Petri Games: Synthesis of Distributed Systems with Causal Memory
Adriano Peron and Carla Piazza (Eds.): Proceedings of the Fifth International Symposium on Games, Automata, Logics and Formal Verification (GandALF 2014), EPTCS 161, 2014, pp. 217–230, doi:10.4204/EPTCS.161.19
© B. Finkbeiner and E.-R. Olderog. This work is licensed under the Creative Commons Attribution License.
Bernd Finkbeiner
Universität des Saarlandes, [email protected]
Ernst-Rüdiger Olderog
Carl von Ossietzky Universität Oldenburg, [email protected]
We present a new multiplayer game model for the interaction and the flow of information in a distributed system. The players are tokens on a Petri net. As long as the players move in independent parts of the net, they do not know of each other; when they synchronize at a joint transition, each player gets informed of the causal history of the other player. We show that for Petri games with a single environment player and an arbitrary bounded number of system players, deciding the existence of a safety strategy for the system players is EXPTIME-complete.
Games are a natural model of the interaction between a computer system and its environment. Specifications are interpreted as winning conditions, implementations as strategies. An implementation is correct if the strategy is winning, i.e., it ensures that the specification is met for all possible behaviors of the environment. Algorithms that determine the winner in the game between the system and its environment can be used to determine whether it is possible to implement a specification (the realizability question) and, if the answer is yes, to automatically construct a correct implementation (the synthesis problem).

We present a new game model for the interaction and the flow of information in a distributed system. The players are tokens on a Petri net. In Petri nets, causality is represented by the flow of tokens through the net. It is therefore natural to designate tokens also as the carriers of information. As long as different players move in concurrent places of the net, they do not know of each other. Only when they synchronize at a joint transition, each player gets informed of the history of the other player, represented by all places and transitions on which the joint transition causally depends. The idea is that after such a joint transition, a strategy for a player can take the history of all other players participating in the joint transition into account. Think of a workflow where a document circulates in a large organization with many clerks and has to be signed by everyone, endorsing it or not. Suppose a clerk wants to make the decision whether or not to endorse it depending on who has endorsed it already. As long as the clerk does not see the document, he is undecided. Only when he receives the document, he sees all previous signatures and then makes his decision.

We call our extension of Petri nets Petri games. The players are organized into two teams, the system players and the environment players, where the system players wish to avoid a certain “bad” place (i.e., they follow a safety objective), while the environment players wish to reach just such a place. To partition the tokens into the teams, we label each place as belonging to either the system or the environment. A token belongs to a team whenever it is on a place that belongs to the team.

In the tradition of Zielonka’s automata [28], Petri games model distributed systems with causal memory, i.e., distributed systems where the processes memorize their causal history and communicate it to each other during each synchronization [10, 11, 16]. Petri games thus abstract from the concrete content of a communication in that we assume that the processes always exchange the maximal possible information, i.e., their entire causal history. This is useful at a design stage before the details of the interface have been decided and one is more interested in restricting when a communication can occur (e.g., when a device is connected to its base station, while a network connection is active, etc.) than what may be communicated. The final interface is then determined by the information actually used by the winning strategies, which is typically only a small fraction of the causal history. Note that even though we assume the players to communicate everything they know, the flow of information in a Petri game is far from trivial. At any point, the players of the Petri game may have a different level of knowledge about the global state of the game, and the level of informedness changes dynamically as a result of the synchronizations chosen by the players.

Consider the development of a distributed security alarm system. If a burglar triggers the alarm at one location, the alarm should go off everywhere, and all locations should report the location where the original alarm occurred.
This situation is depicted as a Petri net in Fig. 1. The token that initially resides on place Env represents the environment, which is, in our example, the burglar, who can decide to break into our building either at location A or B. The tokens that initially reside on places A and B represent the distributed controller consisting of two processes, the one on the left for location A and the one on the right for location B. In the following, we will refer to the Petri net of Fig. 1 as a Petri game, to emphasize that the tokens in fact represent players and that the nondeterminism present in the net is to be restricted by the (yet to be determined) strategy of the system players.

Figure 1: Introductory example of a Petri game modeling a distributed security alarm. Places belonging to the system players A and B are shown in gray. In the Petri game, the transitions to the bad place ⊥ are shown with dotted lines.

The system players and the environment players move on separate places in the net; the places belonging to the system players are shown in gray. In the example, our goal is to find a strategy for the system players that avoids a false alarm, i.e., a marking where the environment token is still on Env and at least one system token is on one of the places at the bottom, i.e., AA, AB, etc., and a false report, i.e., a marking where the environment token is on place EA and some system token is on AB or BB or a marking where the environment token is on EB and some system token is on AA or BA. To identify such undesirable markings we introduce a distinguished place ⊥. Fig. 1 shows (dashed) transitions towards ⊥ firing at two instances of false reports, when tokens are on both EA and BB or on both EB and AA. Similar transitions for other erroneous situations are omitted here to aid visibility.

Suppose that, in our Petri game, the burglar breaks into location A by taking the left transition.
Once the system token in A has recorded this via transition t_A, it has two possibilities: either synchronize with the system token in B by taking transition t_AA, or skip the communication and go straight to pA via transition A. Intuitively, only the choice to synchronize is a good move, because the system token in B has no other way of hearing about the alarm. The only remaining move for the system token in B would be to move “spontaneously” via transition B to pB, at which point it would need to move to BA, because the combination of BB and EA would constitute a false alarm. However, the token in pB has no way of distinguishing this situation from one where the environment token is still on Env; in this situation, the move to EA would also reach a false alarm.

Figure 2: Unfolding of the Petri game in Fig. 1. To aid visibility, the transitions leading to ⊥ are omitted from the unfolding. If the transitions shown with dashed lines are removed from the unfolding, the resulting net is a winning strategy for the system players.

Our definition of strategies is based on the unfolding of the net, which is shown for our example in Fig. 2. By eliminating all joins in the net, net unfoldings [6, 8, 19] separate places that are reached via multiple causal histories into separate copies. In the example, place pB has been unfolded into four separate copies, corresponding to the four different ways to reach pB, via the transition arcs B through B. Each copy represents different knowledge: in B, only B knows that there has been a burglary at location B; in B, B knows nothing; in B, B knows that A knows that there has been a burglary at position B; in B, B knows that there has been a burglary at location A. (Symmetric statements hold for pA and the transition arcs A – A.)

In the unfolding, it becomes clear that taking transition B is a bad move, because reaching the bad marking containing Env and either BA or BB has now become unavoidable. A strategy is a subprocess of the unfolding that preserves the local nondeterminism of the environment token. Fig. 2 shows a winning strategy for the system players: by omitting the dashed arrows, they can make the bad place ⊥ unreachable and therefore win the game.

We show that for a single environment token and an arbitrary (but bounded) number of system tokens, deciding the existence of a safety strategy for the system players is EXPTIME-complete. This means that as long as there is a single source of information, such as the input of an algorithm or the sender in a communication protocol, solving Petri games is no more difficult than solving standard combinatorial games under complete information [25]. The case of Petri games with two or more environment tokens, i.e., situations with two or more independent information sources, remains open.

The remainder of the paper is structured as follows. In Section 3 we introduce the notion of Petri games and define strategies based on net unfoldings. In Section 4 we show that for concurrency preserving games every strategy can be distributed over local controllers. In Section 5 we introduce the new notion of mcuts on net unfoldings. In Section 6 we show that the problem of deciding the winner of a Petri game is EXPTIME-complete. Related work and conclusions are presented in Sections 7 and 8. Due to space limitations, proofs have been moved into the full version of this paper.

We recall concepts from Petri net theory [4, 6–8, 14, 18, 19, 23]. A place/transition (P/T) Petri net or simply net N = (P, T, F, In) consists of possibly infinite, disjoint sets P of places and T of transitions, a flow relation F, which is a multiset over (P × T) ∪ (T × P), and an initial marking In. In general, a marking of N is a finite multiset over P.
It represents a global state of N. By convention, a net named N has the components N = (P, T, F, In), and analogously for nets with decorated names like N, N, N_U. The elements of P ∪ T are called nodes of N, thereby referring to the bipartite graphic representation of nets, where places are drawn as circles and transitions as boxes. The flow relation F is represented by directed arrows between places and transitions. An arrow from a place p to a transition t is decorated by a multiplicity k if F(p, t) = k, and analogously, an arrow from a transition t to a place p is decorated by a multiplicity k if F(t, p) = k. We use a double arrow arc between a place and a transition if there are arcs in both directions. A marking M is represented by placing M(p) tokens in every place p. N is finite if it has only finitely many nodes, and infinite otherwise. For nodes x, y we write x F y if F(x, y) > 0. The precondition of y is the multiset pre(y) over nodes defined by pre(y)(x) = F(x, y). The postcondition of x is the multiset post(x) over nodes defined by post(x)(y) = F(x, y). When stressing the dependency on the net N, we write pre_N(y) and post_N(x) instead of pre(y) and post(x). As in [6] we require finite synchronization [4] and non-empty pre- and postconditions: pre(t) and post(t) are finite, non-empty multisets for all transitions t ∈ T.

A transition t is enabled at a marking M if the multiset inclusion pre(t) ⊆ M holds. Executing or firing such a transition t at M yields the successor marking M′ defined by M′ = M − pre(t) + post(t). We denote this by M [t⟩ M′. The set of reachable markings of a net N is denoted by R(N) and defined by R(N) = { M | ∃ t, ..., t_n ∈ T : In [t⟩ M [t⟩ ... [t_n⟩ M_n = M }. A net N is k-bounded for a given k ∈ ℕ if M(p) ≤ k holds for all M ∈ R(N) and all p ∈ P. It is bounded if it is k-bounded for some given k and safe if it is 1-bounded. F⁺ denotes the transitive closure and F* the reflexive, transitive closure of F. Nodes x and y are in conflict, abbreviated by x ♯ y, if there exists a place p ∈ P, different from x and y, from which one can reach x and y via F⁺, exiting p by different arcs. A node x is in self-conflict if x ♯ x.

We use the notations °N = { p ∈ P | pre(p) = ∅ } and N° = { p ∈ P | post(p) = ∅ } for the sets of places without incoming or outgoing transitions, respectively. For a multiset M over P let N[M] result from N by changing its initial marking In to M. For a set X of nodes we define the restriction of N to X as the net N↾X = (P ∩ X, T ∩ X, F↾(X × X), In↾X).

Consider two nets N and N. Then N is an initial subnet or simply subnet of N, denoted by N ⊑ N, if P ⊆ P, T ⊆ T, F ⊆ F, and In = In.
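The definitions above (multiset markings, pre- and postconditions, the firing rule M′ = M − pre(t) + post(t), the reachable markings R(N) and k-boundedness) are mechanical enough to execute. The following Python program is an added example, not code from the paper or its authors: it implements a P/T net with multiplicities, enumerates R(N) by breadth-first search with a cut-off so that an unbounded net cannot run forever, reports the smallest bound k, and also checks the concurrency preserving property |pre(t)| = |post(t)| that Section 4 of the paper relies on. The nets it is run on are constructed for this example: two workers competing for a critical section, with and without a lock token, and a producer that is unbounded.

```python
from collections import Counter, deque
from typing import Dict, List, Tuple


class PTNet:
    """Place/transition net N = (P, T, F, In). F maps arcs (x, y) to multiplicities;
    markings and pre/postconditions are multisets, represented as Counter."""

    def __init__(self, places, transitions, flow: Dict[Tuple[str, str], int], initial: Dict[str, int]):
        self.P = frozenset(places)
        self.T = frozenset(transitions)
        self.F = {arc: k for arc, k in flow.items() if k > 0}  # an absent arc has F(x, y) = 0
        self.In = Counter(initial)
        for t in self.T:  # the paper requires non-empty pre- and postconditions
            if not self.pre(t) or not self.post(t):
                raise ValueError(f"transition {t} needs a non-empty pre- and postcondition")

    def pre(self, y: str) -> Counter:
        """pre(y)(x) = F(x, y)"""
        return Counter({x: k for (x, y2), k in self.F.items() if y2 == y})

    def post(self, x: str) -> Counter:
        """post(x)(y) = F(x, y)"""
        return Counter({y: k for (x2, y), k in self.F.items() if x2 == x})

    def enabled(self, t: str, M: Counter) -> bool:
        """t is enabled at M iff pre(t) ⊆ M (multiset inclusion)."""
        return all(M[p] >= k for p, k in self.pre(t).items())

    def fire(self, t: str, M: Counter) -> Counter:
        """M [t> M' with M' = M - pre(t) + post(t)."""
        if not self.enabled(t, M):
            raise ValueError(f"{t} is not enabled at {dict(M)}")
        return (M - self.pre(t)) + self.post(t)

    def is_concurrency_preserving(self) -> bool:
        """|pre(t)| = |post(t)| for every transition (multiset cardinalities)."""
        return all(sum(self.pre(t).values()) == sum(self.post(t).values()) for t in self.T)

    def _explore(self, limit: int) -> Tuple[List[Counter], bool]:
        """Breadth-first search of R(N). Stops once `limit` markings are known so that an
        unbounded net cannot loop forever; the flag says whether the search was complete."""
        key = lambda M: frozenset(M.items())
        start = +self.In  # unary plus drops zero entries, keeping keys canonical
        seen = {key(start): start}
        queue = deque([start])
        while queue:
            M = queue.popleft()
            for t in sorted(self.T):
                if not self.enabled(t, M):
                    continue
                M2 = self.fire(t, M)
                k = key(M2)
                if k in seen:
                    continue
                if len(seen) >= limit:
                    return list(seen.values()), False
                seen[k] = M2
                queue.append(M2)
        return list(seen.values()), True

    def reachable(self, limit: int = 10_000) -> List[Counter]:
        return self._explore(limit)[0]

    def bound(self, limit: int = 10_000):
        """Smallest k such that N is k-bounded (1 means safe), or None if the exploration
        hit `limit`, in which case the net may be unbounded."""
        markings, complete = self._explore(limit)
        if not complete:
            return None
        return max((n for M in markings for n in M.values()), default=0)


def build_lock_net(with_lock: bool = True) -> PTNet:
    """Constructed example: two workers entering a critical section; `with_lock` adds a lock token."""
    places = ["idle1", "crit1", "idle2", "crit2", "lock"]
    flow = {("idle1", "enter1"): 1, ("enter1", "crit1"): 1, ("crit1", "leave1"): 1, ("leave1", "idle1"): 1,
            ("idle2", "enter2"): 1, ("enter2", "crit2"): 1, ("crit2", "leave2"): 1, ("leave2", "idle2"): 1}
    initial = {"idle1": 1, "idle2": 1}
    if with_lock:
        flow.update({("lock", "enter1"): 1, ("leave1", "lock"): 1, ("lock", "enter2"): 1, ("leave2", "lock"): 1})
        initial["lock"] = 1
    return PTNet(places, ["enter1", "leave1", "enter2", "leave2"], flow, initial)


def mutual_exclusion_holds(net: PTNet) -> bool:
    """Safety property: no reachable marking puts tokens on both critical places."""
    return all(not (M["crit1"] and M["crit2"]) for M in net.reachable())


def build_producer_net() -> PTNet:
    """Constructed unbounded net: `produce` keeps its token and adds one more to `buf` each time."""
    return PTNet(["producer", "buf"], ["produce"],
                 {("producer", "produce"): 1, ("produce", "producer"): 1, ("produce", "buf"): 1},
                 {"producer": 1})


if __name__ == "__main__":
    for with_lock in (True, False):
        net = build_lock_net(with_lock)
        print(f"lock={with_lock}: |R(N)|={len(net.reachable())}, bound={net.bound()}, "
              f"mutex={mutual_exclusion_holds(net)}, concurrency preserving={net.is_concurrency_preserving()}")
    print("producer net bound (limit 50):", build_producer_net().bound(limit=50))
```

The lock variant reaches only three markings and is safe, while the variant without the lock reaches the marking with both critical places occupied; the unbounded producer is detected by the exploration running into its limit rather than by an infinite loop. Note that the lock net is not concurrency preserving, since `enter1` consumes two tokens and produces one, which is exactly the kind of net Section 4's slice decomposition excludes.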
A homomorphism from N to N is a mapping h : P ∪ T → P ∪ T with h(P) ⊆ P and h(T) ⊆ T, and with ∀ t ∈ T : h[pre(t)] = pre(h(t)) and h[post(t)] = post(h(t)). If additionally h[In] = In, then h is called an initial homomorphism. An (initial) isomorphism is a bijective (initial) homomorphism.

Occurrence nets and unfoldings. To represent the occurrences of transitions with both their causal dependency and conflicts (nondeterministic choices), we consider occurrence nets, branching processes, and unfoldings of Petri nets as in [6, 8, 14, 19]. We follow the axiomatic presentation in [6], taking [18] into account for dealing with P/T Petri nets.

An occurrence net is a Petri net N, where ∀ t ∈ T : pre(t) and post(t) are sets, ∀ p ∈ P : |pre(p)| ≤ 1, F⁻¹ is well-founded, no transition t ∈ T is in self-conflict, and In = °N. Note that an occurrence net is a safe net. Two nodes x, y of an occurrence net are causally related if x F* y or y F* x. They are concurrent if they are neither causally related nor in conflict. If x F⁺ y then x is called a causal predecessor of y, abbreviated x < y. We write x ≤ y if x < y or x = y. The causal past of a node y is the set past(y) = { x | x ≤ y }.

A branching process of a net N is a pair b = (N_U, l), where N_U is an occurrence net and l is a “labeling”, i.e., a homomorphism from N_U to N that is injective on transitions with the same precondition: ∀ t, t ∈ T_U : pre(t) = pre(t) ∧ l(t) = l(t) implies t = t. If l is initial, b is called an initial branching process. The unfolding of a net N is an initial branching process b_U = (N_U, l) that is complete in the sense that every transition of the net is recorded in the unfolding: ∀ t ∈ T, ∀ C ⊆ P_U : if C is a set of concurrent places and l[C] = pre(t), then there exists a transition t_U ∈ T_U such that pre(t_U) = C and l(t_U) = t.

Let b = (N, l) and b = (N, l) be two branching processes of N. A homomorphism from b to b is a homomorphism h from N to N with l = l ∘ h. It is called initial if h is initial; it is an isomorphism if h is an isomorphism. b and b are isomorphic if there exists an initial isomorphism from b to b. b approximates b if there exists an initial injective homomorphism from b to b.
b is a subprocess of b if b approximates b with the identity on P ∪ T as the homomorphism. Thus N ⊑ N and l = l↾(P ∪ T). If b approximates b then b is isomorphic to a subprocess of b. In [6] it is shown that the unfolding b_U = (N_U, l) of a net N is unique up to isomorphism and that every initial branching process b of N approximates b_U. Thus up to isomorphism we can assume that b is a subprocess of b_U.

Cuts and sequential composition. A cut of an occurrence net N is a maximal subset of the places that are pairwise concurrent. For a cut C let C⁻ = { x ∈ P ∪ T | ∃ s ∈ C : x ≤ s } and C⁺ = { x ∈ P ∪ T | ∃ s ∈ C : s ≤ x }. A cut C splits N into the two nets N↾C⁻ and (N↾C⁺)[C]; it also splits a branching process (N, l) into two branching processes (N, l) and (N, l), where N = N↾C⁻ and N = (N↾C⁺)[C] and l = l↾C⁻ and l = l↾C⁺.

Two branching processes (N, l) and (N, l) of a given P/T Petri net are compatible if l[N°] = l[°N]. Given two compatible branching processes (N, l) and (N, l), we can up to isomorphisms of N and of N assume that N° = °N and construct a unique branching process (N, l) with N↾C⁻ = N and (N↾C⁺)[C] = N, and l↾C⁻ = l and l↾C⁺ = l, for the cut C = N° = °N. This branching process is the sequential composition of (N, l) and (N, l), denoted by (N, l) = (N, l) ; (N, l). If (N, l) is an initial branching process, then so is (N, l).

Causal nets and concurrent runs. Executions of Petri nets are represented by causal nets and concurrent runs as in [4, 19]. A causal net is an occurrence net N, where ∀ p ∈ P : |post(p)| ≤ 1. A (concurrent) run or process of N is a special case of a branching process b_R = (N_R, r), where N_R is a causal net. If r is initial, b_R is called an initial run. Note that every initial run of N approximates the unfolding b_U = (N_U, l) of N. Thus up to isomorphism we can assume that an initial run of N is a subprocess of b_U.

The marking reached by a finite initial run b_R = (N_R, r) of N is denoted by [b_R⟩ and defined as the multiset [b_R⟩ = r[(N_R)°]. We remark that the set R(N) of reachable markings of N can be obtained via the runs as follows: R(N) = { [b_R⟩ | b_R is a finite initial run of N }.

We wish to model games where the players proceed independently of each other, without information of each other's state, unless they explicitly communicate. To this end, we introduce Petri games, defined as place/transition (P/T) Petri nets, where the set of places is partitioned into a subset P_S belonging to the system players and a subset P_E belonging to the environment. Additionally, the Petri game identifies a set B of bad places (from the point of view of the system), which indicate a victory for the environment. Formally, a Petri game is a structure G = (P_S, P_E, T, F, In, B), where the (underlying) Petri net of the game G is N = (P, T, F, In) with places P = P_S ∪ P_E. Players are modeled by the tokens of N. Throughout this paper we stipulate that there is only one environment player.

Example 3.1
Fig. 3 shows the underlying P/T net N of a small Petri game for two system players in place Sys and one environment player in place Env. Environment places are white and system places are gray. The environment chooses A or B by executing one of the transitions t or t. The goal of the system players is to achieve the same decisions as Env, i.e., both system players should choose A′ if Env chooses A, and B′ if Env chooses B. Without communication, the system players do not know which decision the environment has taken. However, when both system players and the environment communicate by synchronizing via the transitions test or test, the system players learn about the decision taken by the environment and can mimic it. If test was successful, they choose A′ via transition t′, and if test was successful, they choose B′ via transition t′.

Figure 3: Petri game for achieving same decisions, where Env and Sys can synchronize via two transitions test and test. Transitions from EA and B′ and from EB and A′ to a bad place have been omitted to aid visibility.

We wish to model that players learn about previous decisions of other players by communication. To this end, we use the unfolding of the net, where each place that is reachable via several transition paths is duplicated into several copies of the place, each one representing its causal past. The unfolding of a game G is the unfolding of the underlying net N, denoted by the branching process b_U = (N_U, l), where N_U is an occurrence net and l is an initial homomorphism from N_U to N, which “labels” the places and transitions of N_U with the places and transitions of N. In the graphic representation of games and unfoldings gray places denote elements of P_S and white places elements of P_E.

Example 3.2
Fig. 4 shows the unfolding of the Petri game in Fig. 3.
Figure 4: Unfolding of the Petri game in Fig. 3. If the transitions shown with dashed lines are removed from the unfolding, the resulting net represents a winning strategy for the system players, i.e., on the left-hand side, the system players choose A′, and on the right-hand side, the system players choose B′.

A global strategy is obtained from the unfolding by deleting some of the branches that are under control of the system players. We call this a “global” strategy because it looks at all players simultaneously. Note that nevertheless a strategy describes for each place which transitions the player in that place can take. Formally, this is expressed by the net-theoretic notion of subprocess.

An unfolded (global) strategy for the system players in G is a subprocess s = (N_s, l_s) of the unfolding b_U = (N_U, l) of N subject to the following conditions for all p ∈ P_s:
(S1) if p ∈ P_s^S then s is deterministic at p,
(S2) if p ∈ P_s^E then ∀ t ∈ T_U : (p, t) ∈ F_U ∧ |pre_U(t)| = 1 ⇒ (p, t) ∈ F_s, i.e., at an environment place the strategy does not restrict any local transitions.
Here P_s^S = P_s ∩ l⁻¹(P_S) denotes the system places and P_s^E = P_s ∩ l⁻¹(P_E) the environment places in P_s. A strategy s is deterministic at a place p if for all M ∈ R(N_s), the set of reachable markings in N_s: p ∈ M ⇒ ∃≤1 t ∈ T_s : p ∈ pre(t) ⊆ M. Due to the unfolding, a decision taken by s in a place p depends on the causal past of p, which may be arbitrarily large. The adjective “global” indicates that s looks at all players simultaneously. Local controllers are discussed in Section 4.

Example 3.3
Fig. 4 shows also a global strategy for the system players of the Petri game in Fig. 3.
A (concurrent) play of a Petri game G is an initial concurrent run p of the underlying net N. If p contains a place of B, the environment wins p. Otherwise, the system players win p. Note that up to isomorphism we can assume that p is a subprocess of the unfolding b_U. A play p conforms to a strategy s if p is a subprocess of s. A strategy s for the system players is winning if the system players win every play that conforms to s.

Since the winning condition of a game is a safety objective, the system players can satisfy it by doing nothing. To avoid such trivial solutions, we look for strategies s that are deadlock avoiding in the sense that ∀ M ∈ R(N_s) : ∃ t ∈ T_U : pre(t) ⊆ M ⇒ ∃ t ∈ T_s : pre(t) ⊆ M, i.e., if the unfolding can execute a transition the strategy s can as well, thus avoiding unnecessary deadlocks. A marking where there is no enabled transition in the unfolding either is not a deadlock. Then we say that the game has terminated.

A (global) strategy for the system players in G is a pair s = (N_s, h_s) consisting of a safe net N_s and an initial homomorphism h_s from N_s to N that is injective on transitions with the same preset, i.e., ∀ t, t ∈ T_U : pre(t) = pre(t) ∧ l(t) = l(t) implies t = t, subject to the conditions (S1) and (S2) above. A global strategy s may have cycles and thus be finite, i.e., have a finite set P_s ∪ T_s.

We show that for Petri games with a concurrency preserving underlying net, every global strategy s is distributable over local controllers. A net N is concurrency preserving if every transition t ∈ T satisfies |pre(t)| = |post(t)|. The parallel composition N ∥ N of two nets N_i = (P_i, T_i, F_i, In_i), i = 1, 2, with P ∩ P = ∅ is defined as the Petri net N ∥ N = (P ∪ P, T ∪ T, F ∪ F, In ∪ In) obtained by taking the componentwise union. The two nets synchronize on each common transition t ∈ T ∩ T as in the process algebra CSP [13, 20].

Let N = (P, T, F, In) be a concurrency preserving, safe net with the places partitioned into system and environment places P = P_S ∪ P_E. A slice of N describes the course of one token in N. Formally, it is a net S = (P_S, T_S, F_S, In_S), where P_S ⊆ P_S or P_S ⊆ P_E, T_S ⊆ T, F_S ⊆ F, In_S ⊆ In are minimal subsets satisfying
• |In_S| = 1, ∀ p ∈ P_S : post_N(p) ⊆ T_S and ∀ t ∈ T_S : |pre_S(t)| = |post_S(t)| = 1,
• F_S = F↾(P_S × T_S) ∪ (T_S × P_S).
The net N is called reachable if every place and transition of N is reachable from its initial marking.

Lemma 4.1 (Parallel Composition of Slices)
Every safe reachable net N which is concurrency preserving is the parallel composition of slices: N = ∥_{S ∈ 𝒮} S, where 𝒮 is a family of slices of N such that { P_S | S ∈ 𝒮 } is a partition of P.

A local controller specifies the moves of a single player in a Petri game. It is a pair C = (N_C, h_C) consisting of a safe net N_C with one token, i.e., |In_C| = 1 and ∀ t ∈ T_C : |pre_C(t)| = |post_C(t)| = 1, and a weak homomorphism h_C from N_C to N, the underlying net of the Petri game. A local controller C is finite if P_C ∪ T_C is a finite set. It may have nondeterministic choices of transitions that are resolved (later) by synchronization with other controllers working in parallel. Unfolding N_C yields a branching process b_C = (N_CU, l_C), where l_C is an initial homomorphism from N_CU to N_C. Then C_U = (N_CU, h_C ∘ l_C) is an unfolded local controller.

A(n unfolded) strategy s is distributable if s can be represented as the parallel composition of (unfolded) local controllers for the environment and the system players in the sense that the reachable part of the parallel composition is isomorphic to s. Using Lemma 4.1 we show:

Lemma 4.2 (Distribution)
Every unfolded global strategy for a concurrency-preserving Petri game is distributable.
Example 4.3
The global strategy of Fig. 4 can be distributed into the local controllers of Fig. 5.

Figure 5: The local controllers C_E for the environment and C_S, C_S for the system players work in parallel and synchronize on the transitions test and test. Applying the parallel composition ∥ to the three controller nets yields the winning strategy of Fig. 4.

Theorem 4.4
If the system players in a bounded and concurrency preserving Petri game have a winning strategy, then they have a finite distributable winning strategy.
In an unfolded strategy s, a decision taken by s in a place p depends on the causal past of p, which may be arbitrarily large. Similar to model checking approaches based on net unfoldings [7], we use cuts (maximal subsets of pairwise concurrent places) as small summaries of the causal past. The standard notion of cuts is, however, problematic for games with multiple players, because it collects places without regard for the (possibly different) knowledge of the individual players about the causal past. To solve this problem, we introduce a new kind of cut, called mcut, which guarantees that the system players can be considered to be perfectly informed about the environment decisions.

Throughout this section, we consider a Petri game G with underlying net N, unfolding b_U = (N_U, l), and an unfolded strategy s = (N_s, l_s), so N_s ⊑ N_U and l_s = l↾(P_s ∪ T_s). Since in N_s the nondeterminism of N_U has been restricted, we distinguish for a node x ∈ P_s ∪ T_s the postconditions post_s(x) and post_U(x) taken in the nets N_s and N_U, respectively. Note that post_s(x) ⊆ post_U(x). For preconditions we have pre_s(x) = pre_U(x). Thus, while the postconditions of nodes may be different in N_s and N_U, their preconditions are identical.

Futures, mcuts and ecuts. For a cut C of an occurrence net let C⁺ = { x ∈ P ∪ T | ∃ s ∈ C : s ≤ x }, where ≤ denotes the reflexive causal predecessor relation given by F*. For a subnet N′ ⊑ N_U and a cut C of N′ we write N′_{C⁺} = (N′↾C⁺)[C]. Note that (N_{U,C⁺}, l↾C⁺) is an initial branching process of the net N[l[C]], which is like N but starts at the initial marking l[C]. For cuts C and C′ we write C ≤ C′ if ∀ x ∈ C ∃ y ∈ C′ : x ≤ y, and C < C′ if C ≤ C′ and C ≠ C′. The future in N_s of a node x in N_s is the set fut_s(x) = { y ∈ P_s ∪ T_s | x ≤ y }. A p-cut is a cut containing the place p.

For an environment place p ∈ P_s we introduce now mcut(p) as the w.r.t. ≤ minimal p-cut C such that for all places q ∈ C, either the system players have maximally progressed at q, in the sense that any further system transition would require an additional environment transition starting from place p, or the future starting at q does not depend on the environment.

Figure 6: Shown is an initial part of an unfolding. Consider the places p and q both labeled with p. Then mcut(p) contains the upper places labeled p, q, q and ecut(p, tt) contains the places labeled p, q, q in the middle, whereas mcut(q) contains the places labeled p, q, q, with the system players maximally progressed. Both mcuts have only places of type 1.

The formal definition is as follows: For a p-cut C and a place q ∈ C we define type(q) = 1 if ∀ t ∈ post_s(q) : (t reachable in N_{s,C⁺} ⇒ p ≤ t) and type(q) = 2 if ∀ t ∈ fut_s(q) : (t reachable in N_{s,C⁺} ⇒ p ≰ t). Note that type(p) = 1. By type-1(C) we denote the set of all places in C that have type 1, and analogously for type-2(C). Then we define: mcut(p) = min_≤ { C | C is a p-cut of N_s ∧ ∀ q ∈ C : type(q) = 1 ∨ type(q) = 2 }. For an example, see Fig. 6.
Lemma 5.1 (Existence of mcuts)
For every environment place p ∈ P s , mcut ( p ) is well-defined. An ecut results from an mcut by firing a single environment transition. Formally, given an environ-ment place p ∈ P s and a transition t ∈ post s ( p ) with environment participation let ecut ( p , t ) be the cut C obtained by firing t at mcut ( p ) , formally mcut ( p )[ t i C . For an example, see Fig. 6. We now reduce Petri games to games over finite graphs, which can subsequently be solved by a standardfixed point construction. Unlike the Petri game, the finite-graph game has only two players, Player 0 and26 PetriGamesPlayer 1, which both act on complete information. We construct a finite-graph game that is equivalentto the Petri game in the sense that the system players have a deadlock-avoiding and winning strategy inthe Petri game iff Player 0 has a winning strategy in the finite-graph game. The key idea is that Player 1,representing the environment, is only allowed to make a decision at mcuts, which guarantees that thesystem players learn about the decision before they have to make their next choice. In this way, thesystem players can be considered to be perfectly informed.A finite-graph game ( V , V , V , I , E , W , W ) consists of a finite set V = V ∪ V of states, partitionedinto Player 0’s states V and Player 1’s states V , a set of initial states I ⊆ V , an edge relation E ⊆ V × V ,and disjoint sets of winning states W , W ⊆ V for Player 0 and Player 1, respectively. A play is a possiblyinfinite sequence of states, constructed by letting Player 0 choose the next state from the E -successorswhenever the play is in V and letting Player 1 choose otherwise. Player 0 wins if the play reaches W orforever avoids visiting W .A strategy for Player 0 is a function f : V ∗ · V → V that maps a prefix of a play ending in a stateowned by Player 0, i.e., a sequence of states that ends in a V state, to some successor state according to E . 
A play conforms to a strategy f if all successors of V_0 states in the play are chosen according to f. A strategy is winning for Player 0 if there is an initial state v ∈ I such that all plays that start in v and conform to f are won by Player 0.

To simulate a Petri game G = (P_S, P_E, T, F, In, B), we build a finite-graph game where the states are multisets consisting of triples (p, type, T), where p ∈ P is a place, type is a type, i.e., 1 or 2, and T ∈ T ∪ {⊤} is either a set of transitions representing the transitions chosen by a token in p or a special symbol ⊤, indicating that a new choice needs to be made. We call these multisets decision sets. For k-bounded Petri games, we limit the cardinality of the decision sets to |P| · k. A state belongs to Player 1 if the decision set corresponds to an mcut, and to Player 0 otherwise; i.e., the states of Player 1 consist of all decision sets where there is no ⊤ symbol and the outgoing transitions from type-1 places are either disabled or have an environment place in their precondition; the states of Player 0 consist of all other decision sets. The game starts with some initial marking, which fixes an arbitrary classification of types, all outgoing transitions for the environment places and an arbitrary selection of transitions for the system places. When there is a ⊤ symbol, Player 0 makes a choice for the transition set. In other situations, the game continues by Player 0 choosing transitions from system places and Player 1 choosing transitions that involve an environment place. The choices of both players are restricted to the transitions allowed in the decision set. There is an additional restriction based on the type of the places, which we will discuss below. Whenever a transition has fired, Player 0 chooses a new set of transitions for the newly reached system places. (In environment places, all outgoing transitions are always allowed.) If no more transitions from type-1 places are enabled, the game ends.
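The "standard fixed point construction" that solves the finite-graph game, as an added example (this is illustrative code, not code from the paper). Under the winning condition stated above, Player 0 wins a play that reaches W_0 or forever avoids W_1, so Player 1 wins exactly the states from which it can force a visit to W_1 without passing through W_0. The block computes Player 1's attractor of W_1 in the arena with W_0 removed, declares every remaining state winning for Player 0, and reads off a memoryless strategy. The game it runs on is constructed for illustration: its state names (v0, m1, term, dead, bad, ...) and edges are assumptions, not the states of Fig. 7, but they play the roles the construction produces (Player 0 states, mcut states owned by Player 1, and decision sets that are terminating, deadlocked or contain a bad place).

```python
from collections import defaultdict

# Added example (not from the paper): solve a finite-graph game of the kind the
# reduction produces. Player 0 wins a play that reaches W0 or forever avoids W1;
# W0 and W1 are disjoint and their states have no successors (the game has ended).


def solve_game(V0, V1, I, E, W0, W1):
    """Return (win0, strategy, winning_initial_states).

    win0: the states from which Player 0 wins; strategy: a memoryless choice for
    the Player 0 states in win0; winning_initial_states: the v in I from which
    Player 0 has a winning strategy in the sense of the definition above.
    """
    V0, V1, W0, W1 = set(V0), set(V1), set(W0), set(W1)
    assert not (W0 & W1), "winning sets must be disjoint"
    V = V0 | V1
    succ, pred = defaultdict(set), defaultdict(set)
    for u, v in E:
        succ[u].add(v)
        pred[v].add(u)
    # Fixed point: Player 1's attractor of W1 in the arena with W0 cut out.
    # A play entering W0 ends with a win for Player 0, so Player 1 can never route
    # through it; everything outside the attractor is won by Player 0, because
    # Player 0 can keep the play outside W1 forever (or step into W0).
    attr = set(W1)
    need = {v: len(succ[v]) for v in V}   # Player 0 moves not yet leading into attr
    work = list(attr)
    while work:
        v = work.pop()
        for u in pred[v]:
            if u in attr or u in W0:
                continue
            if u in V1:                    # Player 1 may simply move into the trap
                attr.add(u)
                work.append(u)
            else:
                need[u] -= 1               # one escape route fewer for Player 0
                if need[u] == 0:
                    attr.add(u)
                    work.append(u)
    win0 = V - attr
    # From a winning Player 0 state some successor is winning too; min() makes the
    # choice deterministic.
    strategy = {v: min(succ[v] & win0) for v in V0 & win0 if succ[v]}
    return win0, strategy, [v for v in I if v in win0]


def example_game():
    """Constructed game (illustrative, not Fig. 7): 'mN' states are Player 1
    states (mcuts), 'vN' states are Player 0 states, 'term' is a terminating
    decision set, 'dead' a deadlock and 'bad' a decision set with a bad place."""
    V0 = {"v0", "v2", "v4", "v5"}
    V1 = {"m1", "m3", "m5", "term", "dead", "bad"}  # end states: owner is irrelevant
    E = [("v0", "m1"), ("v0", "dead"),
         ("m1", "v2"), ("m1", "term"),
         ("v2", "m3"), ("v2", "bad"),
         ("m3", "v4"), ("m3", "term"),
         ("v4", "m1"),                      # infinite play avoiding W1: Player 0 wins
         ("v5", "m5"), ("v5", "bad"),
         ("m5", "bad"), ("m5", "term")]     # Player 1 can force 'bad' from m5
    return solve_game(V0, V1, I={"v0", "v5"}, E=E, W0={"term"}, W1={"dead", "bad"})


if __name__ == "__main__":
    win0, strategy, winning_initial = example_game()
    print("winning for Player 0:", sorted(win0))
    print("strategy:", strategy)
    print("winning initial states:", winning_initial)
```

From v0 the strategy must avoid the deadlock state and later the bad place, and the play may cycle v4 → m1 → v2 → m3 → v4 forever, which is a win because it never visits W_1; from v5 Player 1 can reach the bad place whatever Player 0 does, so only v0 is a winning initial state. The attractor loop touches each edge once, so the solver is linear in the size of the game graph, which is itself exponential in the size of the Petri game.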
If this is due to termination, or if the decision set includes type-2 places, Player 0 wins. Player 1 wins if the game ends due to deadlock, if nondeterminism is encountered (i.e., two separate transitions, or two separate instances of the same transition, are enabled that share some system place in their precondition and have no environment places in their precondition), or if a bad place is visited.

Example 6.1
Figure 7 shows (a part of) the finite-graph game corresponding to the Petri game from Fig. 3. In Fig. 3, the transitions leading to bad places have been omitted. For the purposes of this example, we assume that there is one additional transition t⊥, which takes one token each from places EA and B′ and puts one token on the bad place ⊥ and one token back on EA. States of Player 0 are shown as rectangles, states of Player 1 as diamonds. Winning states for Player 0 are shown with double lines, winning states for Player 1 with bold lines. In addition to the initial state v shown in Fig. 7, the game has further initial states that are omitted here. Player 0 has a winning strategy from v (following the edges shown with solid lines).

[Figure 7: Part of the finite-graph game corresponding to the Petri game from Fig. 3. Each state is a decision set, a multiset of triples (place, type, chosen transitions) with multiplicities; the states shown contain the places Env, Sys, EA, A, B, A′, B′ and ⊥ and the transitions t⊥, test and t′.]

In state v, Player 0 wins, because the game terminates. In states v and v, Player 1 wins, because a deadlock is reached. In state v, Player 1 wins, because nondeterminism is encountered. In states v, v, and v, Player 1 wins, because the bad place ⊥ is reached.

The finite-graph game as described so far does not yet ensure the correctness of the classification of the places into types 1 and 2. We need to make sure that the Petri game can indeed continue from type-2 places without dependencies on the environment and without visits to bad places. For this purpose, we identify, in a preprocessing step, the largest subset D of the set of decision sets that consists of only those decision sets that are either terminating or have at least one transition from type-2 places to another decision set in D that does not contain a bad place. We restrict the game to D and only allow (for both players) transitions that originate from type-1 places.

Lemma 6.2 (Reduction to Finite-Graph Games)
The system players have a deadlock-avoiding winning strategy in the Petri game iff Player 0 has a winning strategy in the finite-graph game.
To prove Lemma 6.2, we translate a winning strategy for Player 0 in the finite-graph game into a deadlock-avoiding winning strategy for the system players in the Petri game and vice versa.

Given a winning strategy f of the finite-graph game, we inductively build a strategy s for the Petri game following the tree structure given by the possible choices of the environment token. In this way, we construct for each environment place in s a unique mcut, and for each subsequent ecut a causal net connecting the type-1 places of the ecut to the next mcut. The strategy is deadlock-avoiding because the decision sets of mcuts with deadlocks are winning for Player 1. The strategy is winning, because the plays that conform to f avoid bad places. If the play in the finite-graph game is infinite, then the play in the Petri game is also infinite, traversing an infinite sequence of mcuts. If the play in the finite-graph game is finite, then this may be due to termination, in which case the play in the Petri game terminates as well; otherwise, the play must have reached a decision set with type-2 places, from which the play in the Petri game continues infinitely.

Given a deadlock-avoiding winning strategy s of the Petri game and a prefix w ∈ V* · V_0 of a play of the finite-graph game, we compute the choice f(w) of the strategy for the finite-graph game by simulating w in s: starting with the initial marking and firing the transitions of w in s, we arrive at a cut of s which is not an mcut; we choose an arbitrary enabled system transition and choose the decision set of the resulting cut as f(w). For a cut C in s, the decision set is the multiset dec[C] = { (l(p), type(p), l(post^s(p))) | p ∈ C }. The resulting strategy f is winning from the decision set of the initial cut of s.

The size of the finite-graph game is exponential in the size of the Petri game; the Petri game can therefore be solved in single-exponential time.
A matching lower bound follows from the EXPTIME-hardness of combinatorial games [25].

Theorem 6.3 (Game Solving)
For bounded Petri games with one environment player and a bounded number of system players, the question whether the system players have a winning strategy is EXPTIME-complete. If a winning strategy for the system players exists, it can be constructed in exponential time.
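The decision set dec[C] from the proof of Lemma 6.2 and the ownership rule for states from the construction above (a state is Player 1's iff it corresponds to an mcut: no ⊤ symbol, and every transition chosen at a type-1 place is disabled or has an environment place in its precondition), as an added example that is not code from the paper. The net fragment, its place names and types, the environment place Env and the chosen transition sets are all constructed for illustration; reading "disabled" as "not enabled under the transition sets recorded in the decision set" is an assumption of this example, as is using the place names themselves as labels l(p).

```python
from collections import Counter

TOP = "⊤"   # marks a place whose token still has to choose its transitions

# Constructed net fragment (illustrative; not the net of Fig. 3). Each place has a
# type (1 or 2); "Env" is the only environment place; PRE gives the precondition
# (set of places) of every transition.
PLACE_TYPE = {"Env": 1, "Sys": 1, "A": 1, "B": 1, "Done": 2}
ENV_PLACES = {"Env"}
PRE = {"t1": {"Env", "Sys"}, "t2": {"Env", "Sys"}, "test": {"A"}, "loop": {"Done"}}


def dec(cut):
    """dec[C] = {(l(p), type(p), l(post^s(p))) | p in C} as a multiset (Counter).

    `cut` lists, per token, the place it sits on together with the set of
    transitions the token has chosen there (environment tokens keep all their
    outgoing transitions), or TOP if the choice is still to be made. Labels are
    the place names themselves in this constructed example (assumption)."""
    return Counter((p, PLACE_TYPE[p], TOP if chosen == TOP else frozenset(chosen))
                   for p, chosen in cut)


def enabled(t, ds):
    """t is enabled in decision set ds if every place of its precondition holds a
    token whose recorded choice allows t (assumed reading of "disabled")."""
    return all(any(q == p and T != TOP and t in T for (q, _, T) in ds.elements())
               for p in PRE[t])


def owner(ds):
    """Player 1 owns ds iff it corresponds to an mcut: no TOP symbol, and every
    transition chosen at a type-1 place is disabled or has an environment place
    in its precondition. Every other decision set belongs to Player 0."""
    for (p, typ, T) in ds:
        if T == TOP:
            return 0
        if typ == 1:
            for t in T:
                if enabled(t, ds) and not (PRE[t] & ENV_PLACES):
                    return 0
    return 1


# Constructed cuts, each given as a list of (place, chosen transitions).
CUTS = {
    "mcut":      [("Env", {"t1", "t2"}), ("Sys", {"t1", "t2"})],  # only joint transitions
    "sys_move":  [("Env", {"t1", "t2"}), ("A", {"test"})],        # system can move alone
    "undecided": [("Env", {"t1", "t2"}), ("Sys", TOP)],           # choice still pending
    "stuck":     [("Env", {"t1", "t2"}), ("A", set())],           # nothing enabled
    "type2":     [("Env", {"t1", "t2"}), ("Done", {"loop"})],     # type-2 place runs on
}


def classify_all():
    """Owner (0 or 1) of the decision set of each constructed cut."""
    return {name: owner(dec(cut)) for name, cut in CUTS.items()}


if __name__ == "__main__":
    for name, who in classify_all().items():
        print(f"{name:10s} -> Player {who}")
```

The "stuck" cut is owned by Player 1 although no transition is enabled: it is exactly the kind of mcut at which the game ends in a deadlock, which the construction makes winning for Player 1. The "type2" cut shows why the type matters: the transition loop is enabled and has no environment place in its precondition, but because Done has type 2 the rule ignores it and the state is still an mcut.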
Although the reachability problem is decidable also for unbounded Petri nets [17], we cannot decide unbounded Petri games. This is an immediate consequence of the undecidability of VASS (Vector Addition Systems with States) games [2].
Theorem 6.4
For unbounded Petri games, the question whether the system players have a winning strategy is undecidable.
There is a significant body of work on synthesis and control based on Petri nets (cf. [5, 12, 22, 27]). These approaches differ from ours in that they solve supervisory control problems or two-player games on the state space created by the Petri net. Hence, these approaches solve the single-process synthesis problem, as opposed to the multi-process synthesis problem for concurrent systems considered in this paper.

For distributed systems, much work has focused on finding architectures for which the realizability question is decidable. Most research on this problem is in the setting of synchronous processes with shared-variable communication, introduced by Pnueli and Rosner. A general game model for these types of realizability problems is Walukiewicz and Mohalik's distributed games [26]. While undecidable in general [21], the distributed synthesis problem can be solved in the Pnueli/Rosner setting for a number of interesting architectures, including pipelines [24], rings [15], and generally all architectures where the processes can be ordered according to their informedness [9]. Unfortunately, all these decision procedures have nonelementary complexity. For the asynchronous games based on Zielonka's automata, decidability has also been established for specific classes of architectures such as trees [11]. Another important line of work concerns the alternating-time temporal logics, which are interpreted over concurrent game structures [3]. The difference between Petri games and these approaches is that Petri games link informedness to causality instead of referring to a separate, static specification of the relative informedness in an architecture.

In the literature on Petri nets, unfoldings have been used conceptually to connect Petri net theory with event structures [4, 6, 18, 19] and practically to obtain algorithms for deciding reachability. These algorithms are based on constructing a finite canonical prefix of the in general infinite net unfolding that contains all reachable markings [7, 8, 14]. We use net unfoldings as a uniform conceptual basis to define strategies and plays as well as suitable cuts for analyzing the strategies. Net unfoldings enable us to formalize the intended degree of informedness of each player at a given place: it is the causal past of that place; concurrent activities beyond that past are not visible. Such a causal view is also chosen in [10], for the setting of Zielonka's automata [28].
We have introduced Petri games, an extension of Petri nets where the tokens represent players who make individual, independent decisions. Using tokens as the carriers of information, Petri games link information flow to causality: decisions may only use information resulting from decisions that they also depend on causally. This makes Petri games a convenient formalism to reason about asynchronous concurrent programs as well as manufacturing cells [27], business workflows [1], and other distributed applications. Our synthesis algorithm is applicable to Petri games where the number of system tokens is bounded by some arbitrary number, and the number of environment tokens is bounded by 1. This leaves two important open problems. The first open problem is whether Petri games with more than one environment token are decidable; if so, what is the precise complexity? The decidability result for tree architectures [11] is both encouraging and discouraging: encouraging, because at least some architectures that are undecidable in the Pnueli/Rosner setting are decidable for distributed systems with causal memory; discouraging, because the complexity of the synthesis algorithm is nonelementary. The second open problem is to find synthesis methods for unbounded Petri games. While we have shown that the problem is in general undecidable, it is an interesting challenge for future research to develop semi-algorithms for unbounded Petri games and to find other restrictions besides boundedness that make the synthesis problem decidable.
References

[1] W.M.P. v. Aalst (1998): The application of Petri nets to workflow management. J. of Circuits, Systems and Computers 8, pp. 21–66, doi:10.1142/S0218126698000043.
[2] P.A. Abdulla, A. Bouajjani & J. d'Orso (2003): Deciding Monotonic Games. In: Proc. CSL, LNCS 2803, Springer-Verlag, pp. 1–14, doi:10.1007/978-3-540-45220-1_1.
[3] R. Alur, T.A. Henzinger & O. Kupferman (2002): Alternating-time temporal logic. Journal of the ACM 49(5), pp. 672–713, doi:10.1145/585265.585270.
[4] E. Best & C. Fernández (1988): Nonsequential Processes. Springer, doi:10.1007/978-3-642-73483-0.
[5] U. Buy, H. Darabi, M. Lehene & V. Venepally (2005): Supervisory Control of Time Petri Nets Using Net Unfolding. Annual International Computer Software and Applications Conference 2, pp. 97–100, doi:10.1109/COMPSAC.2005.148.
[6] J. Engelfriet (1991): Branching processes of Petri nets. Acta Informatica 28(6), pp. 575–591, doi:10.1007/BF01463946.
[7] J. Esparza (1994): Model checking using net unfoldings. Science of Computer Programming 23, pp. 151–195, doi:10.1016/0167-6423(94)00019-0.
[8] J. Esparza & K. Heljanko (2008): Unfoldings – A Partial-Order Approach to Model Checking. Springer, doi:10.1007/978-3-540-77426-6.
[9] B. Finkbeiner & S. Schewe (2005): Uniform Distributed Synthesis. In: Proc. LICS, IEEE Computer Society Press, pp. 321–330, doi:10.1109/LICS.2005.53.
[10] P. Gastin, B. Lerman & M. Zeitoun (2004): Distributed Games with Causal Memory Are Decidable for Series-Parallel Systems. In: Proc. FSTTCS, pp. 275–286, doi:10.1007/978-3-540-30538-5_23.
[11] B. Genest, H. Gimbert, A. Muscholl & I. Walukiewicz (2013): Asynchronous Games over Tree Architectures. In: Proc. ICALP'13, Part II, LNCS 7966, Springer, pp. 275–286, doi:10.1007/978-3-642-39212-2_26.
[12] A. Giua (1992): Petri Nets as Discrete Event Models for Supervisory Control. Ph.D. thesis, Rensselaer Polytechnic Institute.
[13] C.A.R. Hoare (1985): Communicating Sequential Processes. Prentice Hall, doi:10.1145/359576.359585.
[14] V. Khomenko, M. Koutny & W. Vogler (2003): Canonical prefixes of Petri net unfoldings. Acta Informatica 40, pp. 95–118, doi:10.1007/3-540-45657-0_49.
[15] O. Kupferman & M.Y. Vardi (2001): Synthesizing Distributed Systems. In: Proc. LICS, IEEE Computer Society Press, pp. 389–398, doi:10.1109/LICS.2001.932514.
[16] P. Madhusudan, P.S. Thiagarajan & S. Yang (2005): The MSO Theory of Connectedly Communicating Processes. In: Proc. FSTTCS'05, LNCS 3821, Springer, pp. 201–212, doi:10.1007/11590156_16.
[17] E.W. Mayr (1981): An algorithm for the general Petri net reachability problem. In: Proc. 13th ACM STOC, ACM, pp. 238–246, doi:10.1145/800076.802477.
[18] J. Meseguer, U. Montanari & V. Sassone (1996): Process versus unfolding semantics for Place/Transition Petri nets. TCS 153, pp. 171–210, doi:10.1016/0304-3975(95)00121-2.
[19] M. Nielsen, G.D. Plotkin & G. Winskel (1981): Petri Nets, Event Structures and Domains, Part I. Theor. Comput. Sci. 13, pp. 85–108, doi:10.1016/0304-3975(81)90112-2.
[20] E.R. Olderog (1991): Nets, Terms and Formulas: Three Views of Concurrent Processes and Their Relationship. Cambridge University Press, doi:10.1017/CBO9780511526589.
[21] A. Pnueli & R. Rosner (1990): Distributed Reactive Systems are Hard to Synthesize. In: Proc. FOCS, IEEE Computer Society Press, pp. 746–757, doi:10.1109/FSCS.1990.89597.
[22] J.F. Raskin, M. Samuelides & L.V. Begin (2003): Petri Games are Monotone but Difficult to Decide. Technical Report, Université Libre De Bruxelles.
[23] W. Reisig (1985): Petri Nets – An Introduction. Springer, doi:10.1007/978-3-642-69968-9.
[24] R. Rosner (1992): Modular Synthesis of Reactive Systems. Ph.D. thesis, Weizmann Institute of Science, Rehovot, Israel.
[25] L.J. Stockmeyer & A.K. Chandra (1979): Provably Difficult Combinatorial Games. SIAM J. Comput. 8(2), pp. 151–174, doi:10.1137/0208013.
[26] I. Walukiewicz & S. Mohalik (2003): Distributed Games. In: Proc. FSTTCS'03, LNCS 2914, pp. 338–351, doi:10.1007/978-3-540-24597-1_29.
[27] Q. Zhou, M. Wang & S.P. Dutta (1995): Generation of optimal control policy for flexible manufacturing cells: A Petri net approach. Intern. Journal of Advanced Manufacturing Technology 10, pp. 59–65, doi:10.1007/BF01184279.
[28] W. Zielonka (1995):