key: cord-0048940-fd48ydmx authors: Dixon, Alex; Lazić, Ranko title: KReach: A Tool for Reachability in Petri Nets date: 2020-03-13 journal: Tools and Algorithms for the Construction and Analysis of Systems DOI: 10.1007/978-3-030-45190-5_22 sha: 3ab06f0eebf598123f3f127ec9ac5a03ffdefe74 doc_id: 48940 cord_uid: fd48ydmx We present KReach, a tool for deciding reachability in general Petri nets. The tool is a full implementation of Kosaraju’s original 1982 decision procedure for reachability in VASS. We believe this to be the first implementation of its kind. We include a comprehensive suite of libraries for development with Vector Addition Systems (with States) in the Haskell programming language. KReach serves as a practical tool, and acts as an effective teaching aid for the theory behind the algorithm. Preliminary tests suggest that there are some classes of Petri nets for which we can quickly show unreachability. In particular, using KReach for coverability problems, by reduction to reachability, is competitive even against state-of-the-art coverability checkers. Petri nets [26] (equivalently, Vector Addition Systems with States [12, 14] ) are one of the best-known formalisms in concurrency theory. They form a highly expressive model which is applicable in a broad range of domains including software and hardware verification [5, 6] , chemical modelling [3] , and business processes [22] . Two of the most studied decision problems on Petri nets are those of coverability and reachability. Coverability is the central decision problem for verifying safety properties on Petri nets. The coverability problem asks, given a starting configuration m 0 and a target m, whether we can reach, by some sequence of valid transitions (i.e. by a run), any configuration m ′ ≥ m. The problem is known to be EX-PSPACE-complete [23, 27] . Coverability has seen considerable study in recent years, in particular with a view towards minimising the running time of coverability decision procedures [2, 11] . The reachability problem, to which coverability is easily reducible, can capture both safety and liveness properties of systems [13] . Formally, the reachability problem asks if we can, by some run, get from a starting configuration m 0 to the target configuration m exactly. Historically, there has been a wide gap between the upper and lower bounds, but recently these have been improved to a non-elementary lower bound [7] and an Ackermannian upper bound [21] . The first complete algorithm for reachability is due to Mayr [24] , since further developed and simplified by Kosaraju [17] and Lambert [18] . More recently, a strikingly simple but not yet practical algorithm was obtained by Leroux [20] , based on enumerating Presburger-definable invariants. In this paper we will focus on Kosaraju's algorithm. The latter is the subject of an entire book by Reutenauer [29] , since translated into English [28] , and more recently presented in a novel, readable format with contemporary notation by Lasota [19] . In spite of these substantial and sustained theoretical developments, the area has seen little in the way of practical implementation. We seek to address this gap by making the following contributions: -We present a tool, KReach, which we believe to be the first complete implementation of a decision procedure for the general Petri net reachability problem. -Noting that the reachability problem is infamous for its complexity-both in terms of its worst-case runtime, and the impenetrability of its decision procedures for newcomers-we offer an accessible implementation of Kosaraju's algorithm, which can be used as a detailed learning aid. -We have designed the implementation in a modular and extensible way which is conducive to development of future improvements to the algorithm. -We include a number of parameterised example nets which demonstrate correctness and performance, and can be used to assess further work. -We provide a full suite of libraries which aid programming with Vector Addition Systems (with States) in the Haskell programming language. Algorithm We will now give a brief overview of Kosaraju's classic reachability algorithm for Petri nets, and explain the translation into code. Note that Kosaraju's algorithm operates over VASS-the translation between the two is immediate, and can be performed while parsing the problem instance. (b) Gex after SCC decomposition. We now have two components, the second of which is trivial. The adjoinment is marked by a dashed arrow. The shaded rectangles are separate components. The procedure revolves around Generalized VASS (GVASS), an extension of VASS. A GVASS G is a sequence (C 1 , .., C n ), of VASSs annotated with metadata, most notably constraints on their entry and exit configurations. The exit state of C i is adjoined to the entry state of C i+1 by a transition. Reachability in our original VASS V is implied by reachability in an induced GVASS G(V ), a singleton sequence where we constrain the entry and exit configurations as being equal to our initial m 0 and target m. Figure 1a gives an example. In outline, Kosaraju's algorithm operates as follows. At each step, given a strongly-connected GVASS G: -either G fulfils θ; -or G violates θ, in which case we can refine G into a finite (possibly empty) set of modified GVASSs. This produces a finitely-branching tree of GVASSs in which every branch forms a strictly descending chain with respect to a well-quasi-ordering [21] . The algorithm therefore always terminates, and m is reachable from m 0 in the root GVASS G if and only if some GVASS in the tree satisfies θ. The θ Condition Kosaraju's main predicate comprises two parts. θ 1 is a global property of the system, while θ 2 must hold for each component. θ 1 : There exist pseudo-runs through the GVASS which use every edge in every component unboundedly many times, and attain unboundedly large values for every unconstrained coordinate (here a pseudo-run is a run over Z d rather than over N d ). This condition can be formulated as an integer linear programming problem. From this we obtain a semilinear set of vectors of variables representing counts of transition occurrences and values of unconstrained coordinates. If there is no bounded variable then θ 1 holds. Otherwise, one such bounded variable is "refined" by either constraining the associated coordinate's value or by unfolding the associated transition. For example, we may deduce that the number of firings of t 0 never exceeds 1 in our example GVASS G ex ; we generate the refinements as in Figure 2 . (b) Refinement when t0 is activated 1 time. Fig. 2 : Refinement of G ex by removing bounded transition t 0 . We are able to reduce from the coverability problem to the reachability problem in the following way. Suppose we are intending to cover some vector m-that is, we wish to reach any vector m ′ such that m ′ ≥ m. We introduce a new state ∆, and add a transition δ from the final state of the original VASS to ∆, which subtracts m on activation. As ∆ can only be reached by subtracting m from our current vector, reaching a vector m ′ ≥ m (i.e. covering m) is equivalent to reaching state ∆. For each vector coordinate we introduce a looping transition on ∆ which reduces the value of that coordinate by 1. This ensures that (0, ..., 0) can be reached from any configuration in state ∆. As a result, covering m in the original net is equivalent to reaching (∆, (0, ..., 0)) in the augmented version. Implementation KReach is implemented in the Haskell programming language. This is a strongly-typed, functional language with lazy evaluation. The language was chosen for its high level of expressiveness, type-safety, and the ease of translation between algorithm and implementation. We represent the algorithm as a function which takes a list of GVASSs, and returns a KosrajuResult. We perform a depth-first search of the refinement tree, either finding a refinement which permits reachability (KosarajuHolds) or exhausting all possibilities (KosarajuDoesNotHold). The algorithm is guaranteed to terminate [17] , and so constitutes a full decision procedure for reachability. The ILP subproblem (θ 1 ) is solved with the SBV (SMT Based Verification) package, an interface to a variety of SMT solvers. We formulate all the constraints as an integer linear program, and evaluate with the ldn function (Linear Diophantine equations over Naturals). The coverability subproblem (θ 2 ) is solved by an implementation of the standard Karp-Miller algorithm for Vector Addition Systems [16] . This algorithm computes the coverability set-the upward closure of the set of all vectors that are reachable in a net from some starting vector. The extensible nature of the code allows the basic implementation to be swapped out for a more optimised one (e.g. based on [10] ) at a later stage. We ensure that the strongly connected property holds by decomposing the original GVASS via the SCC implementation found in the Data.Graph module. Optimisations In spite of the ominous non-elementary complexity lower bound, some effort was still undertaken to improve the runtime of test cases. A number of minor improvements have been made over the standard algorithm which remove unneccessary computations. For example, when constructing refinements for a GVASS G, when a variable is bounded above by some constant c, Kosaraju suggests to generate refinements R i (G) for every i from {0, . . . , c}. Instead, we refine only to R i (G) for values i that feature in the corresponding semilinear set. The algorithm has also been multithreaded with Haskell's lightweight concurrency toolkit [1], so that it evaluates refinements in parallel rather than sequentially. Any return value of KosarajuHolds will terminate the program. The program uses the vass library (released as part of this publication) to parse file formats. By default a parser for MIST's .spec format 1 is provided. This format is traditionally a representation of coverability problems; KReach translates these to reachability problems by replacing p ≥ n constraints by p = n in target places. Installation The KReach tool is available from a public GitHub repository. One can clone the repository in full with the following command: The program is built against the Haskell stack toolchain 2 . In order to build the tool, a locally installed version of stack is required. The tool can be compiled and locally installed by running stack install in the cloned directory. One must also ensure that an SMT solver is installed and accessible on the user's binary path; z3 3 and cvc4 4 are supported. A compiled program binary, along with benchmarks, is provided on the "Releases" section of the GitHub page. Usage The compiled kosaraju tool can be interacted with through the command line. Simple wrapper scripts are provided; the standard invocation is kreach FILENAME to check reachability, and kcover FILENAME for coverability. Intermediate output can be hidden by providing the -q (quiet) flag. Figure 3b shows the relative performance of z3 against cvc4 for growing inputs. cvc4 tends to far outperform z3 on the constructed ILP problems. KCover allows us to use benchmarks for the coverability problem as a source of test cases for the reachability algorithm. The suite provided with the tool includes also a number of test cases for various aspects of the implementation, as well as examples from the non-elementary lower bound construction [7] . KReach was evaluated against many problems and solvers from the literature on coverability. QCover [4] implements coverability based on relaxation to continuous coverability; ICover [11] refines this further with inductive invariants. Table 1 includes some specific instances which are representative of the broader trends in experimental results. On many safe cases, such as Kanban and Bingham, KReach is able to determine safety faster than state of the art coverability solvers by finding zero valid refinements (terminating the search immediately). On some safe nets such as Manufacturing, KReach cannot immediately rule out coverability in this way, and the refinement tree must be explored. The Bug_Tracking examples induced intractably large ILP problems. Unsafe cases such as PNCSACover induced large refinement trees, which were unable to be explored fully within the time limit. Outcome MIST (s) Qcover (s) Icover (s) KReach (s) Kanban safe 404 TLE TLE 1 Bingham_h150 safe TLE TLE TLE 533 Manufacturing safe 1 0 0 4 Bug_Tracking_x0 safe MLE 13 33 TLE PNCSACover unsafe 3 27 59 TLE The experimental results suggest that KReach may be a fruitful source of static invariants for ruling out coverability on some classes of Petri nets. One line of further work may be to attempt to formally classify those nets for which Kosaraju's algorithm is effective in practice. Further work may also include optimisations based on the novel theoretical developments in the Ackermannian upper bound proof [21] , and building parsers to enable experiments on instances of problems that are known to reduce to reachability in Petri nets (e.g., in logic [15, 8] , concurrent systems [9] or process calculi [25] ). The data analyzed here are available in the Figshare data repository: https://doi.org/10.6084/m9.figshare.11887956 Mist -a safety checker for Petri nets (and monotonic extensions Persistence results for chemical reaction networks with time-dependent kinetics and no global conservation laws Approaching the coverability problem continuously Analysis of recursively parallel programs WCET analysis of Superscalar Processors using Simulation with coloured Petri nets. Real-Time Systems The reachability problem for Petri nets is not elementary Reasoning about data repetitions with counter systems Verification of population protocols Minimal coverability tree construction made complete and efficient Occam's razor applied to the petri net coverability problem Remarks on blind and partially blind one-way multicounter machines The recursive equivalence of the reachability problem and the liveness problem for petri nets and vector addition systems On the reachability problem for 5-dimensional vector addition systems Petri nets, Horn programs, linear logic and vector games Parallel program schemata Decidability of reachability in vector addition systems (preliminary version) A structure to decide reachability in Petri nets VASS reachability in three steps The general vector addition system reachability problem by Presburger inductive invariants Reachability in vector addition systems is primitive-recursive in fixed dimension VERIFAS: A practical verifier for artifact systems The reachability problem requires exponential space An algorithm for the general petri net reachability problem A theory of structural stationarity in the pi-calculus The covering and boundedness problems for vector addition systems The mathematics of Petri nets Aspects Mathématiques des Réseaux de Petri