G-Nets: A petri net based approach for logical and timing analysis of complex software systems
42
Transcript of G-Nets: A petri net based approach for logical and timing analysis of complex software systems
G-Nets: A Petri Net Based Approach for Logicaland Timing Analysis of Complex Software SystemsAngelo Perkusichy and Jorge C.A. de FigueiredozyDepartment of Electrical EngineeringzDepartment of Computer ScienceUniversidade Federal da Para��baCaixa Postal 1010558109-970 - Campina Grande - PB - BrazilFone: +55 83 333 1000 R-412, Fax: +55 83 333 1650e-mail: [email protected] specifying, designing and analyzing complex systems, it is necessary to adopta modular or compositional methodology. This methodology shall allow the designerthe ability to verify local logical and timing properties of individual modules or com-ponents in the system, and also shall allow the veri�cation of the correct behavior ofinteracting components. The application of Petri nets for the modeling and veri�cationof systems, at speci�cation and design levels are well know. Despite of powerful struc-turing mechanisms available in the Petri nets theory for the construction of the modelof complex systems, the designer is still likely to face the problem of state explosion,when analyzing and verifying large systems. In this work we introduce a modular logi-cal and timing analysis methodology for a kind of high level Petri nets named G-Nets,that can be applied for complex software systems.1
1 IntroductionThe application of a distributed approach has been increasingly adopted in the design ofcomplex, large software systems. A distributed software is composed of communicatingprocesses, or components, that solve cooperatively a common problem [27]. The design ofa distributed software system, as in the case of many others, presents many di�culties.Modeling formalisms for the speci�cation and design of distributed software system mustsupport the coordination and communication of activities at di�erent levels of abstraction.One of the most important aspect that must be considered when specifying and designinga complex distributed software system is its inherent concurrency. Besides this, one mustconsider structural properties of the system, as well as the behaviors of the componentsand the communication messages exchanged among these components. Moreover, formaltechniques must be employed, because formal techniques allow the speci�er to write unam-biguous, clear, and concise speci�cations, providing a foundation for analyzing speci�cationsfor correctness, so that errors can be detected early in the design process.The problem to manage large systems is mainly a question of modularity. Therefore, itwould be desirable to compose larger nets from smaller nets such that the semantics of thelarger net could be deduced from the semantics of the smaller nets. Intuitively, this can becharacterized by the ability to hide internal details of the nets and take into account onlythe necessary ones.This work explores the possibility of using the natural decomposition of distributed sys-tems to introduce a modular logical and timing analysis methodology for a class of high-levelobject oriented Petri nets named G-Nets. A system modelled by a set of G-Nets is nameda G-Net system. To accomplish this task, we �rst formalize the concept of G-Nets andG-Net systems, as well as their decomposition. We introduce structural and behavioral re-strictions in the communication among G-Nets in a G-Net system. These restrictions allowus to employ the so called assume/guarantee paradigm [16] to develop a modular analysismethodology for G-Net systems. These modular analysis methodology allows the designerto reason about components, processes or software modules, and their interactions with anenvironment. When designing a component, assumptions are made about the behavior of2
the environment so that the local behavior of a component can be speci�ed and veri�ed.When designing the components that compose the environment of another component, thedesigner must guarantee that these components behave as assumed. Indeed, the designerguarantees the commitment of the environment with respect to the assumed environmentalbehavior.Considering real time systems, besides the logical analysis, the analysis of timing aspectsmust be taken into account. A variety of modi�cations have been proposed in order to extendPetri nets [2, 12, 17, 26, 30, 32] and/or stochastic [1, 14, 18]. One of the major problem withthis approaches when analysing complex systems is the lack of modular techniques.In order to perform timing analysis of complex real-time software systems, we introducedan extension for the Petri Net model in order to characterize timing constraints. In thisextension, the positive aspects of the deterministic and stochastic approaches are combinedin a complementary fashion, i.e., the proposed extended Petri net is amenable to modelreal-time systems and to make performance analysis of systems. The proposed extension,called Fuzzy Time Petri Net (FTPN), uses a fuzzy approach based in the fuzzy set theoryintroduced by Zadeh [31]. In this fuzzy approach, the tokens carry a fuzzy time functionthat characterizes the possibility of there being a token in a place in a given instant oftime. Also, fuzzy time intervals are associated with the transitions to provide ability torepresent timing restrictions. The fuzzy time intervals associated with the transitions allowsthe representation of the three general categories of timing constraints that are considering inreal-time systems: maximumtiming constraints, minimumtiming constraints and durationaltiming constraints. This extension is good to evaluate performance of systems modeled by aPetri net. For example, for a given system it is possible to compute the minimum,maximumand most probable response time needed to reach a given state from an initial state. Also,aggregate performance indices may be computed.On the other hand, we integrate the proposed FTPN together with G-Nets, in order tode�ne a modular approach to perform timing analysis of systems. The integration is calledFuzzy Time G-Nets. Then, using the concept of Fuzzy Time G-Nets, we can divide a complexsystem in subsystems which are studied in isolation and the results later combined in order3
to compute the global solution for the entire system [8].The rest of this paper is structured as follows. Section 2 presents the background on G-Nets and G-Net systems. Section 3 introduces the decomposition and structural propertiisfor G-Net systems. In Section 4 we detail the modular analysis methodology for logicalproperties of G-Nets. In Section 5 we introduce the basics of Fuzzy Time Petri Nets. InSection 6 we brie y intruduce a veri�cation environment for G-Net systems. And �nally, inSection 7 we present some discussion and the conclusion of this paper.2 G-Nets and G-Net SystemsIn [9] the concept of G-Nets and G-Net systems were introduced. G-Nets are a Petri netbased framework for the modular design and speci�cation of distributed information sys-tems. The framework is an integration of Petri net theory with the object oriented softwareengineering approach for system design. The motivation of this integration is to bridge thegap between the formal treatment of Petri nets and a modular, object-oriented approach forthe speci�cation and prototyping of complex software systems. The G-Net notation incorpo-rates the notions of module and system structure into Petri nets; and promotes abstraction,encapsulation and loose coupling among the modules.A speci�cation or design based on G-Nets consists of a set of independent and loosely-coupled modules (G-Nets) organized in terms of various system structures. A G-Net isencapsulated in such a way that a module can only access another module through a wellde�ned mechanism called G-Net abstraction, avoiding interference in the internal structureof another module.A G-Net G, is composed of two parts: a special place called Generic Switch Place (GSP)and an Internal Structure (IS). The GSP provides the abstraction of the module, and servesas an interface between the G-Net and other modules. The internal structure is a modi�edPetri net, and represents the detailed internal realization of the modeled application. Thenotation for G-Nets is very close to the Petri net notation [19]. Among other features thisnotation allows the user to indicate communication among G-Nets and termination. The4
GSP(net_name)
GOAL PLACE NAME
PLACE NAME
transition name
inscriptions
<method_name><description>={[<p1:description,...,pn:desc>](<sp>)}<attribute_name>={<type>}
isp(G’.mi)
OTHER ELEMENTS
OF THE INTERNAL
STRUCTURE
internal structure boundary
<arc expression>
Figure 1: Notations used to represent a G-Netnotation for G-Nets is shown in Figure 1, and is explained as follows:1. The IS of the net is enclosed by a rounded corner rectangle, de�ning the internalstructure boundary.2. The GSP is indicated by the ellipse in the left upper corner of the rectangle de�ningthe IS boundary. The inscription GSP (net name) de�nes the name of the net to bereferred by other G-Nets.3. The rounded corner rectangle in the upper right corner of the IS boundary is used toidentify the methods and attributes for the net, where:� hattribute namei = fhtypeig de�nes the attribute for the net where:hattribute namei is the name of the attributes, andhtypei is a type for the attribute.� hmethod namei is the name for a method, hdescriptioni is a description for themethod. hp1 : description ; � � � ; pn : descriptioni is a list of arguments for themethod. Finally, hspi is the name of the initial place for the method.4. A circle represents a normal place. 5
5. An ellipse in the internal structure represents an instantiated switching place (isp).The isp is used to provide inter-G-Net communication. The inscription isp(G0:mi)indicates the invocation of the net G0 with method mi.6. A rectangle represents a transition, that may have an inscription associated with it.This inscriptions may be either an attribution or a �ring restriction. We will use thestandard Language C notation for both attributions and �ring restrictions.7. A double circle represents the termination place or goal place.8. Places and transitions are connected through arcs that may carry an expression.The GSP of a G-Net G, denoted by GSP (net name) in the ellipse of Figure 1, uniquelyidenti�es the module. The rounded-corner rectangle in the GSP side contains a descriptionof one or more methods, which specify the functions, operations or services de�ned by the net,and a set of attributes specifying the passive properties of the module (if any). The detailedstructures and information ows of each method are de�ned by a modi�ed high-level net inthe internal structure. More speci�cally, a method de�nes the input parameters, the initialmarking of the corresponding internal high-level net (the initial state of the execution). Thecollection of the methods and the attributes (if any) provides the abstraction or the externalview of the module.In the internal structure, places represent primitives, and transitions, together with arcs,represent connections or relations among the primitives. These primitives may be actions,predicates, data entities, and instantiated switch places (isp's). A set of special places calledGoal Places represents the �nal state of the execution, and the results (if any) to be returned.A transition, together with arcs, de�nes the synchronization and coordinates the informationtransfer between its input and output places. A formal introduction to G-Nets can be foundin [9].Given a G-Net G, an isp of G is denoted by isp(Gname:mtd) (or simply isp(G) if noambiguity occurs), where Gname is the unique identi�cation of G, and mtd is a de�nedmethod for G. An isp(Gname:mtd) denotes an instantiation of the G-Net G, i.e., an instanceof invocation of G based on the method mtd. Therefore, executing the isp primitive implies6
invoking G (by sending a token to G) based on the speci�ed method. This token containsthe parameters needed to de�ne the tokens for the initial marking of the invoked net. Thisinteraction betweenG-Nets can be compared to the mechanismof remote procedure call. Theisp notation serves as the primary mechanism for specifying the connections or relationshipsbetween di�erent G-Nets (modules). Embedding an isp of a lower level G-Net into theinternal structure of a higher level G-Net speci�es a hierarchical con�guration.2.1 An Example Based on the Producer/Consumer ProblemThe producer/consumer problem is a well known problem. It consists of the synchronizationbetween one or more producers and one or more consumers. In the example that will beshown we assume, initially, that one producer is capable of producing n items, and that aconsumer is able to consume one item at a time.In Figure 2 the G-Net model G(P ) for the producer is shown. For this net one method isde�ned and namedmp. The function of the methodmp is to produce n items to be consumed.When G(P ) is invoked through GSP(P) one token together with a �eld n, expressing thenumber of items to be produced, is deposited in place PR. The action associated with thisplace simply decrements the �eld n. If n < 0, transition pr �res and the invocation of G(P )returns when the goal place GP is reached. Otherwise, that is n � 0, transition rs �res, thetoken reaches isp(C.ms), and the net C is invoked using method ms. This invocation is toinquire net G(C) to ascertain whether it is ready consume an item or not. If G(C) is notready, transition nr �res, and the net G(C) is inquired again. Otherwise, the consumer isready and transition cr �res. After the �ring of cr a token is deposited in isp(C.mc) and netC is invoked with the method mc together with the item to be consumed. When the tokenis returned from net C transition co �res and a token is put in place PR again.The G-Net for the consumer G(C), is presented in Figure 3. Two methods are de�nedfor G(C): method status (ms), and method consume (mc). When G(C) is invoked throughGSP(C), if the method is ms a token is put on place IN. Depending on the state of G(C),which could be either consuming or ready to consume, transitions na or sa will �re. Thechoice between na and sa is based on the states represented by place RC (ready to consume)7
GSP(P)
PR: producer ready
GP: goal place
rs: request status consumer
nr: consumer not ready
cr: send to consumer
co: consumed
pr: producer resumes
mp:produce={[n:integer �number of items](PR}}
PR
GP
nr
pr co rs
cr
n=n-1
nn
n
n
nn
n
isp(C.ms)isp(C.mc) r==nak
r==ack
n >=0n<0
n,r n,rFigure 2: G(P ) G-Net modeling the producerand place CO (consuming). If RC is marked, transition sa �res and a token reaches the goalplace GPS with an acknowledge associated with the returning token r (r = ack). Otherwise,a �eld not acknowledge is associated with the token (r = nak). After �ring of sa, a tokenis put in place WP, and the consumer is ready to consume. When G(C) is invoked with amethod consume, mc, a token is put in place TC. Since WP was previously marked aftera successful execution of method ms, transition sc �res and place CO is marked. At thispoint G(C) indicates to the consumer that the requested action may be either �nished orin processing. This is because when transition sc �res a token is deposited in place CO andother in the goal place GPC. It must be noted that transition ac can or can not �re beforethe producer receives the returning token from GPC. After �ring ac, a token is removedfrom CO and another one from RC', and one token is deposited in RC. And G(C) is readyto consume another item.2.2 Formal De�nition of G-Nets and G-Net SystemsFormally a G-Net system is de�ned as follows:De�nition 2.1 G-Net systemA G-Net system (GNS) is a triple GNS = (TS;GS;AS), where8
GSP(C)
RC’IN RC WP TC ready to consume
IN : inquire net C
RC:
trigger consumerTC:
WP: waiting producer
GPS: end status
GPC: item accepted
CO: consuming
<ret>
COGPS
GPC
na sa sc acack=F ack=T
<ack>
ms:status={[nil](IN)}mc:consume={[item:data](SC)}
<ack>
ac: already consumed
sc: start consuming
na: not available
sa: send acknowledgeFigure 3: G(C) G-Net modeling the consumer1. TS is a collection of tokens dynamically generated during of the execution of thesystem;2. GS is a set of G-Nets; and3. AS is a set of decentralized, concurrent computational agents executing the G-Netsystem.De�nition 2.2 G-NetA G-Net is a tuple G = (GSP; IS), where1. GSP is a Generic Switch Place (GSP ) providing an abstraction for the G-Net; and2. IS is the Internal Structure, which is a modi�ed Predicate/Transition Net.De�nition 2.3 Generic Switching PlaceLet GSP 2 G be a generic switching place. A GSP is de�ned by (NID;MS;AS), where1. NID is a unique identi�cation (name) of G-Net G;2. MS is set of methods; and8mtdi 2MS, mtdi = (m namei;m argumentsi;m initiatori), wherem namei is a name for the mtdi. 9
m argumentsi is a tuple of variables specifying the input token for the mtdi.m initiatori is mapping from m argumentsi to the initial marking of the net belongingto the internal structure associated with the method mtdi.3. AS is a set of attributes, and 8asi 2 AS; asi 2 IN.From De�nition 2.3 we say that a GSP is uniquely identi�ed by a name denoted byNID that abstracts a set of methods denoted by MS. The methods de�ne how the internalstructure may be executed. In other words, the set of methods de�nes all the possible sets ofinitial markings, and resulting in di�erent behaviors of the internal structure. In De�nition2.3 m initiator de�nes how the information on m arguments are transformed into tokens ofthe corresponding type. These tokens will be deposited, in the case that more than oneargument is de�ned, in the initial place for the method.De�nition 2.4 Internal StructureThe internal structure of a G-Net, G:IS, is a net structure, that is, a bipartite directed graphde�ned by G:IS = (�; P; T; I;O), where1. � is a structure consisting of some sorts of predicates together with a set of relationsand operations de�ned over these predicates.2. P is a set of �nite and non-empty set of places, denoted by circles.3. T is a �nite set of transitions, denoted by rectangles.4. I : T ! P1 is called input function, which de�nes inscriptions on transitions incomingarcs.5. O : T ! P1 is called the output function, which assigns inscriptions on transitionsoutgoing arcs.We have three di�erent types of places in the internal structure of a G-Net, as de�ned asfollows. 10
De�nition 2.5 Set of placesLet G:IS be the internal structure of a G-Net. The set of places P 2 G:IS is de�ned byP = (ISP;NP;GP), where1. ISP is a subset of instantiated switching places.2. NP is a subset of normal places.3. GP is a subset of goal placesThe above de�nition for the set of places P 2 G:IS is necessary because each subset ofplaces has di�erent semantics. Now, we will detail the meaning of each one of these subsetof places.An isp 2 ISP provides the mechanism used in G-Nets systems to implement inter-G-Netconnection. An isp de�ned in a net G and invoking a net G0 is denoted by isp(G0m) and isde�ned as a quadruple:isp(G0m) = (NID;mtd; action before; action after)NID is the unique identi�er of G0, mtd 2 G0:GSP:MS, action after and action before areprimitive actions, whose function is to update the so called token propagation sequence,which will be introduced below. More speci�cally, a method mtd 2 G:MS de�nes the inputparameters, the initial marking of the corresponding internal Petri net (the initial state of theexecution). The set of Goal Places represents �nal states of the execution of each method,and the results (if any) to be returned. The collection of methods and attributes (if any)provides the abstraction or the external view of the module. We impose the restriction thatthe set of goal places must not be empty.De�nition 2.6 TokenLet G be a G-Net, and tkn be a token, then1. tkn is a tuple of items of the form tkn = hseq; scolor; d1; � � � ; dqi, where tkn:seq is thepropagation sequence of the token, tkn:scolor 2 (before; after) is the status color ofthe token, and tkn:di, i 2 IN, is the message part of the token. The item tkn:seq is11
a sequence of hNID; isp; PIDi, where NID is the identi�cation of the G-Net, isp isthe name of an ISP and PID is a unique process identi�cation. The token is onlyavailable for enabling and �ring of transitions when scolor = after.2. If tkn = !, it can be matched with any sequence.The propagation sequence of a token is only changed when it reaches an ISP or a GSP .When a G-Net G is invoked from an ISP ispi in another G-Net G0 (when ispi receives atoken), a triple hG0; ispi; P idG0i, where PidG0 is the identi�er of the process executing G0, isappended to the propagation sequence of the token before it is sent to G-Net G. This tripleindicates that when the execution of G is over, the resulting token should be returned tothe place identi�ed by ispi in G-Net G0. The process identi�er is needed to distinguish towhich instance of the execution of G0 the returning token belongs to. When the input tokenis received at the GSP G, a triple h0; 0; P idGi is appended to the end of its propagationsequence, indicating that the agent responsible for executing the invocation is identi�ed byPidG. Because PidG is unique, the propagation sequence is also unique. The token structurein the G-Net framework thus not only guarantees that all tokens belonging to an instanceof a G-Net execution have the same and unique propagation sequence, but also containsthe complete propagation history of the tokens, which governs the interactions between theprocesses executing a G-Net speci�cation.Due to the sequence �eld associated with a token, more than one invocation of a G-Netcan be executed simultaneously. This is because di�erent executions (invocations) can beuniquely identi�ed by the propagation sequence. Indeed tokens carry the execution historyof a G-Net system.As mentioned above, the status color of a token has two possible values, either beforeor after. A token is said to be available if its scolor = after. Otherwise, it is said to beunavailable. When a new token is received at a place, its status color is set to be before, andafter the primitive action (if any) at the place is taken, the status color of the token is set tobe after, indicating that the token is ready to be used in subsequent transition �ring. Themessage �eld of a token is a list of application speci�c values.12
A normal place NP 2 NP has the rules to manipulate the token. When a token is theentry parameters speci�ed by the �eld msg. The result of the action is associated with the�eldmsg of the token and a �eld called branch color of the token is de�ned. The branch colorof the token serves to de�ne to which output transition the token is available. Thereforethe action associated with a normal place performs the same function as arc expressionsand transition inscriptions of PrT nets. Finally the �eld scolor of the token is updated toscolor after, and the token is available for transitions enabling and �ring.A goal place GPi 2 GP must belong to the �nal marking of G:IS. For each method,mtd, the goal places must be reachable and must be unique for each method. Therefore, theinformation resultant from the execution can be returned to the invoking G-Net.The G-Net transition �ring mechanism is de�ned by the following transition �ring rules:De�nition 2.7 Transition �ring rulesLet G be a G-Net, the transition �ring rules are de�ned as1. A transition t is said enabled i� every place p 2 I(t) holds at least one token, its contentsatis�es the condition de�ned by I(p; t), and(a) all the tokens stated have the same propagation sequence;(b) all the tokens stated in have their scolor = after;(c) the number of tokens in O(t) is smaller than the capacities of the places.2. An enabled transition t may �re and when �ring t:(a) a token which satis�es I(p; t) is removed from every p 2 I(t);(b) a token whose propagation sequence is the same as the one in tokens removed fromI(t), whose scolor = before, and whose message part is determined by O(t; p) isdeposited to every place p 2 O(t).The invocation of a G-Net de�nes the mechanism to start the execution of the internalstructures based on the message associated with the token.13
De�nition 2.8 Invocation of a G-NetLet G be a G-Net, the invocation of the net G based on a method mtd 2 G:MS is carriedout in the following way1. Determine the initial marking of G based on the de�nition of mtd (the content of thetokens depends on the content of the input token);2. Fire enabled transitions, if any;3. Invoke enabled primitives, if any;4. Repeat (2)-(3) until a Goal Place is reached;5. Send the result of the execution (if de�ned by mtd) to the invoker.3 Decomposition and Structural Properties of G-NetSystemsIn this section we introduce a decomposition approach for G-Nets. The decompositionapproach that will be introduced avoids structural problems in the interface between G-Nets, and allows formal analysis. For this decomposition to allow composition in a modularfashion, we have to de�ne mechanisms by which it is possible to consider di�erent componentsof a model, based on a rigorous structure, allowing the designer to have a better control ofthe complexity of the system. Hence, di�erent parts of the model might be independentlyconsidered. Moreover, analysis, reuse, and correction should be localized and performed atthe component level, as long as the component interface remains unchanged. To be able totake advantage of the bene�ts of such a modular approach, a component must present twocharacteristics:� The external view of the components must be loosely coupled, so that independenceamong components can be as high as possible and only a few well de�ned relationshipsare allowed. 14
� Externally a component must present a very high-level of functional cohesion, so thatthe role and the contribution of each component to the entire system are clearly de�ned.G-Nets and G-Net systems possess the above characteristics. In order to take advantageof the above two general concepts, inherent to G-Nets, we have to de�ne how G-Nets com-municate with each other by means of a high-level protocol, which determines how G-Netsare connected. Net systems can be connected either by fusing transitions, fusing places, orby arcs [3]. As is well known, transition fusing facilitates the analysis of the model, becausemany properties are preserved in this case [28, 29]. On the other hand, the nets are verytightly coupled, hence its is not possible to consider each net as an autonomous system,mainly because the behavior of the nets are mixed together, and in consequence it is notpossible to locally decide whether a transition is or not enabled, based only on the local stateof the net. Composition of nets by places fusing corresponds to communication by variablesharing. Although this method for composing nets does not present the disadvantages oftransition fusing, it is necessary to provide additional synchronization among the fused nets.This additional synchronization, provided either by extra places or transitions, may lead toa global analysis of the role system, mainly because new �ring transitions sequences mayappear, although previous �rings sequences are preserved. The third method to composenets, that is by arcs, corresponds to message passing.Another approach for composing nets is the use of another net as a communication media.The advantage of using this approach is that restrictions can be imposed to the net, or part ofthe invoked nets, representing the communication media, instead of applying restrictions tothe composed ones. To allow this kind of composition the nets involved in the communicationmust have some structural and behavioral restrictions to allow proper behavior preserving.Also, we assume only static process creation. This assumption is necessary to de�ne a priorithe connections among nets.The elements used as the basis for the decomposition of a G-Net are the GSP , isp andgoal places. A decomposition for each one of these elements is introduced. We also de�nethe concept of reentrance for a decomposed G-Net. The decomposition approach not onlyallows the introduction of the concept of reentrance, but it also allows the possibility to15
apply formal analysis to verify the behavior of a G-Net and a G-Net system.The approach we will introduce to decompose G-Nets follows the basic principles of theobject oriented approach. Hence, the functional unity of the nets may be de�ned duringtheir design, in such a way that they are components providing some services to other nets,and apply to other nets the services they o�er. As discussed before, the GSP of a G-Netprovides the abstraction with explicit de�nition of the methods (services) available to othernets. Also the isp and the goal places provide means by which a G-Net can be invoked andthe processed result (if any) is returned. The general principles that must be satis�ed whenG-Nets are communicating is very similar to the client-server protocol, and consists of thefollowing steps:1. The requester G-Net requests a service.2. The called G-Net accepts or not the requested service.3. Upon acceptance of the service, the called G-Net attends the request and provides theresults, otherwise the requester G-Net must issue another request.4. The requester G-Net retrieves the result.In fact, in step 4 the processed result is sent back to the requester, that should be waitingfor this result. The requester G-Net may be viewed as a client and the called G-Net as aserver.In the sections that follows we detail the concepts of decomposed G-Nets as well asreentrant decomposed G-Nets. Considering that each G-Net interacts with other nets, wede�ne the concept of environment. To analyze the behavior of a G-Net we will assumethe behavior of the environment as imposing some restriction on the local behavior. Onthe other hand each G-Net will export some of its properties to the environment. Theseproperties should be veri�ed latter when analyzing the environment interacting with theanalyzed G-Net. The basic principle to be adopted is the natural partition of the statespace problem and then apply an assume/guarantee like paradigm to verify the behavior ofthe G-Net system. Computation Tree Logic (CTL)[11] is employed as a query language toextract the abstraction of a G-Net and to express the properties of the environment.16
3.1 G-Net DecompositionThe objective to decompose a G-Net is to provide a clear structural coupling among G-Nets.This structural coupling imposes restrictions in the communication among G-Nets. Also withthe decomposition of the interface elements we allow the designer to incrementally designand analyze a system by adding new components. To do so the composition of G-Nets mustbe a stable operation. Therefore, the composition of a requester G-Net with a service G-Netmust, after the composition, still be a requester-service G-Net. This can be accomplishedthrough the preservation of the general properties of the components, G-Nets, so that theproperties of the whole system may be deduced from the properties of its components.The decomposition of a G-Net G results in a reentrant decomposed net Gd. The conceptof reentrant nets was introduced by [4] and the basic requirements that Gd must ful�llare structural, i.e., graphical constraints and other are behavioral, i.e. home spaces andreversibility [19].Before de�ning the decomposition of the elements of a G-Net we formally introduce theconcept of decomposed G-Net.De�nition 3.1 Decomposed G-NetThe decomposition of a G-Net G is a tuple Gd = (IS;GSP;GP;ISP), whereIS is the internal structure represented by a modi�ed Petri/Net.GSP is the decomposition for the GSP.GP is the set of goal places.ISP is the decomposition of the set of instantiated switching places.As the reader can verify the tuple formed by (GSP;GP;ISP), corresponds to the ele-ments involved in the interaction among G-Nets. The decomposition for the GSP (GSP)de�nes which places of the internal structure receive tokens when a G-Net is invoked witha de�ned method. The set of decomposed instantiated switching places (ISP) de�nes theplaces responsible to initiate a communication with other G-Net and receive back the result,17
G’ : invoke net G’
si: start invocation
ra: reply acknowledged
RI
rasi
RIm RRRC
SI
G’
isp(G’m)
Wi
RI: ready to invoke
SI: sequence id generator
RIm: ready to invoke with method m
RR: reply received
Wi: waiting invocation reply
RC: returned from net invokedFigure 4: Decomposition of an isp(G0m)when existent. The set of goal places (GP) represents the places that must be marked when aG-Net completes an invocation, therefore they are responsible for returning back the results.These sets of places are interface places of a G-Net, IE for short.3.2 Decomposition of G-Net elementsIn this section we introduce the decomposition of each one of the elements of a G-Net.An isp(G0:m), representing the invocation of net G0 using method m is decomposed asshown in Figure 4. Place RI receives the token from the input transition(s), not representedin Figure 4, then transition si �res and the propagation sequence of the token is updatedbased on the integer value n, where n 2 IN, of the token in place SI, which is increased byone each time si �res. The output token will be put in RIm. This token will have a uniquesequence identi�er together with the set of tokens de�ning the initial marking of net G0.Also, a token will be put in Wi. Transition G' then can �re. This �ring corresponds to theinvocation of net G0. When net G0 reaches its goal place the returning token(s) is(are) thenput in place RC and transition sa �res resulting in a token in place RR. The place Wi alsois used to maintain state information about the net, which can be used for fault-toleranceand error-recovery [22].For the GSP (G0) the decomposition is shown in Figure 5. The starting place, SP receivesall the tokens that will correspond to the initial marking for the places corresponding tomethod n. The transition corresponding to the speci�ed method will �re and the tokens willbe put in the set of initial places, this set of places is represented by the dotted rectangles18
tm1 tm2 tmn
initial placesfor method m2 for method mn
initial places
SP
GSP(G’)
for method m1initial places
<m1><m2>
<mn>Figure 5: Decomposition of a GSP (G0)in Figure 5.3.3 Structuring Inter-G-Nets CommunicationConsidering a decomposed G-Net Gd and an initial marking M0, de�ned by Gd =(IS;GSP;GP;ISP;M0) (see de�nition 3.1, the following notations and de�nitions will beused:De�nition 3.2 Number of Occurrences of a TransitionGiven a transition �ring sequence � 2 T �, �(�; t) is the number of occurrences of transitiont in the transition �ring sequence �.De�nition 3.3 Marking SuccessorM �!M 0 if there exists � 2 T � such that M [�iM 0.De�nition 3.4 Set of Fireble Transitions Constrained to a MarkingGiven a decomposed G-Net Gd, L(Gd;M) = f� 2 T �;M [�ig, and L(Gd;M)jT 0 = f�jT 0;� 2L(Gd;M)g.De�nition 3.5 Pre�x of a Firing SequenceLet � 2 T � and T 0 � T , then:� j T 0 2 T � is the substring of � obtained by removing occurrences of elements TnT 0.19
if �, �0 2 T �, �0 � � if �0 is a pre�x of �, i.e. if there exists �00 2 T � such that �0:�00 = �.De�nition 3.6 Set con ict-free transitionsLet Tm1 and Tm2 and Gd = (IS;IP;GP;ISP), with Tm1 2 IS and Tm2 2 IS, and Tm1 andTm2 be the sets of transitions belonging to method1 and method2 respectively, these two setsof transitions are called set con ict-free i��t \ �t0 = ;, with t 6= t0, 8 t 2 Tm1 and 8 t0 2 Tm2.Informally de�nition 3.6 guarantees that each method in a G-Net is not in con ict withothers.3.4 Structural and Behavioral PropertiesReentrance is one of the key concepts we introduced for G-Nets. The objective of introducingreentrance in G-Nets is to permit properties preserving when composing nets. The basicproperties that must be satis�ed by a decomposed G-Nets are reversibility1 and home states[19].De�nition 3.7 Reentrant Decomposed G-NetLet G be a G-Net and Gd = (IS;GSP;GP;ISP) be its decomposition. Gd is reentrant i�:P1 �SP = ;, with SP 2 GSP, that is, there is no incoming arc to a SP .P2 8GPi 2 GP; GPi� = ;, that is, there is no outgoing arcs from the goal places.P3 For any two methods mi and mj we have that, GSPmi 6= GSPmj , that is, each methodde�ned for a G-Net terminates in a di�erent goal place.P4 8GSPmi 2 GP 9�mi : M0[�miiM(GSPmi , that is, for a given method its goal place isalways be reachable.1A Petri net (N;M0) is reversible if for each markingM in R(M0),M0 is reachable fromM , where R(M0)is the set of all possible markings reachable from M0 for the net (N;M0). Therefore, in a reversible net itis always possible to reach the initial marking. A markingM 0 is said a home state if for each M in R(M0),M 0 is reachable fromM . 20
P5 It is always the case that the net is reversible.P6 The sets of transitions belonging to each method are set con ict-free.Property P1 guarantees that when a G-Net G is invoked with method mi only the initialplaces associated with the method will be marked when transition tmi 2 Tmethods �res in thedecomposed G-Net Gd, see Figure 5.Property P2 guarantees that a decomposed G-Net Gd has no more transitions to �re,for a de�ned method, when a goal place is reached, for a speci�c invocation identi�ed by the�eld tkn:seq associated with the token.Property P3 restricts the existence of one and only one goal place for each method.This restrictions is necessary to guarantee that the result is always returned to the correctrequester. Also, as will be shown in Section 4, this restriction is also necessary for theanalysis approach that will be introduced.Property P4 guarantees that the invocation of a decomposed G-Net always terminates,and considering properties P2 and P3, the invocation always terminates and the result isreturned to the requester.Property P5 is very important, because it must be the case that a decomposed G-Netalways returns to its initial state, so that new invocation of a de�ned method can take place.Property P6 has a very important signi�cance for the analysis methodology that willbe introduced in Section 4. It guarantees that the execution of the de�ned methods for adecomposed G-Net can be treated as independent.If the properties P1 to P7 are veri�ed for a decomposed G-Net, we say that it is reentrant.Based on this de�nition of reentrance we can clearly de�ne how the communication amongG-Nets will take place. The set of interface elements (IE) implements the communicationfunctions.Based on the decomposition of an isp, as shown in Section 3.1, we de�ne the concept ofa service request, or for simplicity requester G-Net as follows.De�nition 3.8 Requester G-NetLet GdR = (ISR;GSPR;GPR;ISPR) be a requester decomposed G-Net. Also, let us con-21
sider the request of a service of a decomposed G-Net GdS, and that ispi 2 GdR is an ispinvoking GdS with method mGdSi , we have that:1. For any invocation of GdS with method mi through ispi 2 GdR there exists a waitinginvocation reply place Wi 2 ispi such that:Wi 2 si�, �Wi = fsig, andWi 2 �ra, �ra = fWig.2. M is marking of GdR such that M(Wi) = 0 for any waiting invocation reply place Wi.The waiting place Wi of an isp corresponds to the state of the requester decomposedG-Net GdR, is waiting for the invoked decomposed service G-Net GdS, represented bytransition G0 in the isp, to complete the requested service and return the result.It is very important to de�ne when an isp will complete its execution, representing thatthe requested service was successfully executed, and how the control is passed back to theIS of the requester.Lemma 3.1 Clear Termination of a Decomposed G-NetA decomposed G-Net clearly terminates its execution, independently of the number ofinvocations.Proof.The proof is direct, based on reentrance properties P4, P5 and P6 of De�nition 3.7, De�nition3.6 and the fact that the tkn:seq is unique. 2Proposition 3.1 isp CompletionLet GdR, and GdS be a requester and service decomposed G-Nets respectively, and letispRS 2 PGdR be an isp invoking GdS with method mi. If GdS is reentrant the isp alwaysreceives the result back.A serviceG-Net is one that o�ers services to requesters, hence it is able to accept requests,to process them and to provide results. The interface places of a service net matches with22
the requesters places, that is, it matches with the decomposition of the isp of the requester.The starting place (SP ) in the decomposed GSP and the goal places are used to be mergedwith places si and ra, in the decomposed isp when substituting the abstracted transition G0in the isp.Provided that the decomposed service G-Net is reentrant we can de�ne the requester.De�nition 3.9 Service G-NetLet GdS be a decomposed G-Net, with starting place SP and goal place GPmi for methodi,it is a service net i� for all de�ned methods:1. GdS is reentrant.2. There exists one minimal place invariant I such that I(SP ) = I(GPmi) = 1, 8 mi 2methods.3. M0 is a marking of GdS such that 8 p 2 P [I(p) > 0 =)M0(p) = 0].4. For any markingsM andM 0 such that M(p) = M0(p) for p 2 PnfSPg andM �!M 0,there exists M 00 such that M 0 �! M 00, M 00(SP ) = 0 and M 00(GPmi) = M(SP ),8mi 2 methods.In the above de�nition P 2 ISGdS. Condition 4. in De�nition 3.9 guarantees that thesequence identi�er of the incoming token is safely propagated through the service net, andreaches the goal place with the same propagation sequence.A service decomposed G-Net can put a token in its goal places only after removing atoken from its starting place, and it can move any number of tokens from its starting placetowards its goal places.Proposition 3.2 Service NetLet GdS = (IS;GSPS;GPS;ISPS;M0) be a decomposed service G-Net, M be a marking ofGdS such that M(SP ) > 0 and M(p) = M0(p) for p 2 PnfSPg, mi is the method invokedwith transition tmi as the method transition, �GPmi = ftGPmig the input transition of goalplace associated to method mi, and � 2 L(GdS;M).23
1. �(�; tGPmi) � �(�; tmi).2. 9 �0 2 T �[�:�0 2 L(GdS;M) ^ �(�:�0(tGPmi � �(�; tmi)].Proof.1. Considering that I:M0 = 0, we have I:M = I:M(SP ). Let M 0 be such that M [� > M 0.Thus �(�; tmi) = M(GPmi )�M 0(GPmi) = I:M�M 0(SP ) = I:M 0�M 0(SP ) �M 0(GPmi) =�(�; tmi).2. results from point 4) of De�nition 3.9, since M 00(GPmi) = M(GPmi ) is equivalent to�(�:�0; tGPmi) = �(�:�0; tmi), and we may consider that M(SP ) = �(�; tmi) = �(�:�0; tmi).2We can see the service net as a set of nets providing some services (expressed by themethods) together with the interface places. Therefore, the interface places together withthe method transitions (tmi), and the goal places, and their respective input transitions,coordinate the accepting of a request and how the information is sent back to the requester.4 Logical Analysis of G-Net SystemsFor analysis purpose a G-Net system will be considered as obtained by composing certainnumber of G-Nets. Having in mind the objective of avoiding state explosion, an evidentmethod to analyze G-Net systems is decomposition. The intent is to verify properties ofindividual components, validate if these properties hold for the entire system, and use themto deduce additional properties of the system.The methodology that will be shown is a combination of behavioral and logical analysis.Behavioral analysis is applied for veri�cation of local behavior. In this step we can either useinvariant analysis or reachability tree analysis. We will prefer the application of reachabilitytree analysis for the reason that we can also extract from the reachability tree the externalor observed behavior of a G-Net.Logical analysis is based on the so called assume/guarantee paradigm for transition sys-tems [25]. The objective is to avoid state explosion by taking advantage of the natural24
decomposition of the system. The objective is to verify properties of individual components,infer if these properties hold in the complete system, and use them to deduce additionalproperties of the system. Furthermore when verifying properties of the components, it mayalso be necessary to make assumptions about the behavior of the environment.A decomposed G-Net Gd consists of two parts: the interface and the internal realization.The interface part describes the behavior visible from outside, the abstraction, and the secondpart describes how methods de�ned for a given G-Net are implemented by means of a Petrinet. As G-Nets interacts in a G-Net system, the behavior of a G-Net, or its decomposed view,is dependent on the reaction of other G-Nets, forming its environment. Thus the interfaceor abstraction may contain some constraints on the expected reactions of the environment.Hence interfaces will be de�ned by a pair (assm, comm), where comm describes properties ofthe services (commitment) which will be guaranteed by the G-Net, provided the environmentsatis�es the assumptions given by assm. As the interface or abstraction is the visible orobserved behavior of a given G-Net, the internal part (its realization) must satisfy thisbehavior. Hence, in a design process the correctness of the implementation has to be veri�ed.Assumptions and commitments may be given by temporal logic formulae. Generally �rstorder temporal logic is necessary to describe the services of a G-Net, as the realization ofthe methods are given by a modi�ed PrT net, but we may separate the pure interaction (theprotocol), which may be described using only propositional temporal logic, from the properservice speci�cation dealing with the computation of data, where �rst order logic is necessary.Thus in most cases its is possible to separate the propositional part, describing the pureinteraction, and the �rst order part describing the data transformations. Then the analysisor correctness veri�cation can be done in two steps: �rst verifying the pure interaction, e.g.by applying a model checking procedure, and second verifying the correctness of the datatransformations by the realization of the internal structure by applying well know analysismethodologies for PrT nets like reachability and invariant analysis.Based on this two step analysis each G-Nets is locally analyzed under environmentalassumptions and global properties, like deadlock, can be globally veri�ed.In order to analyze a G-Net system we propose another level of decomposition apart25
from the decomposition already introduced. At this level the starting places, goal placesand instantiated switching places will be unfolded. By unfold we mean replace places inthe interface of a G-Net in a way that we can eliminate the inscriptions associated to thearcs. For example for each inscription associated to the outgoing arcs in the starting placein a GSP we will create a corresponding place, in a way that the inscriptions will no longerbe necessary. This unfolding process is necessary to eliminate inscriptions from the arcsbelonging to the interface places. Also, we have to associate a proposition to each place inthe interface of a G-Net.To verify whether the implementation part satis�es the properties imposed in the interac-tion between a G-Net and its environment, we have to construct a model (in the this case theabstracted reachability graph) representing the implementation, in which the speci�cationor the desired properties can be interpreted.Our target is to consider software components modeled by means of G-Nets, we considerthat these G-Nets are asynchronous components that communicates by means of synchro-nized actions as in CSP. Therefore, we assume that there is no dependency among the clockunits of di�erent components, i.e., there is no global clock.The local analysis of a decomposed G-Net system is carried out based on the followingprocedure: 1. decompose each isp and GSP ; 2. decompose, if necessary, the places in theinternal structure so that transitions model actions and places states; 3. verify if all theproperties for the net are satis�ed based on the constructed reachability tree, and; 4. verifyin the reachability tree if the reentrance properties are satis�ed.The interaction analysis is performed according the following procedure: 1. unfold thenet interface elements for the decomposed G-Nets in a G-Net system; 2. extract from eachnet the external view corresponding to the interface behavior of each decomposed G-Net; 3.introduce an extra state to each isp output place corresponding to the labels in the outputarcs; 4. introduce an extra state to each isp output place corresponding to each �rebletransition before reaching an interface element, and; 5. verify if the interaction properties,expressed in CTL, are satis�ed.The objective of Step 4. is to identify which transition �res before an interface element is26
RI
rasi
RIm RRRC
SI
G’
Wi
rgig
G’
si riFigure 6: Unfolding of G0 and association of propositionsreached. The unfolding of each decomposedG-Net de�nes the labeling of interface transitionsand association of proposition to interface places. Labeling of transitions helps on de�ning acomposition operator to fuse transitions with same labels. The association of proposition tointerface places is necessary to extract the external view characterizing the external behaviorof each decomposed G-Net. The objective is to de�ne an abstraction for the behavior of eachdecomposed G-Net and apply a temporal logic based veri�cation, to verify the compositebehavior of a G-Net system.4.0.1 Unfolding Net Interface ElementsFor the unfolding procedure we de�ne a set, of propositions PL and a set of labels TL to beassociated to places and transitions in the interface elements of a decomposed G-Net.For the isp transition G0 will be unfolded in two, as shown in Figure 6. Transition igrepresenting the invocation of net G0 and transition rg representing the end of the invocationof net G0. For each isp in a set of decomposed G-Nets a di�erent label, from TL, will beassociated to the corresponding ig and rg transitions. We also associate propositions, de�nedin PL, to places RIm and RG.We also unfold the starting place of each GSP as shown in Figure 7. We unfold thestarting place SP according to the inscriptions in the outgoing arcs. This unfolding will27
tm1 tm2 tmn
initial placesfor method m2 for method mn
initial places
t1 t2 tn
mnm2m1
for method m1initial places
SP
Figure 7: Unfolding a starting placec1 c2 cn
t1 t2 tn
gsp
<c1> <c2> <cn>
gfFigure 8: Unfolding of a goal placeresult in one place for each method. To each of these places a proposition, over PL, is asso-ciated. We also introduce one transition and an incoming arc to each of these places. Thesetransitions are labeled, over TL, with the same labels used in the transitions representingthe invocation of a decomposed G-Net. For example, transition t1 in a decomposed GSPwill have the same label as transition ig in an isp.The last unfolding is related to the goal places. We present in Figure 8 the generalunfolding of a goal place. We will assume an arbitrary number, n, of incoming arcs toa goal place. We will also assume that each method �nishes in one and only one goalplace. In this case for each method we have to de�ne a di�erent goal place. In Figure 8inscriptions hc1i; hc2i � � � hcni de�ne which will be the message associated to the returningtoken. Recalling the producer/consumer problem, they can be for method status either hackior hnaki, indicating whether the consumer is or not ready to receive an item to be consumed.The decomposition will be constituted of one place and one transition for each condition.28
mp
pr
nr
ra1
rs
cr
ra2
si2
tr
tc ts
gpc
tf
isp(C.ms)
SI1
RC1
RI1
RR1
<ack>
<nak>
RIs
RP
W1
co
RC2
R Ic
SI2isp(C.mc)
RI2
RR2
W2si1
tpSP GSP(P)
GP
C.ms
C.mc si
ra
mp
sr
rr
pf
Figure 9: Decomposition with unfolding of the ProducerEach one of these transition will be connected to a place as shown in Figure 8. Also eachone of these places will have a proposition associated to them. A transition with incomingarc from these place will be introduced. This transition will be labeled with the same labelas the transition rg representing the end of the invocation of net G0 in the unfolded isp.4.0.2 Analysis of the Interaction BehaviorThe interaction behavior analysis is based on the temporal logic queries to the reachabil-ity graph of the target G-Net and in the unfolding procedure previously introduced. Thepropositions associated to the interface place, as for example ms and nak in Figure 12, arebe used to generate the external view representing the external behavior of the G-Net. Theexternal views are then used to verify interaction properties between G-Nets expressed astemporal logic formulas.In order to exemplify the decomposition and analysis of G-Net systems, we show inFigures 9 and 10 the decomposition and unfolding of the interface elements, that is goal29
ts tc
mcms
gpc
gpc
nak ack
RC’IN RC WP TC
ms : method status
mc : method consume
: not available
: item accepted
: request acknowledged
nak
ack
ret
ms mc
SCGSP(C)
nak ack ret
ret
gps
gps GPS GPC
CO
na sa sc acr=ackr=nak
Figure 10: Decomposition with unfolding of the Consumerplaces, starting places and invocation transition G0, for the producer and the consumerrespectively.Figures 11 and 12 present the abstracted behavior for the producer/consumer problem.These structures are extracted in the Step 2. of the interaction analysis procedure. Itshould be emphasized that states nak and ack are intruced by appliyng Step 3. of analysisprocedure. Also, states pr and rs are introduced according step 4. of analysis procedure.In this case is clear that transitions pr and rs are the ones the are �red before the interfaceplaces isp(C:ms) and GP are reached.In the case of the producer/consumer problem two properties de�ning the interactionbetween the producer and consumer can be informally written as:only send an item if an acknowledge is receivedalways after getting an acknowledge send an item30
sr
mp
rr
rasi
ack
mp
pfpr pr
nak
rs
nak
rsFigure 11: Abstracted behavior of the Producernak
ms
ack ret
mc
nakackFigure 12: Abstracted behavior of the Consumer31
The previous statements are expressed in CTL using the propositions associated to in-terface elements in Figures 9 and 10 by:1. AG(srU nak): it is always the case that sr (status request) occurs until nak (notacknowledge) occurs.2. AG(ack ! si): it is always the case that if an ack (acknowledge) occurs an si (senditem) occurs.Properties (1) and (2) can be veri�ed to hold for the abstracted behaviors for the producerand the consumer (Figures 11 and 12 respectively). For instance property (2) guaranteesthat no producer will obtain the right to send an item to the producer and will not send. Ifproperty (2) is not satis�ed a producer can cause a dead-lock in the consumer.5 Timing AnalysisFor timing analysis we use Fuzzy Time Petri Nets, that are an extension of Petri nets whichuse a fuzzy approach to introduce time into Petri nets. The model is intended to serve as atool which is suitable for modeling real-time systems and for computing selected performanceindices, i.e., this model combines the ability to model real-time systems of the deterministicextensions and the ability to make performance evaluation of stochastic extensions. Asshown later, this is accomplished through the combination of time intervals and fuzzy settheory [10].In the Fuzzy Time Petri Net model, tokens carry a fuzzy time function representing thepossibility of there being a token in a given place from a reference set. Besides the fuzzytime function, two fuzzy intervals are associated with each transition. The enable intervalE represents the minimum and maximum time that must elapse between the enabling of atransition and its �ring time. The delay interval D represents the �ring time, i.e., the delaynecessary to execute the action represented by the corresponding transition. The existence ofthese time intervals associated with transitions is necessary in order to allow the modeling oftwo di�erent timing concepts: time-outs and processing delays. Moreover, these two types32
of intervals are important when dealing with real-time systems. We can represent threegeneral categories of timing constraints for real-time systems, that are: maximum timingconstraints, minimum timing constraints and durational timing constraints [7].The timing analysis is based on the fuzzy time function associated with the tokens. Theidea is to use the fuzzy reachability graph, where we have the complete state space, in orderto compute the FTF s.The fuzzy reachability graph is a modi�ed reachability graph which incorporates thefuzzy time concepts de�ned in the FTPN model. The basic idea is to extend the concept ofreachability graph to include the Fuzzy Time Function (FTF ) carried by the token, which iscomputed after each transition �ring, starting from the initial marking. Also, the modi�edreachability graph considers the fuzzy time intervals associated with the transitions. Thus,the fuzzy reachability graph is characterized by:1) Assigning a FTF to each token on places in a given state.2) Attaching to each edge of the graph the timing intervals associated with the corresponding�ring transition representing the time restrictions when �ring a transition.5.1 Timing Analysis IssuesWe assume that the FTF s associated with the initial tokens are known2 and de�ned inthe fuzzy reachability graph by the FSET assigned to the root (initial state). Thus, fromthe initial state in the fuzzy reachability graph and the initial fuzzy time functions, wecan compute the FTF s in the others states of the fuzzy reachability graph. Informallyspeaking, to compute these functions, it is necessary identify di�erences among the FSET sof immediate reachable states. Considering two connected states in the FRG and theirrespective FSET s, we have to consider two cases during the analysis:1. common elements between FSET s.2. di�erent elements between FSET s.2The initial FTF can be set to compute speci�c indices or may represent some di�erent situations.33
Focusing on the dynamic behavior of a FTPN, item 1 indicates that tokens were not re-moved after �ring a transition. Item 2 may represent two things: tokens removed from inputplaces and tokens deposited in output places. According to the fuzzy function computationrule, input tokens are combined to determine the FTF of the output tokens.5.2 Timing Analysis Using Fuzzy Time G-NetsFor timing analysis purpose, we assume that the internal structure of a G-Net will be aFTPN. When one G-Net invokes another G-Net with a given method m, this method de�nesthe initial marking for the invoked net. Since the internal structure is a Fuzzy Time PetriNet, the token that arrives in an isp is a fuzzy token. Thus, the initial marking for theinvoked net should be composed by fuzzy tokens. Once our main objective is the modularanalysis, we have to have conditions to study each G-Net in isolation, i.e., the individualG-Net timing analysis must be independent of the analysis of the G-Net which is invokingit. Due to the commutativity and distributivity properties of fuzzy sets, it is possible tostudy each invoked G-Net considering that the tokens of the initial marking for the invokednet are not fuzzy. The results are then combined via the isp, i.e., a fuzzy interval thatcorresponds to the minimum and maximum execution time of the invoked net is computedby combining the enable and delay intervals attached to its transitions. The computationof this fuzzy interval resumes when a goal place is reached, indicating that the invocation�nished. Finally, this fuzzy interval is combined with the fuzzy time function assigned to theisp0s token. The analysis of the invoked net depends of the method used in the invocation.In order to de�ne the Fuzzy Time G-Net (FTG-Net), we consider the elements that takepart in the interaction among G-Nets, that are the isp and the GSP , and the fuzzy timeintervals, de�ned delays, associated with the �ring of transitions.6 Veri�cation Environment and ApplicationIn this section we introduce the veri�cation environment developed for G-Net systems. Thesystem was implemented in language C, and is portable to di�erent machines. The actual34
reachability
tree
reachability
graph
reeentrance
verification
G-Net
behavioral analysis performance analysis
reachability
analysis
throughput
analysis
reachability graph computation graph
local structureand behaviorverification
interaction
verification
specification
Figure 13: Block diagram of the veri�cation systemimplementation runs on DECStations and SPARCstations under UNIX. The interface wasimplemented based on the XWindows system.In Figure 13 the block diagram of the veri�cation system is shown. From this �gure,we can identify the execution of two di�erent kind of analysis: performance analysis andbehavioral analysis.As we show in Figure 13, the veri�cation system has as input a G-Net speci�cation,actually this is a text description as introduced by Chen in [5]. This text description is loadedby the reachability tree generator, and is used to generate the reachability tree. Based onthis reachability tree and some additional information, we generate the reachability graphfor the speci�ed net. The reachability graph is then used to perform re-entrance veri�cation,local structure and behavior veri�cation, and interaction analysis. The performance analysisis performed based on the concepts previously introduced for Fuzzy Time G-Nets Systems,and the fuzzy reachability graph is derived from the reachability graph, generated in thelogical analysis.The approach introduced in this paper has been used to model two di�erent kind ofsystems: a track vehicle transport system [20, 21] and for a exible manufacturing systems35
Figure 14: Screen dump for the consumer net showing the analysis[24].In Figure 14 we show the screen-dump for the execution of the analysis procedure. Notethat not all of the analysis are implemented. We show in this �gure the transitive closure forthe reachability graph. Based on the transitive closure we perform behavioral and structuralveri�cation of the internal net implementing each method. At the end of the window wepresent the places belonging to the interface of the net. With these information one canverify the external behavior of one G-Net, and can also, based on the reachability tree andreachability graph verify the internal behavior of the net.The screen-dump depicted in Figure 15, presents a screen with the analytical resultsobtained from the timing analysis algorithm as well as the corresponding Timing G-Nets36
Figure 15: Screen-dump for the timing analysis of the producerInteraction Graph (TGIG) [8]. The TGIG is a 2D graph that depicts the timing and in-teraction aspects between di�erent G-Nets in a G-Net system. The TGIG can be used asan alternative approach in order to determine some performance indices. From these twoscreens, we can see that the time chart re ects the results obtained by using the algorithm.For example, the FTF value associated with isp(C:ms) can be derived from the TGIG byobserving maximum values in the horizontal lines corresponding to the best and worst casesfor G-Net/method G(C):ms.The approach introduced in this paper has been used to model two di�erent kind ofsystems: a track vehicle transport system [20] and for a exible manufactuting systems [23].Also, the veri�cation system outlined in this section has been very helpfull in the logical and37
temporal analysis of this two systems.7 ConclusionIn this paper we have introduced a modular analysis methodology for a class of high-levelPetri net named G-Nets. We described the motivation for such a modular analysis approach:the necessity to avoid the state explosion problem when analyzing a large complex softwaresystem.We formalized the concepts of G-Nets allowing the application of modular analysis andveri�cation. We also de�ned structural and behavioral properties for G-Nets. When thesestructural and behavioral properties are satis�ed, it is possible to apply a behavioral/logicalveri�cation approach to avoid the state explosion problem.The introduction of the concept of reentrance as well as the de�nition of the propertiesrelated to this concept, and the application of them to G-Nets give to the designer a verywell structured way to design a complex system. Indeed, with the introduction of theconcept of reentrance, together with a proper decomposition approach methodology for theG-Net interface elements, a well de�ned and structured way to compose G-Nets in a G-Net system was de�ned, allowing the application of a modular analysis methodology basedon an assume/guarantee paradigm. This approach have demonstrated that it is possible tosuccessfully adopt a modular approach for the analysis and veri�cation of a complex softwaresystem. The external behavior or abstraction of G-Net can then be extracted, and, basedon this abstraction, it possible to de�ne which of the local properties of G-Net will be partof the environment of other G-Nets in a G-Net system. Moreover, we can, based on thisabstract view, verify whether the assumptions made about the environment of a G-Net areor not being satis�ed.We have to say that the emphasis given on this paper is on the engineering aspects ofthe methodology. Theoretical matters are introduced to give a formal basis for the claims.Moreover, we believe that the marriage between formal methods and engineering approachesis the best way to face the di�culties associated with the design and veri�cation of complex38
software systems. The advantages of this convenient marriage are evident. From one aspectit is possible to share the methodological aspects inherent to an engineering approach forthe design and veri�cation of complex software systems. On the other hand, powerful formalmethods are then available for the designer, so that early in the design phase of a system itis possible to verify whether the system possesses or not the speci�ed properties.References[1] M. Ajmone Marsan, D. Balbo, and G. Conte. A class of generalised stochastic petri netsfor the performance evaluation of multiprocessor systems. ACM Transactions on ComputerSystems, 2(2):93{122, May 1984.[2] I.I. Bestuzheva and V.V. Rudnev. Timed petri nets: Classi�cation and comparative analysis.Automation and Remote Control, 51(10):1303 { 1318, October 1990.[3] M. Broy and T. Streicher. Modular functional modelling of petri nets with individual tokens. InG. Rozenberg, editor, Advances in Petri Nets 1992, volume 609 of Lecture Notes in ComputerScience, pages 70{88. Springer-Verlag, 1992.[4] G. Chehaibar. Use of reentrant nets in modular analysis of colored nets. In G. Rozemberg,editor, Advances in Petri Nets 1991, volume 524 of Lecture Notes in Computer Science, pages58{77. Springer-Verlag, 1991.[5] T.C. Chen, Y. Deng, and S.K. Chang. A simulator for distributed systems using g-nets. InProceedings of 1992 Pittsburgh Simulation Conference, Pittsburgh, PA, USA, May 1992.[6] W. Damm, G. D�ohmen, V. Gerstner, and B. Josko. Modular veri�cation of petri nets: Thetemporal logic approach. In Stepwise Re�nement of Distributed Systems, volume 430 of LectureNotes in Computer Science, pages 180{207. Springer-Verlag, 1989.[7] B. Dasarathy. Timing constraints of real-time systems: Constructs for expressing them, meth-ods of validating them. IEEE Transactions on Software Engineering, 11(1):80 { 86, January1985. 39
[8] J.C.A. de Figueiredo, A. Perkusich, and S.K. Chang. Timing analisys of real-time softwaresystems using fuzzy time petri nets. In Proc. of The Sixth International Conference on SoftwareEngineering and Knowledge Engineering, pages 243{253, Riga, Latvia, June 1994.[9] Y. Deng, S.K. Chang, J.C.A. de Figueiredo, and A. Perkusich. Integrating software engineeringmethods and petri nets for the speci�cation and prototyping of complex software systems. InM. Ajmone Marsan, editor, Application and Theory of Petri Nets 1993, volume 691 of LectureNotes in Computer Science, pages 206 { 223. Springer-Verlag, Chicago, USA, June 1993.[10] D. Dubois and H. Prade. Processing fuzzy temporal knowledge. IEEE Transactions on Sys-tems, Man, and Cybernetics, 19(4):729{744, July 1989.[11] E.A. Emerson and J. Srinivasan. Branching time temporal logic. In J.W. Bakker, W.-P.de Roever, and G. Rozenberg, editors, Linear Time, Branching Time and Partial Orderin Logics and Models for Concurrency, volume 354 of Lecture Notes in COmputer Science.Springer-Verlag, 1988.[12] C. Ghezzi, D. Mandrioli, S. Morasca, and M. Pezze. A general way to put time in petri net.In 5th International Workshop on Software Speci�cations and Design, pages 60{66, May 1989.[13] O. Grumberg and D.E. Long. Model checking and modular veri�cation. In K. Baeten, editor,CONCUR'91, volume 458 of Lecture Notes in Computer Science, pages 250{265. Springer-Verlag, 1991.[14] P.J. Haas and G.S. Shedler. Regenerative stochastic petri nets. Performance Evaluation,6(3):189{204, September 1986.[15] B. Josko. A context dependent equivalence relation between kripke structures. In E.M. Clarkeand R.P. Kurshan, editors, 2nd International Conference on Computer Aided Veri�cationCAV'90, volume 531 of Lecture Notes in Computer Science, pages 204{213. Springer-Verlag,1991.[16] Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems. SpringerVerlag, New York, NJ, 1992. 40
[17] P.M. Merlin and D.J. Farber. Recoverability of communication protocols - implications of atheoretical study. IEEE Transactions on Communication, COM-24(9):1036{1043, September1976.[18] M.K. Molloy. On the Integration of Dealy and Throughput Measures in Distributed ProcessingModels. PhD thesis, UCLA, 1981.[19] T. Murata. Petri nets: Properties, analysis and applications. Proc. of the IEEE, 77(4):541{580,April 1989.[20] A. Perkusich and J.C.A de Figeiredo. Object oriented design of a track-vehicle system. Into appear in Proc. of The Seventh International Conference on Software Engineering andKnowledge Engineerinag, SEKE'95, June 1995.[21] A. Perkusich and J.C.A. de Figeiredo. A petri net based approach to model objects for a trach-vehicle control system. In to appear in Proc. of 7th International Conference on Computingand Information, ICCCI'95, Trent University, Peterborough, Canada, July 1995.[22] A. Perkusich, J.C.A. de Figueiredo, and S.K Chang. Embedding fault-tolerant properties inthe design of complex systems. Journal of Systems and Software, 2(25):23{37, 1994.[23] M.L.B Perkusich, A. Perkusich, and U. Schiel. Integrated design of object-oriented real-timecontrol and database systems. In to appear in Proc. of The Seventh International Conferenceon Software Engineering and Knowledge Engineerinag, SEKE'95, June 1995.[24] M.L.B. Perkusich, A. Perkusich, and U. Schiel. Object-oriented real-time database design andhierarchical control systems. In to appear in Proc. of International Workshop on Active andReal-Time Databases, ARTDB-95, Skovde, SE, June 1995.[25] A. Pnueli. In transition from global to modular temporal reasoning about programs. In K.R.Apt, editor, Logics and Models of Concurrent Systems, NATO ASI series, Series F, Computerand Systems Sciences, volume 13. Springer-Verlag, 1984.[26] C. Ramchandani. Analysis of asynchronous concurrent systems by petri nets. Technical ReportProject MAC-TR120, M.I.T., Cambridge, MA, 1974.41
[27] S.M. Shatz. Development of Distributed Software. Macmillan Publishing Company, New York,1993.[28] I. Suzuki and T. Murata. A method for stepwise re�nement and abstraction of petri nets.Journal of Computer and System Sciences, 27:61{76, 1983.[29] R. Valette. Analysis of petri nets by stepwise re�nements. Journal of Computer and SystemsSciences, 18:35{46, 1979.[30] W.M.P. van der Aalst. Interval timed coloured petri nets and their analysis. In M. Aj-mone Marsan, editor, Application and Theory of Petri Nets 1993, volume 691 of Lecture Notesin Computer Science, pages 453 { 472. Springer-Verlag, June 1993.[31] L.A. Zadeh. Fuzzy sets. Information and Control, 8:338{353, 1965.[32] W.M. Zuberek. Timed petri nets: De�nitions, properties, and applications. Microelectronicsand Reliability, 31(4):627 { 644, 1991.
42
