
Unfolding based model checking
Javier Esparza, Faculty of Computer Science, Technical University of Munich, esparza@in.tum.de
Joint work with: Keijo Heljanko, Aalto University, School of Science, Keijo.Heljanko@tkk.fi
December 4, 2012
Tutorial


  1. The Unfolding
  [Figure: a product of two components (local states s1..s4 with transitions t1..t5, and r1..r3 with u1..u3), the corresponding net, and a prefix of its unfolding with events numbered 1-19 and labelled ⟨t1,ε⟩, ⟨t2,ε⟩, ⟨ε,u1⟩, ⟨t3,u2⟩, ⟨t4,u2⟩, ⟨t5,ε⟩, ⟨ε,u3⟩]
  ◮ Transitions of the unfolding are called events. They are labelled with transitions of the net.

  2. The Unfolding
  [Figure: the same product and unfolding prefix]
  ◮ Reachable markings of the unfolding are labelled with global states of the product.

  3. The Unfolding
  [Figure: the same product and unfolding prefix]
  ◮ Product, net and unfolding are behaviourally equivalent for all the usual equivalence notions.

  4. The Unfolding
  [Figure: the same unfolding prefix]
  No cycles. No place with two or more input arcs. No disjoint paths from the same place to the same transition.

  8. Unfoldings are synchronisations of trees
  [Figure: the same unfolding prefix]
  No cycles. No place with two or more input arcs. No disjoint paths from the same place to the same transition.

  9. Causality, conflict, and concurrency
  Let x and y be two nodes of an unfolding.
  ◮ x is a causal predecessor of y, denoted by x < y, if there is a (non-empty) path from x to y.
  ◮ x and y are in conflict, denoted by x # y, if there are proper paths from some place z to x and y that exit z by different arcs.
  ◮ x and y are concurrent, denoted by x co y, if neither x ≤ y nor x > y nor x # y.
  Proposition: A set of places of an unfolding can be simultaneously marked if and only if its elements are pairwise concurrent.

  10. Causality, conflict, and concurrency
  [Figure: the unfolding prefix with events numbered 1-19; examples marked on it: 1 ≤ 12, 10 # 15, 11 co 7]

  11. Configurations
  A set C of events is a configuration if
  ◮ it is causally closed (if e ∈ C and e′ < e then e′ ∈ C), and
  ◮ conflict-free (no two events of C are in conflict).
  Proposition: A set of events of an unfolding can be fired if and only if it is a configuration.
  The set of causal predecessors of an event is its past. The past of an event is a configuration, also called the local configuration of the event.

  12. Configurations
  [Figure: the unfolding prefix with events numbered 1-19]
  Examples: {1, 4, 6, 7}, {2, 3, 5}
  Counterexamples: {4}, {1, 2, 3, 4}, {1, 4, 6}

  13. Checking properties

  14. Model checking
  The model checking problem: Does some run of the system satisfy a given property ψ?
  Some important instances:
  (1) Executability: Does some run contain a given transition?
  (2) Repeated executability: Does some run contain a given transition infinitely often?
  (3) Livelock: Does some run contain an infinite tail of “silent” transitions?
  Fact: The model-checking problem for next-free LTL formulas can be reduced to (2) and (3), for safety properties to (1).

  15. Program for the rest of the tutorial
  Unfolding-based algorithms for
  ◮ Executability (long)
    ◮ Search procedures
    ◮ Adequate strategies
  ◮ Repeated executability (1 slide)
  ◮ Model checking (2 slides)
  More on checking safety properties:
  ◮ Designing unfolders
  ◮ Compressing the state space: canonical prefixes
  ◮ Deciding properties with canonical prefixes

  16. Executability

  17. Executability in transition systems
  [Figure, built up over slides 17-23: the computation tree of a transition system with states s1..s4, unrolled step by step until the goal transition g is reached]

  24. Search procedures
  The executability problem for transition systems can be solved by depth-first search (DFS), breadth-first search (BFS), or some other search procedure. Conducting a DFS or BFS amounts to exploring a prefix of the computation tree.
  The executability problem for products can also be solved by search procedures that explore a prefix of the Unfolding.
  We need a formalization of search procedures.

  25. Search procedures
  A search procedure consists of:
  (1) a search scheme
  ◮ Termination condition: determines which leaves of the current prefix are terminals, i.e., nodes whose successors need not be explored. (Terminals are also called cut-offs.)
  ◮ Success condition: determines which terminals are successful, i.e., terminals proving that ψ holds.
  (2) a search strategy
  ◮ determines which possible extension of the current prefix is added to it (nondeterministic search strategies allowed!).

  26. Search procedure for executability in transition systems
  Search procedure to decide if some run executes a goal transition g.
  ———————————————————————————-
  Search scheme: An event is a terminal if
  (1) it is labelled by g, or
  (2) it leads to the same state as some other event already explored.
  A terminal is successful if it is of type (1).
  Search strategy: Any.
  ———————————————————————————-
  Easy to show: All these search procedures (different strategies, same scheme) are correct (they terminate with the right outcome, but may explore different sets of nodes).

  27. Example (again)
  [Figure, built up over slides 27-33: the computation tree of the transition system of slide 17, explored until the goal transition g is found]

  34. Second example with g = {t5}
  [Figure: a transition system with states s1, s2, s3, s4 and transitions t1, ..., t5]

  35. Second example: Two prefixes
  [Figure: two prefixes (a) and (b) of the computation tree of the second example, obtained with different strategies, events numbered 1-5]

  36. Search procedure for executability in transition systems (slide 26 repeated)

  37. Generalization to products: search scheme
  We want something like this:
  ———————————————————————————-
  Search scheme: An event is a terminal if
  (1) it is labelled by g (and then it is successful), or
  (2) it leads to the same global state (marking) as some other event already explored.
  A terminal is successful if it is of type (1).
  ———————————————————————————-
  But what does it mean “it leads to the same marking as some other event already explored”? An event does not always lead to only one marking!

  38. [Figure: the unfolding prefix of the two-component product, events labelled ⟨t1,ε⟩, ⟨t2,ε⟩, ⟨ε,u1⟩, ⟨t3,u2⟩, ⟨t4,u2⟩]
  Solution: attach to an event the global state reached by “executing its past”. (McMillan ’92, ’95)
  This is the global state reached by firing the local configuration of the event.

  40. [Figure, built up over slides 40-50: the same unfolding prefix with each event annotated with the global state reached by firing its local configuration: ⟨s2,r1⟩ for ⟨t1,ε⟩, ⟨s3,r1⟩ for ⟨t2,ε⟩, ⟨s1,r2⟩ for ⟨ε,u1⟩, ⟨s4,r3⟩ for ⟨t3,u2⟩ and for ⟨t4,u2⟩]

  51. Generalization to products: search strategies
  A search strategy determines which possible extension is added to the current prefix. Mathematical definition?
  Transition systems: an event is characterized by its past, the unique transition sequence leading to it.
  ———————————————————————————-
  Search strategy: (partial) order ≺ on transition sequences that refines the prefix order.
  ———————————————————————————-
  Products: an event is also characterized by its past, but the past may consist of many transition sequences! Solution: these sequences form a Mazurkiewicz trace.
  ———————————————————————————-
  Search strategy: (partial) order ≺ on Mazurkiewicz traces that refines the prefix order on traces.
  ———————————————————————————-

  53. [Figure: two prefixes of the computation tree of the second example (slide 34), one for each of the strategies below]
  Two search strategies for w, w′ ∈ T*:
  ◮ w ≺ w′ if |w| < |w′|
  ◮ w ≺ w′ if w is lexicographically smaller than w′
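As an added example (not the tutorial's code), the search procedure of slide 26 run under the two strategies of slide 53. An event of the computation tree is identified by its past, the transition sequence leading to it; the scheme marks an event as a terminal when it is labelled by the goal (successful) or leads to a state some explored event already reached. The transition system is constructed after the second example; its exact shape (t1: s1→s2, t2: s1→s3, t3: s2→s4, t4: s3→s4, t5: s4→s1) is an assumption, since the figure is not in the text.

```python
# Added example, not the tutorial's code: the search scheme of slide 26 with
# pluggable strategies, on a transition system constructed after slide 34.


def by_length(w):
    """Strategy 1: w ≺ w' if |w| < |w'| (ties broken lexicographically)."""
    return (len(w), w)


def by_lex(w):
    """Strategy 2: w ≺ w' if w is lexicographically smaller than w'."""
    return w


def state_after(ts, initial, w):
    """State reached from `initial` by the transition sequence w."""
    s = initial
    for t in w:
        src, dst = ts[t]
        if src != s:
            raise ValueError(f"{t} is not enabled in {s}")
        s = dst
    return s


def search(ts, initial, goal, strategy):
    """Explore a prefix of the computation tree of `ts`.

    Scheme: an event is a terminal if (1) it is labelled by `goal` (successful)
    or (2) it leads to a state already reached by an explored event (the root,
    i.e. the initial state, counts as reached).  Strategy: among the possible
    extensions, pick the least one under `strategy`.
    Returns (found, explored) with the explored events in exploration order."""
    explored = []
    reached = {initial}
    candidates = [(t,) for t, (src, _) in ts.items() if src == initial]
    while candidates:
        candidates.sort(key=strategy)
        w = candidates.pop(0)
        explored.append(w)
        if w[-1] == goal:
            return True, explored            # terminal of type (1): successful
        s = state_after(ts, initial, w)
        if s in reached:
            continue                         # terminal of type (2): cut-off, no successors
        reached.add(s)
        candidates += [w + (t,) for t, (src, _) in ts.items() if src == s]
    return False, explored


# Transition system constructed after the slides' second example (assumed shape).
TS = {"t1": ("s1", "s2"), "t2": ("s1", "s3"), "t3": ("s2", "s4"),
      "t4": ("s3", "s4"), "t5": ("s4", "s1")}

if __name__ == "__main__":
    for name, strategy in (("length", by_length), ("lexicographic", by_lex)):
        found, explored = search(TS, "s1", "t5", strategy)
        print(name, found, [" ".join(w) for w in explored])
```

Both strategies use the same scheme and both find t5, but the length strategy explores five events (the two branches side by side, with t2 t4 cut off because s4 was already reached) while the lexicographic strategy goes straight down t1 t3 t5 and explores three. Treating the initial state as already reached is a choice of this example; without it the event returning to s1 would be expanded once more before its successors are cut off, which is also correct.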

  56. [Figure: the unfolding prefix of the two-component product]
  The past of the event labelled ⟨t3,u2⟩ consists of the transition sequences:
  ◮ w1 = ⟨t1,ε⟩ ⟨ε,u1⟩ ⟨t3,u2⟩
  ◮ w2 = ⟨ε,u1⟩ ⟨t1,ε⟩ ⟨t3,u2⟩

  59. Mazurkiewicz traces
  ◮ Two global transitions of a product are independent if no component participates in both of them.
  ◮ Example: ⟨t1,ε⟩ and ⟨ε,u1⟩ are independent, ⟨t1,ε⟩ and ⟨t3,u2⟩ are not.
  ◮ Two sequences of global transitions are equivalent if the one can be obtained from the other by repeatedly swapping adjacent independent transitions.
  ◮ Example: ⟨t1,ε⟩ ⟨ε,u1⟩ ⟨t3,u2⟩ ∼ ⟨ε,u1⟩ ⟨t1,ε⟩ ⟨t3,u2⟩
  ◮ Mazurkiewicz trace: equivalence class of sequences.
  ◮ Example: [⟨t1,ε⟩ ⟨ε,u1⟩ ⟨t3,u2⟩] = { ⟨t1,ε⟩ ⟨ε,u1⟩ ⟨t3,u2⟩, ⟨ε,u1⟩ ⟨t1,ε⟩ ⟨t3,u2⟩ }

  60. Search procedure for executability of ⟨t5,ε⟩
  [Figure: the unfolding prefix explored by the procedure, events numbered 1-12 in the order they are added]
  Search strategy: [w] ≺ [w′] ⇔ |w| < |w′| (well defined because equivalent sequences have the same length)

  61. Are these search procedures correct? Not for every strategy!!

  62. [Figure: a product of four components with local states s1..s6, t1..t6, u1..u6, v1..v6 and local transitions a1..a4, b1..b4, c1, c2, d3, d4, e1, e2, f3, f4, g1, g3, h2, h4, i1..i4]
  T = { a = ⟨a1,a2,a3,a4⟩, b = ⟨b1,b2,b3,b4⟩, c = ⟨c1,c2,ε,ε⟩, d = ⟨ε,ε,d3,d4⟩, e = ⟨e1,e2,ε,ε⟩, f = ⟨ε,ε,f3,f4⟩, g = ⟨g1,ε,g3,ε⟩, h = ⟨ε,h2,ε,h4⟩, i = ⟨i1,i2,i3,i4⟩ }
  G = { i }

  63. [Figure, slides 63-64: a prefix of the unfolding of the four-component product of slide 62, events numbered 1-12 and labelled a, b, c, d, e, f, g, h, i: the counterexample announced on slide 61]

  65. Which are the correct strategies?
  Sufficient condition: adequate strategies
  Mazurkiewicz traces can be concatenated in the obvious way: [w] [w′] =def [w w′]
  A strategy ≺ on Mazurkiewicz traces is adequate if it is
  (1) well-founded (no infinite descending chain [w0] ≻ [w1] ≻ [w2] ≻ ···)
  (2) preserved by extensions ([w′] ≺ [w] implies [w′] [w″] ≺ [w] [w″] for every [w″]).
  (Lemma [Chatain and Khomenko]: (1) → (2).)
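As an added example (not the tutorial's code) covering slides 59, 60 and 65: independence of global transitions, the swap-equivalence that defines a Mazurkiewicz trace, trace concatenation, and the length strategy on traces. Global transitions are written as tuples with one local transition per component and EPS where the component idles, following the ⟨t1,ε⟩ notation; the equivalence class [w] is enumerated by closing w under swaps of adjacent independent transitions, which is an implementation choice of this example.

```python
# Added example, not the tutorial's code: Mazurkiewicz traces over the global
# transitions of a product, written as tuples with EPS for a component that idles.
EPS = None


def independent(g1, g2):
    """Slide 59: independent if no component participates in both transitions."""
    return all(a is EPS or b is EPS for a, b in zip(g1, g2))


def trace(w):
    """[w]: every sequence reachable from w by swapping adjacent independent
    transitions (the equivalence class, as a frozenset of tuples)."""
    w = tuple(w)
    seen, todo = {w}, [w]
    while todo:
        v = todo.pop()
        for i in range(len(v) - 1):
            if independent(v[i], v[i + 1]):
                u = v[:i] + (v[i + 1], v[i]) + v[i + 2:]
                if u not in seen:
                    seen.add(u)
                    todo.append(u)
    return frozenset(seen)


def equivalent(w1, w2):
    """w1 ~ w2 iff they belong to the same trace."""
    return tuple(w2) in trace(w1)


def concat(t1, t2):
    """[w] [w'] = [w w'] (slide 65); the result does not depend on the representatives."""
    w1, w2 = next(iter(t1)), next(iter(t2))
    return trace(w1 + w2)


def size_before(t1, t2):
    """[w] ≺ [w'] iff |w| < |w'| (slide 60): well defined because every member
    of a trace has the same length, which is checked here explicitly."""
    lengths1, lengths2 = {len(v) for v in t1}, {len(v) for v in t2}
    assert len(lengths1) == 1 and len(lengths2) == 1
    return lengths1.pop() < lengths2.pop()


# Global transitions of the two-component product on the slides.
T1, T2, U1, T3U2, T4U2, T5, U3 = (("t1", EPS), ("t2", EPS), (EPS, "u1"), ("t3", "u2"),
                                  ("t4", "u2"), ("t5", EPS), (EPS, "u3"))

if __name__ == "__main__":
    print(sorted(trace([T1, U1, T3U2])))       # the two sequences of slide 59
    print(size_before(trace([T1]), trace([T1, U1])))
```

With `size_before` as ≺, the two conditions of slide 65 can be checked on concrete traces: appending the same trace to both sides of a strict length comparison keeps the comparison strict (preserved by extensions), and lengths are natural numbers, so there is no infinite descending chain (well-founded).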

  67. Theorem: The search procedure is correct for every adequate strategy.
  Proof idea:
  To prove: if g can be executed, then the search procedure explores some trace [u g].
  If g can be executed, then the Unfolding has some trace [w g]. If [w g] is explored, we are done.
  Otherwise, w contains a terminal event. Let [w1] be its past. There exists another trace [w′1] ≺ [w1] such that:
  ◮ [w g] = [w1 w2 g],
  ◮ [w′1] leads to the same global state as [w1].
  Since ≺ is preserved by extensions, [w′1 w2 g] ≺ [w1 w2 g].
  Iterating the procedure, and by well-foundedness of ≺, we eventually reach some trace [u g] that is explored.

  71. Search procedure for executability in products
  Search procedure to decide if some run executes a goal transition g.
  ———————————————————————-
  Search strategy: Any adequate strategy ≺.
  Search scheme: An event e is a terminal if
  (1) it is labelled by g, or
  (2) some event e′ ≺ e satisfies St(e′) = St(e).
  A terminal is successful if it is of type (1).
  ————————————————————————
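As an added example (not the tutorial's code) tying slide 71 to slides 9, 11 and 38: a small McMillan-style unfolder for a product of transition systems. It uses the size of the local configuration as the adequate strategy (the length order of slide 60), computes St(e) as the global state reached by firing the local configuration of e, and applies the scheme above: an event is a terminal if it is labelled by the goal (successful) or some explored event with a strictly smaller local configuration reaches the same global state. Causality, conflict and concurrency are computed on conditions as defined on slide 9. The two-component product is constructed after the slides' figure (its exact transitions are an assumption); a constructed transition t6 leaving an unreachable state s5 is added so that one goal is never executable and the search has to terminate through cut-offs.

```python
# Added example, not the tutorial's code: unfolding-based executability check.
from itertools import product as cartesian

EPS = None  # the component does not take part in a global transition


class Unfolder:
    def __init__(self, components, initial, global_transitions):
        self.comps = components        # per component: local transition -> (src, dst)
        self.gts = global_transitions  # tuples with one local transition or EPS per component
        self.conds = []                # condition: (component, local state, producer event)
        self.consumers = []            # per condition: the events consuming it
        self.events = []               # event: (label, inputs, local configuration, St(e))
        for i, s in enumerate(initial):
            self.new_cond(i, s, None)

    def new_cond(self, comp, state, producer):
        self.conds.append((comp, state, producer))
        self.consumers.append(set())

    def past(self, c):
        """Local configuration of the event producing condition c (empty if initial)."""
        producer = self.conds[c][2]
        return frozenset() if producer is None else self.events[producer][2]

    def joint_past(self, conds):
        return frozenset().union(*(self.past(c) for c in conds))

    def causal(self, c1, c2):
        """c1 < c2: some event consuming c1 lies in the past of c2."""
        return any(e in self.past(c2) for e in self.consumers[c1])

    def conflict(self, c1, c2):
        """c1 # c2: two distinct events in the joint past consume the same condition."""
        consumed = [c for e in self.past(c1) | self.past(c2) for c in self.events[e][1]]
        return len(consumed) != len(set(consumed))

    def concurrent(self, c1, c2):
        """c1 co c2: neither causally ordered nor in conflict (slide 9)."""
        return (c1 != c2 and not self.causal(c1, c2) and not self.causal(c2, c1)
                and not self.conflict(c1, c2))

    def possible_extensions(self):
        """Events not yet in the prefix: a global transition with pairwise concurrent
        input conditions carrying its source states; the value is |[e]|."""
        known = {(label, inputs) for label, inputs, _, _ in self.events}
        pe = {}
        for gt in self.gts:
            choices = [[c for c, (comp, st, _) in enumerate(self.conds)
                        if comp == i and st == self.comps[i][lt][0]]
                       for i, lt in enumerate(gt) if lt is not EPS]
            for inputs in cartesian(*choices):
                if (gt, inputs) not in known and all(
                        self.concurrent(a, b) for a in inputs for b in inputs if a < b):
                    pe[(gt, inputs)] = len(self.joint_past(inputs)) + 1
        return pe

    def marking(self, config):
        """Global state reached by firing a configuration (its cut), one state per component."""
        consumed = {c for e in config for c in self.events[e][1]}
        state = [None] * len(self.comps)
        for c, (comp, st, producer) in enumerate(self.conds):
            if c not in consumed and (producer is None or producer in config):
                state[comp] = st
        return tuple(state)

    def run(self, goal):
        """Search procedure of slide 71: True iff some run executes goal."""
        pe = self.possible_extensions()
        while pe:
            (label, inputs), size = min(pe.items(), key=lambda kv: kv[1])  # smallest |[e]| first
            config = self.joint_past(inputs)                # [e] without e itself
            state = list(self.marking(config))
            for i, lt in enumerate(label):
                if lt is not EPS:
                    state[i] = self.comps[i][lt][1]         # St(e): fire e on that cut
            e = len(self.events)
            self.events.append((label, inputs, config | {e}, tuple(state)))
            for c in inputs:
                self.consumers[c].add(e)
            if label == goal:
                return True                                  # successful terminal
            cutoff = any(len(cfg) < size and st == tuple(state)
                         for _, _, cfg, st in self.events[:e])
            if not cutoff:                                   # terminals get no successors
                for i, lt in enumerate(label):
                    if lt is not EPS:
                        self.new_cond(i, self.comps[i][lt][1], e)
            pe = self.possible_extensions()
        return False


# Product constructed after the slides' figure (assumed), plus a constructed t6 leaving
# an unreachable state s5, so that <t6, eps> can never be executed.
COMP1 = {"t1": ("s1", "s2"), "t2": ("s1", "s3"), "t3": ("s2", "s4"),
         "t4": ("s3", "s4"), "t5": ("s4", "s1"), "t6": ("s5", "s1")}
COMP2 = {"u1": ("r1", "r2"), "u2": ("r2", "r3"), "u3": ("r3", "r1")}
GLOBAL = [("t1", EPS), ("t2", EPS), (EPS, "u1"), ("t3", "u2"),
          ("t4", "u2"), ("t5", EPS), (EPS, "u3"), ("t6", EPS)]


def executable(goal):
    """Answer for one goal together with the number of events of the explored prefix."""
    u = Unfolder([COMP1, COMP2], ("s1", "r1"), GLOBAL)
    return u.run(goal), len(u.events)
```

`executable(("t5", EPS))` succeeds after six events, the same ⟨t1,ε⟩, ⟨t2,ε⟩, ⟨ε,u1⟩, ⟨t3,u2⟩, ⟨t4,u2⟩, ⟨t5,ε⟩ that open the prefix on slide 60. `executable(("t6", EPS))` explores a finite prefix and answers False: the second occurrences of ⟨t3,u2⟩ and ⟨t4,u2⟩ reach ⟨s4,r3⟩ with a local configuration of size 8, the first occurrence reached it with size 3, so they are cut off and the possible extensions run out. Because the size order is only partial, events of equal size with the same marking are not cut-offs, which is why the prefix keeps both ⟨t3,u2⟩ and ⟨t4,u2⟩ and their successors.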
