An Operational Semantics of Graph Transformation Systems Using Symmetric Nets
MM. Marin, A. Cr˘aciun (Eds.):Working Formal Methods Symposium 2019 (FROM 2019)EPTCS 303, 2019, pp. 107–119, doi:10.4204/EPTCS.303.8 c (cid:13)
L. CapraThis work is licensed under theCreative Commons Attribution License.
An Operational Semantics of Graph Transformation SystemsUsing Symmetric Nets
Lorenzo Capra
Dipartimento di InformaticaUniversit`a degli Studi di MilanoMilan, Italy [email protected]
Graph transformation systems (GTS) have been successfully proposed as a general, theoreticallysound model for concurrency. Petri nets (PN), on the other side, are a central and intuitive formalismfor concurrent or distributed systems, well supported by a number of analysis techniques/tools. SomePN classes have been shown to be instances of GTS. In this paper, we change perspective presentingan operational semantics of GTS in terms of Symmetric Nets, a well-known class of Coloured Petrinets featuring a structured syntax that outlines model symmetries. Some practical exploitations of theproposed operational semantics are discussed. In particular, a recently developed structural calculusfor SN is used to validate graph rewriting rules in a symbolic way.
Graph transformation systems (GTS) are widely recognized as a general, well established formal modelfor concurrency. Petri nets (PN) [14], on the other side, are a central model for concurrent or distributedsystems. Their success is due to several reasons, mostly, the fact that they can describe in a natural waythe evolution of systems whose states have a distributed nature (this maps to the notion of PN marking ),and the availability of a number of tools/techniques supporting the editing/analysis of PN models.Petri nets are a reference model for any formalism meant to describe concurrent or distributed sys-tems, including GTS. It is well known that GTS are a generalization of some PN classes, as shown byKreowsky in its pioneering work [13] using the double-pushout approach. Basically, the idea is to repre-sent a marked PN as a graph with three different types of nodes (for places, transitions, and tokens) anddescribe the firing of a PN transition thorough a rule (derivation). Since then, several encodings of PNclasses in terms of GTS have been presented, among which Place/Transitions nets, Condition/Event nets,Elementary Net Systems, Consume-Produce-Read nets. Some net variants with extra features such asread/reset/inhibitor arcs have been also encoded. It is impossible to exhaustively list all these proposals,let us refer to [8] (and included references) for the earliest and [2],[10] for more recent ones.In this paper we consider the relationship between GTS and PN from a new perspective: we providea formalization of Graph Transformation Systems (GTS) based on Symmetric Nets (SN) [6], a typeof Coloured Petri nets [12],[11] featuring a particular syntax that outlines model symmetries and isexploited both in state-space based and structural analysis. The idea is simple: each rule (derivation)of a GTS corresponds to a SN transition which is properly connected to a couple of SN places whosemarking encodes a graph. In the paper we refer to simple directed graphs, even if the approach might begeneralized to any category of (hyper)graphs.The advantages of this approach are numerous, and the aim of the paper is to illustrate some of themthough some examples: we can exploit well established tools supporting the editing/analysis of SN, like formerly known as Well-formed Nets, or WN An Operational Semantics of GTS the GreatSPN package [1]; an operational interleaving semantics for GTS is provided in a natural waybuilding the state-transition system of a SN; a compact state-transition system -called symbolic reacha-bility graph [7], in which states (markings) representing isomorphic graphs are folded, can be directlyderived once an initial symbolic graph encoding is set; some recent advances in SN (symbolic) structuralanalysis [4], [3], implemented in the SNExpression tool ( ) maybe exploited to check some conditions ensuring rule well-definiteness, validate rules, and verify theirpotential concurrency; in particular, a fully automated calculus of symbolic structural relations in SNmodels may be profitably used. All these concepts are instantiated on a few, though significant, exam-ples of graph rewriting rules, and a simple GTS. All the examples used in the paper are available inGreatSPN format at https://github.com/lgcapra/GTS-SN .The GTS formalization based on SN may be considered as an alternative to classical approaches,in particular the algebraic ones based on single and double pushout. The strengths of this new pro-posal are a more intuitive definition of derivations, and the availability of well established tools for theediting/validation/analysis of models. The relationship between SN rules and single/double pushoutderivations, however, is not treated in this paper, and deserves further investigations.The balance of the paper is as follows: Section 2 introduces SN and related background notions;Section 3 presents the encoding of a GTS as a SN, and its operational semantics; symbolic structuralconditions for rule well-definiteness are also set up; Section 4 shows an application of SN structuralcalculus for verifying rule concurrency in a GTS; finally, Section 5 contains the conclusion and describesongoing work
In this section we present the SN formalism and a few preliminary concepts and notations used in thesequel. We let the reader refer to [14] and [6] for a complete treatment of Petri nets and SNs, respectively.
A multiset (or bag ) over a domain D is a map b : D → N , where b ( d ) is the multiplicity of d in b . The support b is the set { d ∈ D | b ( d ) > } : we write d ∈ b to mean d ∈ b . A multiset b may be denoted by aweighted formal sum of b elements where coefficients represent multiplicities. The null multiset (over agiven domain), i.e., the multiset with an empty support, is denoted (with some overloading) /0. The set ofall bags over D is denoted Bag [ D ] . Let b , b ∈ Bag [ D ] . The sum ( b + b ) ∈ Bag [ D ] and the difference ( b − b ) ∈ Bag [ D ] are defined as: ( b + b )( d ) = b ( d ) + b ( d ) ; ( b − b )( d ) = max ( , b ( d ) − b ( d )) .Also relational operators are defined component-wise, e.g., b < b if and only if ∀ d , b ( d ) < b ( d ) .The scalar product k · b , k ∈ N , is b (cid:48) ∈ Bag [ D ] , s.t. b (cid:48) ( d ) = k · b ( d ) . Let b ∈ Bag [ A ] , b ∈ Bag [ B ] , andso forth: the Cartesian product b × b × . . . ∈ Bag [ A × B × . . . ] is defined as ( b × b × . . . )( (cid:104) a , b , . . . (cid:105) ) = b ( a ) · b ( b ) · . . . Multiset functions
All the operators on multisets straightforwardly extend to functions mapping tomultisets. Let f , f : D → Bag [ D (cid:48) ] ; if op is a binary operator on bags, then f op f is defined as f op f ( a ) = f ( a ) op f ( a ) . Analogously if op is a unary operator: e.g., f is a function D → D (cid:48) such that f ( a ) = f ( a ) . As for relational operators, f < f if and only if ∀ a , f ( a ) < f ( a ) . With someoverloading, the symbol /0 will denote a constant null multiset function.Let f : D → Bag [ A ] , f : D → Bag [ B ] , and so forth: the product f × f × . . . : D → Bag [ A × B × . . . ] is . Capra f × f × . . . ( d ) = f ( d ) × f ( d ) × . . . . In the following a function-tuple (cid:104) f , f , . . . (cid:105) will denotethe function Cartesian product f × f × . . . Let f : D → Bag [ D (cid:48) ] : the transpose f t : D (cid:48) → Bag [ D ] is defined as: f t ( x )( y ) = f ( y )( x ) , ∀ x ∈ D (cid:48) , y ∈ D ; the linear extension f ∗ : Bag [ D ] → Bag [ D (cid:48) ] is defined as f ∗ ( b ) = ∑ x ∈ b b ( x ) · f ( x ) . The composition operatoris extended accordingly: let h : A → Bag [ B ] , g : B → Bag [ C ] , then g ◦ h : A → Bag [ C ] is defined as g ◦ h ( a ) = g ∗ ( h ( a )) . For simplicity, we will use the same symbol for a function and its linear extension. Symmetric Nets (SN) [6] are a high-level Petri Net formalism featuring a particular syntax for places,transitions, and arc annotations: such syntax has been devised to make the symmetries present in model’sstructure and behaviour explicit. This formalism is thus convenient from the point of view of modelrepresentation as well as from that of its analysis. Efficient methods have been proposed to performSN state-space based analysis [7], or structural analysis [4],[3]. Many of these algorithms have beenimplemented in GreatSPN [1], whereas the most recent developments on structural analysis have beenimplemented in SNexpression ( ).SN are a particular flavour of Colored
Petri nets (PN), originally introduced in [11]. Like in anyPetri net, the SN underlying structure is a kind of (finite) directed bipartite graph, where the set of nodesis P ∪ T , P and T being non-empty, disjoint sets, whose elements are called places and transitions ,drawn as circles and bars, respectively. The former represent system state variables, whereas the latterevents causing (local) state changes: what characterizes Petri nets in fact is a distributed notion of state,called marking . As in any high-level PN model, both places and transitions are associated with (colour)domains. Edges are annotated by (colour) functions mapping the domain of the incident transition to thedomain of the incident place.This section introduces the SN formalism exemplifying some key concepts by means of the modelsused in the rest. SN places are associated with a color domain ( cd ) defining the type of tokens a place may hold. A colordomains is a Cartesian product of finite, non-empty, pair-wise disjoint basic color classes , denoted bycapital letters (e.g., C). Basic color classes may be partitioned into static subclasses (denoted by capitalletters with a subscript, e.g., C ), or, in alternative, circularly ordered.The SN models defined later build on a single basic color class: N= { nd i } . The place color domainsare N and E = N × N (or N ) . Transitions have a color domain as well, since they specify parametric events. The color domain of atransition is implicitly determined by transition’s parameters ( variables ) that annotate incident edges andtransition’s guard, denoted in this paper by lower-case letters with a subscript, e.g. c i . By convention,the letter used for a variable implicitly defines its type, i.e., the color class denoted by the correspondingcapital letter. Subscripts are used to distinguish variables of a given type associated with a transition. Asan example, the colour domain of transition R1 (Figure 1a) is N × N × N.If no variable symbols surround a given transition, its domain is implicitly defined by a singleton neutral color . Introduced with the name of Well-formed Nets, later renamed SNs. An Operational Semantics of GTS
Transitions may have guards , consisting of boolean predicates defined on transition domains: • [ c = ( (cid:54) =) c ] is true when the same/a different color is assigned to c and c ; • [ c ∈ C j ] is true when the color assigned to c belongs to subclass C j ; • [ d ( c ) = d ( c )] is true when the colors assigned to c and c belong to the same subclass.A transition instance is a pair ( t , b ) , where b ( binding ) is an assignment of colors to the transition’svariables. For instance, a possible binding for R1 is n = nd , n = nd , n = nd . A transition instanceis valid if it satisfies the transition’s guard. From now on with transition color domain we will mean theset of valid transition instances.A transition guard is omitted if and only if it is the constant true . A marking m provides a distributed notion of system state. Formally, a marking maps every place toa multiset on its domain: m ( p ) ∈ Bag [ cd ( p )] is the marking of place p . The elements of one such amultiset are called tokens . An arc form a place p to a transition t is called input arc, whereas one in the opposite direction is called output arc. A place and a transition may be also connected by an inhibitor arc , drawn with an endingsmall circle instead of an arrow. Arcs are annotated by corresponding arc functions , denoted by I [ p , t ] ,O [ p , t ] and H [ p , t ] , respectively. An arc function is a map F : cd ( t ) → Bag [ cd ( p )] , formally expressed asa linear combination: F = ∑ i λ i . T i , λ i ∈ N , (1)where T i is a tuple (i.e., a Cartesian product) of class functions (cid:104) f , . . . , f k (cid:105) .A class-C function f i is a map cd ( t ) → Bag [ C ] , expressed in turn as a linear combination of functionsin an elementary set: f i = ∑ h α h . e h , α h ∈ Z , (2)where (referring to class C) e h ∈ { c j , ++ c j , C q , All } : • c j (previously called variable) is actually a projection , i.e, given a tuple of colours in cd ( t ) mapsto the j th occurrence of color C; if class C is ordered, then ++ c j denotes the successor mod | C | ofthe element that c j maps to; • C q and All are diffusion (or constant) functions mapping any color in cd ( t ) to ∑ x ∈ C q · x and ∑ x ∈ C · x , respectively.Scalars α h in (2) must be such that no negative coefficients result from the evaluation of f i for any legalbinding of t . Both function-tuples and class-functions may be suffixed by a guard defined on cd ( t ) ,acting as a filter: f [ g ]( a ) = f ( a ) if g ( a ) , otherwise f [ g ]( a ) = /0. If t has an associated guard g ( t ) then weassume g ( t ) implicitly spans over all surrounding arc functions.AS an example of arc function, consider the function on the inhibitor arc connecting transition R2 to place Edge (Figure 1b). The transition’s domain is cd ( R2 ) = N , because only variable n occurs in . Capra nd i ∈ N results in the (multi)set composed ofall pairs with the first element equal to nd i and all pairs with the 2nd element equal to nd i and the firstone other than nd i .The only basic class used in the SN models of the paper is neither partitioned nor ordered. Arcfunctions, moreover, map to multisets with multiplicities ≤
1. i.e., sets.
The interleaving semantics of a SN is fully defined by the firing rule . Assuming that missing arcs (ofany type) between SN nodes are arcs annotated by the null function /0, an instance ( t , b ) is enabled inmarking m iff: • ∀ p ∈ P : I [ p , t ]( b ) ≤ m ( p ) • ∀ p ∈ P , x ∈ H [ p , t ]( b ) : H [ p , t ]( b )( x ) > m ( p )( x ) An instance ( t , b ) enabled in m may fire by withdrawing from each input place p the bag I [ p , t ]( b ) and adding to each output place p the bag O [ p , t ]( b ) . We get a new marking m (cid:48) , formally defined as: ∀ p : m (cid:48) ( p ) = m ( p ) − I [ p , t ]( b ) + O [ p , t ]( b ) We say that m (cid:48) is reachable from m through ( t , b ) , and this is denoted m [ t , b > m (cid:48) .Once an initial marking m of a SN is set, it is possible to build the state-transition system (oftencalled reachability graph , or RG) describing a SN model’s behaviour. The RG is a (edge-labelled)directed multi-graph inductively defined as follows: m ∈ RG ; if m ∈ RG , and m [ t , b > m (cid:48) , also m (cid:48) ∈ RG and there is an edge (cid:104) m , m (cid:48) (cid:105) with label ( t , b ) .If a symbolic initial marking is set, a quotient graph called symbolic reachability graph is directlybuilt, that retains all the information of the ordinary reachability graph. We will get to that later. In this section we show how to encode a Graph Transformation Systems through Symmetric nets. Graphrewriting rules are formalized in terms of SN transitions connected to a couple of shared places. Theywill be illustrated by a few examples. For the sake of simplicity we refer to simple directed graphs, evenif this approach may be extended to any category of (hyper)graphs.A directed graph (form now on simply graph) is composed of a (finite) set N of nodes and a set E ⊆ N × N of edges. A (total) morphism between graphs G = ( N , E ) and G = ( N , E ) is a pair offunctions f E : E → E , f N : N → N such that ∀(cid:104) n , n (cid:105) ∈ E , f E ( (cid:104) n , n (cid:105) ) = (cid:104) F N ( n ) , F N ( n ) (cid:105) . The graph encoding through SN builds on a couple of places,
Node and
Edge , whose associated colourdomain are the basic colour class N = { nd i } , and the product E = N × N, respectively. We assume thatclass N holds enough elements to cover all possible evolutions of a graph.A graph G = ( N , E ) is straightforwardly encoded by a SN marking, denoted m G : letting l be aninjective labelling N → N, m G ( Node ) = ∑ n ∈ N · l ( n ) , m G ( Edge ) = ∑ (cid:104) n , n (cid:105)∈ E · (cid:104) l ( n ) , l ( n ) (cid:105) .The other way round, a SN marking m is a graph-encoding if and only if both m ( Node ) and m ( Edge ) are multisets whose elements have multiplicities ≤ nd i occurring in m ( Edge ) also occurs in m ( Node ) (there are no dangling edges).12 An Operational Semantics of GTS
A graph rewriting rule (or derivation) is formalized by a SN transition R i properly connected to places Node and
Edge . The colour domain of R i depends on how many variables (projections) n i occur on theincident arcs and transition’s guard: in general, cd ( R i ) = N k , k > [ Node , R i ] , I [ Edge , R i ] (assumed non both null), and theinhibitor arc function H [ Edge , R i ] , when evaluated on an enabled instance of R i in a graph-encodingmarking m , match a subgraph of the encoded graph which is rewritten according to the SN firing rule:the matched subgraph is atomically removed from the encoded graph and replaced with the subgraphyielded by evaluating the output arc functions on the same instance. Inhibitor arc functions, even ifnot directly involved in the firing, play a crucial role both in the matching step and in setting structuralconditions for rule correctness, as explained below.Some representative examples of rules are shown in Figure 1. Rule 1a allows the transitive closureof a graph be incrementally computed. Rule 1b represents the removal of isolated nodes of a graph. Rule1c may be used to derive a Kripke structure from a graph: in fact, a self-loop is created for nodes withoutsuccessors. Rule 1d transforms a self-loop involving node nd i into a pair of edges from/to nd j , where nd j is a new node. Rule 1e is matched by a node nd i having as only successor nd j , which has no otherlink but a self-loop: in that case nd j is removed, and a self-loop involving nd i is created. Finally, Rule 1ftranslates a loop between nd i and nd j into a loop involving these two nodes and a newly inserted one. We have to establish some conditions ensuring that a rewriting rule is well-defined , that is, any instanceof the rule (transition) rewrites a (simple) directed graph into another one. By exploiting the calculusfor SN introduced in [3], [4], it is possible to characterize these rules as structural conditions on the arcfunctions annotating the corresponding transition, that may be checked in a fully symbolic and automatedway, e.g., by using the SNexpression ( ) toolset.The calculus for SN has been developed to check basic structural properties (conflict, causal connec-tion, mutual exclusion) on SN without any net unfolding. It builds on the ability to solve in a symbolicway expressions whose terms are the elements of a language L and involving a specific set of functionaloperators (in this context, the difference, the composition, and the support). The terms of L are a smallextension of the SN arc functions, but the language restriction used here exactly matches SN arc func-tions. The calculus has been implemented as a rewriting system that, given any structural expression,reduces it to a normal form in L . In particular, if e ≡ /0 then e → /0.In the following, the expressions W + [ p , t ] and W − [ p , t ] stand for O [ p , t ] − I [ p , t ] and I [ p , t ] − O [ p , t ] ,respectively: they map any transition instance ( t , b ) to the (multi)set of coloured tokens that (upon itsfiring) are added/withdrawn to/from place p .Two type of terms are used: functions mapping to multisets, and their supports, mapping to sets. Ac-cording to the type of operands, ’ − ’,’ + ’ will denote the multiset difference/sum or the set difference/sum.The same for the Cartesian product. These equivalences are exploited (with an obvious overloading ofsymbol ’ /0’): F ≤ G ⇔ F − G ≡ /0; F ⊆ G ⇔ F − G ≡ /0. . Capra (a) Rule 1 (b) Rule 2(c) Rule 3 (d) Rule 4(e) Rule 5 (f) Rule 6 Figure 1: Examples of graph rewriting rules14
An Operational Semantics of GTS
Let R be the transition encoding a rule. The conditions below ensure that R is well defined:1 ) H [ Edge , R ] ≤ (cid:104) All , All (cid:105) ∧ H [ Node , R ] ≤ (cid:104) All (cid:105) ) W + [ Edge , R ] ≤ (cid:104) All , All (cid:105) ) W + [ Node , R ] ≤ H [ Node , R ] ) let NA = ( (cid:104) n + n (cid:105) ◦ O [ Edge , R ] − (cid:104) n + n (cid:105) ◦ I [ Edge , R ]) − I [ Node , R ] : NA ⊆ O [ Node , R ] ) W + [ Edge , R ] − ( (cid:104) NA , All (cid:105) + (cid:104) All , NA (cid:105) ) ⊆ H [ Edge , R ] ) (( (cid:104) All − n , n (cid:105) + (cid:104) n , All (cid:105) ) ◦ W − [ Node , R ]) − W − [ Edge , R ] ⊆ H [ Edge , R ] Conditions 1,2) are related to simplicity (these conditions alone, however, doesn’t ensure it); 1)means that inhibitor arc functions map to multisets with multiplicities ≤
1, i.e., we can only check forthe absence of nodes/edges in a graph-encoding; 2) means that new edges are inserted with multiplicity1; 3) avoids node duplication. Conditions 4-6) avoid (among others) the creation of dangling edges, andare a bit more complex, involving the composition operator: 4) means that the nodes incident to newlyadded edges, but that do not exist yet (this set of nodes is denoted NA ), must be contextually inserted: itbuilds on the assumption that, in the current graph encoding, there are no dangling edges; 5) is related,again, to simplicity: whenever a new edge is added, we must check its absence unless one of its incidentnodes belongs to the precomputed set NA ; finally, 6) deals with node removal: the inhibitor arc functionmust ensure that, for every withdrawn node, there are no edges incident to it, but for those edges that arecontextually removed by the rule.A few remarks have to be done. In condition 4), the domain of projections n , n is N × N, whereasin 6) the domain of n is N. The use of support operator in 4-6) is due to the fact that a composition mayresult in ordinary multisets, with multiplicities greater than one. The parametric set NA is computed byseparately considering the output and the input arc functions to/from place Edge , instead of consideringW + [ Edge , R ] : in fact, (cid:104) n + n (cid:105) ◦ O [ Edge , R ] − (cid:104) n + n (cid:105) ◦ I [ Edge , R ] ⊆ (cid:104) n + n (cid:105) ◦ W + [ Edge , R ] , thereforethe condition we set is more general. Property 1.
If a rule/transition R meets conditions 1-6), then the firing of any instance ( R ,b) in a graph-encoding marking generates a graph-encoding marking. The proof is just a direct consequence of the explanation above. We can easily check that all rules shownin Figure 1 are well defined.
A Graph Transformation System (or GTS) may be very simply defined by bringing together a set of well-defined rules (transitions) sharing places
Node and
Edge , and setting an initial graph-encoding marking.The induced state-transition system corresponds to the SN reachability graph.As an example, consider the SN in Figure 2. It comes from the combination of Rules 1,3) describedabove. Given a graph G encoded by the initial marling m G , the derived RG describes the sequenceof transformations that G undergoes by applying either Rule 1 or Rule 3. The resulting RG has an absorbing state, i.e. a dead home-state, which corresponds to the transitive closure of m G where nodeswithout proper predecessors are sources/targets of self-loops.Let m G ( Edge ) = (cid:104) nd , nd (cid:105) + (cid:104) nd , nd (cid:105) + (cid:104) nd , nd (cid:105) , and m G ( Node ) = (cid:104) nd + nd + nd + nd (cid:105) :the corresponding RG (built with the GreatSPN package) holds 16 nodes, one of which absorbing; thisfinal node encodes the graph (cid:104) nd , nd (cid:105) + (cid:104) nd , nd (cid:105) + (cid:104) nd , nd (cid:105) + (cid:104) nd , nd (cid:105) + (cid:104) nd , nd (cid:105) + (cid:104) nd , nd (cid:105) + (cid:104) nd , nd (cid:105) . Capra A Symbolic State-transition System
During the construction of the SN reachability graph some mark-ings encoding isomorphic graphs may be reached. Consider the example above: from the initial marking,we can reach the two markings below by firing R with the bindings n = nd , n = nd , n = nd and n = nd , n = nd , n = nd , respectively: i ) (cid:104) nd , nd (cid:105) + (cid:104) nd , nd (cid:105) + (cid:104) nd , nd (cid:105) + (cid:104) nd , nd (cid:105) ii ) (cid:104) nd , nd (cid:105) + (cid:104) nd , nd (cid:105) + (cid:104) nd , nd (cid:105) + (cid:104) nd , nd (cid:105) Observe that i ) and ii ) are isomorphic since can be obtained from one another by swapping nd with nd . Recognizing isomorphic graph-encodings is for free in SN, if the initial marking is symbolic . A symbolic marking (cid:98) m [7] is an equivalence class of ordinary markings: { m , m } ⊆ (cid:98) m if and only if theycorrespond, up to a permutation on colour classes (preserving the possible partitions in subclasses)A symbolic marking (or SM) is syntactically expressed using dynamic subclasses instead of ordinarycolours. Dynamic subclasses define parametric partitions of basic colour classes: each dynamic subclassis associated with a colour class (or a static subclass, if the class is split) and has a cardinality. As anexample, the initial symbolic marking encoding (among others) graph G above is: (cid:98) m ( Edge ) = (cid:104) znd , znd (cid:105) + (cid:104) znd , znd (cid:105) , (cid:98) m ( Node ) = (cid:104) znd + znd + znd (cid:105) where all symbols (dynamic subclasses) refer to class N, and | znd | = | znd | = | znd | =
2. This sym-bolic marking represents six ordinary markings, including m G . A symbolic reachability graph (or SRG)is directly built from an initial symbolic marking, by means of a symbolic firing rule (and a canonicalrepresentative for SM). Skipping the technical details, a symbolic instance of R folding the two bindingsabove is enabled in (cid:98) m ; this symbolic instance may fire, leading to a new symbolic marking representing(among others) the ordinary markings i ) and ii ) .The SRG built (with the GreatSPN package) from (cid:98) m is a quotient-graph of the RG, retaining livenessand safety properties: in the simple example we are considering, the SRG holds 9 nodes plus an absorbingone, each encoding a class of isomorphic graphs. When huge graphs are encoded with SN, the reductionachieved with the SRG in terms of generated states/arcs may be dramatic (e.g., a symbolic instanceof transition R may fold up to | N | ordinary instances), even if bringing a SM to a canonical form iscomparable to checking graph isomorphism. In Section 3.3 we have established some conditions on arc functions making a SN transition specify awell-defined graph rewriting rule. These conditions involve functional operators that can be solved in afully automated/symbolic way through the SNexpression tool, implementing the computation of a baseset of structural properties [9] directly on SN models, without any unfolding. Each structural propertymay be expressed in terms of language L , which is a small extension of arc functions.Let us discuss now about the exploitation of these properties for validating rules, e.g., to figure outwhich rules of a GTS might concurrently apply. Concurrent graph rewriting issues have been widelytackled in literature: we do not want to go into the details of a theoretical discussion, rather we aim atshowing the potential of SN structural analysis in this field.Symbolic structural relations are computed by properly combining arc functions through some oper-ators: transpose, sum, difference, support, and composition. A relation is a map R ( t , t (cid:48) ) : cd ( t (cid:48) ) → cd ( t ) we refer to place Edge , because the marking of
Node doesn’t change An Operational Semantics of GTS
Figure 2: a simple GTS composed of Rules 1,3that when applied to an instance c (cid:48) of t (cid:48) gives the set of instances of t that are in such a relation with ( t (cid:48) , c (cid:48) ) . Symbolic relations build on a couple of auxiliary ones, involving a pair place/transition, bothwith arity cd ( p ) → cd ( t ) : Rb [ t , p ] = W − [ p , t ] t ( Removed by ), given a color c of p provides the set ofinstances of t that withdraw c from p ; Ab [ t , p ] = W + [ p , t ] t ( Added by ), given a color c of p provides theset of instances of t that add c to p . Table 1 reports the definitions of base structural relations. (Asymmetric) Structural Conflict : Two transition instances ( t , c ) and ( t (cid:48) , c (cid:48) ) are in conflict in a givenmarking m if the firing of the former disables the latter. The structural conflict ( SC ) relation defines thenecessary conditions that may lead to an actual conflict in some marking. The symbolic relation SC ( t , t (cid:48) ) maps a an instance c (cid:48) of t (cid:48) to the set of colour instances of t that may disable ( t (cid:48) , c (cid:48) ) : this happens eitherbecause ( t , c ) withdraws a token from an input place which is shared by the two transitions, or because itadds a token into an output place which is connected to t (cid:48) through an inhibitor arc. These two cases arereflected in the SC formula, which is is obtained by summing up over all shared input places and sharedoutput-inhibitor places. Observe that different instances of the same transition may be in conflict (autoconflict): the same expression can be used, but one must subtract from the set of conflicting instances theinstance itself to which SC applies (using the identity function). Structural Causal Connection : Two transition instances ( t , c ) and ( t (cid:48) , c (cid:48) ) are in causal connection ifthe firing of the former in a given marking m causes the enabling of the latter. The structural causalconnection ( SCC ) relation defines the necessary conditions that may lead to an actual causal connectionin some marking. The symbolic relation
SCC ( t , t (cid:48) ) , when applied to an instance c (cid:48) of t (cid:48) , provides the setof instances ( t , c ) that may cause the enabling of ( t (cid:48) , c (cid:48) ) . This happens if some output places of t are inputplaces for t (cid:48) and some input places of t are inhibitor places for t (cid:48) . . Capra SC ( t , t (cid:48) ) = (cid:83) p Rb [ t , p ] ◦ I [ t (cid:48) , p ] ∪ Ab [ t , p ] ◦ H [ t (cid:48) , p ] SCC ( t , t (cid:48) ) = (cid:83) p Ab [ t , p ] ◦ I [ t (cid:48) , p ] ∪ Rb [ t , p ] ◦ H [ t (cid:48) , p ] SME ( t , t (cid:48) ) = (cid:83) p I [ t , p ] t ◦ H [ t (cid:48) , p ] ∪ H [ t , p ] t ◦ I [ t (cid:48) , p ] Structural Mutual Exclusion : Two transition instances ( t , c ) and ( t (cid:48) , c (cid:48) ) are in (structural) mutual exclu-sion ( SME ) if the enabling of ( t (cid:48) , c (cid:48) ) in any m implies that ( t , c ) is not enabled, and viceversa. Thissituation arises when a place p does exist which is input for t and inhibitor for t (cid:48) , and the number oftokens (of any color) required in p for the enabling of t is greater than or equal to the upper bound onthe number of tokens (of the same color) in p imposed by the inhibitor arc connecting p and t (cid:48) . The(symmetric) symbolic relation SME ( t , t (cid:48) ) maps an instance ( t (cid:48) , c (cid:48) ) to the set of instances of t that aresurely disabled in any marking where ( t (cid:48) , c (cid:48) ) is enabled. If all functions on input and inhibitor arcs weremappings onto sets (i.e., on multisets with multiplicities ≤ SME relation corresponds to the expression in Table 1, that applies also when t and t (cid:48) coincide . Application example
Structural relations can be used to validate the rules of a GTS formalized interms of SN. In particular, it is possible to check which rules may concurrently apply, in the event a trueconcurrent semantics were used. Using the structural calculus for SN we can -in a way, parametrically(i.e., symbolically) partition the set of instances of a given transition (rule) on the basis of a given relationwith the instances of the other (or even the same) rule(s).In order to illustrate these concepts, let us consider the GTS in Figure 2. The two rules are potentiallyin conflict due to place
Edge , which is simultaneously an output place for one rule and an inhibitor placefor the other. Instead, there are no potential conflicts due to the sharing of input places, since we caneasily check that the expressions Rb [ t , p ] are null (by the way, a composition involving a null functionresults in /0). As for the added by expressions, we got the following non-null entries (in the sequel,function supports are implicitly used):Ab [ R , Edge ] = (cid:104) n , All , n (cid:105) Ab [ R , Edge ] = (cid:104) n (cid:105) [ n = n ] The first expression says that a color (token) (cid:104) c , c (cid:105) may be pushed into place Edge by any instanceof R (a triplet of colours) whose 1st and 3rd elements are equal to c and c , respectively. The otherexpression says that a color (cid:104) c , c (cid:105) , with c = c , may be pushed into place Edge by the instance (cid:104) c (cid:105) of R . Then, according with Table 1 we obtain: SC ( R , R ) = (cid:104) n , All , n (cid:105) ◦ (cid:104) n , All (cid:105) = (cid:104) n , All , All (cid:105) SC ( R , R ) = (cid:104) n (cid:105) [ n = n ] ◦ (cid:104) n , n (cid:105) = (cid:104) n (cid:105) [ n = n ] Again, the interpretation of these symbolic expressions is quite intuitive: SC ( R , R ) says that an instance (cid:104) c (cid:105) of Rule 3 might be in conflict with (i.e., disabled by) any instance of Rule 1 having color c as firstelement; SC ( R , R ) instead says that an instance (cid:104) c , c , c (cid:105) of Rule 1, such that c = c , might be inconflict with the instance (cid:104) c (cid:105) of Rule 3. we refer to [3] for a general treatment of SME all the calculus were done with SNExpression tool An Operational Semantics of GTS
The SC relation, however, just outlines potential conflicts. The previous outcome may be refined bycomputing SME : in fact, we observe that place
Edge is both input and inhibitor for R , and inhibitor for R . Then, according with Table 1 we obtain: SME ( R , R ) = (cid:104) All , n , All (cid:105) + (cid:104) n , All , All (cid:105)
SME ( R , R ) = (cid:104) n (cid:105) + (cid:104) n (cid:105) Notice that, according with the transpose rules and the relation’s symmetry:
SME ( R , R ) t = SME ( R , R ) .What is interesting, however, is that SC ( R , R ) ⊂ SME ( R , R ) and SC ( R , R ) ⊂ SME ( R , R ) , i.e., po-tentially conflicting instances of Rules 1 and 3 are in structural mutual exclusion. In other words, thesetwo rules are potentially concurrent.The same check may be done on instances of the same rule. Consider R : potential auto-conflictsdue to place Edge correspond to the symbolic expression: SC ( R , R ) = (cid:104) n , All − n , n (cid:105) + (cid:104) n , All − n , n (cid:105) [ n = n ] + (cid:104) n , All , n (cid:105) [ n (cid:54) = n ] + (cid:104) n , n , n (cid:105) [ n (cid:54) = n ] The mutually exclusive instances of the same transition correspond to the symbolic expression:
SME ( R , R ) = (cid:104) n , All , n (cid:105) + (cid:104) n , All , n (cid:105) + (cid:104) n , n , All (cid:105) + (cid:104) All , n , n (cid:105) Also in this case, SC ( R , R ) ⊂ SME ( R , R ) , i.e., the instances of R are potentially concurrent. A similarcheck may be done for R instances.In general, checking whether the rules of a GTS may concurrently take place (possibly identifyingparametric concurrent subsets of rule instances) involves more complex calculations: think, e.g., of indirect conflicts arising between non conflicting rule instances ( R , b ) and ( R (cid:48) , b (cid:48) ) enabled in marking m : we fall in such a situation, e.g., if the firing of ( R , b ) triggers a sequence of causally connected ruleinstances ending with an instance ( R (cid:48)(cid:48) , b (cid:48)(cid:48) ) which is actually in conflict with (disables) ( R (cid:48) , b (cid:48) ) . Computingthe transitive closure of a structural relation [3] is necessary to recognize indirect conflicts. We have presented a formalization of Graph Transformation Systems (GTS) based on Symmetric Nets(SN), a type of Coloured Petri nets featuring a particular syntax that outlines model symmetries. Eachrule of a GTS corresponds to a transition of a SN which is properly connected to a couple of placesencoding a graph. The advantages of this approach are numerous: we can exploit well established toolssupporting the editing/analysis of SN, like the GreatSPN package; an operational interleaving semanticsfor GTS is provided in a natural way building the state-transition system of a SN; a compact state-transition system -called symbolic reachability graph, in which states (markings) representing isomorphicgraphs are folded, can be directly derived once an initial symbolic graph encoding is set; some recentadvances in SN (symbolic) structural analysis, implemented in the SNExpression tool, may be exploitedto check some conditions ensuring rule well-definiteness, to validate rules, and to check their potentialconcurrency; in particular, a fully automated calculus of symbolic structural relations in SN models maybe profitably used. All these concepts have been instantiated on a few, though significant, examplesof graph rewriting rules, and a simple GTS. Throughout the paper we refer to the encoding of simpledirected graphs.Ongoing work is in two main directions. The presented approach is general, we are therefore ex-tending the class of encodable graphs to multigraphs (this extension is for free, it only requires that some . Capra
References [1] S. Baarir, M. Beccuti, D. Cerotti, M. De Pierro, S. Donatelli & G. Franceschinis (2009):
The GreatSPN Tool:Recent Enhancements . SIGMETRICS Perform. Eval. Rev.
From Petri Nets to Graph TransformationSystems . ECEASST
26, doi:10.14279/tuj.eceasst.26.368.[3] L. Capra, M. De Pierro & G. Franceschinis (2015):
Computing structural properties of symmetric nets , pp.125–140. 9259, Springer International Publishing, doi:10.1007/978-3-319-22264-6 9.[4] L. Capra, M. De Pierro & G. Franceschinis (2005):
A High Level Language for Structural Relations inWell-Formed Nets . In:
Proc. of the 26th Int. Conf. ATPN 2005 , LNCS 3536, Springer, pp. 168–187,doi:10.1007/11494744 11.[5] L. Capra, M. De Pierro & G. Franceschinis (2013):
A Tool for Symbolic Manipulation of ArcFunctions in Symmetric Net Models . In:
Proceedings of the 7th International Conference on Per-formance Evaluation Methodologies and Tools , ValueTools ’13, ICST, Torino, Italy, pp. 320–323,doi:10.4108/icst.valuetools.2013.254407.[6] G. Chiola, C. Dutheillet, G. Franceschinis & S. Haddad (1993):
Stochastic well-formed colored netsand symmetric modeling applications . IEEE Transactions on Computers
A symbolic reachability graph for colouredpetri nets . Theoretical Computer Science
Concurrent graph and term graph rewriting . pp. 438–464, doi:10.1007/3-540-61604-7 69.[9] C. Dutheillet & S. Haddad (1993):
Conflict Sets in Colored Petri Nets . In: proc. of Petri Nets and PerformanceModels , pp. 76–85, doi:10.1109/PNPM.1993.393433.[10] H. Ehrig & J. Padberg (2003):
Graph Grammars and Petri Net Transformations . pp. 496–536,doi:10.1007/978-3-540-27755-2 14.[11] K. Jensen (1997):
Coloured Petri Nets. Basic Concepts, Analysis Methods and Practical Use.
Volume 1,Basic Concepts. Monographs in Theoretical Computer Science, Springer-Verlag, 2nd corrected printing 1997.ISBN: 3-540-60943-1., doi:10.1007/978-3-662-03241-1.[12] K. Jensen & G. Rozenberg, editors (1991):
High-level Petri Nets: Theory and Application . Springer-Verlag,London, UK, doi:10.1007/978-3-642-84524-6.[13] H.J. Kreowski (1980):
A Comparison Between Petri-Nets and Graph Grammars.