Translation validation of coloured Petri net models of programs on integers | Acta Informatica Skip to main content
Log in

Translation validation of coloured Petri net models of programs on integers

  • Original Article
  • Published:
Acta Informatica Aims and scope Submit manuscript

Abstract

Programs are often subjected to significant optimizing and parallelizing transformations based on extensive dependence analysis. Formal validation of such transformations needs modelling paradigms which can capture both control and data dependences in the program vividly. Being value-based with an inherent scope of capturing parallelism, the untimed coloured Petri net (CPN) models, reported in the literature, fit the bill well; accordingly, they are likely to be more convenient as the intermediate representations (IRs) of both the source and the transformed codes for translation validation than strictly sequential variable-based IRs like sequential control flow graphs (CFGs). In this work, an efficient path-based equivalence checking method for CPN models of programs on integers is presented. Extensive experimentation has been carried out on several sequential and parallel examples. Complexity and correctness issues have been treated rigorously for the method.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Subscribe and save

Springer+ Basic
¥17,985 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Price includes VAT (Japan)

Instant access to the full article PDF.

Fig. 1
Fig. 2
Fig. 3

Similar content being viewed by others

Notes

  1. http://www.informatik.uni-hamburg.de/TGI/PetriNets/tools/db/samatulyata.html.

  2. http://www.informatik.uni-hamburg.de/TGI/PetriNets/tools/db/samatulyata.html.

References

  1. Coq. https://coq.inria.fr/

  2. Bacon, D.F., Graham, S.L., Sharp, O.J.: Compiler transformations for high-performance computing. ACM Comput. Surv. 26, 345–420 (1994)

    Article  Google Scholar 

  3. Bandyopadhyay, S.: Path based equivalence checking of petri net representation of programs for translation validation. PhD thesis, I.I.T Kharagpur, India, (2016)

  4. Bandyopadhyay, S., Sarkar, D., Mandal, C.: Equivalence checking of petri net models of programs using static and dynamic cut-points. Acta Informatica 56(4), 321–383 (2019)

    Article  MathSciNet  Google Scholar 

  5. Bandyopadhyay, S., Sarkar, D., Mandal, C.A., Banerjee, K., Duddu, K.R.: A path construction algorithm for translation validation using PRES+ models. Parallel Process. Lett. 26(2), 1–25 (2016)

    Article  MathSciNet  Google Scholar 

  6. Banerjee, K., Karfa, C., Sarkar, D., Mandal, C.: Verification of code motion techniques using value propagation. IEEE TCAD, 33(8), (2014)

  7. Banerjee, K., Sarkar, D., Mandal, C.: Deriving bisimulation relations from path extension based equivalence checkers. IEEE Trans. Software Eng. 43(10), 946–953 (2017)

    Article  Google Scholar 

  8. Bell, C.J.: Certifiably sound parallelizing transformations. In: Certified Programs and Proofs - Third International Conference, CPP 2013, Melbourne, VIC, Australia, December 11-13, 2013, Proceedings, pages 227–242, (2013)

  9. Bondhugula, U., Hartono, A., Ramanujam, J., Sadayappan, P.: Pluto: A practical and fully automatic polyhedral program optimization system. In: PLDI 08, (2008)

  10. Cortés, L.A., Eles, P., Peng, Z.: Modeling and formal verification of embedded systems based on a Petri net representation. JSA 49(12–15), 571–598 (2003)

    Google Scholar 

  11. Edwards, S., Lavagno, L., Lee, E.A., Sangiovanni-Vincentellni, A.: Design of embedded systems: Formal models, validation and synthesis. DAC ’99, pp. 296–299, (1999)

  12. Gupta, S., Dutt, N., Gupta, R., Nicolau, A.: Spark: a high-level synthesis framework for applying parallelizing compiler transformations. In: Proc. of Int. Conf. on VLSI Design, pp. 461–466, Washington, DC, USA, Jan (2003). IEEE Computer Society

  13. Hoare, C.A.R.: Communicating sequential processes. Commun. ACM 21(8), 666–677 (1978)

    Article  Google Scholar 

  14. Jensen, K., Kristensen, L.M.: Coloured Petri Nets - Modelling and Validation of Concurrent Systems. Springer, Berlin (2009)

    Book  Google Scholar 

  15. Jensen, K., Kristensen, L.M., Wells, L.: Coloured Petri nets and CPN tools for modelling and validation of concurrent systems. Int. J. Softw. Tools Technol. Transf. 9(3), 213–254 (2007)

    Article  Google Scholar 

  16. Karfa, C., Mandal, C., Sarkar, D.: Formal verification of code motion techniques using data-flow-driven equivalence checking. ACM Trans. Design Autom. Electr. Syst. 17(3), 30 (2012)

    Google Scholar 

  17. Kundu, S., Lerner, S., Gupta, R.: Validating high-level synthesis. In Proceedings of the 20th international conference on Computer Aided Verification, CAV ’08, pp. 459–472, Berlin, Heidelberg, (2008). Springer-Verlag

  18. Lidman, J., Quinlan, D.J., Liao, C., McKee, S.A.: Rose: Fttransform-a source-to-source translation framework for exascale fault-tolerance research. In: DSN workshop, pp. 1–6, (2012)

  19. Lime, D., Roux, O.H., Seidner, C., Traonouez, L.: Romeo: A parametric model-checker for Petri nets with stopwatches. In: Tools and Algorithms for the Construction and Analysis of Systems, 15th International Conference, TACAS 2009, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2009, York, UK, March 22-29, 2009. Proceedings, pp. 54–57, (2009)

  20. Manna, Z.: Mathematical Theory of Computation. McGraw-Hill Kogakusha, Tokyo (1974)

    MATH  Google Scholar 

  21. Milner, R.: Communication and Concurrency. Prentice-Hall, Inc., (1989)

  22. Necula, G.C.: Translation validation for an optimizing compiler. In: PLDI, pp. 83–94, (2000)

  23. Paulin, P.G., Knight, J.P.: Force-directed scheduling for the behavioural synthesis of asics. IEEE Trans. CAD of ICS 8(6), 661–679 (1989)

    Article  Google Scholar 

  24. Pnueli, A., Siegel, M., Singerman, E.: Translation validation. In: TACAS, pp. 151–166, (1998)

  25. Raghavan, V.: Principles of Compiler Design. Tata McGraw Hill Education Private Limited, New Delhi (2010)

    Google Scholar 

  26. Rinard, M., Diniz, P.: Credible compilation. Technical Report MIT-LCS-TR-776, MIT, (1999)

  27. Sevcik, J., Vafeiadis, V., Zappa Nardelli, F., Jagannathan, S., Sewell, P.: CompCertTSO: a verified compiler for relaxed-memory concurrency. J. ACM (JACM) 60(3), 22–50 (2013)

    Article  MathSciNet  Google Scholar 

  28. Singh, K.: Construction of Petri net based models for C programs, M.Tech. Dissertation, Dept. of Computer Sc. & Engg., I.I.T., Kharagpur, INDIA. https://cse.iitkgp.ac.in/~chitta/pubs/rep/thesisKulwant.pdf, https://github.com/soumyadipcsis/Equivalence-checker/blob/master/thesisKulwant.pdf, May (2016)

  29. Smith, M.D., Horowitz, M., Lam, M.S.: Efficient superscalar performance through boosting. In: ASPLOS-V: Proceedings of the fifth international conference on Architectural support for programming languages and operating systems, pp. 248–259, New York, NY, USA, (1992). ACM Press

  30. Suzuki, I., Murata, T.: A method for stepwise refinement and abstraction of Petri nets. J. Comput. Syst. Sci. 27(1), 51–76 (1983)

    Article  MathSciNet  Google Scholar 

  31. Zhang, J., Cheng, B.H.C.: Model-based development of dynamically adaptive software. In: Proceedings of the 28th International Conference on Software Engineering, ICSE ’06, pp. 371–380, New York, NY, USA, (2006). ACM

Download references

Acknowledgements

The authors are grateful for the valuable feedback given by the reviewer which has improved the readability of the paper immensely. We would also like to thank Mr. Rakshit Mittal for useful discussion.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Soumyadip Bandyopadhyay.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Appendices

Paths of a CPN model

Definition 4

(Static cut-point (SCP) [5]) A place p of a model is designated as a static cut-point with respect to an arbitrary DFS traversal of the model graph starting from some in-port and covering all the in-ports if (i) p is an in-port, or (ii) p is an out-port or (iii) there is an edge \(\langle t, p\rangle \) which is a back edge with respect to that DFS traversal.

Definition 5

(Paths in a CPN model) A finite path \(\alpha \) in a CPN model from a set \(T_1\) of transitions to a transition \(t_j\) is a finite sequence of distinct sets of parallelizable transitions of the form \(\langle T_1 = \{t_1, t_2, \ldots , t_k\}, T_2 = \{t_{k+1}, t_{k+2}, \ldots , t_{k+l}\}, \ldots , T_{n} = \{t_j\} \rangle \) satisfying the following properties:

  1. 1.

    \(^{\circ }T_{1}\) contains at least one cut-point or one co-place of a cut-point.

  2. 2.

    \(T_{n}^{\circ }\) contains at least one cut-point.

  3. 3.

    There is no cut-point in \(T_{m}^{\circ }\), \(1 \le m < n\).

  4. 4.

    \(\forall i, 1 < i \le n, \forall p \in \) \(^{\circ }T_{i}\), if p is neither a cut-point nor a co-place of a cut-point, then \(\exists k, 1 \le k \le i-1, p \in T_{i-k}^{\circ }\); thus, any pre-place of a transition set in the path which is neither a cut-point nor a co-place of a cut-point must be a post-place of some preceding transition set in the path.

  5. 5.

    There do not exist two transitions \(t_{i}\) and \(t_{l}\) in \(\alpha \) such that \(^{\circ }t_{i} \cap {}^{\circ }t_{l} \ne \emptyset \). Thus, no two transitions in a path can have a common pre-place.

  6. 6.

    \(\forall i, 1 \le i \le n\), \(T_i\) is maximally parallelizable within the path, i.e. \(\forall l \ne i, \forall t \in T_l\) in the path, \(T_{i} \cup \{t\}\) is not parallelizable.

The fact that every set \(T_i\) succeeds all the transitions \(T_1\) through \(T_{i-1}\) follows from clauses 4 and 6 of the above definition; otherwise, if there exists some set \(T_{i-m}\), \(m \ge 1\), such that \(T_i\) does not succeed \(T_{i-m}\), then \(T_{i}\) can be parallelized with \(T_{i-m}\) but clause 6 indicates that both \(T_{i-m}\) and \(T_i\) are maximally parallelizable within the path. The set \(^{\circ }T_1\) of places is called the pre-places of the path \(\alpha \), denoted as \(^{\circ }\alpha \); similarly, the post-places \(\alpha ^{\circ }\) of the path \(\alpha \) is \(T_{n}^{\circ }\). We can synonymously denote a path \(\alpha = \langle T_1, T_2, \ldots , T_n \rangle \) as the sequence \(\langle {}^{\circ }T_{1}, {}^{\circ }T_{2}, \ldots , {}^{\circ }T_{n}, T_{n}^{\circ } \rangle \) of the sets of places from the place(s) \(^{\circ }T_{1}\) to the place(s) \(T_{n}^{\circ }\).

A path is obtained by constructing an inverted cone having as its vertex a cut-point which is either an out-port or a place with a back edge. The construction proceeds by traversing backward from the vertex encompassing sets of parallel transitions in a reverse sequence till the most recently included set have pre-places which are all cut-points; it is also ensured that no cut-points or co-places of a cut-point are included. The detailed algorithm and its correctness and complexity issues are available in [3].

Similar to the succeeds relation \(\succ \) over the set of transitions, we can define succeeds relation (denoted again as \(\succ \)) over the set of paths and also we can define parallelizable pairs of paths and set of parallelizable paths.

Definition 6

(Concatenation of paths [4]) A path \(\alpha '\) can be concatenated with a set \(Q_p = \{\alpha _1, \ldots , \alpha _k\}\) of parallelizable paths if \(\forall i, 1 \le i \le k, \alpha _i^{\circ } \subseteq {}^{\circ }\alpha '\). Such a concatenation of paths \(\alpha \), say, is denoted as \((\alpha _1 \Vert \ldots \Vert \alpha _k).\alpha '\).

Model computations as concatenations of Paths

Proofs of Theorems 1 and 2 of Sect. 3.4 (reproduced here for ready reference as Theorems 1 and 2, respectively) are as follows.

Theorem 4

Let \(\alpha _1 = \langle T_{1,1}, T_{2,1}, \ldots , T_{m,1}\rangle \) and \(\alpha _2 = \langle T_{1,2}, T_{2,2}, \ldots , T_{n,2}\rangle \) be two paths such that their last sets of transitions \(T_{m,1}\) and \(T_{n,2}\) are parallelizable. Then, \(\alpha _1\) and \(\alpha _2\) are parallelizable.

Proof

Let it not be so. From Definition of parallelizable pairs of paths [4], we have the following cases:

  • \({\hbox {Case 1}:}\) \(\alpha _1 \succ \alpha _2\). From Definition of successor relation between two paths [4], there exist at least one set of paths \(\alpha _{k_1}, \alpha _{k_2}, \ldots ,\) \(\alpha _{k_n}\) and a set of places \(p_1 \in {}^{\circ }\alpha _1\) and \(p_{k_m} \in {}^{\circ }\alpha _{k_m}, 1 \le m \le n\), such that \(\langle \) last(\(\alpha _2),p_{k_1}\rangle \), \(\langle \) last(\(\alpha _{k_1}), p_{k_2}\rangle , \ldots ,\) \(\langle \) last(\(\alpha _{k_n}), p_{1}\rangle \in O \subseteq T \times P\), \(n \ge 0\), and none of them is a back edge. Therefore, using the fact that last(\(\alpha \)) \(\succ \) first(\(\alpha \)), for any path \(\alpha \), and reading the above sequence of edges backward, we have last(\(\alpha _1\))=\(T_{m,1} \succ \) first(\(\alpha _1\)) \(\succ \) last(\(\alpha _{k_n}\)) \(\succ \) first(\(\alpha _{k_n}\)) \(\succ \) last(\(\alpha _{k_{n-1}}\)) \(\succ \ldots \succ \) first(\(\alpha _{k_{2}}\)) \(\succ \) last(\(\alpha _{k_{1}}\)) \(\succ \) first(\(\alpha _{k_1}\)) \(\succ \) last(\(\alpha _2\)) \(=T_{n,2}\). Hence, \(T_{m,1} \succ T_{n,2} \Rightarrow T_{n,2} \not \asymp T_{m,1}\) (Contradiction).

  • \({\hbox {Case 2}:}\) \(\alpha _2 \succ \alpha _1\). Following the same argument, as for Case 1, by symmetry with \(\alpha _1\) and \(\alpha _2\) interchanged, we again obtain the refutation of the hypothesis \(T_{m,1} \asymp T_{n,2}\).

  • \({\hbox {Case 3:}}\) \(\exists \alpha _k, \alpha _l, (\alpha _k \ne \alpha _l \wedge \alpha _1 \succeq \alpha _k \wedge \alpha _2 \succeq \alpha _l \wedge {}^{\circ }\alpha _k \cap \) \(^{\circ }\alpha _l \ne \emptyset )\). \(^{\circ }\alpha _k \cap \) \(^{\circ }\alpha _l \ne \emptyset \Rightarrow \exists t_{i,k} \in \alpha _k, \exists t_{j,l} \in \alpha _l\) such that \(^{\circ }t_{i,k} \cap {}^{\circ }t_{j,l} \ne \emptyset \). Let the last transitions of the paths \(\alpha _k\) and \(\alpha _l\) be \(t_{r,k}\) and \(t_{s,l}\), respectively. Since \(\alpha _1 \succeq \alpha _k\), \(T_{m,1} \succeq t_{r,k} \succeq t_{i,k}\); (recall that \(T_{m,1} =\{t_{m,1}\}\)). Similarly, since \(\alpha _2 \succeq \alpha _l\), \(T_{n,2} \succeq t_{s,l} \succeq t_{j,l}\). Thus, \(T_{m,1} \succeq t_{i,k}\), \(T_{n,2} \succeq t_{j,l}\) and \(^{\circ }t_{i,k} \cap ^{\circ }t_{j,l} \ne \emptyset \). Therefore, \(T_{m,1}\) is not parallelizable with \(T_{n,2}\) (from Definition 4 of [4]).

\(\square \)

Theorem 5

Let \(\varPi \) be the set of all paths of a CPN model obtained from a set of static cut-points. For any computation \(\mu _p\) of an out-port p of the model, there exists a reorganized sequence \(\mu _{p}^{r}\) of paths of \(\varPi \) such that \(\mu _p \simeq _c \mu _{p}^{r}\).

Proof

Construction of a sequence \(\mu _{p}^{r}\) of (concatenation of) paths from \(\mu _{p}\):

Algorithm 1 (constructPathSequence) describes a recursive function for constructing from a given computation \(\mu _{p}\) and a set \(\varPi \) of paths the desired reorganized sequence \(\mu _{p}^{r}\) of paths of \(\varPi \) such that \(\mu _{p}^{r} \simeq _c \mu _{p}\). If \(\mu _{p}\) is not empty, then a path \(\alpha \) is selected from \(\varPi \) such that last(\(\alpha ) \cap \) last\((\mu _{p}) \ne \emptyset \); if all its transitions are found to occur in \(\mu _p\), then it is put as the last member in the reorganized sequence; the member transitions of \(\alpha \) are deleted from \(\mu _p\) examining the latter backward; the transitions in the last member of \(\alpha \) are always deleted from \(\mu _p\); each of the other transitions of \(\alpha \) is deleted from \(\mu _p\) only if it does not occur in any other path in \(\varPi \). If |last(\(\mu _p\))\(| >1\), then each member transition of last\((\mu _p)\) will result in one path which has to be processed separately through above steps. Once all these paths are processed, the last(\(\mu _p)\) will get deleted from \(\mu _p\). The resulting \(\mu _{p}\) is then reordered recursively; the process terminates when the input \(\mu _p\) becomes empty.

Proof

(\(\mu _{p}^{r} \simeq _c \mu _{p}\)): We first prove that Algorithm 1 terminates; this is accomplished in two steps; first, it is shown that each invocation comprising four loops terminate; we next show that there are only finitely many recursive invocations.

Termination of the while loop comprising lines 16-18 is obvious; either i becomes less than one or a member \(\mu _{p}.T_{i}\) is found to contain last(\(\alpha ^{'}\)) (for some \(i>1\)). The for loop comprising lines 22-26 iterates only finitely many times because the number of transitions in any member set of a path (and hence \(\mu _{p}^{'}.T_{i}\)) is finite; the while loop comprising lines 15-29 terminates, because in every iteration, it is examined whether the computation \(\mu _{p}^{'}\) contains the last member of \(\alpha ^{'}\); if so, \(\alpha ^{'}\) loses this member in line 27 and the next iteration of the loop executes with \(\alpha ^{'}\) having one member less. Finally, the for loop comprising lines 10-35 terminates because the set last(\(\mu _p)\) of transitions (before entering the loop), and hence the set \(\varPi _{last(\mu _p)}\) of paths are finite.

The second step follows from the fact that in each recursive invocation, \(\mu _p\) has one member (namely, its last member) less than the previous invocation (line 40 in the if statement comprising lines 37-41). Hence, if \(\mu _p\) has n members, then there are n total invocations (\(n-1\) of them being recursive).

Now, for proving \(\mu _{p}^{r} \simeq _c \mu _{p}\), let the first parameter \(\mu _p\) for the \(k^{th}\) invocation be designated as \(\mu _{p}^{(k)}\), \(1 \le k \le n\); the second parameter \(\varPi \) remains the same for all invocations; let the value returned by the \(k^{th}\) invocation be \(\mu _{p}^{r(k)}\); specifically, \(\mu _{p} = \mu _{p}^{(1)}\); \(\mu _{p}^{(n-1)}\) comprises just one member and \(\mu _{p}^{(n)} = \langle \rangle \); \(\mu _{p}^{r(n)} = \langle \rangle \) and \(\mu _{p}^{r(1)}\) is the final reordered sequence of paths \(\mu _{p}^{r}\).

We prove \(\mu _{p}^{(n-m)} \simeq _c \mu _{p}^{r(n-m)}, 0 \le m \le n-1\), by induction on m. Note that specifically for \(m=n-1\), \(\mu _{p}^{(n-m)}=\mu _{p}^{(1)} = \mu _{p}\) and \(\mu _{p}^{r(n-m)}=\mu _{p}^{r(1)} = \mu _{p}^{r}\) (by line 41 of the first invocation). Hence, the inductive proof would help us establish that \(\mu _{p}^{r} \simeq _c \mu _{p}\).

Basis \(m=0\): \(\mu _{p}^{(n)} = \langle \rangle = \mu _{p}^{r(n)}\) (by line 2 of the \(n^{th}\) invocation)

Induction Hypothesis: Let for \(m= k-1\), \(\mu _{p}^{(n-k+1)} \simeq _c \mu _{p}^{r(n-k+1)}\)

Induction step: Let m be k. Let us assume that

\(\mu _{p}^{(n-k)} \simeq _c \mu _{p}^{(n-k+1)}.\mu _{l}^{r(n-k)}\) (Lemma 1—proved subsequently)

\(\simeq _c \mu _{p}^{r(n-k+1)}.\mu _{l}^{r(n-k)}\) ( by induction hypothesis)

\(\simeq _c \mu _{p}^{r(n-k)}\) (by line 40 (return statement) for the \((n-k)^{th}\) invocation) \(\square \)

Lemma 1

\(\mu _{p}^{(n-k)} \simeq _c \mu _{p}^{(n-k+1)}.\mu _{l}^{r(n-k)}\)

Proof

We mould the lemma for the \(k^{th}\) invocation directly as

$$\begin{aligned} \mu _{p}^{(k)} \simeq _c \mu _{p}^{(k+1)}.\mu _{l}^{r(k)} \simeq _c \mu _{p}^{(k+1)}.\langle \alpha _{1,k}, \alpha _{2,k}, \ldots , \alpha _{s,k} \rangle , 1 \le k \le n, \end{aligned}$$
(2)

assuming that \(\langle \alpha _{1,k}, \alpha _{2,k}, \ldots , \alpha _{s,k}\rangle \) is what is extracted as \(\mu _{l}^{r(k)}\) from \(\mu _{p}^{(k)}\) in line 40 of the kth iteration. Now, by step 6, the last transition of all the paths in the sequence \(\mu _{l}^{r(k)}\) are parallelizable; hence, from Theorem 4, the paths of \(\mu _{l}^{r(k)}\) are parallelizable. We prove that their transitions can be suitably placed in the member sets of \(\mu _{p}^{(k+1)}\) (as larger sets of parallelizable transitions) to get back \(\mu _{p}^{(k)}\).

In the \(k^{th}\) invocation, \(\mu _{p}^{(k)}\) is the value of \(\mu _{p}\) before entry to the for-loop comprising lines 10-35 and \(\mu _{p}^{(k+1)}\) is the value of \(\mu _p\) at the exit of this loop. Since we are speaking about only the \(k^{th}\) invocation, we drop the superfix k for clarity. Instead, we depict \(\mu _{p}^{(k)}\) as \(\mu _{p}^{-}\), \(\mu _{p}^{(k+1)}\) as \(\mu _{p}^{+}\) and \(\mu _{l}^{r(k)}\) as \(\mu _{l}^{r}\). So we have to prove that \(\mu _{p}^{-} \simeq _c \mu _{p}^{+}.\mu _{l}^{r}\).

Let \(\mu _{l}^{r} = \langle \alpha _1, \alpha _2, \ldots , \alpha _s\rangle \) before line 37 just after the end of the for-loop comprising lines \(10-35\), where s is the cardinality \(|\varPi _{last}(\mu _p)|\) before entry to the loop (because any path has only one unit set of transitions as its last member). Thus, the for-loop comprising lines \(10-35\) executes s times visiting step 33; let \(\mu _{p}^{-(i)}\), \(\mu _{p}^{+(i)}\), respectively, denote the values of \(\mu _p\) before and after the \(i^{th}\) iteration of the loop. Let \(\mu _{l}^{r(i)}\) be the value of \(\mu _{l}^{r}\) after the \(i^{th}\) execution of the loop. We have the following boundary conditions: \(\mu _{p}^{-} = \mu _{p}^{-(1)}, \mu _{p}^{+} = \mu _{p}^{+(s)}, \mu _{l}^{r(1)} = \langle \alpha _1 \rangle \) and \(\mu _{l}^{r} = \mu _{l}^{r(s)} = \langle \alpha _1, \alpha _2, \ldots , \alpha _s \rangle \). The \(i^{th}\) iteration of the for-loop comprising lines \(10-35\) starts with \(\mu _{l}^{r(i-1)}\) and obtains \(\mu _{l}^{r(i)}\), \(1 \le i \le l\), so let \(\mu _{l}^{r(0)} = \langle \rangle \) be the value of \(\mu _{l}^{r}\) with which the first execution of the loop takes place. We prove that \(\mu _{p}^{-(i)} \simeq _c \mu _{p}^{+(i)}.\alpha _i, 1 \le i \le s\). If this relation indeed holds, then specifically for \(i=1\), \(\mu _{p}^{-(1)} \simeq _c \mu _{p}^{+(1)}.\alpha _1\); for \(i=2\), \(\mu _{p}^{-(2)} (= \mu _{p}^{+(1)}) \simeq _c \mu _{p}^{+(2)}.\alpha _2\). Combining these two, therefore, \(\mu _{p}^{-} = \mu _{p}^{-(1)} \simeq _c \mu _{p}^{+(1)}.\alpha _1 \simeq _c (\mu _{p}^{+(2)}.\alpha _2).\alpha _1 \simeq _c \mu _{p}^{+(2)}.(\alpha _2.\alpha _1) \simeq _c \mu _{p}^{+(2)}.(\alpha _1.\alpha _2) \simeq _c \mu _{p}^{+(2)}.\mu _{l}^{r(2)}\). Proceeding this way, we have \(\mu _{p}^{-} = \mu _{p}^{-(1)} \simeq _c \ldots \simeq _c \mu _{p}^{+(l)}.\mu _{l}^{r(l)} = \mu _{p}^{+}.\mu _{l}^{r}\). Now, let \(\mu _{p}^{-(i)} = \langle T_{1,i}, T_{2,i}, \ldots , T_{k_i,i}\rangle \), \(\alpha _i = \langle T_{1,i}^{'}, T_{2,i}^{'}, \ldots , T_{l_{i},i}^{'}\rangle \) and \(\mu _{p}^{+(i)} = \langle T_{1,i}^{+}, T_{2,i}^{+}, \ldots ,\) \(T_{n,i}^{+}\rangle \). Note that \(\{\alpha _i \mid 1 \le i \le s\} \subseteq \varPi _{last(\mu _p)}\) and unless all the paths are extracted out, \(T_{k_i,i}\) does not become empty and hence \(\mu _{p}^{-(i)}, 1 \le i \le s\), do not change in length. For each transition set \(T_{j,i}'\) of \(\alpha _i\), \(1 \le j \le n\), there exists some transition set \(T_{k,i}\) of \(\mu _{p}^{-(i)}\), \(1 \le k \le k_i\), such that \(T_{j,i}^{'} \subseteq T_{k,i}\). Specifically, for \(j=l_i\), \(T_{l_{i},i}^{'} \subseteq T_{k_{i},i}\), since \(\alpha _i \in \varPi _{last(\mu _{p}^{-})}\) as ensured in step 6. For other values of \(j, 1 \le j < l_i\), the while-loop in steps 16-18, identifies proper \(T_{k,i}\) in \(\mu _{p}^{-(i)}\) such that \(T_{j,i}^{'} \subseteq T_{k,i}\); note that since \(\alpha _i\) has figured in \(\mu _{l}^{r}\), step 32 is surely executed for \(\alpha _i\), so \(\alpha '\) has been rendered empty (\(\langle \rangle \)) through execution of step 27 and hence the while-loop in steps 16-18 does not exit with \(i=0\). Now, step 13 and the for-loop in steps 22-26 ensure that \(T_{k,i}^{+} \cup T_{j,i} = T_{k,i}\).

figure a

Let \(T_{j,i}^{'} \subseteq T_{n_{j},i}, 1 \le j \le l_i\). So, \(T_{k,i} = T_{k,i}^{+}\), for \(k \ne n_j\), for any j, \(1 \le j \le l_i\).

$$\begin{aligned} \mu _{p}^{+}(i).\alpha _i= & {} \langle T_{1,i}^{+}, T_{2,i}^{+}, \ldots , T_{n,i}^{+}\rangle . \langle T_{1,i}', T_{2,i}', \ldots , T_{l_{i},i}'\rangle \\= & {} \langle T_{1,i}, \ldots , (T_{n_{1},i}^{+} \parallel T_{1,i}'), \ldots (T_{n_{2},i}^{+} \parallel T_{2,i}'), \ldots , (T_{n_{l_{i}-1},i}^{+} \parallel T_{l_{i},i}'), \ldots , \\&(T_{n_{i},i}^{+} \parallel T_{l_{i},i}')\rangle (\hbox {by commutativity of independent transitions})\\= & {} \langle T_{1,i}, \ldots , T_{n_{1},i}, \ldots , T_{n_{2},i}, \ldots , T_{n_{l_{i}-1},i}, \ldots T_{n,i}\rangle \\= & {} \mu _{p}^{-(i)}. \end{aligned}$$

\(\square \)

Corollary 1

If \(\mu _{p}^{r}\) is of the form \(\langle \alpha _1, \alpha _2, \ldots , \alpha _k\rangle \), then for all \(j, 1 \le j \le i-1, \alpha _{j}\nsucc \alpha _i\).

Validity of Path-based equivalence checking

Before describing our path-based equivalence checking method, we first prove the validity of any path-based equivalence checking method. Proof of Theorems 3 of Subsect. 3.5 (reproduced here for ready reference as Theorem 6) is as follows.

Theorem 6

For any two models \(N_0\) and \(N_1\), if there exists a finite path cover \(\varPi _0 = \{\alpha _1, \alpha _2, \ldots , \alpha _m \}\) of \(N_0\) for which there exists a set \(\varPsi _1 = \{\varGamma _1, \varGamma _2, \ldots , \varGamma _m\}\) of sets of paths of \(N_1\) such that for all \(i, 1 \le i \le m\), \(\alpha _i \simeq _{\varPi } \beta \), for all \(\beta \in \varGamma _i\), then \(N_0\) is contained in \(N_1\) (\(N_0 \sqsubseteq N_1\)).

Proof

Let \(\varPi _0\) be the set of SCP-induced paths of \(N_0\). From Theorem 5, \(\varPi _0\) is a path cover of \(N_0\). Consider any computation \(\mu _{0,p}\) of an out-port p of \(N_0\). From Theorem 5, corresponding to \(\mu _{0,p}\), there exists a reorganized sequence \(\mu _{0,p}^{r} = \langle \alpha _1^p, \alpha _2^p, \ldots , \alpha _n^p \rangle \), say, of not necessarily distinct paths of \(N_0\) such that (i) \(\alpha _j^p \in \varPi _0\), \(1 \le j \le n\), (ii) for each occurrence of a transition t in \(\mu _{0,p}\), there exists exactly one path in \(\mu _{0,p}^{r}\) containing that occurrence, (iii) \(p \in (\alpha _n^p)^\circ \) and (iv) \(\mu _{0,p} \simeq _c \mu _{0,p}^{r}\).

Let us now construct from the sequence \(\mu _{0,p}^{r}\), a sequence \(\mu _{1,p'}^{r} = \langle \varGamma _1^{p'}, \varGamma _2^{p'}, \ldots , \varGamma _n^{p'} \rangle \) of not necessarily distinct sets of paths of \(N_1\), where \(\varGamma _n^{p'} = \{\beta _l\}\) and \(p' \in \beta _l^\circ \), and for all \(j, 1 \le j \le n\), for each \(\beta \in \varGamma _j^{p'}\), \(\beta \simeq _{\varPi } \alpha _j^p\). It is required to prove that (1) \(p' =f_{out}(p)\) and (2) there exists a computation \(\mu _{1,p'}\) of \(N_1\) such that \(\mu _{1,p'} \simeq _c \mu _{1,p'}^{r}\).

The proof of (1) is as follows. Since \(p' \in \beta _l^\circ \) and \(\beta _l \simeq _{\varPi } \alpha _n\), from hypothesis (iii) of the theorem, \(p'\) has correspondence with p; since the place \(p \in P_0\) is an out-port and the place \(p' \in P_1\), \(p'\) must be an out-port of \(N_1\) and \(p' = f_{out}(p)\) (because an out-port of \(N_0\) has correspondence with exactly one out-port of \(N_1\) specifically, its image under the bijection \(f_{out}\)).

For the proof of (2), we first give a mechanical construction of \(\mu _{1,p'}\) from \(\mu _{1,p'}^{r}\); we then show that they are equivalent; finally, we argue that \(\mu _{1,p'}\) is a computation of \(p'\) in \(N_1\).

Construction of \(\mu _{1,p'}\) from \(\mu _{1,p'}^{r}\):

figure b

Algorithm 2 describes the construction method of \(\mu _{1,p'}\) from \(\mu _{1,p'}^{r}\) (and hence will be invoked with its input \(\mu _{p}^{r}\) instantiated with \(\mu _{1,p'}^{r}\)). The parallelized version of the input \(\mu _{p}^{r}\) is computed in \(\mu _{||}\) which is to be assigned to \(\mu _{1,p'}\) on return. In the initialization step (step 1), a working set \(\varGamma \) of paths is initialized to the first member of \(\mu _p^r\) and the latter is removed from \(\mu _p^r\). In step 2, some path \(\beta \) is taken from \(\varGamma \) and put into \(\mu _{||}\). In the outermost while-loop (steps 3-26), member sets of \(\varGamma \) are taken one by one (in steps 4-6) from \(\mu _p^r\); for each chosen set, its member paths are taken in the loop comprising steps 7-25; for each chosen path \(\beta \), its member sets (of maximally parallelizable transitions) are examined one after another and checked against the members of \(\mu _{||}\) from the beginning for fusion with them to construct larger sets of parallelizable transitions (steps \(9-24\)). For each chosen set \(T_p\) of transitions of \(\beta \), one of the following two situations may arise:

  • \({\hbox {Case 1:}}\) The member \(T_p\) of the chosen path \(\beta \) of \(\mu _{p}^{r}\) is found to succeed all the members in \(\mu _{||}\), i.e. \(T_p\) is not parallelizable with any member of \(\mu _{||}\). In this case, all the remaining members (including \(T_p\)) of \(\beta \) is concatenated at the end of \(\mu _{||}\) [Steps 18-20] .

  • \({\hbox {Case 2:}}\) The member \(T_p\) of \(\beta \) is found not to succeed the \(c^{th}\) member \(\mu _{||,c}\) of \(\mu _{||}\), i.e. \(T_p\) is parallelizable with \(\mu _{||,c}\), as argued later. In this case, \(T_p\) is combined (through union) with \(\mu _{||,c}\); the successor transition sets of \(\beta \) need to be compared with only the subsequent members of \(\mu _{||}\), i.e. with \(\mu _{||,c+1}\) onwards [Step 22] .

Termination: The algorithm terminates because all the three while loops and the for-loop terminate as given below:

The outer loop (steps 3-26) terminates because \(\mu _{p}^{r}\) is finite to start with; (step 1 outside the loop reduces its length by one;) step 5 inside the loop reduces its length by one on every iteration of the loop. The for-loop (steps 7-25) terminates because the set \(\varGamma \) contains a finite number of paths and loses the chosen path in each iteration as per the semantics of the for-construct. The loop comprising steps 9-24 terminates because every path \(\beta \) in \(\mu _{p}^{r}\) contains a finite number of sets of transitions and step 12 reduces the length by one in every iteration of the loop; if, however, any of these iterations do visit steps 19-20, then in step 20, \(\beta \) becomes empty and hence, this will be the last iteration of the while loop comprising steps 9 to 24. The loop comprising steps 13-17 terminates because at any stage, and hence on entry to the loop, \(\mu _{||}\) has only a finite number of sets of transitions and in every iteration c increases by one; so finally, the second condition \(c \le \) length(\(\mu _{||}\)) is bound to become false if the first condition does not become false by then.

Proof of \(\mu _{1,p'} \simeq _c \mu _{1,p'}^{r}\): Let the initial value of \(\mu _{p}^{r}\) (with which the function in Algorithm 2 is invoked), denoted as \(\mu _{p}^{r}(-1)\), be of the form \(\mu _{p}^{r}(-1) = \langle \varGamma _1, \varGamma _2, \ldots , \varGamma _n \rangle \), where, for all \(i, 1 \le i \le n, \varGamma _i = \{\beta _{1,i}, \beta _{2,i}, \ldots , \beta _{t_i,i}\}\). So the outermost while-loop (steps 3-26) executes n times; for the \(i-th\) execution of this loop, the inner for-loop executes \(t_i\) times; together, there are \(t_1 \times t_2 \times \ldots \times t_n = t\), say, iterations in each of which a path \(\beta _{j,i}\) is accounted for. The algorithm treats these paths identically without making any distinction among paths from the same set or different sets. Hence we can treat the members of \(\mu _p^r\) as a flat sequence of paths of the form \( \langle \beta _1, \beta _2, \ldots \beta _t \rangle \). Let \(\mu _{p}^{r}(i)\) and \(\mu _{||}(i)\), respectively, indicate the values of \(\mu _{p}^{r}\) and \(\mu _{||}\) at step 8 after the \(i-th\) path \(\beta _i\) in the above sequence has been treated. So, the first time step 8 is executed, the value of \(\mu _{||}\) is \(\mu _{||}(0)\) = the first member \(\beta _1\) of \(\mu _{p}^{r}(-1)\) and \(\mu _{p}^{r}(0)\) contains all the remaining members \(\beta _2, \ldots , \beta _t\) of \(\mu _{p}^{r}(-1)\). The final value returned by the algorithm (step 27) is \(\mu _{||}(t)\) and \(\mu _p^r (t) = \emptyset \) (by negation of the condition of the outermost while loop (steps 3-26)). We have to prove that \(\mu _{1,p'} =\mu _{||}(t) \simeq _c \mu _{p}^{r}(-1) = \mu _{1,p'}^{r} \simeq _c \mu _{0,p}^{r} \simeq _c \mu _{0,p}\). We prove the invariant

$$\begin{aligned} \mu _{||}(i).\mu _{p}^{r}(i) \simeq _c \mu _{p}^{r}(-1), \forall i, 0 \le i \le t \ldots \ldots Inv (1) \end{aligned}$$
(3)

by induction on i, where the operator \('.'\) stands for concatenation of two sequences. Note that in this invariant, for \(i=t\),

\(\mu _{||}(t).\mu _{p}^{r}(t) \simeq _c \mu _{p}^{r}(-1) \Rightarrow \mu _{1,p'}. \emptyset \simeq _c \mu _{p}^{r} \Rightarrow \mu _{1,p'} \simeq _c \mu _{1,p'}^{r},\) which would accomplish the proof as \(\mu _{1,p'}^r \simeq _c \mu _{0,p}^r\) holds because the former has been obtained by equivalence substitution of each member in the latter and \(\mu _{0,p}^r \simeq _c \mu _{0,p}\) by Theorem 5.

Basis (\(i=0\)): \(\mu _{||}(0).\mu _{p}^{r}(0) = \langle \beta _1 \rangle .\langle \beta _2, \ldots , \beta _t \rangle \) = \(\langle \beta _1,\beta _2, \ldots , \beta _t \rangle \simeq _c \mu _{p}^{r}(-1)\).

Induction Hypothesis: Let \(\mu _{||}(i).\mu _{p}^{r}(i) \simeq _c \mu _{p}^{r}(-1)\), for \(i=m-1\).

Induction step (\(i=m)\): R.T.P \(\mu _{||}(m).\mu _{p}^{r}(m) \simeq _c \mu _{p}^{r}(-1)\). Let the \(m^{th}\) path chosen be \(\beta _m =\langle T_{1,m},T_{2,m}, \ldots , T_{l_{m},m}\rangle \). Let \(\mu _{\Vert }(m-1) = \langle T_1, T_2,\ldots ,T_k\rangle \). For \(T_{1,m} (=T_p)\), comparison starts with the first member \(T_1 =T_c\) of \(\mu _{||}(m-1)\).

Now we need to consider the inner while loop comprising steps 9-24, where the members of \(\beta _m\), i.e. \(T_{j,m}\), \(1 \le j \le l_m\), are taken one by one and compared with the members of \(\mu _{||}(m-1)\). Note that the inner loop need not always execute \(l_m\) times. Let it execute \(n_m \le l_m\) times. Let \(\mu _{p}^{r}(m-1)(j)\), \(1 \le j \le n_m\), represent the value of \(\mu _{p}^{r}(m-1)\) after the \(j^{th}\) iteration of this loop for the path \(\beta _m\). Thus, \(\mu _{p}^{r}(i-1)(0)\) is the value of \(\mu _{p}^{r}(i-1)\) at step 8 when no members of \(\beta _i\) have yet been considered. Hence, \(\mu _{p}^{r}(m-1)(0) = \mu _{p}^{r}(m-1)\). Also, \(\mu _{p}^{r}(i-1)(n_i) = \mu _{p}^{r}(i)\). Let \(\beta _{m}(j)\) be the value of \(\beta _m\) and \(\mu _{||}(m-1)(j)\) be the value of \(\mu _{||}(m-1)\) after the \(j^{th}\) execution of the inner while loop (steps 9-24) for the path \(\beta _m\). We prove the invariant

$$\begin{aligned} \mu _{||}(m-1).\beta _m \simeq _c \mu _{||}(m-1)(j).\beta _{m}(j), \forall j, 0 \le j \le n_m \ldots \ldots Inv (2) \end{aligned}$$
(4)

Let us first examine how the Inv (2) helps us accomplish the proof of the induction step of Inv (1). Putting \(j= n_m\) in Inv (2),

$$\begin{aligned}&\mu _{||}(m-1).\beta _m \simeq _c \mu _{||}(m-1)(n_m).\beta _m(n_m) = \mu _{||}(m).\emptyset \\&\quad (\hbox {since }, \mu _{||}(m-1)(n_m)= \mu _{||}(m) \hbox { and}\\&\beta _{m}(n_m)= \emptyset \hbox { from the termination} \\&\quad \hbox {condition of the loop comprising steps } 9-24). \end{aligned}$$

Also, \(\beta _m.\mu _{p}^{r}(m)= \mu _{p}^{r}(m-1)\) [when \(\beta _m\) is chosen at step 7]. So for the inductive step proof goal,

$$\begin{aligned}&\mu _{||}(m).\mu _{p}^{r}(m)= (\mu _{||}(m-1).\beta _m).\mu _{p}^{r}(m)\\&\quad =\mu _{||}(m-1).(\beta _m.\mu _{p}^{r}(m)) [\hbox {by associativity of concatenation operation} '.']\\&\quad =\mu _{||}(m-1).\mu _{p}^{r}(m-1) \simeq _c \mu _{p}^{r}(-1) [\hbox {by induction hypothesis}] \end{aligned}$$

We now carry out the inductive proof of Inv (2) by induction on j.

Basis \((j=0)\): The basis case holds because \(\mu _{||}(i-1)(0) = \mu _{||}(i-1)\) and \(\beta _{i}(0)=\beta _{i}\).

Induction Hypothesis: Let the invariant Inv (2) is true for \(j= k-1\), i.e.

$$\begin{aligned} \mu _{||}(m-1).\beta _m \simeq _c \mu _{||}(m-1)(k-1).\beta _{m}(k-1). \end{aligned}$$

Induction step \((j=k)\) : R.T.P \(\mu _{||}(m-1).\beta _m \simeq _c \mu _{||}(m-1)(k).\beta _{m}(k)\). Let \(\beta _{m}(k-1) = \langle T_{k,m}, T_{k+1, m},\ldots , T_{l_{m},m}\rangle \). Without loss of generality, let the iterations \(1, \ldots , k-1\) of the loop of steps 9-24 did not visit step 20; otherwise, the loop will not be executed \(k^{th}\) time. In the \(k^{th}\) iteration of the loop, \(T_{k,m}\) is compared with some \(T_c \in \) \(\mu _{||}(m-1)(k-1)\). We have the following two cases:

  • \({\hbox {Case 1:}}\) \(T_{k,m}\) is found to succeed all the members of \(\mu _{||}(m-1)(k-1)\) from \(T_c\) onwards—Hence, \(T_{k,m}\) is parallelizable with no members of \(\mu _{||}(m-1)(k)\). In this case, step 20 is executed resulting in concatenation of all the transition sets of \(\beta _{m}(k-1)\) with \(\mu _{||}(m-1)(k-1)\) and \(\beta _{m}(k)\) becomes empty. So, \(\mu _{||}(m-1)(k) = \mu _{||}(m-1)(k-1).\beta _{m}(k-1)\);

    hence,

    $$\begin{aligned}&\mu _{||} (m-1).\beta _{m} \simeq _c \mu _{||}(m-1)(k-1). \beta _{m}(k-1)\\&\qquad [\hbox {by Induction hypothesis}]\\&\quad = \mu _{||}(m-1)(k).\beta _{m}(k) (\hbox {since} \beta _{m}(k) = \emptyset ) \end{aligned}$$
  • \({{\hbox {Case 2:}}}\) \(T_{k,m} \nsucc T_c\)—This implies \(T_{k,m} \asymp T_c\), as argued below. Note that between the two transition sets \(T_{k,m}\) and \(T_c\), there can be three mutually exclusive relations possible, namely, \(T_{k,m} \succ T_c, T_{c} \succ T_{k,m}\) and \(T_{k,m} \asymp T_c\). It is given that \(T_{k,m} \nsucc T_c\); now, let \(T_c \succ T_{k,m}\). The transition set \(T_c\) in \(\mu _{||}(m-1)\) is contributed to by paths which precede the path \(\beta _{m}\) in \(\mu _{p}^{r}\). Hence \(T_c\) does not succeed \(T_{k,m}\). Therefore, \(T_{k,m} \asymp T_{c}\). Let \(\mu _{||}(m-1)=\langle T_1, T_2, \ldots , T_c, T_{c+1}\), \(\ldots , T_k, \ldots T_{k_{m-1}}\rangle \). For all \(s, 1\le s \le k_{m-1}-c\), \(T_c \nsucc T_{c+s}\). By an identical reasoning, \(T_{k,m}\) does not also succeed \(T_{c+s}\) because otherwise \(T_{c+s}\) would have preceded in the path \(\beta _m\). Therefore, \(T_{c+s}.T_{k,m} \simeq _c T_{k,m}.T_{c+s}\). So, the concatenation \(\langle T_{c+1}, \ldots , T_{k_{m-1}}\rangle . \langle T_{k,m},T_{k+1,m},\) \(\ldots ,\) \(T_{l_{m},m}\rangle \) is computationally equivalent to

    $$\begin{aligned} \langle T_{k,m}, T_{c+1}, \ldots , T_{k_{m-1}} \rangle . \langle T_{k+1,m}, \ldots , T_{l_{m},m}\rangle . \end{aligned}$$

    Now,

    $$\begin{aligned}&\mu _{||}(m-1).\beta _m \simeq _c \mu _{||}(m-1)(k-1).\beta _{m}(k-1)\\&\qquad [\hbox {by induction hypothesis}]\\&\quad = \langle T_1, T_2, \ldots T_c, T_{c+1}, \ldots T_{k_{m}-1}\rangle . \langle T_{k,m},T_{k+1,m}, \ldots , T_{l_{m},m}\rangle \\&\quad \simeq _c \langle T_1, T_2, \ldots T_c, T_{k,m}, T_{c+1}, \ldots T_{k_{m}-1}\rangle . \langle T_{k+1,m}, \ldots , T_{l_{m},m}\rangle \\&\quad \simeq _c \langle T_1, T_2, \ldots T_c \cup T_{k,m}, T_{c+1}, \ldots T_{k_{m}-1}\rangle . \beta _{m}(k)\\&\qquad [\hbox {since, by step} 12, \beta _{m}(k) = \langle T_{k+1,m}, \ldots , T_{l_{m},m}\rangle ]\\&\quad = \mu _{||}(m-1)(k).\beta _{m}(k) [\hbox {by step 22}]. \end{aligned}$$

    Note that since \(T_{k,m} \succ T_{c-1}\) in \(\mu _{||}(m-1)(k-1)\), as identified in the loop steps 13-17, \(T_c\) cannot be combined with \(T_{c-1}\) through union.

Proof of \(\mu _{1,p'}\) being a computation: Recall that \(\mu _{1,p'}\) is obtained from the sequence \(\mu _{1,p'}^{r} = \langle \varGamma _1^{p'}, \varGamma _2^{p'}, \ldots , \varGamma _n^{p'} \rangle = \langle \{\beta _{1,1},\beta _{2,1},\ldots ,\beta _{l_1,1}\} \{\beta _{1,2},\beta _{2,2},\ldots ,\beta _{l_2,2}\},\ldots , \{\beta _n\} \rangle \) of sets of paths of \(N_1\), which, in turn, was constructed from the sequence \(\mu _{0,p}^{r} = \langle \alpha _1^p,\alpha _2^p,\ldots ,\alpha _n^p\rangle \) of paths of \(\varPi _{0}\) satisfying the condition: for all \(j, 1 \le j \le n\), for all \(k, 1 \le k \le l_j, \beta _{k,j} \simeq _{\varPi } \alpha _j^p\). From Definition 3 of path equivalence, the above set of equivalences imply the following properties: (i) \(p' = \beta _n^{\circ }\), (ii) each of the places in \(^{\circ }\varGamma _j^{p'}\) has correspondence with some place in \(^{\circ }\alpha _{j}^{p}\) and (iii) all the places in \(\varGamma _j^\circ \) have correspondence with all the places in \((\alpha _{j}^{p})^\circ \).

Let \(\mu _{1,p'}\) be \(\langle T_1, T_2, \ldots , T_l\rangle \), where \(T_1\) is the first member of \(\beta _{1,1}\) (by step 1 and first time execution of steps 7 and 11 of Algorithm 2). By property (ii) above, the places in \(^{\circ }\beta _{1,1} \supseteq {}^{\circ }T_{1}\) have correspondence with those in \(^{\circ }\alpha _1^{p} \subseteq inP_0\). Since only the input places of \(N_1\) have correspondence with the input places of \(N_0\), \(^{\circ }T_1 \subseteq {}^{\circ }\beta _{1,1} \subseteq inP_1\). It has already been proved that \(p' = f_{out}(p) \in outP_1\). Since Algorithm 2 introduces the transition sets of the paths strictly in order from \(\varGamma _{1}^{p'}\) to \(\varGamma _n^{p'}\), \(T_l\) is a unit set containing the last transition of \(\beta _n\) and hence, \(p' \in T_{l}^{\circ }\). Now, consider any \(T_i \in \mu _{1,p'}\), \(1 \le i < l\); \(T_{i+1} \succ T_i\) as ensured by the condition \(T_p \succ T_c\) associated with the while loop of steps 13-17. For any \(i, 1 \le i < l\), let \(T_{i+1}^{\circ } \subseteq P_{M_{i+1}}\) and \(T_{i}^{\circ } \subseteq P_{M_i}\). It is required to prove that \(M_{i+1} = M_{i}^{+}\), where \(P_{M_{i}^{+}} = \{p \mid p \in t^{\circ } \wedge t \in T_m\} \cup \{p \mid p \in P_M \wedge p \notin ^{\circ }T_m\}\), by first clause of successor marking given in Definition 1 of [4]. We have the following two cases:

  • \({\hbox {Case 1}:}\) \(p_1 \in T_{i+1}^{\circ } \subseteq P_{M_{i+1}}\)\(p_1 \in T_{i+1}^{\circ } \Rightarrow \exists t_1 \in T_{i+1}\) such that \(p \in t_{1}^{\circ }\). Now, \(T_{i+1} = T_{M_{i}}\), the set of enabled transitions for the marking \(M_i\). So, \(p_1 \in t_{1}^{\circ }\) and \(t_{1} \in T_{i+1} = T_{M_{i}} \Rightarrow p_1 \in P_{M_{i}^{+}}\) by virtue of its being in the first subset of \(P_{M_{i}^{+}}\).

  • \({\hbox {Case 2}:}\) \(p_1 \notin T_{i+1}^{\circ }\) but \(\in P_{M_{i+1}}\)– So, \(p_1 \notin T_{i+1}^{\circ } = T_{M_i}\). Hence, \(p_1 \in P_{M_{i}}\) because \(p_1 \in T_{i-k}^{\circ }\) for some \(k\ge 1\). So \(p_1 \in P_{M_{i}^{+}}\) by virtue of its being in the second subset of \(P_{M_{i}^{+}}\). Therefore, \(M_{i+1} = M_{i}^{+}\)\(\square \)

Equivalence checking algorithm—its complexity and correctness

The module-wise functional description of the equivalence checking mechanism is captured through Algorithms 3 and 4. The chkEqvSCP function is the central module for the method. The inputs to this function are the CPN models, \(N_0\) and \(N_1\), with their in-port and out-port bijections \(f_{in}\) and \(f_{out}\). The outputs are two sets \(\varPi _0\) of \(N_0\) and \(\varPi _1\) of \(N_1\) comprising the respective paths of \(N_0\) and \(N_1\) which are equivalent, a set E of ordered pairs of equivalent paths of \(N_0\) and \(N_1\), the set \(\eta _t\) of corresponding transition pairs and the sets of paths \(\varPi _{n,0}\) of \(N_0\) and \(\varPi _{n,1}\) of \(N_1\) comprising member paths for which no equivalent is found (in the other CPN model).

The function starts by initializing the set \(\eta _p\) of ordered pairs of corresponding places of \(N_0\) and \(N_1\) to the in-port bijection \(f_{in}\) and out-port bijection \(f_{out}\); the set \(\eta _t\) of ordered pairs of corresponding transitions of \(N_0\) and \(N_1\) and the sets \(E, \varPi _{n,0}\) and \(\varPi _{n,1}\) are initialized to empty. It then constructs the set \(\varPi _{0}\) of paths of \(N_0\) and the set \(\varPi _{1}\) of paths of \(N_1\) by introducing static cut-points at places at which some back edges terminate. For each path \(\alpha \) in \(\varPi _{0}\) (of \(N_0\)), the algorithm calls findEqvSCP function which tries to find an equivalent path from \( \varPi _{1}\) of \(N_1\) starting from the place which have pairwise correspondence with those of \(^{\circ }\alpha \). The function findEqvSCP returns a set \(\varGamma \) of paths. If the set \(\varGamma \) has more than one member \((|\varGamma | > 1)\), then it implies that for a path \(\alpha \) in \(N_0\), there are more than one equivalent path in \(N_1\), all of them originating from the same set of places and having identical conditions of execution (as that of \(\alpha \)); the following entities are updated: For each \(\beta \in \varGamma \), (1) the set \(\eta _t\) of corresponding transitions by adding the pair comprising the last transition of the path \(\alpha \) and that of \(\beta \); (2) the set E of ordered pairs of equivalent paths by adding the ordered pair \(\langle \alpha , \beta \rangle \); (3) The set \(\eta _p\) of corresponding places by adding the pair comprising the post-places of the last transition of the path \(\alpha \) and that of \(\beta \). If \(\varGamma \) is empty, the module updates \(\varPi _{n,0}\) by adding the path \(\alpha \) to it.

When all the paths in the path cover \(\varPi _{0}\) of \(N_0\) have been examined exhaustively, all the paths in \(\varPi _{1}\), which were not identified to be equivalent with any path in \(\varPi _0\), are put in \(\varPi _{n,1}\). The function then checks \(\varPi _{n,0}\) and \(\varPi _{n,1}\); we have the following four cases:

Case 1: \(\varPi _{n,0},\varPi _{n,1} =\emptyset \) \(\Rightarrow \) \(N_0 \equiv N_1\); Case 2: \(\varPi _{n,0}=\emptyset ,\varPi _{n,1} \ne \emptyset \) \(\Rightarrow \) \(N_0 \sqsubseteq N_1\) but may be that \(N_1 \not \sqsubseteq N_0\); Case 3: \(\varPi _{n,0} \ne \emptyset ,\varPi _{n,1} = \emptyset \) \(\Rightarrow \) \(N_1 \sqsubseteq N_0\) but \(N_0 \not \sqsubseteq N_1\); Case 4: \(\varPi _{n,0}, \varPi _{n,1} \ne \emptyset \) \(\Rightarrow \) neither \(N_0 \sqsubseteq N_1\) nor \(N_1 \sqsubseteq N_0\).

figure c
figure d

1.1 Complexity analysis of the equivalence checking algorithm

We discuss the complexity of the equivalence checking algorithm in a bottom-up manner.

Complexity of Algorithm 4 (findEqvSCP): Step 1 is an initializing step which takes in \(O\left( 1\right) \) time. Step 2 takes \(O\left( |\varPi _1|\right) = O\left( |P|^3\right) \) time, which is the complexity of path construction as explained in literature [5]. Step 4 compares the condition of execution and the data transformation for each path. Hence the complexity for each of this comparison is \(O\left( \left| F\right| \right) \), where |F| is the maximum of the lengths of the formulae representing the data transformations and conditions of execution of paths of \(N_0, N_1\). Computation of such formulae is exponential in the number of variables which, in turn, is upper-bound by the number of places, i.e. \(O\left( |F|\right) \) is \(O\left( 2^{|P|}\right) \). Step 5 is a union operation needing just \(O\left( 1\right) \) time with \(\beta \) being blindly put at the end of \(\varGamma \). The loop iterates as many times as \(O\left( \left| \varPi _1\right| \right) = O\left( |P|^3\right) \). Hence, the overall complexity is = \(O\left( \left| P\right| ^3+2^{\left| P\right| }.\left| P\right| ^3\right) = O\left( 2^{|P|}.|P|^3\right) \).

Complexity of Algorithm 3 (chkEqvSCP): In step 1, construction of \(\eta _p\) takes \(O\left( |P|\right) \) time. In the same step, the function constructs all the paths for the two CPN models in \(O\left( \left| P\right| ^3\right) \) time as given in [5]. The complexity of each iteration of the loop of step 2 is as follows. Step 3 uses findEqvSCP function and takes \(O\left( 2^{|P|}.|P|^3\right) \) time as explained above. \(\varPi _1\) is updated by the set minus operation in \(O(|P|^3)\) time. So step 3 takes \(O\left( 2^{|P|}.|P|^3\right) \) time. Checking of the condition \(\varGamma \ne \emptyset \) in step 4 takes \(O\left( 1\right) \) time. The complexity of the inner loop starting at step 5 is as follows. The update operations of \(\eta _t\) and E in step 6 take \(O\left( 1\right) \) time whereas that of \(\eta _p\) takes \(O\left( |P|^2\right) \) time. So the body of the loop (step 6) takes \(O\left( |P|^2\right) \) time; the loop executes \(O(|P|^3)\) time; hence it takes \(O\left( |P|^5\right) \) time. Step 9 takes \(O\left( 1\right) \) time. So, the if-statement comprising 4-10 takes \(O\left( |P|^5\right) \) time. Thus, the body of the outer loop (steps 2-11) takes \(O\left( 2^{|P|}.|P|^3\right) \) (step 3) + \(O\left( |P|^5\right) = O\left( 2{|P|}.|P|^3\right) \) time. The loop executes \(O\left( |P|^3\right) \) time. So the complexity of the loop is \(O\left( \left( 2^{|P|}.|P|^3\right) .|P|^3\right) = O\left( 2^{|P|}.|P|^6\right) \). Step 12 takes \(O\left( |P|^3\right) \) time and step 13 takes O(1) time. So the overall complexity of this module is \(O\left( 2^{|P|}.|P|^6\right) \).

1.2 Correctness of equivalence checking algorithm

Theorem 7

If the function chkEqvSCP (Algorithm 3) reaches step 14 and (a) returns \(\varPi _{n,0} = \emptyset \), then \(N_0 \sqsubseteq N_1\) and (b) if it returns \(\varPi _{n,1}=\emptyset \), then \(N_1 \sqsubseteq N_0\).

Proof

Let the function chkEqvSCP reach step 14 and \(\varPi _{n,0} = \emptyset \). It is required to prove that \(N_0 \sqsubseteq N_1\), i.e. for any computation \(\mu _{0,p}\) of \(N_0\), there exists a computation \(\mu _{0,p'}\) of \(N_1\) such that \(\mu _{0,p} \simeq _c \mu _{1,p'}\) and \(p ' = f_{out}(p)\). The fact that if the function chkEqvSCP reaches step 14 and \(\varPi _{n,1} =\emptyset \), then \(N_1 \sqsubseteq N_0\) can be proved identically.

Consider any computation \(\mu _{0,p}\) of \(N_0\). Step 2 of the function chkEqvSCP calls the function constAllPathsSCP and yields the set \(\varPi _0\) of paths of \(N_0\) from the set of cut-points. From Theorem 5, there exists a reorganized sequence of \(\mu _{0,p}^{r}\) of paths of \(\varPi _0\) such that \(\mu _{0,p}^{r} \simeq _c \mu _{0,p}\). Hence, \(\varPi _0\) is a path cover of \(N_0\). So, from Theorem 6, it is required to prove that for every member \(\alpha \) in \(\varPi _{0}\), there is a path \(\beta \) of \(N_1\) such that (i) \(\alpha \simeq _{\varPi } \beta \), (ii) the pre-places of \(\alpha \) have correspondence with the pre-places of \(\beta \) and (iii) the post-places of \(\alpha \) have correspondence with those of \(\beta \). It may be noted that the algorithm chkEqvSCP finds a path \(\beta \) of \(\varPi _{1}\) by calling the function findEqvSCP such that conditions (i) and (ii) are satisfied (as ensured by steps 2 and the loop comprising steps 3-7). Condition (iii) is satisfied by step 6 in chkEqvSCP. \(\square \)

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Bandyopadhyay, S., Sarkar, D., Mandal, C. et al. Translation validation of coloured Petri net models of programs on integers. Acta Informatica 59, 725–759 (2022). https://doi.org/10.1007/s00236-022-00419-z

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s00236-022-00419-z

Navigation