif

13: exeute(

A, I

) 14:

s

←

s

′

15: endwhile

proedureexeute(

A, I

): 17: forall

a

(

d

)

∈

A

(

a

6

=

τ

)do 18: if

a

∈

S

o

then

19:

a

←

d

20: elseif

a

∈

S

i

and

a

? =

d

then 21:

a

←

aepted

22: else

23:

a

←

erroneous 24: end if

25:

I

←

I

\ {a}

26: endfor

27: forall

a

∈

I

do 28:

a

←

refused 29: endfor

Fig.4.2. Themainloopoftheexeutionmahine(ontheleft)andtheexeutionofastep

A

withrespettorequestedinputs givenby

I

(ontheright).

•

eah exeution of the while loop performs a bounded amount of work, in partiular the following numbers are bounded: the number of ports; the number of transitions outgoing from a state; the

numberof ationsin eahstep. Assuming that hoosing atransition requiresaxed amountof time

(seebelow),

∆

isthemaximumamountoftimerequiredtoexeutethewhileloop

δ

−

1

times;

Proposition5.1. The algorithm presentedin thegure4.2 ensuresaneven ourreneofthe tiks.

Proof. Let

θ

be thevalueassigned to

Θ

when theline 2is exeuted. A numberof transitions (at most

δ

−

2

) is exeuted until atiktransition is hosen. All together, the durationof these exeutionsrequires is

D

≤

∆

sotheline10waitsduring

∆

−

D

. Thus,theline11,whihorrespondstothetik,isexeutedattime

θ

+

D

+ (∆

−

D

) =

θ

+ ∆

. Byindution,weobtainthattiksareexeutedattimes

θ

+

k

∆

for

k

≥

1

.

5.1. Choosinga transition. Westillhavetodene howatransitionmaybehosen,in axedamount

oftime,inordertomarkaeptedasmuhaspossibleinputportsintheset

I

ofrequestedommuniations. Inordertodene ariterionof maximality,weassumethat thereexists atotalorder on

S

i

. This orresponds to aprioritybetweentheports: when several ommuniationsare requested but notallare possible,werst

hoose to servethose on theports with thehighest priorities. Then, given

I

, wedene apartial order

≺

on thetransitions outgoingfrom astateand themahine hoosesoneof thesmallesttransitionsaordingto

≺

. Thishoiemayberandomordrivenbyasheduler. Forinstane,wemayhoosetoexeutestepsaslargeas

possible,orstepsnolargerthanthenumberofproessors,et. Thedenition ofashedulingstrategyisoutof

thesopeofthispaper;wejust needtoassumethatthetimeneededtohooseatransitionisbounded(whih

shouldholdin thereasonableases).

Foreahstep

A

appearingonatransitionoutgoingfromtheurrentstate,wedeneavetor

V

A

∈ {

0

,

1

,

2

}

S

i

whih represents themarks on theinput ports after

A

would be exeuted: the value

0

standsfor aepted ornomark,the value

1

forrefused andthevalue

2

forerroneous. Thus, thevalueof

V

A

(

a

)

anbefound usingthefollowingtable,where

d

and

d

′

aredistintvaluesin

D

io

:

A

[

a

] = 0

a

(

d

)

∈

A

a

(

d

′

₎

_∈

_A

a

? =

d

1

0

2

a

? =

∅

₀

₂

₂

Then,

A

1

≺

A

2

if

V

A

₁

< V

A

₂

aordingtothelexiographiorderonthesevetors.

Again,itislearthatbuildingthese vetorsandhoosing thesmallestoneisfeasibleinaxedamountof

timesinethenumberoftransitions outgoingfrom astateisbounded. This isalsofeasiblein parallel: allthe

V

A

's an be omputed in parallel (as well asall theiromponents) and the seletion of thesmallest one is a

logarithmiredution.

Notiethat if

≺

allowsto dene atotalorder onsteps, itis notthease forthe transitionssineseveral transitionsmaybelabelledbythesamestep. Forinstane, assuming

u /

∈

S

i

∪

S

o

,therunningexamplewould giveaCT-automatonsimilartothatofthegure4.1butinwhihalltheations

u

(0)

or

u

(1)

wouldhavebeen deleted. Inthisase,thestate13wouldhavetwooutgoingtransitionslabelledby

∅

andthreelabelledby

a

2

(1)

. Proposition5.2. Let

a

∈

S

i

beaninputationsymboland

N

beaCT-netwhih istik-reativeto

R

∋

a

. Then,the exeutionof

A

(

N

)

willnever mark

a

aserroneous norrefused.

Proof. Let

s

betheurrentstateof

A

(

N

)

and

(

s, A, s

′

)

bethetransitionhosenbytheexeutionmahine.

Therearethreeases.

(1) If

a

? =

∅

, then it may be marked erroneous ornot marked. In the former ase, this means that

a

(

d

)

∈

A

for a

d

∈

D

io

. Then, if

A

=

{a

(

d

)

}

, beause of the tik-reativeness,there must exist atransition

(

s, U

′

_{, s}

′′

₎

whihdoesnotinvolve

a

(tik-reativenessneverforestheourreneofaninputation),otherwise, thetransition

(

s, A

′

_{, s}

′′

₎

with

A

′

df

=

A

\ {a

(

d

)

}

must exists(sine it orrespondsto asub-step). Inbothases, we have

(

s, U

′

_{, s}

′′

₎

_≺

₍

_{s, A, s}

′

₎

or

(

s, A

′

_{, s}

′′

₎

_≺

₍

_{s, A, s}

′

₎

heneaontradition with thefat that

(

s, A, s

′

₎

was

hosen. So,

a

mustbenotmarkedin thisase.

(2) If

a

? =

d

6

=

∅

and the ommuniationon

a

is markedrefused, this meansthat

A

[

a

] = 0

. The tik-reativeness ensuresthat there mustexist atransition

(

s, A

∪ {a

(

d

)

}, s

′′

)

(byassumption,

a

annothavebeen

requestedbeforesinetheprevioustik),heneagainaontradition. So,

a

mustbemarkedaeptedinthis ase.

(3) If

a

? =

d

6

=

∅

and the ommuniationon

a

is marked erroneous, this means that

a

(

d

′

)

∈

A

for a

d

′

∈

D

io

\ {d}

. But there must exist atransition

(

s,

(

A

∪ {a

(

d

)

}

)

\ {a

(

d

′

)

}, s

′′

)

(tik-reativeness allows the

ourreneforanyvaluein

D

io

),heneagainaontradition. So,

a

isalsomarkedaepted here.

Then,thenextresultshowsthataommuniationrequestedonaporttowhihtheCT-netistik-reative

Proposition5.3. Let

a

∈

S

i

beaninputationsymboland

N

beaCT-netwhih istik-reativeto

R

∋

a

. If

a

? =

d

6

=

∅

before the exeutionof the line7inthe gure4.2, then

a

ismarkedaepted after theline 13 has exeuted.

Proof. Diretlyfollowsfromhowthemahinehoosesatransitionandfromtheproposition5.2.

6. Conluding remarks. Wedened aparallel exeutionmahine whih shows theadequayof ausal

and real time by allowing time-onsistent exeutions of ausally timed Petri nets (CT-nets) in a real-time

environment. Wealsoshownthatitwaspossibletoensurethatthemahineeientlyreatstothesoliitation

ofitsenvironmentbydesigningCT-netshavingthepropertyoftik-reativeness,whihiseasytoonstrut. In

ordertoobtaintheseresults,severalrestritionshavebeenadopted:

•

onlysafe Petrinetsareonsidered;

•

thenetsmustbetratable,i.e., theyarenotallowedto haveunboundedruns betweentwotiks;

•

the nets must be onsistent, i. e., theyannot perform several simultaneous ommuniationson the sameport;

•

theexeutionmahinemustberunonaomputerfastenough toensurethattheenvironmentannot attemptmorethanoneommuniationonagivenportbetweentwotiks.

Wedonotonsiderthetratabilityandonsistenyrequirementsastruerestritionssinetheyatually

orre-spondto whatanbeperformedonarealistimahine. Thelastrestritionisatuallyapresription: inorder

toensureaorretommuniation,onehastoruntheexeutionmahineonaomputerfastenoughtoexeute

tiksmoreoften thanthe environmentan produe input. Moreover,it should benotied that thefrequeny

of tiksis arbitrary. So, ifthetiks ofa CT-net aretoomuh sparse with respetto the requestedinputs, it

iseasy tomultiplybyaonstant

k

allitstiming onstraintsin thenetso tikswill our

k

timesmoreoften. Usingnon-safePetrinetsmaybeonsideredinthefuture,however,thiswouldleadtothelassofinnitestate

systemswhihdoesnotseemrealistiforthepurposeof exeution.

6.1. Future work. Petri netslike CT-nets havebeen used for a longtime asa semantial domain for

high-levelprogramminglanguagesandproessalgebraswithstepbasedsemantis(see,e.g., [3,14℄)andthese

tehniquesouldbediretlyappliedtomassivelyparallellanguagesorformalisms. Inthisdiretion,weenvisage

toombinea

n

-ary parallelomposition operationwith symmetryredutions [9℄ allowingto theveriationof verylargesystemswhilegivingmodellingsupportforkindsofSPMD systems.

6.2. Implementationissues. Apreliminaryversionofthisworkproposedasequentialexeutionmahine

andaprototypehasbeensuessfullyimplementedin Ada;thisallowedtoshowthattheevennessoftikswas

not only possible in the theory but also easyto ahieve in an implementation. (The only diulty was to

obtains

∆

usingtestrunsatthestartingofthemahine.) Aparallelimplementationoftheversionpresentedhere

hadbeenstartedbuthadtobedelayedsineitturnedoutthattherewerestillneedforagroundstudy. Indeed,

several open questions are atually ritial ones. Notie that if ourgoal is to perform testing or simulation,

an implementation an be naive and may even be sequential. But in the perspetive of diret exeution of

the modelled systems, the speedup beomes ruial and atually depends on the interation between several

parameters: the model of omputation, the family of parallel mahine targeted and the sheduling strategy

(as disussed in the setion 5.1). All these questions were left out of the urrent paper; we thus envisage

further researhon this subjetwith thegoalto identify goodombinationsallowingto produehigh-quality

implementations of our exeution mahine. In partiular: how to exploit the parallelism in the presented

algorithm strongly depends on the omputational model envisaged (whih may itself depend on the target

arhiteture);thequestionofstoring theCT-automatonis alsoimportantifone targetsadistributed memory

arhiteture. Taking all these parameters into aount may lead to several very dierent renements of the

algorithm proposed above, eah speially dediated to a partiular lass of parallel omputer and parallel

programminglanguageormodel.

Related to the goalof eient exeutions,another interesting problem isto onnetthe input/output of

themahine to theonrete omputerinorder todelegate someomputation. Indeed, outputationsmaybe

onsidered as alls to omputationalprimitives, while input ations ould orrespond to the reeiving of the

omputedvalues. Thisintroduesdelays,externalstothemodel, whih mustbetakeninto aount. Thisan

bemadebyintroduingfurthertimingonstraintsinthemodelinordertoreettheexeutiontimesobtained

6.3. Conlusion. We believethat theframework proposed in this paperan be used to build onrete

parallelappliationsinwhihtheontrolowouldbeensuredbyPetrinetswhilealargepartoftheomputation

wouldbedelegatedtodediated primitiveswithknownperformanes. UsingPetrinetsforboththemodelling

andtheexeutionallowstoverifyandrunthesameobjet,savingfromtherisktointrodueerrorsontheway

fromamodeltoitsimplementation,whileallowingexeutionsevenduringtheearlystagesofthedesign.

REFERENCES

[1℄ C.AndréF.Boulanger,A.Girault,SoftwareImplementationofSynhronousPrograms,ICACSD'2001,IEEEComputer

Soiety,2001.

[2℄ G.Berry,ThefoundationsofEsterel,LanguageandInteration: EssaysinHonourofRobinMilner.MITPress,1998.

[3℄ E.BestandR.P.Hopkins,B(PN) 2

AbasiPetrinetprogramming notation.PARLE'93.LNCS694,Springer,1993.

[4℄ E. Best and H. Wimmel,Reduing

k

-safe Petri nets topomset-equivalent 1-safe Petri nets, ICATPN'00. LNCS 1825, Springer,2000.

[5℄ E.Boufaïd,Mahinesd'ex'eutionpourlangages synhrones,PhDThesis,UniversityofNie-SophiaAntipolis,1998.

[6℄ C. BuiThanh,H.KlaudelandF. Pommereau,Petrinetswithausal timeforsystem veriation,MTCS'02.ENTCS,

Elsevier,2002.

[7℄ R. Durhholz,Causality,time,anddeadlines,Data&KnowledgeEngineering,6.North-Holland,1991.

[8℄ J.Esparza,Modelhekingusingnetunfoldings,SieneofComputerProgramming,Elsevier,1994.

[9℄ T.Junttila,OntheSymmetryRedutionMethodforPetriNetsandSimilarFormalisms,PhDThesis,HelsinkiUniversity

ofTehnology,2003

[10℄ H.Klaudel,CompositionalHigh-LevelPetrinetsSemantisofaParallelProgrammingLanguagewithProedures,Sienes

ofComputerProgramming41,Elsevier,2001.

[11℄ H. Klaudel and F. Pommereau, A onurrent semantis of stati exeptions in a parallel programming language,

ICATPN'01.LNCS2075,Springer,2001.

[12℄ H.KlaudelandF.Pommereau,Alassofomposableandpreemptiblehigh-levelPetrinetswithanappliationto

multi-taskingsystems,FundamentaInformatiae,50(1):3355.IOSPress,2002.

[13℄ F.Pommereau,Modèlesomposablesetonurrentspourletemps-re'el,PhD.Thesis,UniversityParis12,Frane,2002.

[14℄ F.Pommereau,CausalTimeCalulus,FORMATS'03.LNCS2791,Springer,2004.

[15℄ G.Rihter,Countinginterfaesfordisretetimemodeling,Tehnialreport26,GMD.September1998.

Editedby: FrédériLoulergue

Reeived: June8,2004