DDEPARTMENT OF COMPUTER SCIENCE
Reversible Computation in Petri Nets
Kyriaki Psara
A dissertation submitted to the University of Cyprusin partial fulfillment of the requirementsfor the degree of Doctor of PhilosophyDecember, 2020 a r X i v : . [ c s . L O ] J a n Kyriaki Psara, 2020
ALIDATION PAGE
Doctoral Candidate:
Kyriaki Psara
Doctoral Dissertation Title:
Reversible Computation in Petri Nets
The present Doctoral Dissertation was submitted in partial fulfillment of the requirementsfor the Degree of Doctor of Philosophy at the Department of Computer Science and wasapproved on
December 18, 2020 by the members of the Examination Committee.
Examination Committee:
Research Supervisor Associate Professor Anna PhilippouCommittee Chair Associate Professor Chryssis GeorgiouCommittee Member Professor Yannis DimopoulosCommittee Member Professor Maciej KoutnyCommittee Member Associate Professor Ivan Lanese iii
ECLARATION OF DOCTORAL CANDIDATE
The present Doctoral Dissertation was submitted in partial fulfillment of the requirementsfor the degree of Doctor of Philosophy of the University of Cyprus. It is a product of originalwork of my own, unless otherwise mentioned through references, notes, or any other state-ments.
Kyriaki Psara. . . . . . . . . . . . . . . . . . . . iv ερίληψη
Ο αναστρέψιμος υπολογισμός είναι μια μη συμβατική μορφή υπολογισμού που επεκτείνειτον τυπικό τρόπο υπολογισμού με τη δυνατότητα αντίστροφης εκτέλεσης λειτουργιών.Η αναστρεψιμότητα προσέλκυσε πρόσφατα αυξανόμενη προσοχή σε διάφορες ερευνητικέςκοινότητες καθώς από τη μία υπόσχεται υπολογισμούς χαμηλής ισχύος και, από την άλλη,είναι εφαρμόσιμη σε μια ποικιλία εφαρμογών.Η διερεύνηση της αναστρεψιμότητας μέσω τυπικών μοντέλων καθορίζει τα θεωρητικάθεμέλια για το τι είναι η αναστρεψιμότητα, ποιο σκοπό εξυπηρετεί, και πως ωφελεί ταφυσικά και τεχνητά συστήματα. Ως εκ τούτου, προτείνουμε μια αναστρέψιμη προσέγγισηγια τα δίκτυα Πέτρι, εισάγοντας μηχανισμούς και σχετική λειτουργική σημασιολογία γιατην αντιμετώπιση των προκλήσεων που έχουν οι κύριες μορφές αναστρεψιμότητας.Τα δίκτυα Πέτρι είναι μια μαθηματική γλώσσα για μοντελοποίηση και συλλογισμό κα-τανεμημένων συστημάτων. Η πρόταση μας αφορά μία παραλλαγή των δικτύων Πέτρι, πουονομάζεται Αναστρέψιμα Δίκτυα Πέτρι, όπου τα διακριτικά ενός δικτύου ξεχωρίζουν μετα-ξύ τους με μοναδικές ταυτότητες. Δείχνουμε τη δυνατότητα εφαρμογής της προσέγγισήςμας σε ένα μοντέλο μεταβολικής διαδρομής και ένα σύστημα επεξεργασίας συναλλαγώνόπου και τα δύο εκδηλώνουν αναστρέψιμη συμπεριφορά.Μια άμεση επέκταση του αρχικού μοντέλου συμπεριλαμβάνει την παροχή πολλαπλώνδιακριτικών που εκπροσωπούν τον ίδιο τύπο. Μία τέτοια επέκταση σε ένα μοντέλο όπωςτα δίκτυα Πέτρι, έχει ως αποτέλεσμα αντίστροφες συγκρούσεις όπου ένα διακριτικό μπο-ρεί να έχει τοποθετηθεί σε μία θέση από διαφορετικές μεταβάσεις. Προτείνουμε λοιπόν μιαεπέκταση των αναστρέψιμων δικτύων Πέτρι που επιτρέπει πολλαπλά διακριτικά του ίδιουτύπου σε ένα μοντέλο, ενώ παράλληλα διασφαλίζεται ο ντετερμινισμός κατά την αναστρο- i ή. Συγκεκριμένα, στην προσέγγιση την οποία διερευνούμε, διαφορετικά διακριτικά πουβρίσκονται στην ίδια θέση μπορούν να διακριθούν με βάση την πορεία που έχουν ακολου-θήσει στο δίκτυο. Αποδεικνύουμε ότι η εκφραστική ισχύς των αναστρέψιμων δικτύωνΠέτρι με πολλαπλά διακριτικά είναι ισοδύναμη με εκείνη των αναστρέψιμων δικτύων Πέτριμε μοναδικά διακριτικά. Προτείνουμε επίσης την αντίθετη προσέγγιση, η οποία θεωρεί ότιόλα τα διακριτικά ενός συγκεκριμένου τύπου είναι πανομοιότυπα, αγνοώντας την πορείαπου ακολούθησαν κατά την εκτέλεση του δικτύου. Δείχνουμε την ευρωστία αυτής τηςπροσέγγισης ως τεχνική μοντελοποίησης συστημάτων που αφορούν πόρους μέσω ενόςπαραδείγματος από τη βιοχημεία, γνωστό ως αυτοπροτόλυση του νερού.Και τα δύο προτεινόμενα μοντέλα αναστρέψιμων δικτύων Πέτρι (με μοναδικά ή πολ-λαπλά διακριτικά) επιτρέπουν την αναστροφή μεταβάσεων χωρίς περιορισμούς ως προς τοπότε και αν θα αναστραφεί η εκτέλεση ή όχι. Με στόχο να περιορίσουμε την αναστρε-ψιμότητα, επεκτείνουμε τη σημασιολογία μας συσχετίζοντας τις μεταβάσεις με συνθήκεςτων οποίων η ικανοποίηση επιτρέπει την εκτέλεση μεταβάσεων προς τα εμπρός/πίσω.Καταλήγοντας, για να διευκολύνουμε την ανάλυση της συμπεριφοράς μοντέλων ανα-στρέψιμου υπολογισμού διατυπώνουμε στο πλαίσιο μας βασικές ιδιότητες όπως η ασφάλειακαι η προσβασημότητα όταν εφαρμόζονται διαφορετικές στρατηγικές αναστρεψιμότητας.Παρουσιάζουμε το πλαίσιο μαζί με τις σχετικές ιδιότητες με ένα μοντέλο ενός καινοτόμου,κατανεμημένου αλγορίθμου που επιλέγει κεραίες σε κατανεμημένες σειρές κεραιών. ii bstract Reversible computation is an unconventional form of computing that extends the standardforward-only mode of computation with the ability to execute a sequence of operations inreverse at any point during computation. Reversibility has recently been attracting increas-ing attention in various research communities, as on the one hand it promises low-powercomputation, and on the other hand it is inherent or of interest in a variety of applications.Exploring reversibility through formal models formulates the theoretical foundations ofwhat reversibility is, what purpose it serves, and how it benefits natural and artificial sys-tems. As such, in this thesis we propose a reversible approach to Petri nets by introducingmachinery and associated operational semantics to tackle the challenges of the main formsof reversibility. Petri nets are a mathematical language for modelling and reasoning aboutdistributed systems. Our proposal concerns a variation of cyclic Petri nets, called Revers-ing Petri Nets (RPNs) where tokens are persistent and distinguished from each other by anidentity. We demonstrate the applicability of our approach with a model of the ERK sig-nalling pathway and an example of a transaction-processing system both featuring reversiblebehaviour.An immediate extension of the original model includes allowing multiple tokens of thesame base/type to occur in a model. The addition of token multiplicity into a model like Petrinets results in various backward conflicts where a token can be generated in a place becauseof different transition firings. We therefore propose an extension of reversing Petri netsthat allows multiple tokens of the same base/type to occur in a model while still ensuringbackward determinism. Specifically, we explore the individual token interpretation whereone distinguishes different tokens residing in the same place by keeping track of where theyiiiome from. We prove that the expressive power of RPNs with multi tokens is equivalent tothat of RPNs with single tokens, and we measure the expressiveness in terms of LabelledTransition Systems (LTSs) up to isomorphism of reachable parts that can be denoted bynets of the respective RPN models. We also propose the collective token interpretation, asthe opposite approach to token ambiguity, which considers all tokens of a certain type tobe identical, disregarding their history during execution. We show the robustness of thisapproach as a modelling technique for resource-aware systems by modelling an examplefrom biochemistry, known as the autoprotolysis of water.Both of the proposed models of RPNs (with single or multi tokens) implement the no-tion of uncontrolled reversibility, meaning that it specifies how to reverse an execution andallows to do so freely, yet it places no restrictions as to when and whether to prefer backwardexecution over forward execution or vice versa. In this respect, a further aim is to controlreversibility by extending our formal semantics where transitions are associated with condi-tions whose satisfaction allows the execution of transitions in the forward/reversed direction.Finally, in order to facilitate the analysis of the behaviour of reversible models, we for-mulate the basic properties of our framework such as safety, reachability, precedence andexception when different notions and strategies of reversibility are applied. We illustrate theframework along with the associated properties with a model of a novel, distributed algo-rithm for antenna selection in distributed antenna arrays. iv cknowledgments
Undertaking this PhD has been a truly life-changing experience for me and it would nothave been possible to do without the support and guidance that I received from many people.I would like to thank the following people, without whom I would not have been able tocomplete this research.I would like to start by expressing my sincere gratitude and my indebtedness to mysupervisor Dr. Anna Philippou, for giving me the opportunity to do a PhD thesis underher guidance. Her continuous support, inspiring guidance, invaluable encouragement, andimmense knowledge pushed me to sharpen my way of thinking and brought my work toa higher standard. I would like to thank her for all the practical and financial support, andparticularly, for the precious time that she invested in me. As a token of my gratitude I wouldlike to expose her virtues of patience, kindness and hard work.I would also like to offer my heartfelt thanks to Kamila Barylska, Anna Gogolinska,Lukasz Mikulski, and Marcin Piatkowski for hosting me at the University of Torun, andwhose ideas and guidance helped me to accomplish an important part of this work. I also ap-preciate the valuable contribution of my co-authors Bogdan Aman, Gabriel Ciobanu, YiannisDemopoulos, Eleutheria Kouppari, Stefan Kuhn, Harun Siljak, and Irek Ulidowski. Manythanks to the committee members Chryssis Georgiou, Yiannis Demopoulos, Maciej Koutny,and Ivan Lanese for accepting to review my thesis, as without them I could not have com-pleted this dissertation. I would also like to thank the EU COST ACTION IC1405 and itsparticipating members that gave me the opportunity to present preliminary results of mythesis in order to receive constructive feedback.I am very thankful to the team members of the “Foundations of Computing Systems andvheoretical Computer Science Laboratory” at the University of Cyprus for being around attimes of very intense effort, expressing their support, and providing useful feedback. I amthankful to the members of the faculty of the department of Computer Science with whom Ihave collaborated over these years as part of my teaching assistance duties, and for alwaysdisplaying a constructive high standard of professionalism in their duties. Similarly, I wouldalso like to thank the Department’s staff who willingly and patiently provided their importantservices whenever required.To conclude, I would like to say a heartfelt thank you to my family for all the supportthey have shown me, for their wise counsel and sympathetic ear, for always believing in meand encouraging me through this research. I cannot forget to thank my friends, for providingstimulating discussions as well as happy distractions to rest my mind outside of my research.vi hesis Contributions
The following papers were published as a result of the research done for the requirements ofthis dissertation and are its primary contributing sources.1. Philippou A. and
Psara K. , 2018. Reversible computation in Petri nets. In Proceedingsof the 10th International Conference on Reversible Computation (pp. 84-101). LectureNotes in Computer Science volume 11497. Springer.2. Barylska K., Gogolinska A., Mikulski L., Philippou A., Piatkowski, M. and
Psara.K. , 2018. Reversing computations modelled by coloured Petri nets. In Proceedings ofthe International Workshop on Algorithms & Theories for the Analysis of Event Data2018 (pp. 91–111). CEUR Workshop Proceedings volume 2115. CEUR-WS.org.3. Philippou A.,
Psara K. and Siljak H., 2019. Controlling reversibility in reversingPetri nets with application to wireless communications. In Proceedings of the 11thInternational Conference on Reversible Computation (pp. 238-245). Lecture Notes inComputer Science volume 11497. Springer.4. Siljak H.,
Psara K. and Philippou A., 2019. Distributed antenna selection for massiveMIMO using reversing Petri nets. IEEE Wireless Communications Letters, volume8(5), pp.1427-1430.5. Dimopoulos Y., Kouppari E., Philippou A. and
Psara K. , 2020. Encoding Revers-ing Petri Nets in Answer Set Programming. In Proceedings of the 12th InternationalConference on Reversible Computation (pp. 264-271). Lecture Notes in ComputerScience volume 12227. Springer.6. Kuhn S., Aman B., Ciobanu G., Philippou A.,
Psara K. and Ulidowski I., 2020. Re-versibility in Chemical Reactions. In Reversible Computation: Extending Horizonsof Computing - Selected Results of the COST Action IC1405 (pp. 151-176), LectureNotes in Computer Science volume 1270. Springer. vii ontents ist of Figures σ = (cid:104) t , t , t , t , t (cid:105) . . . . . . . . . . . . . . 493.7 RPN with overlapping cycles σ = (cid:104) t , t , t , t , t , t (cid:105) and σ = (cid:104) t , t , t , t (cid:105) ,and the state arising after the forward execution of σ = σ σ . . . . . . . . 533.8 Causally dependent cycles, where σ = (cid:104) t , t , t , t (cid:105) . . . . . . . . . . . . . 543.9 Causal-order example . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573.10 Causal execution where σ = (cid:104) t , t , t , t (cid:105) . . . . . . . . . . . . . . . . . . . 583.11 Causal paths in the context of dependent cycles, where σ = (cid:104) t , t , t , t (cid:105) and σ = (cid:104) t , t , t , t (cid:105) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603.12 Causal paths in the context of independent cycles, where σ = (cid:104) π , π (cid:105) suchthat π = t , t , π = t , t and σ = (cid:104) π , π (cid:105) such that π = t , t , π = t , t σ = (cid:104) t , t , t , t , t (cid:105) . . . . . . . . . . 723.16 Reactions in the ERK -pathway where F denotes Raf*-1 , M denotes MEK , E denotes ERK , R denotes RKIP , and P denotes the phosphorylation of thebonded molecule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 823.17 ERK-pathway example in reversing Petri nets . . . . . . . . . . . . . . . . 833.18 Transaction processing - forward execution . . . . . . . . . . . . . . . . . 85x.19 Transaction processing: out-of-causal-order execution . . . . . . . . . . . 864.1 Reversible chemical reaction . . . . . . . . . . . . . . . . . . . . . . . . . 904.2 Forward execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 924.3 Backtracking execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . 924.4 Causal-order execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . 944.5 Out-of-causal order paradox . . . . . . . . . . . . . . . . . . . . . . . . . 964.6 Out-of-causal order execution . . . . . . . . . . . . . . . . . . . . . . . . 974.7 Individual token interpretation . . . . . . . . . . . . . . . . . . . . . . . . 994.8 Forward execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1054.9 Backtracking execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1074.10 Causal-order execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1114.11 Equivalent markings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1134.12 Non-equivalent transition firings . . . . . . . . . . . . . . . . . . . . . . . 1144.13 Updating the memories of tokens in out-of-causal-order reversibility . . . . 1254.14 Out-of-causal order execution . . . . . . . . . . . . . . . . . . . . . . . . 1264.15 Transaction processing with multitokens . . . . . . . . . . . . . . . . . . . 1314.16 Equivalent RPNs with multi and single tokens . . . . . . . . . . . . . . . . 1354.17 Labelled transition systems for the reversing Petri nets in Figure 4.16 . . . . 1364.18 Students buying present for their teacher . . . . . . . . . . . . . . . . . . . 1374.19 Chemical reaction for the creation of water molecules . . . . . . . . . . . . 1384.20 Forward execution under the collective token interpretation . . . . . . . . . 1404.21 Forward execution under the collective token interpretation. . . . . . . . . . 1434.22 Autoprotolysis of water . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1434.23 RPN model of the formation of a water molecule . . . . . . . . . . . . . . 1464.24 RPN model of the execution of the autoprotolysis of water . . . . . . . . . 1475.1 Forward execution in CRPNs . . . . . . . . . . . . . . . . . . . . . . . . . 1545.2 Reverse execution in CRPNs . . . . . . . . . . . . . . . . . . . . . . . . . 1565.3 Ammonium chloride chemical reaction . . . . . . . . . . . . . . . . . . . . 1575.4 Reachability property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1585.5 Home state property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1605.6 Liveness property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1615.7 Deadlock property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1625.8 Coverability property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163xi.9 Persistence property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1655.10 Antenna selection on massive-MIMO . . . . . . . . . . . . . . . . . . . . 1675.11 CRPN for antenna selection in DM MIMO (large antenna array) . . . . . . 1696.1 Translation from reversing Petri nets to coloured Petri nets . . . . . . . . . 176xii hapter Introduction
Reversible computation bi [40] is an unconventional form of computing where computationcan be executed in the backward direction as effortlessly as it can be executed in the stan-dard forward direction. In particular, individual operations can be carried out reversibly andthus, at any point of the execution we are able to uniquely identify the forward or backwardstate. Hence, every reversible computation process can be traced backward uniquely fromend to start whilst exhibiting both forward and backward determinism. Its characteristicsmake reversibility a very promising paradigm that extends the current irreversible mode ofcomputation by delivering novel computing devices and software.The study of reversibility originated in the 1960s when scientists and mathematiciansstarted to be concerned with energy efficient computation. In particular, Landauer [75] an-swered many questions by proving that logically irreversible operations result in bit erasurethat causes heat dissipation and, in general, loss of energy. In particular, a proportion of elec-trical power consumed by current computers is lost in the form of heat because every timea computer throws away bits of information it generates at least kTln ( k is the Boltzmannconstant which is approximately . × − J / K , T is the temperature of the heat sink inkelvins, and ln is the natural logarithm of 2 which is approximately 0.69315) of entropy foreach bit of information it erases.Reversibility offers the potential for computationally proceeding in the forward direc-tion as well as in reverse resulting in going back to states visited before or even states thatcannot be reached by going forwards alone. It is encountered in a wide range of systems.For instance, it is a property of biochemical systems [118], where reactions can be executed1n both the forward and backward direction based on the imposed physical conditions. An-other application is quantum computing which in contrast to classical computing is alwaysreversible [44]. At the same time, it is on many occasions a desirable system property. Tobegin with, reversible computing comes to solve the miniaturisation limitations of currenttechnology that aim to increase the speed and capacity of circuits. recovery from failuressuch as corrupted data, deadlocked programs and breached security is crucial and could beeffortlessly obtained in the presence of reversibility. Further applications are encountered inprogramming languages and concurrent transactions.One line of work in the study of reversible computation has been the investigation ofits theoretical foundations [83]. Understanding the role that reversibility plays in naturalsystems calls for the development of realistic formal models for concurrent and distributedsystems. Reversible models can be based on already existing abstract formalisms or spe-cially proposed languages, and can be used not only for modelling reversible systems butalso for investigating suitable notions of behavioural equivalences, logics and other analy-sis techniques. Furthermore, the study of reversible formalisms may aid the understandingof the foundation of reversibility and can help towards the understanding, modelling andimplementing reversible actions as a feature of computation.In the context of the theoretical study of reversible computation, the different strategiesof reversing and their relationships are being investigated and have led to the definition ofdifferent forms of reversibility: While in the sequential setting reversibility is generally un-derstood as the ability to execute past actions in the exact inverse order in which they haveoccurred, a process commonly referred to as backtracking , in a concurrent scenario it can beargued that reversal of actions can take place in a more liberal fashion. The main alternativesproposed are those of causal order reversibility [83], a form of reversing where an actioncan be undone provided that all of its effects (if any) have been undone beforehand, and out-of-causal order reversibility [119], a form of reversing featured most notably in biochemicalsystems. Even though reversing computational processes in concurrent and distributed systems hasmany promising applications, it also has many technical and conceptual challenges. Themain challenge being the ability to identify the legitimate backward moves by maintainingthe information needed to reverse executed computation, e.g., to keep track of the history2f execution and the choices that have not been made. In contrast to the sequential settingthat is well understood, the concurrent setting poses the conceptual question of how do wedefine a causally-respecting order of execution.
Causal-consistent reversibility [83] is themost common notion of reversibility in the concurrent and distributed setting. Since its defi-nition, various approaches in formal models and applications of causal-consistent reversibil-ity have been considered. The first works handling reversibility in process calculi are theChemical Abstract Machine [19], a calculus inspired by reactions between molecules whoseoperational semantics define both forward and reverse computations, and RCCS [31], an ex-tension of the Calculus of Communicating Systems (CCS) [97] equipped with a reversiblemechanism that uses memory stacks for concurrent threads, further developed in [32, 33].This mechanism was represented at an abstract level using categories with an application toPetri nets [34]. Subsequently, a general method for reversing process calculi with CCSK be-ing a special instance of the methodology was proposed in [117]. This proposal introducedthe use of communication keys to bind together communication actions as needed for iso-lating communicating partners during action reversal. Reversible versions of the π -calculusinclude ρπ [79] and R π [29].While all the above concentrate on the notion of causal reversibility, approaches con-sidering other forms of reversibility have also been proposed. Consider every state of theexecution to be a result of a series of actions that have causally contributed to the existenceof the current state. If the actions were to be reversed in a causally-respecting manner thenwe would only be able to move back and forth through previously visited states. Therefore,one might wish to apply out-of-causal-order reversibility in order to create fresh alterna-tives of current states that were formerly inaccessible by any forward-only execution path.This has been achieved in [70] by introducing a new operator for modelling local reversibil-ity, a form of out-of-causal-order reversibility, whereas a mechanism for controlling out-of-causal reversibility has also been considered in [118]. The modelling of bonding withinreversible processes and event structures was considered in [119], whereas a reversible com-putational calculus for modelling chemical systems composed of signals and gates was pro-posed in [27]. The study of reversible process calculi has also triggered research on variousother models of concurrent computation such as reversible event structures [136].A distinguishing feature between the cited approaches is that of controlling reversibility :while various frameworks make no restriction as to when an action can be reversed (un-controlled reversibility), it can be argued that some means of controlling the conditions ofreversal is often useful in practice. For instance, when dealing with fault recovery, reversal3hould only be triggered when a fault is encountered. Based on this observation, a numberof strategies for controlling reversibility have been proposed: [32] introduces the concept ofirreversible actions, and [80] introduces compensations to deal with these irreversible actionsand to avoid repeating past errors. Another approach is that of [118] which proposes the us-age of an external entity for capturing the order in which transitions can be executed in theforward or the backward direction. In another line of work, [78] defines a roll-back primitivefor reversing computation, and in [76] roll-back is extended with the possibility of specifyingthe alternatives to be taken on resuming the forward execution. Finally, in [9] the authorsassociate the direction of action reversal with energy parameters capturing environmentalconditions of the modelled systems.Research on reversible models from process calculi continues in Petri nets, the first ap-proach being that of [15, 16] which implemented a liberal way of reversing computation inPetri nets by introducing additional reversed transitions. In these works, the authors inves-tigate the effects of adding reversed versions of selected transitions in a Petri net and theyexplore decidability problems regarding reachability and coverability in the resulting Petrinets. Towards examining causal consistent reversibility in Petri nets, the work in [96] inves-tigates whether it is possible to add a complete set of effect-reverses for a given transitionwithout changing the set of reachable markings. The authors show that this problem is ingeneral undecidable however it can be decidable in cyclic Petri nets where with the additionof new places these non-reversible Petri nets can become reversible while preserving theirbehaviour. Recently, an alternative approach [93, 94] on reversing Petri nets introduces re-versibility in Petri nets by unfolding the original Petri net into occurrence nets and colouredPetri nets . The authors encode causal memories while preserving the original computationby adding for each transition its reversible counterpart. In [35], the authors examine thepossibility of reversing the effect of the execution of groups of various transitions (steps).They then present a number of properties which arise in this context and show that there is acrucial difference between reversing steps which are sets and those which are true multisets. In this thesis, we shall consider a particular model of computation, known as
Petri nets , thatwill be extended to a reversible variant. Petri nets are a basic model of parallel and distributedsystems, designed by Carl Adam Petri in 1962 in his PhD Thesis: "Kommunikation mitAutomaten” [110, 122]. They constitute a graphical mathematical language that can be used4or the specification and analysis of discrete event systems and they support both action-based and state-based modelling and reasoning.In contrast to the extensive research carried out in process calculi and event structures,work done on reversing Petri nets is still at an initial stage. Thus, a first aim of this thesis isexploring the several results discussed in process calculi, such as the flexibility of reversibleactions allowed in causal reversibility, within Petri nets. This enables us to investigate howand whether these can be embedded within the Petri net model. At the same time, whileunderstanding the theoretical properties of reversibility within Petri Nets, an extension ofPetri nets with reversibility offers an added benefit. Petri nets can be applied informally toany area or system that needs some means of representing parallel or concurrent activities aswell as systems that can be described graphically like flow charts. The easy applicability ofPetri nets is inherent due to their generality and permissiveness [110]. Since Petri nets arevisually comprehensible and simple in their application, they can be used for modelling byboth practitioners and theoreticians.However, classical Petri nets are not reversible by nature, in the sense that every transitioncannot be executed in both directions. The reason being the nondeterministic nature of Petrinets. Specifically, by observing the state of a Petri net with tokens scattered along its places itis not possible to discern the history that led to the specific state and consequently the precisetransitions that can be undone. Therefore, an inverse action in classical Petri nets, needs to beadded as a supplementary forward transition for achieving the undoing of a previous action.This explicit approach of modelling both forward and reverse transitions can prove cumber-some in systems that express multiple reversible patterns of execution, resulting in largerand more complex systems. Furthermore, it fails to capture reversibility as a mode of com-putation. Motivated by this, our intention is to study an approach for modelling reversiblecomputation that does not require the addition of new, reversed transitions but instead allowsto execute transitions in both the forward as well as the backward direction. This frameworkshould be able to identify at each point in time the history of execution, a necessary aspect forall forms of reversibility. As such, this thesis aims to propose a reversible approach to Petrinets which introduces machinery and associated operational semantics where executed tran-sitions can be reversed according to three different semantic relations capturing the notionsof backtracking, causal reversibility and out-of-causal-order reversibility.Reversible formal models used to model reversible systems need to be able to identifythe legitimate backward moves according to forward execution. When it comes to Petri nets,the ability to formally express causal dependencies based on an appropriate causality based5oncept is one of the most well-known concepts of Petri net theory [138]. As such, whenproposing a reversible variant of Petri nets the interplay between reversibility and concur-rency should be investigated. Specifically, investigating the notion of causal dependence inPetri nets equipped with the ability to reverse is one of the primitive aims of this thesis.At the same time, out-of-causal reversibility has been observed in many important re-versible examples where concurrent systems violate causality. Nonetheless, this body ofresearch is still at a preliminary stage, and while interesting ideas have been discovered, asystematic study of the related problems and of the possible application areas is still missing.This means that research on how to generalise causality or how it relates to out-of-causal re-versibility, in order to deal with such systems, deserves much further investigation. Forexample, studying the properties of out-of-causal reversibility could potentially prove thatboth backtracking and causal reversibility are in some essence subsets of out-of-causal-orderreversibility, which could potentially yield a universal approach on the strategy used for re-versing. Since out-of-order reversibility comes with its own peculiarities that need to betaken into consideration while modelling reversible systems, this thesis aims to understandthese peculiarities and obtain an approach that addresses out-of-causal reversibility withinPetri nets.Understanding the basics of reversibility through reversible models of concurrent compu-tation is useful but it is not directly suitable for most applications, since they do not determinewhen and whether to prefer a forward over a backward action. One of the objectives of thisthesis is to consider a strategy for controlling reversibility in Petri nets which along with thewide use of Petri nets can find application in various domains. The resulting framework willenable us to study and understand reversibility through various case studies thus overcomingsome limitations in the understanding, modelling and implementing reversible actions as afeature of computation.
In Chapter 3 we propose the first reversible approach to Petri nets which introduces reversingPetri nets (RPNs), a variation of cyclic Petri nets where executed transitions can be reversedaccording to three different semantic relations capturing the notions of backtracking , causalreversibility and out-of-causal-order reversibility . Furthermore, during a transition firing,tokens can be bonded with each other. The creation of bonds is considered to be the effectof a transition, whereas their destruction is the effect of the transition’s reversal. 6 ausality. When it comes to causality, cyclic structures make causality quite non-trivialsince the presence of cycles exposes the need to define causality of actions within repeatedexecutions of transitions. Indeed there are different ways of introducing reversible behaviourdepending on how causality is defined. In our approach, we follow the notion of causalityas defined by Carl Adam Petri for one-safe nets that provides the notion of a run of a systemwhere causal dependencies are reflected in terms of a partial order [110]. A causal link isconsidered to exist between two transitions if one produces tokens that are used to fire theother. In this partial order, a causal dependence relation is explicitly defined as an unfoldingof an occurrence net which is an acyclic net that does not have backward conflicts. Based onthis notion of causality we handle cyclic structures by adopting “lists of histories" associatedwith each transition recording all of its previous occurrences. Also, additional machinery hasbeen necessary that captures the causal dependencies in the presence of cycles. We provethat the amount of flexibility allowed in causal reversibility indeed yields causally consistentsemantics.
Out-of-causal order.
Until the proposal of RPNs, it had yet to be proposed a reversibleapproach to Petri nets which introduces machinery and associated operational semantics totackle the challenges of all three forms of reversibility. We therefore propose the reversiblesemantics of out-of-causal-order reversibility and demonstrate that this form of reversing isable to create new states unreachable by forward-only execution. Additionally, we establishthe relationship between the three forms of reversing and define a transition relation that cancapture each of the three strategies modulo the enabledness condition for each strategy. Thisallows us to provide a uniform treatment of the basic theoretical results.
Multiple tokens.
The proposed model of reversing Petri nets considers tokens to bedistinct from each other and assigns unique names to them. Hence, a natural extensionis to allow multiple tokens of the same base/type to occur in a model. Allowing multipleinstances of identical tokens results in ambiguities when it comes to causal dependencies.Depending on how we treat these ambiguities we define two different approaches when itcomes to causal-order reversibility, the first one being the individual token interpretation andthe second one the collective token interpretation [24, 137, 139].In chapter 4 we explore the individual token interpretation of reversing Petri nets wheretokens of the same type are distinguished as individual. The model keeps track of wherethe tokens come from and therefore causal dependencies between transitions are reflected interms of a partial order similar to the partial order of reversing Petri nets with single tokens.Thus, we allow identical tokens to fire the same transition when going forward, however7hen going backwards tokens are able to reverse only the transitions that they have fired.Additionally we provide the reversible semantics for out-of-causal-order reversibility in thepresence bond destruction. We then proceed to translate reversing Petri nets into labelledtransition systems (LTSs) as an event-oriented representation of the operational behaviourof the model. We compare the expressive power offered by multi tokens against that ofsingle tokens, in terms of the associated Labelled Transition Systems, denoted up to isomor-phism of reachable parts. As a result, we find that reversing Petri nets with single tokensare equally expressive as reversing Petri nets with multi tokens. As an alternative direction,we then propose the collective token interpretation of reversing Petri nets which is inspiredfrom biochemical reactions and resource allocation systems. In this approach all tokens of acertain type are identical, disregarding their history during execution and therefore assumingthe ambiguities between them to be equivalent.
Controlled reversibility.
The framework of reversing Petri nets has been extended witha mechanism for controlling reversibility in Chapter 5. In our model control is enforced withthe aid of conditions associated with transitions, whose satisfaction acts as a guard for execut-ing the transition in the forward/backward direction. The conditions are enunciated withina simple logical language expressing properties relating to available tokens. The mecha-nism may capture environmental conditions, e.g., changes in temperature, or the presence offaults. We present a reversible semantics of the resulting framework. The resulting model isgeneral enough to capture a wide range of systems, in this context we give an overview ofseveral properties of reversing Petri nets that could be used to analyse the behaviour of thesesystems.
Case studies.
Our approach is motivated by applications from biochemistry, but it canbe applied to a wide range of problems featuring reversibility. Specifically, we demonstratethe original RPN framework with various examples including a model of the ERK pathway,and a model of a transaction processing system, examples that inherently feature (out-of-causal-order) reversibility. We then show the same transaction processing system modelledby RPNs with multiple tokens under the individual token interpretation. Multi tokens arealso demonstrated under the collective token interpretation by modelling a case study frombiochemistry, known as the autoprotolysis of water, where instances of the same atom are in-distinguishable. Finally, we show the robustness of our control mechanism by modelling anexample from telecommunications of a distributed algorithm for antenna selection illustrat-ing the ability of RPNs to not only formalise complex distributed systems but also naturallycapture reversible, controlled execution and conservation of information in a system. 8 .5 Document Outline
In Chapter 2 we present the basic background theory for reversible computation, Petri nets,and reversible models of concurrency. This chapter presents an overview of the main ap-proaches, results, potential benefits, and applications of reversible computation. In partic-ular, we focus on reversible formal models of concurrency used for modelling reversiblesystems or developing techniques to analyse descriptions of reversible protocols. Further-more, we provide an overview of the traditional model of Petri nets. We present the mainextensions of Petri nets and discuss techniques for system validation and verification for themodel. Finally, we discuss causality, a concept of high relevance in the context of Petri netsemantics.In Chapter 3 we propose the formalism of reversing Petri nets by introducing machinery,associated operational semantics and results for transition enabledness as captured by for-ward execution, backtracking, causal and out-of-causal-order reversibility. We illustrate theRPN framework with a model of the ERK pathway and a transaction processing system.In Chapter 4 we extend this formalism by allowing multiple tokens of the same typeto occur in a system as well as the ability of forward transitions to break bonds. We thencompare the two models and show that the expressive power of RPNS with multi tokens isequivalent to the expressive power of RPNs with single tokens. The final contribution ofthis chapter is a demonstration of a biological case study, namely the autoprotolysis of waterreaction.In Chapter 5 we introduce another extension of the RPN model with a mechanism forcontrolling reversibility. We use the resulting formalism of Controlled RPNs to model anovel distributed algorithm for antenna selection.The last part of the thesis, Chapter 6, concludes this work by comparing the results ofthis proposal with the related literature and proposing the current and future work after thecompletion of this thesis. 9 hapter Background
Mechanical Computing essentially dates back to the 1800s, followed by Electronic Com-puting, starting at least six decades ago, and ever since both of them have been supportingand enhancing all aspects of our lives [109]. Forward-only computing has been extensivelyresearched, developed and analysed in academia, industry and government across the globe.Forward direction is the standard kind of execution whereas backward direction is the abilityto go back to previous states by undoing previously executed actions.Since current technology is not invertible, it leads to loss of information where previ-ous states cannot be recovered from the current state. It follows an irreversible computationparadigm where ordinary computer chips do not qualify for reversible operations. For exam-ple, a simple standard operation, like the logical AND, illustrates that given the output 0 itis impossible to determine the input values as one of combinations of 1 and 0, 0 and 1 or 0and 0 [40]. Therefore, such logically irreversible operations lack determinism due to the factthat the partial function that maps each machine state onto its successor generates more thanone inverse values.This entails that, if there is a logic gate that generates an output from a given input, thegate is reversible only when there is an inverse operation that performs a bijective transfor-mation of its local configuration space. Crucially, the ability to have two-way determinismrequires an one-to-one mapping, where each input produces a unique output. These bijectivereversible operations have at most one previous configuration giving the ability to uniquelyidentify the forward or backward state at any point of the execution. Such backward de-terministic systems are the foundations of an alternative computation paradigm, called
Re- ersible Computation [40]. As such, a computation is logically reversible if it is alwayspossible to efficiently reconstruct the previous state of the computation from its current state.Reversible computation is an emerging paradigm that extends the standard forward-onlymode of computation by allowing one to execute programs in the backward direction aseffortlessly as it can be executed in the standard forward direction. In particular, individualoperations become time reversible that can easily and exactly be reversed, or undone atany point of the execution. Computer scientists believe that reversible computation is anunconventional but promising form of computing, which is able to deliver novel computingdevices and software [40]. More importantly, reversibility is emerging as one of the mostexciting new dimensions in computing for the future, positioned for inevitable progress andexpansion in the coming decades. Reversible computing combines thermodynamics and information theory in order to reflectphysical reversibility one of the fundamental microscopic physical properties of Nature.Since all successful fundamental physical theories share the property of reversibility, fu-ture computing could also follow rather trivially certain basic facts of fundamental physics.Such properties can be effectively used in computing in order to create an interface be-tween computation and the laws of physics where logical reversibility implements physicalreversibility [99].Back to the 1960’s, three foundational studies of information lossless computations madetheir appearance. Having different motivations, Huffman studied finite state machines thatdo not erase information [62], Lecerf studied the theoretical properties of reversible Turingmachines [86] and Landauer studied the thermodynamics of reversible logics. Of these stud-ies, Landauer’s work is the most prominent, but the other two have laid the foundation of thetheoretical study of reversible computing.Physicist Rolf Landauer was the first to argue the relation between thermodynamics andthe irreversible character of conventional computers. Specifically, reversible computationoriginated in the 60’s when Landauer published a paper titled “Irreversibility and Heat Gen-eration in the Computing Process" [75], where he attempted to apply the most fundamental,reversible laws of physics to digital computers. Landauer’s key insight follows directly asan immediate logical consequence of our most thorough, battle-tested understanding of fun-damental physics. He noted that, while classical mechanics and quantum mechanics are11undamentally reversible [1] by obeying the laws of motion, their logical state often evolvesirreversibly since it is not backward deterministic. This means that since all of the fundamen-tal laws of physical dynamics are reversible, then conceptually any machine should be ableto run the laws of physics backwards and thus be able to determine the system’s backwardstates.Specifically, Landauer observed the direct implications on the thermodynamic behaviourof a device that is carrying out irreversible operations. His reasoning can be understood byrealising that reversibility at the lowest level of physics means that we can never truly eraseinformation in a computer. He notes that for the entire history of computers, our computingmachines have been erasing bits of information in the process of performing irreversiblecomputations.If we return to the example of the logic gate AND, we can observe that given the out-put 0, the input 1 has been erased after the execution of the operation. Whenever a bit ofinformation gets overwritten by a new value or whenever a logic gate produces several un-used outputs, the previous information might get lost but it will not be physically destroyed.Instead, bit erasure pushes bits out into the computer’s thermal environment, where they be-come entropy causing heat dissipation and, in general, loss of energy. This is known as thevon Neumann-Landauer (VNL) principle [133] where one bit’s worth of lost logical infor-mation always leads to at least kTln ( k is the Boltzmann constant which is approximately . × − J / K , T is the temperature of the heat sink in kelvins, and ln is the naturallogarithm of 2 which is approximately 0.69315) amount of physical energy dissipation.This result is of great interest because it makes plausible the existence of thermodynam-ically reversible computers which could perform computations while dissipating consider-ably less energy per logical step. The energy used in reversible bit operations can be fullyrecovered and reused for subsequent operations so that every computation can be performedwithout bit erasures. This means that a computation is physically reversible when it can becarried out without loss of energy or, more formally, with no increase in physical entropyand it is thus energy efficient.Landauer’s theoretical lower bound has since been experimentally confirmed and it hasbeen argued many times that efficient operations of future computers require them to bereversible [20]. In the scenario of low-energy computing, the gap between computation andreality needs to be bridged by introducing the reversible or possibly the quantum mechanicalmode of computation. Currently, computers are commonly irreversible with their technologyrapidly approaching the elementary particle level extrapolating towards Landauer’s limit. 12n particular, based on Moore’s law, computer power roughly doubles every 18 monthsfor the last half century [25]. The miniaturisation of transistors increases their per-area leak-age current and standby power; meanwhile, the reduction of signal energies, causes signif-icant thermal fluctuations which eventually prevent any further progress within the tradi-tional computing paradigm [47]. Efforts are being made within the semiconductor industryin order to try to reduce and forestall these problems, but the solutions are becoming evermore expensive to deploy where eventually no level of spending can ever defeat the lawsof physics. Smaller transistors in new conventionally-designed computers would no longerbe any cheaper, faster, or more energy-efficient than any predecessors, and at that point, theprogress of conventional semiconductor technology will stop being any longer economicallyjustifiable. Landaure’s limit threatens to end improvements in practical computer perfor-mance within the next few decades and to avoid this a solution could be to avoid losing trackof logical information.However, for several decades now, we have known that reversible computing is a theo-retically possible alternative paradigm which is in fact the only possible way, within the lawsof physics, to have energy and cost efficient computers. However, when reversible computa-tions are implemented on the right hardware, they should be able to circumvent Landauer’slimit. The technical motivation given by Landauer has inspired theoretical work in the areaof computational models. Lecerf [86] was the first to describe reversible computations exe-cuted on reversible Turing machines, and invented the Lecerf reversal technique to uncom-pute histories, but he was unaware of Landauer’s thermodynamic applications, and thereforehis machines did not save their outputs. Bennett [18] then reinvented Lecerf’s reversal basedon Landauer’s point of view that any desired logically irreversible computational operationcould be embedded in a reversible one, by simply saving aside any information that it wouldotherwise erase. For example, the machine might be given an extra tape to record each op-eration as it was being performed, in order to be able to uniquely determine the precedingstate by the present state and the last record on the tape. However, Landauer noted that thismethod was only going to postpone the inevitable, because the tape would still need to beerased eventually, when the available memory filled up.Bennet managed to prove that it is possible to construct fully reversible Turing machinescapable of performing any computation whilst erasing garbage information on its tape whenit halts and therefore leaving behind only the desired output and the originally furnishedinput. The trick is to decompute the operations that produced the intermediate results andtherefore erasing the temporary data from the memory. This would allow any temporary13emory to be reused for subsequent computations without ever having to erase or overwriteit. He also pointed out the possibility of a physically reversible computer where dissipationof energy is arbitrarily small.However Bennett’s construction only addressed the logical level where any argumentsbased on thermodynamics needed to be applied on specific hardware technologies. Toffoliand Fredkin [49] were the first to address precisely how to construct a practical physicalmechanism for computation that would also be physically reversible. They have reinventedreversible computing in the form of conservative logic circuits, and proved their universal-ity. Toffoli [134] invented the Toffoli gate which is perhaps the most convenient universalreversible logic primitive. All these pioneering developments together incrementally set thestage for the field of reversible computing.As a result, reversible computing has the potential to alleviate the ever-increasing demandfor electricity by designing revolutionary reversible logic gates and circuits that lead to low-power computing. Hardware-wise, the potential benefits of reversible computing come tosolve the miniaturisation limitations of current technology that aim to increase the speedand capacity of circuits. On the other hand, there already exist various occasions wherereversibility is naturally embedded in computation. For example, recovery from failuressuch as corrupted data, deadlocked programs and breached security is crucial and could beeffortlessly obtained in a reversible manner. Hence, such a mode of computation alignsnaturally with many computational tasks such as the treatment of faults and recovery indistributed systems, coding and decoding and many others.So far, it is considered to be highly challenging to implement reversibility effectively,because it comes with many underlying problems and the alternative of advancing conven-tional technology is much easier. Even though it comes with many promising benefits andapplications it also comes with its own limitations. Since, the theory of reversible computa-tion is based on the idea of computing and uncomputing operations, it means that arbitrarilylarge computations executed in reverse would result in almost twice as many steps as an or-dinary computation and may require a large amount of temporary storage. This means thatthere is an underlying trade-off between the efficiency of such recovery and the speed ofcomputation.On a practical level achieving efficient reversible computing will likely require new hard-ware materials, new design tools and device structures, new hardware description languageswith the supporting software and overall a thorough remodelling of the entire computer de-sign infrastructure. This also means that a large part of computer scientists and digital engi-14eering workforce will have to be trained to use novel reversible design methodologies.Nevertheless, the upside potential of reversible computing has attracted many researchersthat made significant conceptual progress over the past few decades. This effort of address-ing the challenges of reversible computation is highly worthwhile, because with the currentrapidly advancing technology, it is now time to focus on reversible computing, and begincollaborative effort to materialise this idea. Committed attention can eventually improvecurrent information technology by making it many orders of magnitude greater than anyexisting irreversible technology [135]. As discussed above, computer scientists, mathematicians and physicians believe that re-versible computation will be a key technique in the not so distant future of computer models.As such, it attracts much interest for its potential in a growing number of application areasranging from cellular automata, software architectures, reversible programming languages,digital circuit design to quantum computing. Below we present the main advances in thesefields.There exist several notions of logical reversibility on computing models with a finitenumber of discrete internal states that evolve in discrete time. Their precise impact on thecomputational capacities and decidability properties of devices has been considered fromdifferent points of view. In the literature there exist various models, including the mas-sively parallel model of cellular automata, the weakly parallel model of multi-head finiteautomata [8,72,100,120] as well as sequential models such as Turing machines [7,18], push-down [71, 74] and queue automata [73], and finite state machines [60]. In order to examinewhether reversibility increases computational capacities it is useful to study the propertiesand the impact on suitable models when different notions of reversibility are applied. Thesemodels have been equipped with additional resources or structural properties in order toexamine whether a computational model can be made reversible and the associated costs.A number of interesting reversible programming languages have been developed since1986. The first reversible programming language follows the imperative paradigm [142,143]followed by another simple reversible imperative languages named R [46]. Other gen-eral purpose functional programming languages are RFUN [144], muOz [88] the causal-consistent reversible extension of Oz and Theseus [63]. The family of quantum programminglanguages consists of languages based on the imperative paradigm such as QCL (Quantum15omputation Language) [104], LanQ [98] and languages based on the functional paradigmsuch as cQPL [92], and QML [2]. Research on compiler technology for reversible languageshas also progressed in the last several years [6, 46]. The main challenge in this area is thatthese languages are still prototype languages. Thus, the code base for each of these languagesis limited, and the languages do not offer many of the usual programming abstractions. Thisin turn has hindered the developments of reversible algorithms and useful data structures.Persistent (immutable) data structures [103] offer more efficient storing of multiple versionsof a data structure, sharing structure where possible.The idea of using reversibility for the development of reliable software is quite naturalsince backward recovery is an instance of reversible computation in which errors triggerinverse actions. In case of trouble fault treatment seeks to handle certain system errors af-ter their occurrence and therefore stop them from causing a failure. Then the system cango backwards to a past safe state of the system and try to explore new directions, avoidingthe troublesome actions and therefore bringing the system to a consistent state. If a faultis detected, checkpointing can be used as a recovery mechanism that restores the systemto a previously saved state which is essentially a snapshot of the entire system that is safefrom errors [22, 45, 147]. The past 40 years reversibility has also been naturally applied inthe area of debugging [56, 146] because it gives the ability to explore the computation inboth forward and backward, and therefore assisting the programmer in the search of possi-ble misbehaviours. Indeed, many reversible debugging tools exist [28, 42, 67, 87] and somereversible debugging features are available in mainstream debuggers. There have also beenproposed reversible process calculi used to build constructs for reliability, and in particu-lar communicating transactions with compensations [36] where interacting transactions withcompensations have been mapped into a reversible calculus with alternatives in [76]. Be-havioural equivalences for communicating transactions with compensation have been stud-ied in [37, 68].Another area that can benefit from reversibility is that of control systems and robotics.Robots are generic mechatronic devices controlled by a computer that can essentially bemade reversible. Reversibility plays vital role in different programming paradigms that areused to operate robots. Many operations in the field of robotics are naturally reversibleboth for single robots as well as multi-robot swarms. These operations assist systems thatcan autonomously accumulate and revise knowledge from their own experience via self-programming [124, 125]. Control systems operate concurrently during forward executionin order to predict the behaviour of the environment under constrains of limited time and16omputational resources. Whereas, during backward execution they retrieve the goals thesystem was designed to achieve. Another operation is that of reversing the forward executionof an assembly sequence in order to generate the backward disassembly process as well aschanging the direction of a mobile robot from forward to backward. The increase likelihoodof errors in industrial robots can be addressed using reverse execution in order to withdrawan erroneous situation and thereafter automatically retry the assembly operation [85, 126].As motivated by Landauer [75], reversible circuits have several promising applicationssuch as low-power circuit design and quantum computing. The inherent properties of re-versibility can be exploited in the design of conventional circuits with many advantages.One of them is the ability to undo operations in case the system reaches an erroneous stateas well as full connectivity which detects errors by applying randomly generated stimuli.Conventional computing also benefits from reversibility by achieving perfect observabilityand controllability which provides easy testability. Another application of reversible circuitsis quantum computing [66] which is inherently reversible and allows reversible computationto be exploited as a subset of quantum operations. The goal of conventional circuit designis to find a logic circuit that implements the Boolean function and minimises the number ofgates or the circuit depth. Reversible circuit synthesis is a special case of conventional cir-cuit design where all gates are made reversible by disallowing any fanout. In order to avoidany fanout, it must be that the number of input wires of a gate is the same as the number ofoutput wires [108]. The most well known gates in reversible and quantum computing are theFredkin gate [48] together with Toffoli [134] and Feynman [44] gates.
There exist many questions that need to be addressed when it comes to reversible com-puting, including what are the main approaches, results, potential benefits, and applications.Exploring reversibility through formal models formulates the theoretical foundations of whatreversibility is, what purpose it serves, and how it benefits natural and artificial systems.In particular, reversible formal models can be used for modelling reversible systems ordeveloping techniques to analyse them. In order to comprehend the way reversibility works,it is useful to study the properties of these models when different notions and strategies of re-versibility are applied. Understanding reversibility through various case studies could poten-tially propose a unified theory for reversibility in distributed systems, including behaviouraland logic semantics, and explore how reversibility can help in specification, verification, and17esting.Creating expressive reversible formalisms that can be easily understood and simulated,even by scientists with expertise outside Computer Science, can prove very useful to un-derstand, model, and design complex systems. The expressive power and descriptive natureoffered by formal models coupled with reversible computation has the potential of providingan attractive setting for studying, analysing, or even imagining alternatives in a wide rangeof systems. For example, reversibility-inspired theories and formal methods will enable thesoftware industry to deliver safer and more reliable distributed software and systems.Such reversible formalisms will also assist scientists from other disciplines -for examplebiochemistry, mathematics and material science (superconductors)- since there exists vari-ous systems in the world of artificial and natural sciences where reversibility is inherent orit could be of interest. For instance, biochemical reactions, such as the isomerisation of glu-cose to fructose, are typically bidirectional, meaning that the direction of the computationalsystem is fixed by an appropriate injection of energy or a change of entropy from environ-mental conditions like temperature or pressure [118, 119] Similarly, quantum computationsare also inherently reversible because many of the components in quantum computers, suchas databases or modular exponentiation, are reversible [44]. Reversibility is also used in soft-ware engineering to better explore a computation and analyse different possibilities, as in theexploration of a program state-space toward a solution, or in constructions of mechanismsfor system reliability. In the same category belong systems of industrial robots often usedin production for assembly and disassembly and are normally controlled by a single hostcomputer.Even though the physical implementations of the computational steps of such systems arenaturally reversible, most abstract computation frameworks usually model the progress ofcomputations through a sequence of forward irreversible steps. Therefore, the constructionof reversible modelling languages can indicate how to capture the behaviour of reversibleactions in order to implement or even extend the primitive processes of biological reactions,quantum computation, reliable systems, and movement in robotics.These abstract computation models can be based on existing abstract formalisms and canbe used not only for modelling reversible systems but also for investigating suitable notionsof behavioural equivalences. The natural and artificial processes in these formalisms can bemade reversible in order to facilitate more efficient model checking of new formulations ofuseful properties such as reachability, safety, exception and precedence. We can also explorewhether adding the reversibility feature to these abstract models can increase considerably18heir computational and descriptional complexities. Hence, research on suitable behaviouralsemantics and modal logics for reversibility can result in sound foundations to commercialreversible modelling, debugging and testing software tools.
Challenges
Even though reversing computational processes in concurrent and distributed systems hasmany promising applications it also has many technical and conceptual challenges. In orderto create the theoretical foundations of reversible formal models and to discover their purposeand benefits in natural and artificial systems we have to ascertain the costs and limitations thatcome with reversibility, and to explore the challenges and open problems. A formal modelfor concurrent systems that embeds reversible computation needs to address two challenges.The first one being the ability to identify the legitimate backward moves at any point duringexecution and the second one is the ability to compute without forgetting.The first challenge depends on the choice of the computation’s semantics that determinethe order of forward and reverse actions. There are several forms of undoing computationthat have been studied in the literature over the past years. In the sequential scenario, thelegitimate backtracking moves can be trivially determined based on the order of execution.The computational steps are reversed based on the time of their execution and hence areundone in the exact inverse order of the forward execution.Although, in the concurrent scenario speaking about backtracking in time is immaterialand the interplay with reversibility is no longer trivial. Therefore understanding this interplayis fundamental in many of the areas above, e.g., for biological or reliable distributed systems,which are usually naturally concurrent. In such concurrent systems we do not want to re-verse the actions precisely in the opposite order than the one in which they were executedduring forward computation, as this order is irrelevant. The concurrency relation betweenforward actions has to be taken into account and independent threads of execution should bereversed independently, whereas causal dependencies between related threads should remainprotected.There are however, many important examples, such as mechanisms driving long-runningtransactions [32, 45] and biochemical reactions [118, 119], where concurrent systems violatecausality. Causally dependent threads are allowed to freely backtrack in an out-of-causalorder which in a way would result in losing the initial computation structure. This meansthat reversing in out-of-causal order will not return a thread into a previously executed state19ut it would give it the ability to reach computation states which were formerly inaccessible.The second challenge, of forgetting previously executed actions, applies to both concur-rent and sequential systems. Since processes do not remember their past states if we wantto reverse a standard process we will generate multiple possibilities. This challenge can beaddressed by making the system exactly reversible using memories that remember the po-sition and momentum of each action. When building or extending a reversible variant of aformal models, the syntax can be extended to allow the appropriate syntactic representationsfor computation memories that allow processes to keep track of everything that has beenexecuted. The resulting mechanism should be light in terms of memory without the need ofa global control.
Forms of Reversibility
The first challenge of identifying legitimate backward moves during reversal calls to identifypossible strategies for going backwards. A large amount of work focused on identifyingsuch strategies within process calculi [31,78, 117,118]. Behind the insights of the theoreticalstudy of reversible computation lie the challenging quest of understanding the nature ofreversibility while formally representing various computational concepts. Understanding therole that reversibility plays in natural systems, helps in the development of realistic formalmodels for concurrent and distributed systems. Reversibility could initially be divided intotwo main categories:
Rigid and
Uncontrolled [83].
Rigid means that the execution of a forward step followed by the corresponding backwardstep leads back to the starting state, where an identical computation can restart. Howeverrigid reversibility may not always be the best choice especially in the case of reliable systems.If the error that we are trying to recover was a transient fault then going back to the state thatthe error occurred and retrying the computations might solve the problem. Although, if thefailure was permanent going back and, forth by following the same computational steps willinfinitely result in the same error.
Uncontrolled means that there is no hint as to when to go forward and backward. Uncon-trolled reversibility defines how to reverse a process execution by determining the necessaryhistory and the associated causal transformation yet it does not specify when and whether toprefer backward execution over forward execution or vice versa. Uncontrolled reversibilitygives good understanding on how reversible computation works, but it does not exploit itinto applications because different application areas need different mechanisms to control20eversibility.Uncontrolled reversibility can be further subcategorised into several approaches for per-forming and undoing steps, which differ in the order in which steps are taken backwardsand forwards. The most prominent of these are backtracking , causal reversibility and out-of-causal-order reversibility . Backtracking is the process of rewinding one’s computation trace, that is, computationsteps are undone in the exact inverse order to the one in which they occurred. It does notallow any thread to freely backtrack because it might result in losing the initial computationstructure and reaching computation states which were formerly inaccessible. This form ofreversing ensures that at any state in a computation there is at most one predecessor state,yielding the property of backwards determinism . In the context of concurrent systems, thisform of reversibility can be thought of as overly restrictive since, undoing moves only in theorder in which they were taken, induces fake causal dependencies on backward sequences ofactions: actions, which could have been reversed in any order are forced to be undone in theprecise order in which they occurred.
Figure 2.1: Causal dependencies
Consider the following example with order of forward execution t , t , t . As indicatedin Figure 2.1 let us assume that the action t occurs independently of action t and when both t and t occur they cause the execution of action t . Figure 2.2 shows that in backtrackingmode there exists only one order of reverse execution which is the exact opposite directionof the forward one t , t , t . Figure 2.2: Backtracking
Relaxing the rigidity of backtracking, a second approach to reversibility, causal re-versibility , allows a more flexible form of reversing by allowing events to reverse in anarbitrary order, assuming that they respect the causal dependencies that hold between them.21hus, in the context of causal reversibility, reversing does not have to follow the exact inverseorder for independent events as long as caused actions, also known as effects, are undone be-fore the reversal of the actions that have caused them. This form of reversibility is calledcausal, meaning that it respects causality a binary irreflexive relation of events that identifieswhich events cause others, and therefore need to be reversed last. Thus, causally backtrack-ing a trace could be allowed along any path that respects causality also known as a causallyequivalent path. A main feature of causal reversibility is that reversing an action returns athread into a previously executed state, thus, any continuation of the computation after thereversal would also be possible in a forward-only execution where the specific step was nottaken in the first place.Consider the same example as before with forward execution t , t , t . Since t occursindependently of action t we can now reverse t and t in any order we want, although wecan never reverse them before t . As indicated in Figure 2.3, causal order reversal gives anadditional reverse path which is the execution of t , t , t , as well as, the backtracking path t , t , t . Figure 2.3: Causal reversing
Both backtracking and causal reversing are cause-respecting. There are however, manyimportant examples where undoing events in an out-of-causal order is either inherent orcould be beneficial. In fact, this form of undoing plays vital role on mechanisms driv-ing long-running transactions and biochemical reactions [119]. This flexible notion of re-versibility cancels out soundness since some backtracking computations could give access toformerly unreachable states. Consider every state of the execution to be a result of a seriesof actions that have causally contributed to the existence of the current state. If the actionswere to be reversed in a causally-respecting manner then we would only be able to moveback and forth through previously visited states. Therefore, one might wish to apply out-of-order reversibility in order to create fresh alternatives of current states that were formerlyinaccessible by any forward-only execution path.Again, consider the above example where now actions can be reversed in any possible22xecution path. Given the forward execution of t , t , t , six alternative reversing paths areproduced as potential reverse executions based on out-of-causal reversibility. In Figure 2.4can be observed that these paths include paths produced by backtracking execution as wellas, paths produced during causal reversal. Figure 2.4: Out-of-causal reversing
Reversible Formalisms
Both challenges have been addressed within various computational models ranging fromprocess calculi [31, 117] to event structures [27, 139]. The second challenge, of forgettingpreviously executed actions, has been addressed using external mechanisms such as memo-ries or identifiers that remember the position and momentum of each action. Since processesdo not remember their past states, various reversible formalisms make a system exactly re-versible by extending the syntax to include mechanisms that serve as histories of executedactions of the corresponding processes.Research on reversible formal languages can be traced back to a publication from Berryand Boudol titled “Chemical Abstract Machine" [19]. The authors propose a calculus, in-spired by chemical reactions, whose operational semantics define forward and the corre-sponding reverse reduction relation. They have introduced the notion of a chemical abstractmachine called “cham" which is based on the chemical metaphor used in the Γ language.They have illustrated the descriptive powers of the chemical abstract machine by showingthat it is suited to model concurrent systems and reversible computations.The first attempt to reverse classical process calculi was explored by Vincent Danos andJean Krivine [33] who built a notion of distributed backtracking on top of Milner’s CCS [97].23he proposed process calculus was named CCS-R which is essentially a reversible extensionof CCS motivated by the desire to represent reversible biological systems as the evolutionof biological processes. Reversibility is embedded in the syntax of CCS as a distributedmonitoring system and meshes well with the forward only syntax of the host calculus.Some of the limitations of the model of CCS-R have been later addressed on a newerversion named RCCS [31] where CCS-R is extended to deal with recursion, and uses uniquenames to identify threads. RCCS is again a process algebra in the style of CCS where pro-cesses have the ability to backtrack. Their calculus is essentially Milner’s CCS with theadded bonus that some observable actions in the standard labelled transition system seman-tics can be understood to be reversible. Their seminal paper was the first to discuss the notionof causality as a suitable requirement for reversibility in a concurrent scenario and paved theway to the definition of causal-consistent reversibility. RCCS is a causal-consistent reversibleextension of CCS that uses memory stacks in order to keep track of past communications,further developed in [32].RCCS [31] and the work of [1] on mapping functional programs into reversible automatainspired I. Phillips and I. Ulidowski to proposed another approach on reversing CCS, namedCCSK [117]. CSSK is a reversible version of CCS based on the use of communication keys.It can be used to model and analyse the bidirectional behaviour of systems that are ableto choose the direction of execution spontaneously, for example the binding and unbindingof molecules in biochemical reactions. Given a forward transition relation their reversiblealgebraic process calculi is able to obtain the inverse because it has the ability to rememberpreviously executed actions. To achieve this they have introduced a method for convertingthe standard irreversible operators of CCS into reversible operators, while preserving theiroperational semantics. Similarly to RCCS, they use a memory mechanism which contains ahistory of past communication keys and it can be used to reverse computation in a causallypreserving manner. Contrary to the global control and extensive record keeping of RCCS,their motivation was to produce a reversible process calculus that does not rely heavily onexternal devices such as memories. The most crucial component of their procedure is thenotion of communication keys which are a more expressive form of past actions. These areunique identifiers that are used to “mark" a previously executed action a by a fresh identifier k and record it in the syntax of the action’s occurrence as a [ k ] .The creators of RCCS continued their work by employing their reversible mechanismto π -calculus by proposing a reversible labelled transition semantics called R π [29]. Theyintroduce the syntax and semantics for the reversible π -calculus and they prove similar re-24ults to the ones proved for RCCS, such as equivalence between any backtracking path andforward computation as well as causal equivalence up-to permutation which means that com-putations are maximally liberal with respect to the structural causality of the reduction se-mantics.This work continues in [82] where Lanese et al. presented a reversible asynchronoushigher-order π -calculus, called ρπ , which has been shown to be causally consistent andgives two original contributions. The first one is a novel reversible machinery which, in thecontrary of the previously proposed machineries in CCS, preserves the classical structuralcongruence laws of the π -calculus, and relies on simple name tags for identifying threadsand explicit memory processes. The second contribution is a faithful encoding on ρπ cal-culus into a variant of HO π , showing that adding reversibility does not change substantiallythe expressive power of HO π . The work on reversible π -calculus continues from ρπ to roll- π [78], which is a fine-grained rollback primitive for higher-order π -calculus, that builds onthe reversibility apparatus of ρπ in order to adopt the ability to undo every single step in aconcurrent execution. In [76] Lanese et al. continued their work on reversible π -calculusby proposing a new concurrent process calculus, named croll- π , as a framework for flexi-ble reversibility and compensating roll- π . Croll- π features flexible reversibility, where it ispossible to specify alternatives to a computation, that can be used upon explicit rollback.On a more general note, the work in [77] proposes a general and automatic techniquewhich defines a causal-consistent reversible extension for forward models. These modelsinclude a variety of formalisms studied in the literature on causal-consistent reversibilitysuch as Higher-Order π -calculus and Core Erlang. Another work aiming to generalise causalreversibility in formalisms, is that of [84]. This work examines the various properties that areversible system should enjoy and shows how they relate to the already suggested propertiessuch as the parabolic lemma and the causal consistency property. Specifically, a genericlabelled transition system has been used to capture these properties as a set of axioms whichcan then be used by reversible formalisms in order to verify their properties. Additionally,two new notions of causal consistent reversibility are derived from these axioms, namelysafety and causal liveness.Most recently, the study of out-of-causal-order reversibility continued with the introduc-tion of a new operator for modelling local reversibility in [70]. The authors here also considercontrolled reversibility in CCS, in the form of a reversible process calculus called Calculus ofCovalent Bonding (CCB). Their reversible calculus has a novel and purely local in characterprefixing operator. This operator has been inspired by the mechanism of covalent bonding,25hich is the most common type of chemical bonds between atoms, that allows modelling oflocally controlled reversibility. In their proposal actions can be undone spontaneously or aspairs of concerted actions, where performing a weak action forces reversing of another ac-tion. The new operator in a restricted version of their calculus preserves causal consistency,however in its full generality it also allows modelling in out-of-causal order, where effectsare undone before their causes.Reversibility has also been extended to quantum process calculi, that are used to describeand model the behaviour of systems that combine classical and quantum communicationand computation the most prominent being qCCS [43] and CQP [52]. qCCS is a naturalquantum extension of CCS which can deal with input and output of quantum states, andunitary transformations and measurements on quantum systems. The operational semanticsof qCCS is given in terms of probabilistic labeled transition system. CQP (CommunicatingQuantum Processes) has been defined for modelling systems which combine quantum andclassical communication and computation. CQP combines the communication primitivesof the pi-calculus with primitives for measurement and transformation of quantum state;in particular, it has a static type system which classifies channels, distinguishes betweenquantum and classical data, and controls the use of quantum state.The study of reversible process calculi triggered also research on more abstract mod-els for describing concurrent systems such as event structures [115, 119]. In particular, thework on CCSK has also continued in a paper titled “Reversibility and models of Concur-rency" [115] where the authors studied the impact of allowing events to be undone in primeevent structures. They proposed prime graphs to prove that transition systems associatedwith CCSK and other reversible process algebras are equivalent as models to labelled primeevent structures. This study continued in [119] where they proposed how to model reactionsystems that consist of objects that are combined together by the means of bonds or dis-solved via reduction-style semantics. Motivated from the initial study of [119] research onreversible event structures continued with introducing reversible forms of prime event struc-tures and asymmetric event structures [116]. In order to control the manner in which eventsare reversed, the authors focused on analysing asymmetric conflict and causation of events inthe reversible, and not necessarily causal, setting. Ulidowski et al. continued their researchon reversible event structures in a publication titled “Concurrency and reversibility" [136],where they have shown how to model reversibility in concurrent computation as realisedabstractly in terms of event structures. The authors have introduced two different forms ofevents structures: event structures defined in terms of the causation and precedence relations,26nd event structures defined by the enabling relation. The proposed forms of event structureshave been illustrated in various examples that demonstrate how to model causally consistentreversibility as well as out-of-causal-order reversibility.In the literature there exists another line of research concerning reversible process calculithat focuses on dealing with reduction semantics describing the evolution of processes inisolation. This approach is usually simpler and hence more easily applicable to expressivecalculi such as CCS and π -calculus. In this line of research we are able to find Reversiblestructures a reversible computational calculus for modelling chemical systems, composed ofsignals and gates [27]. Reversible structures are computational units that may progress inforward and backward direction. They are amenable to biological implementations in termsof DNA circuits and are expressive enough to encode a reversible process calculus such asasynchronous RCCS.The first study of reversible computation within Petri nets was proposed in [15, 16]. Inthese works, the authors investigate the effects of adding reversed versions of selected tran-sitions in a Petri net, where these transitions are obtained by reversing the directions of atransition’s arcs. They then explore decidability problems regarding reachability and cover-ability in the resulting Petri nets. However, non-deterministically deciding to reverse any ofthe transitions causes the reversal of the “wrong" transition which might lead to new statesthat have not been reached through forward execution only. The reason behind this is thatthe addition of reversibility into a model like Petri nets results in various backward conflictswhere a token can be generated in a place because of different transition firings. The markingof that particular place is not enough to deduce whether the token has been produced becauseof a particular transition. This approach on reversible computation violates causality whichis more challenging than randomly selecting reversed transitions since in a concurrent settingthere is no natural way for totally ordering events.Towards examining causal consistent reversibility in Petri nets, the work in [96] inves-tigates whether it is possible to add a complete set of effect-reverses for a given transitionwithout changing the set of reachable markings. The authors show that this problem is ingeneral undecidable however it can be decidable in cyclic Petri nets where with the addi-tion of new places these non-reversible Petri nets can become reversible while preservingtheir behaviour. Moreover, the works of [94, 95] propose a causal semantics for P/T netsby identifying the causalities and conflicts of a P/T net through unfolding it into an equiv-alent occurrence net and subsequently introducing appropriate reverse transitions to createa coloured Petri net that captures a causal-consistent reversible semantics. The colours in27his coloured Petri net capture causal histories. On a similar note, [93] introduces the notionof reversible occurrence nets and associate a reversible occurrence net to a causal reversibleprime event structure, and vice versa. In [35] the authors examine the possibility of revers-ing the effect of the execution of groups of various transitions (steps). They then present anumber of properties which arise in this context and show that there is a crucial differencebetween reversing steps which are sets and those which are true multisets.On another note, having models that express controlled reversibility is more useful inreal life applications. For instance, various biological phenomena control the direction ofthe computation based on physical conditions such as temperature, pressure and reactionrates. Therefore, a distinguishing feature of reversible computation is that of c ontrollingreversibility: while various frameworks make no restriction as to when a transition can bereversed (uncontrolled reversibility), it can be argued that some means of controlling theconditions of transition reversal is often useful in practice. For instance, when dealing withfault recovery, reversal should only be triggered when a fault is encountered. Based on thisobservation, a number of strategies for controlling reversibility have been proposed: [32]introduces the concept of irreversible actions, and [80] introduces compensations to dealwith irreversible actions in the context of programming abstractions for distributed systems.Another approach for controlling reversibility is proposed in [118] where an external entityis employed for capturing the order in which transitions can be executed in the forwardor the backward direction. In another line of work, [78] defines a roll-back primitive forreversing computation, and in [76] roll-back is extended with the possibility of specifyingthe alternatives to be taken on resuming the forward execution. Finally, in [9] the authorsassociate the direction of action reversal with energy parameters capturing environmentalconditions of the modelled systems.Reversible calculi were born with mainly biological motivation. Since many biologicalphenomena are naturally reversible, a reversible formalism seems to be suitable to modelsuch systems. Indeed, efforts have been made to model biological systems [27, 33, 118,119] as well as chemical reactions [70] using reversible process calculi. We highlight [27]which illustrates a compilation from asynchronous CCS to DNA circuits. Given their formaldefinition, process calculi are suitable to formally verify properties of systems. There is astrong line of work concerned with applications of reversible process calculi such as sessiontypes, contracts, biological phenomena, and constructs for reliability. [131] shows how thesession type discipline of π -calculus extends to its reversible variants. In [132], (binary andmultiparty) session type systems are used to restrict the study of reversibility in π -calculus28o single sessions. Instead, [11, 12] study the compliance of a client and a server when bothof them have the ability to backtrack to past states. In a different setting, reversible processcalculi have also been used to build constructs for reliability, and in particular communicatingtransactions with compensations [36]. Transactions with compensations are computationsthat either succeed, or their effects are compensated by a dedicated ad-hoc piece of code.In [36], the effect of the transaction is first undone, and then a compensation is executed.Behavioural equivalences for communicating transactions with compensation have also beenstudied in [37, 68]. In [76], interacting transactions with compensations are mapped into areversible calculus with alternatives. In this work, we shall consider a particular model of concurrency, known as Petri nets, thatin this thesis will be extended to its reversible variant. It is a basic model of parallel and dis-tributed systems, designed by Carl Adam Petri in 1962 in his PhD Thesis:“Kommunikationmit Automaten" [110, 122]. Petri Nets are a graphical mathematical language that can beused for the specification and analysis of discrete event systems. Petri nets are a formalmodel of concurrent systems which supports both action-based and state-based modellingand reasoning where the basic idea behind it is to describe state changes in a system withtransitions.
Figure 2.5: Petri net
Petri nets are extensions of directed, finite, bipartite graphs, typically without isolatednodes as seen in Figure 2.5. They are also known as place/transition (PT) nets based on theirfour main components: places, transitions, arcs and tokens. Formally:
Definition 1. A Petri Net is a tuple N = ( P , T , F , W , M ) where:1. P is a finite set of places . 29. T is a finite set of transitions such that P ∩ T = ∅ .3. F is a set of arcs ( or flow relations) F ⊂ ( P × T ) ∪ ( T × P ) W : (( P × T ) ∪ ( T × P )) → N is the arc weight mapping where W ( f ) = for all f (cid:60) F ,and W ( f ) > for all f ∈ F , and5. M : P → N is the initial marking representing the initial distribution of tokens Figure 2.6: Petri net components
Main Components.
As seen in Figure 2.6 the first component is places which are illus-trated by circles and refer to as conditions or states. They are passive nodes used to store,accumulate or show tokens to indicate the current state of the execution. Places are used todefine conditions that need to be satisfied in order to execute a specific action. Therefore, ifa place has an incoming directed arrow then it is called a post-place and if it has outgoingdirected arrows then it is called a pre-place. Places filled by tokens indicate the current stateof the execution and the overall distribution of tokens across places is known as the marking M . The input state is indicated by the initial marking M and every other consecutive statecan be reached by relocating the required tokens.The second component is transitions which are indicated by bars or boxes containing therespective label and model activities which can occur when a transition fires. They are activenodes that when fired they can produce, consume transport or change tokens, indicating theexecution of the corresponding event. A transition is enabled to be fired only when thenumber of tokens in each of its input places is at least equal to the number of arcs going fromthe place to the transition meaning that all of its pre places need to be filled with tokens.Firing a transition means consuming tokens from its pre-places and then distributing them toeach output place. Thus, after the firing of a transition the marking of the net is changed to anew reachable marking, where some transitions are no longer enabled while others becomeenabled. 30laces and transitions are connected to each other by directed arcs. Graphically an arcis represented by an arrow indicating the relation between the components such as logicalconnections, access rights, spatial proximities or immediate linkings. An arc never connectstwo places or two transitions. It rather runs from a place to a transition or from a transition toa place. The order in which transitions and places appear amongst the directed arcs defineswhich places are pre-places and therefore are required in order to fire the transition and whichare post-places. Labelled incoming arcs may be drawn from a place into a transition labelledwith a natural number indicating the finite number of tokens in the associated place that needto be consumed by the occurrence of the transition. Labelled outgoing arcs may be drawnfrom a transition to a place labelled with a natural number indicating the number of tokensto be deposited in the place by the occurrence of an event.A Petri net is a particular kind of directed graph, together with an initial state called theinitial marking. A marking assigns to each place a non-negative integer indicating the is theconfiguration of tokens distributed over an entire Petri net diagram. Pictorially, we placeblack bullets representing tokens in various places of a net where semantically a markingis denoted by M , an m -vector, where m is the total number of places. If a marking assignsto place p a non-negative integer k , we say that p is marked with k tokens. A markingis depicted by placing a dot (token) in each of its places. The dynamic behaviour of therepresented system, in terms of system state and its evolution, is defined by describing thepossible moves between markings based on the marking evolution rule. The marking of thenet changes through the occurrence of transitions according to what is commonly called thetoken game for nets.As in many formal models the concept of conditional events can be used in order torepresent the dynamics of a system. In Petri net modelling places represent conditions, andtransitions represent events. A transition has a certain number of input and output placesrepresenting the pre-conditions and post-conditions of the event, respectively. The presenceof a required number of tokens in a place is interpreted as holding the truth of the conditionassociated with the incoming arc. A transition is said to be enabled if all input places havesufficient number of tokens for the firing consumptions to be possible. Meaning that thenumber of tokens in an input place should be at least equal to the weight of the arc joiningsuch a place with the considered transition. Formally, a transition t is said to be enabled ifeach input place p of t is marked with at least w ( p , t ) tokens, where w ( p , t ) is the label of thearc from p to t .Once a transition is enabled it may or may not fire depending on whether or not the event31ctually takes place. The firing of an enabled transition is an instantaneous operation whichevolves a marking into a new marking. In that case, a number of tokens is consumed byremoving from each input place of the transition a number of tokens equal to the weight ofthe incoming arc leading to a transition. Tokens are consumed by the firing, but also newtokens are produced in its outgoing places, namely a number of tokens are created to eachoutput place equal to the weight of the arc joining the considered transition with such a place. Extensions.
There are many extensions of Petri nets. Some of them are completelybackwards-compatible with the original Petri nets, while some add properties that cannot bemodelled in the original Petri net formalism. Although backwards-compatible models do notextend the computational power of Petri nets, they may have more succinct representationsand may be more convenient for modelling. Extensions that cannot be transformed intoPetri nets are sometimes very powerful, but usually lack the full range of mathematical toolsavailable to analyse ordinary Petri nets. An extension of Petri nets is the addition of new typesof arcs; such as inhibitor arcs which impose the precondition that the transition may only firewhen the place is empty and reset arcs [41] which do not impose a precondition on firing,and empties the place when the transition fires. Reset arcs make reachability undecidable,while some other properties, such as termination, remain decidable [5]; whereas inhibitorarcs allow arbitrary computations on numbers of tokens to be expressed, which makes theformalism Turing complete and implies existence of a universal net [145].The term high-level Petri net is used for many extensions of Petri nets although, theterm is mostly used for the type of Coloured Petri nets [64] supported by CPN Tools. In astandard Petri net, tokens are indistinguishable whereas in a coloured Petri nets, every tokenhas a colour. This allows tokens to have a data value attached to them which can be ofarbitrarily complex type where places in CPNs usually contain tokens of one type, whichis called a coloured set. In popular tools for coloured Petri nets such as CPN Tools, thevalues of tokens are typed, and can be tested using guard expressions and manipulated witha functional programming language. Coloured Petri nets preserve useful properties of Petrinets and at the same time extend the initial formalism to allow the distinction between tokens.Another extension is that of timed Petri nets [141] used to model the timing of a model,where time constraints restrict the causal behaviour of the system and limit its state space byforcing events to occur and keep others from happening following the constraints. In timePetri nets, there is an upper and a lower bound for the time an event can remain enabledwithout occurring after its preconditions are met. The upper time bound of one potentialevent can limit the time when another conflicting event can occur, creating dependencies not32een in the simple causal view of the system.The qualitative notion of time is implicitly represented in Petri nets in the sense that eachfiring of a transition is associated with a timestamp or clock cycle. In such a representation,the firing of transitions depends not only on the marking, but also on the elapsed time sincethe occurrence of some other events. The elapsed time is not represented by the number ofinternal ticks since the start of the clock but is represented based on the configuration of amarking at the given clock cycle.There are several variations of timed Petri nets incorporating the notion of time to vir-tually every component of the Petri nets framework, namely transition, tokens, arcs, and,places. A subsidiary of timed Petri nets are the stochastic Petri nets [90] that add nonde-terministic time through adjustable randomness of the transitions. The exponential randomdistribution is usually used to time these nets. In this case, the nets’ reachability graph canbe used as a continuous time Markov chain (CTMC).
Modelling and Analysis.
Various kinds of Petri nets are applied in different disciplines,including Computer Science (formal languages [123], logic programs [130]), business pro-cess modelling (decision models [129]), information management (distributed-database sys-tems [140]), software engineering (concurrent and parallel programs [101]), and systems en-gineering (multiprocessor memory systems [91], asynchronous circuits and structures [38,65], compiler and operating systems [10]). The reason is that Petri nets are a promisingtool for describing and studying information processing systems, that are characterised asbeing concurrent, asynchronous, distributed, parallel, nondeterministic, and/or stochastic.Specifically, executable modelling languages, applied with proper tool support, are expectedto automate system validation and verification, simulation and code generation from themodelling language representation. Another advantage, is that formal modelling is morerigorous by nature because it explores every possibility to ensure correctness and complete-ness. Formal techniques mainly include process algebras, temporal logic, automata theoretictechniques, Petri nets and partial order models.As a mathematical tool, it is possible to set up state equations, algebraic equations, andother mathematical models governing the behaviour of systems. The simplicity of the basicuser interface of Petri nets has easily enabled extensive tool support over the years, partic-ularly in the areas of model checking, graphically oriented simulation, and software verifi-cation. As a graphical tool, Petri nets can be used as a visual-communication aid similar toflow charts, block diagrams, and networks. The use of computer-aided tools is a necessityfor practical applications of Petri nets and thus most Petri-net research groups have their33wn software packages and tools to assist the drawing, analysis, and simulation of variousapplications.A major strength of Petri nets is their support for analysis of many properties and prob-lems associated with concurrent systems [102]. They can be used to study the reachabilityand coverability problems as well as study properties such as liveness, boundedness, invari-ance and conservativeness. Reachability is a fundamental basis for studying the dynamicproperties of any system and is essentially the ability to identify whether a given state isreachable from the initial state. However, coverability represents precisely the coverable setsrather than the reachable sets and is closely related to liveness which is the possibility toultimately fire any transition of the net by progressing through some further firing sequence.A Petri net is also said to be k -bounded or simply bounded if the number of tokens in eachplace does not exceed a finite number k for any marking reachable from the initial marking.It is also said to be conservative if there exists a positive integer for every place such thatthe weighted sum of tokens is the same for every marking and for any fixed initial mark-ing. Another important feature of Petri nets is that their structural properties can be obtainedby linear algebraic techniques. Such properties are called invariants because they are theproperties that depend on only the topological structure of a Petri net and are independentof the initial marking. One of the properties studied in the context of Petri nets is that ofPetri net reversibility which describes the ability of a system to return to the initial state fromany reachable state. This, however, is in contrast to the notion of reversible computation asdiscussed in this work where the intention is not to return to a state via arbitrary executionbut to reverse the effect of already executed transitions. Petri Net Causality.
Causality is one of the most interesting notions in Petri net theorysince it allows the explicit representation of causal dependencies between action occurrenceswhen modelling reactive systems. In fact, how to formalise causal dependencies based onan appropriate causality based concept is a well-known topic in Petri net theory [138]. Theinvestigation of Petri nets has given rise into two different approaches when it comes tocausality, one of them being disjunctive causality implemented by the collective token inter-pretation and the other one being partial order causality implemented by the individual tokeninterpretation [24, 137, 139]. Many different semantics have been proposed in the literaturefor both views, all of them aiming to remain abstract enough while doing justice to the trulyconcurrent nature of Petri nets. Each philosophy can be justified either by the theoreticalproperties of the modelled systems, or by the implementation of possible applications.A common concern between most of the theoretical models of computation is expressing34ausality in concurrent systems. In contrast to the sequential setting that is well understood,the concurrent setting poses the conceptual question of how do we define the causal order ofexecution. When it comes to Petri nets the ability to formally express causal dependenciesbased on an appropriate causality based concept is one of the most well-known problems ofPetri nets but also one of the most interesting properties [138].Most of the behavioural models for Petri nets have firing rules that embody the collectivetoken philosophy rather than the individual token philosophy. The collective token philos-ophy has been investigated in [23] and is considered to be the standard firing rule of Petrinets were tokens residing in the same place are indistinguishable. In the collective tokeninterpretation when multiple tokens of the same type reside in the same place then these to-kens are not distinguished. This means that all that is known by the model is the amount oftoken occurrences of a specific type and their location in the marking. In the collective tokenphilosophy were we assume unambiguous tokens to be equivalent because when focussingon the net behaviour these tokens are operationally equivalent. The collective approach fitswell with resource allocation systems where tokens represent resources and their identity isindistinguishable since their behavioural capabilities are identical.The computational interpretation of the collective token philosophy has been extendedto the individual token approach, where tokens residing in the same place are distinguishedbased on their causal path [55,121]. As such, the individual token interpretation distinguishestokens of the same type as individual and it has been formally described by the notion of aprocess in [55, 121]. In this approach the model keeps track of where the tokens come fromand therefore identifies the causal links between transitions as means of partial order. Thesemantics of the individual token interpretation are more complicated since this approachrequires precise correspondence between the token instances and their past. This approachsolves the ambiguity between tokens of the same type by allowing tokens to carry infor-mation about their mappings. This distinction between tokens allows us to give a preciseaccount of the causal and distributed nature of the net as a partial order. The causal relationsbetween the transitions in a distributed run of a net can also be described by means of causalnet [138]. In the standard approach to causality [110] a causal link is considered to existbetween two transitions if one produces tokens that are used to fire the other. This relation isused to define “causal order" which is transitive so that if a transition t causally precedes t and t causally precedes t then t also causally precedes t . Furthermore, it is an irreflexiverelation, i.e., no transition causally precedes itself. 35 hapter Reversible Computation in Petri Nets
During the last few years a number of formal models have been developed aiming to provideunderstanding of the basic principles of reversibility along with its costs and limitations, andto explore how it can be used to support the solution of complex problems. In this chapter,we set out to study reversible computation in the context of Petri Nets and to explore themodelling of the main strategies for reversing computation. We aim to address the chal-lenges of capturing the notions of backtracking, causal reversibility and out-of-causal-orderreversibility within the Petri Net framework, thus proposing a novel, graphical methodol-ogy for studying reversibility in a model where transitions can be taken in either direction.Our proposal is motivated by applications from biochemistry where out-of- causal-order re-versibility is inherent, and it supports all the forms of reversibility that have been discussedabove.Adding reversibility to Petri nets turns out to be quite nontrivial since the presence ofcycles exposes the need to define causality of actions within a cyclic structure. Indeed, thereare different ways of introducing reversible behaviour depending on how causality is de-fined. In our approach, we follow the notion of causality as defined by Carl Adam Petri forone-safe nets that provides the notion of a run of a system where causal dependencies arereflected in terms of a partial order [110]. A causal link is considered to exist between twotransitions if one produces tokens that are used to fire the other. In this partial order, causaldependencies are explicitly defined as an unfolding of an occurrence net which is an acyclicnet that does not have backward conflicts. We prove that the amount of flexibility allowedin causal reversibility indeed yields causally consistent semantics. We also demonstrate thatout-of-causal-order reversibility is able to create new states unreachable by forward-onlyexecution. Additionally, we establish the relationship between the three forms of reversingand define a transition relation that can capture each of the three strategies modulo the en-36 igure 3.1: Causal reversibility abledness condition for each strategy. This allows us to provide a uniform treatment of thebasic theoretical results. We demonstrate the framework with a model of the Ras-Raf-MEK-ERK pathway [118], and a transaction processing system, examples that inherently feature(out-of-causal-order) reversibility.
Reversing computational processes in concurrent and distributed systems has many promis-ing applications but also presents some technical and conceptual challenges. In particular,a formal model for concurrent systems that embeds reversible computation needs to be ableto compute without forgetting and to identify the legitimate backward moves at any pointduring computation.The first challenge applies to both concurrent and sequential systems. Since processestypically do not remember their past states, reversing their execution is not directly sup-ported. This challenge can be addressed with the use of memories. When building a re-versible variant of a formal language, its syntax can be extended to include appropriate rep-resentations for computation memories to allow processes to keep track of past execution.The second challenge regards the strategy to be applied when going backwards. As al-ready mentioned, the most prominent approaches for performing and undoing steps are back-tracking , causal reversibility , and out-of-causal-order reversibility . Backtracking is well un-derstood as the process of rewinding one’s computation trace, whereas in causal reversibility,reversing does not have to follow the exact inverse order for events as long as caused actions,also known as effects, are undone before the reversal of the actions that have caused them.For example, consider the Petri net in Figure 3.1. We may observe that transitions t and t are independent from each other as they may be taken in any order, and they areboth prerequisites for transition t . Backtracking the sequence of transitions (cid:104) t , t , t (cid:105) wouldrequire that the three transitions should be reversed in exactly the reverse order, i.e. (cid:104) t , t , t (cid:105) .37 igure 3.2: Catalysis in classic Petri nets Instead, causal flexibility allows the inverse computation to rewind t and then t and t inany order, but never t or t before t .Both backtracking and causal reversing are cause-respecting. There are, however, manyimportant examples where concurrent systems execute in out-of-causal-order reversibility inorder to allow a system to discover states that are inaccessible in any forward-only execution.This can be achieved since, reversing in out-of-causal order allows reversing an action be-fore its effects are undone, and subsequently exploring new computations while the effectsof the reversed action are still present. As such, out-of-order reversibility can create newalternatives of current states that were formerly inaccessible by any forward-only executionpath.Since out-of-order reversibility contradicts program order, it comes with its own peculiar-ities that need to be taken into consideration while designing reversible systems. To appre-ciate these peculiarities and obtain insights towards our approach on addressing reversibilitywithin Petri nets, consider the process of catalysis from biochemistry, whereby a substancecalled catalyst enables a chemical reaction between a set of other elements. Specifically con-sider a catalyst c that helps the otherwise inactive molecules a and b to bond. This is achievedas follows: catalyst c initially bonds with a which then enables the bonding between a and b .Finally, the catalyst is no longer needed and its bond to the other two molecules is released.A Petri net model of this process is illustrated in Figure 3.2. The Petri net executes transition t via which the bond ca is created, followed by action t to produce cab . Finally, action t “reverses” the bond between a and c , yielding ab and releasing c . (The figure portrays thefinal state of the execution assuming that initially exactly one token existed in places a , b ,and c .)This example illustrates that Petri nets are not reversible by nature, in the sense thatevery transition cannot be executed in both directions. Therefore an inverse action (e.g.,transition t for undoing the effect of transition t ), needs to be added as a supplementary38orward transition for achieving the undoing of a previous action. This explicit approach ofmodelling reversibility can prove cumbersome in systems that express multiple reversiblepatterns of execution, resulting in larger and more intricate systems. Furthermore, it failsto capture reversibility as a mode of computation. The intention of our work is to studyan approach for modelling reversible computation that does not require the addition of new,reversed transitions but instead offers as a basic building block transitions that can be takenin both the forward as well as the backward direction, and, thereby, explore the theory ofreversible computation within Petri nets.However, when attempting to model the catalysis example while executing transitions inboth the forward and the backward directions, we may observe a number of obstacles. Atan abstract level, the behaviour of the system should exhibit a sequence of three transitions:execution of t and t , followed by the reversal of transition t . The reversal of transition t should implement the release of c from the bond cab and make it available for furtherinstantiations of transitions, if needed, while the bond ab should remain in place. This impliesthat a reversing Petri net model should provide resources a , b and c as well as ca , cab and ab and implement the reversal of action t as the transformation of resource cab into c and ab .Note that resource ab is inaccessible during the forward execution of transitions t and t andonly materialises after the reversal of transition t , i.e., only once the bond between a and c isbroken. Given the static nature of a Petri net, this suggests that resources such as ab shouldbe represented at the token level (as opposed to the place level). As a result, the conceptof token individuality is of particular relevance to reversible computation in Petri nets whileother constructs/functions at token level are needed to capture the effect and reversal of atransition.Indeed, reversing a transition in an out-of-causal order may imply that while some ofthe effects of the transition can be reversed (e.g., the release of the catalyst back to the ini-tial state), others must be retained due to computation that succeeded the forward executionof the next transition (e.g., token a cannot be released during the reversal of t since it hasbonded with b in transition t ). This latter point is especially challenging since it requires tospecify a model in a precise manner so as to identify which effects are allowed to be “un-done” when reversing a transition. Thus, as highlighted by the catalysis example, reversingtransitions in a Petri net model requires close monitoring of token manipulation within a netand clear enunciation of the effects of a transition.As already mentioned, the concept of token individuality can prove useful to handlethese challenges. This concept has also been handled in various works, e.g., [128, 137, 138],39 igure 3.3: Catalysis in reversing Petri nets where each token is associated with information regarding its causal path, i.e., the placesand transitions it has traversed before reaching its current state. In our approach, we alsoimplement the notion of token individuality where instead of maintaining extensive historiesfor recording the precise evolution of each token through transitions and places, we employ anovel approach inspired by out-of-causal reversibility in biochemistry as well as approachesfrom related literature [119]. The resulting framework is light in the sense that no memoryneeds to be stored per token to retrieve its causal path while enabling reversible semantics forthe three main types of reversibility. Specifically, we introduce two notions that intuitivelycapture tokens and their history: the notion of a base and a new type of tokens called bonds .A base is a persistent type of token which cannot be consumed and therefore preserves itsindividuality through various transitions. For a transition to fire, the incoming arcs identifythe required tokens/bonds and the outgoing arcs may create new bonds or transfer alreadyexisting tokens/bonds along the places of a Petri Net. Therefore, the effect of a transitionis the creation of new bonds between the tokens it takes as input and the reversal of such atransition involves undoing the respective bonds. In other words, a token can be a base or acoalition of bases connected via bonds into a structure.Based on these ideas, we may describe the catalysis example in our proposed frameworkas shown in Figure 3.3. In this setting a and c are bases which are connected via a bond intoplace x during transition t , while transition t brings into place a new bond between a and b . In Figure 3.3 we see the state that arises after the execution of t and t and the reversalof transition t . In this state, base c has returned to its initial place u whereas bond a − b hasremained in place y . A thorough explanation of the notation is given in the next section.Finally, in order to identify at each point in time the history of execution, thus to dis-cern the transitions that can be reversed given the presence of backward nondeterminism ofPetri nets, we associate transitions with history storing keys in increasing order each time40n instance of the transition is executed. This allows to backtrack computation as well as toextract the causes of bonds as needed in causal and out-of-causal-order reversibility. We define reversing Petri nets as follows:
Definition 2. A Reversing Petri net (RPN) is a tuple ( A , P , B , T , F ) where:1. A is a finite set of bases or tokens ranged over by a , b , . . . A = { a | a ∈ A } contains a negative instance for each token and we write A = A ∪ A .2. P is a finite set of places .3. B ⊆ A × A is a set of undirected bonds ranged over by β , γ , . . . We use the notation a − b for a bond ( a , b ) ∈ B . B = { β | β ∈ B } contains a negative instance for each bondand we write B = B ∪ B .4. T is a finite set of transitions .5. F : ( P × T ∪ T × P ) → A∪B defines a set of directed arcs each associated with a subsetof
A ∪ B .A Reversing Petri net is built on the basis of a set of bases or tokens . We consider eachtoken to have a unique name. In this way, tokens may be distinguished from each other, theirpersistence can be guaranteed and their history inferred from the structure of a Petri net (asimplemented by function F , discussed below). Tokens correspond to the basic entities thatoccur in a system. They may occur as stand-alone elements but they may also merge togetherto form bonds . Places and transitions have the standard meaning.Directed arcs connect places to transitions and vice versa and are labelled by a subsetof
A ∪ B where A = { a | a ∈ A } is the set of negative tokens expressing token absence,and B = { β | β ∈ B } is the set of negative bonds expressing bond absence. For a label (cid:96) = F ( x , t ) or (cid:96) = F ( t , x ) , we assume that each token a can appear in (cid:96) at most once, eitheras a or as a , and that if a bond ( a , b ) ∈ (cid:96) then a , b ∈ (cid:96) . Furthermore, for (cid:96) = F ( t , x ) , it mustbe that (cid:96) ∩ ( A ∪ B ) = ∅ , that is, negative tokens/bonds may only occur on arcs incoming toa transition. Intuitively, these labels express the requirements for a transition to fire whenplaced on arcs incoming the transition, and the effects of the transition when placed on theoutgoing arcs. Thus, if a ∈ F ( x , t ) this implies that token a is required for the transition t to41re, and similarly for a bond β ∈ F ( x , t ) . On the other hand, a ∈ F ( x , t ) expresses that token a should not be present in the incoming place x of t for the transition to fire and similarly fora bond β , β ∈ F ( x , t ) . Note that negative tokens/bonds are close in spirit to the inhibitor arcsof extended Petri nets. Finally, note that F ( x , t ) = ∅ implies that there is no arc from place x to transition t and similarly for F ( t , x ) = ∅ .We introduce the following notations. We write ◦ t = { x ∈ P | F ( x , t ) (cid:44) ∅} and t ◦ = { x ∈ P | F ( t , x ) (cid:44) ∅} for the incoming and outgoing places of transition t , respectively.Furthermore, we write pre ( t ) = (cid:83) x ∈ P F ( x , t ) for the union of all labels on the incoming arcsof transition t , and post ( t ) = (cid:83) x ∈ P F ( t , x ) for the union of all labels on the outgoing arcs oftransition t . Definition 3.
A Reversing Petri net ( A , P , B , T , F ) is well-formed if it satisfies the followingconditions for all t ∈ T :1. A ∩ pre ( t ) = A ∩ post ( t ) ,2. If a − b ∈ pre ( t ) then a − b ∈ post ( t ) ,3. F ( t , x ) ∩ F ( t , y ) = ∅ for all x , y ∈ P , x (cid:44) y .According to the above we have that: (1) transitions do not erase tokens or create newones, (2) transitions do not destroy bonds, that is, if a bond a − b exists in an input place of atransition, then it is maintained in some output place, and (3) tokens/bonds cannot be clonedinto more than one outgoing place.As with standard Petri nets, we employ the notion of a marking . A marking is a distri-bution of tokens and bonds across places, M : P → A ∪ B where a − b ∈ M ( x ) , for some x ∈ P , implies a , b ∈ M ( x ) . In addition, we employ the notion of a history , which assignsa memory to each transition of a reversing Petri net as H : T → N . Intuitively, a historyof H ( t ) = ∅ for some t ∈ T captures that the transition has not taken place, and a historyof H ( t ) = { k , . . . , k n } captures that the transition was executed and not reversed n timeswhere k i , ≤ i ≤ n , indicates the order of execution of the i th instance amongst non-reversedactions. Note that this machinery, is needed to accommodate the presence of cycles, whichyield the possibility of repeatedly executing the same transitions. H denotes the initial his-tory where H ( t ) = ∅ for all t ∈ T . A pair of a marking and a history describes a state of areversing Petri net based on which execution is determined. We use the notation (cid:104) M , H (cid:105) todenote states. 42n a graphical representation, tokens are indicated by • , places by circles, transitions byboxes, and bonds by lines between tokens. Furthermore, histories are presented over therespective transitions as the list [ k , ..., k n ] when H ( t ) = { k , . . . , k n } , n > , and omittedwhen H ( t ) = ∅ .As the last piece of our machinery, we define a notion that identifies connected com-ponents of tokens and their associated bonds within a place. Note that more than one con-nected component may arise in a place due to the fact that various unconnected tokens maybe moved to a place simultaneously by a transition, while the reversal of transitions, whichresults in the destruction of bonds, may break down a connected component into varioussubcomponents. We define con ( a , C ) , where a is a base and C ⊆ A ∪ B to be the tokens con-nected to a via sequences of bonds as well as the bonds creating these connections accordingto set C . con ( a , C ) = ( { a } ∩ C ) ∪ { β, b , c | ∃ w s.t. path ( a , w , C ) , β ∈ w , and β = ( b , c ) } where path ( a , w , C ) if w = (cid:104) β , . . . , β n (cid:105) , and for all ≤ i ≤ n , β i = ( a i − , a i ) ∈ C ∩ B , a i ∈ C ∩ A , and a = a .Returning to the example of Figure 3.3, we may see a reversing net with three tokens a , b , and c , transition t , which bonds tokens a and c within place x , and transition t , whichbonds the a of bond c − a with token b into place y . Note that to avoid overloading figures,we omit writing the bases of bonds on the arcs of RPNs, so, e.g., on the arc between t and x , we write a − b as opposed to { a − b , a , b } . (The marking depicted in the figure is the onearising after the execution of transitions t and t and subsequently the reversal of transition t by the semantic relations to be defined in the next section.)We may now define the various types of execution for reversing Petri nets. In whatfollows we restrict our attention to well-formed RPNs ( A , P , B , T , F ) with initial marking M such that for all a ∈ A , |{ x | a ∈ M ( x ) }| = . In this section we consider the standard, forward execution of RPNs.
Definition 4.
Consider a reversing Petri net ( A , P , B , T , F ) , a transition t ∈ T , and a state (cid:104) M , H (cid:105) . We say that t is forward-enabled in (cid:104) M , H (cid:105) if the following hold:1. if a ∈ F ( x , t ) , for some x ∈ ◦ t , then a ∈ M ( x ) , and if a ∈ F ( x , t ) for some x ∈ ◦ t , then a (cid:60) M ( x ) , 43. if β ∈ F ( x , t ) , for some x ∈ ◦ t , then β ∈ M ( x ) , and if β ∈ F ( x , t ) for some x ∈ ◦ t , then β (cid:60) M ( x ) ,3. if a ∈ F ( t , y ) , b ∈ F ( t , y ) , y (cid:44) y , then b (cid:60) con ( a , M ( x )) for all x ∈ ◦ t , and4. if β ∈ F ( t , x ) for some x ∈ t ◦ and β ∈ M ( y ) for some y ∈ ◦ t , then β ∈ F ( y , t ) .Thus, t is enabled in state (cid:104) M , H (cid:105) if (1), (2), all tokens and bonds required for the tran-sition to take place are available in the incoming places of t and none of the tokens/bondswhose absence is required exists in an incoming place of the transition, (3) if a transitionforks into outgoing places y and y then the tokens transferred to these places are not con-nected to each other in the incoming places of the transition, and (4) if a pre-existing bondappears in an outgoing arc of a transition, then it is also a precondition of the transition tofire. Contrariwise, if the bond appears in an outgoing arc of a transition ( β ∈ F ( t , x ) for some x ∈ t ◦ ) but is not a requirement for the transition to fire ( β (cid:60) F ( y , t ) for all y ∈ ◦ t ), then thebond should not be present in an incoming place of the transition ( β (cid:60) M ( y ) for all y ∈ ◦ t ).We observe that the new bonds created by a transition are exactly those that occur in theoutgoing edges of a transition but not in the incoming edges. Thus, we define the effect of atransition as eff ( t ) = post ( t ) − pre ( t ) This will subsequently enable the enunciation of transition reversal by the destruction ofexactly the bonds in eff ( t ) . Definition 5.
Given a reversing Petri net ( A , P , B , T , F ) , a state (cid:104) M , H (cid:105) , and a transition t enabled in (cid:104) M , H (cid:105) , we write (cid:104) M , H (cid:105) t −→ (cid:104) M (cid:48) , H (cid:48) (cid:105) where: M (cid:48) ( x ) = M ( x ) − (cid:83) a ∈ F ( x , t ) con ( a , M ( x )) if x ∈ ◦ tM ( x ) ∪ F ( t , x ) ∪ (cid:83) a ∈ F ( t , x ) ∩ F ( y , t ) con ( a , M ( y )) if x ∈ t ◦ M ( x ) , otherwiseand H (cid:48) ( t (cid:48) ) = H ( t (cid:48) ) ∪ { max( { } ∪ { k | k ∈ H ( t (cid:48)(cid:48) ) , t (cid:48)(cid:48) ∈ T } ) + } , if t (cid:48) = tH ( t (cid:48) ) , otherwiseThus, when a transition t is executed in the forward direction, all tokens and bonds occur-ring in its incoming arcs are relocated from the input places to the output places along withtheir connected components. An example of forward transitions can be seen in Figure 3.444 igure 3.4: Forward execution where transitions t and t take place with the histories of the two transitions becoming [1] and [2] , respectively.We may prove the following result, which verifies that bases are preserved during forwardexecution in the sense that transitions neither erase nor clone them. As far as bonds areconcerned, the proposition states that forward execution may create but not destroy bonds. Proposition 1 (Token and bond preservation) . Consider a reversing Petri net ( A , P , B , T , F ) ,a state (cid:104) M , H (cid:105) such that for all a ∈ A , |{ x ∈ P | a ∈ M ( x ) }| = , and a transition (cid:104) M , H (cid:105) t −→(cid:104) M (cid:48) , H (cid:48) (cid:105) . Then:1. for all a ∈ A , |{ x ∈ P | a ∈ M (cid:48) ( x ) }| = , and2. for all β ∈ B , |{ x ∈ P | β ∈ M ( x ) }| ≤ |{ x ∈ P | β ∈ M (cid:48) ( x ) }| ≤ . Proof.
The proof of the result follows the definition of forward execution and relies on thewell-formedness of RPNs. Consider a reversing Petri net ( A , P , B , T , F ) , a state (cid:104) M , H (cid:105) such45hat |{ x ∈ P | a ∈ M ( x ) }| = for all a ∈ A , and suppose (cid:104) M , H (cid:105) t −→ (cid:104) M (cid:48) , H (cid:48) (cid:105) .For the proof of clause (1) let a ∈ A . Two cases exist:1. a ∈ con ( b , M ( x )) for some b ∈ F ( x , t ) . Note that x is unique by the assumption that |{ x ∈ P | a ∈ M ( x ) }| = . Furthermore, according to Definition 5, we have that M (cid:48) ( x ) = M ( x ) − { con ( b , M ( x )) | b ∈ F ( x , t ) } , which implies that a (cid:60) M (cid:48) ( x ) . Onthe other hand, by Definition 3(1), b ∈ post ( t ) . Thus, there exists y ∈ t ◦ , such that b ∈ F ( t , y ) . Note that this y is unique by Definition 3(3). As a result, by Definition 5, M (cid:48) ( y ) = M ( y ) ∪ F ( t , y ) ∪{ con ( b , M ( x )) | b ∈ F ( t , y ) , x ∈ ◦ t } . Since b ∈ F ( x , t ) ∩ F ( t , y ) , a ∈ con ( b , M ( x )) , this implies that a ∈ M (cid:48) ( y ) .Now suppose that a ∈ con ( c , M ( x )) for some c (cid:44) b , c ∈ F ( t , y (cid:48) ) . Then, by Defini-tion 4(3), it must be that y = y (cid:48) . As a result, we have that { z ∈ P | a ∈ M (cid:48) ( z ) } = { y } and the result follows.2. a (cid:60) con ( b , M ( x )) for all b ∈ F ( x , t ) , x ∈ P . This implies that { x ∈ P | a ∈ M (cid:48) ( x ) } = { x ∈ P | a ∈ M ( x ) } and the result follows.To prove clause (2) of the proposition, consider a bond β ∈ B , β = ( a , b ) . We observethat, since |{ x ∈ P | a ∈ M ( x ) }| = for all a ∈ A , |{ x ∈ P | β ∈ M ( x ) }| ≤ . The proof followsby case analysis as follows:1. Suppose |{ x ∈ P | β ∈ M ( x ) }| = . Two cases exist:• Suppose β (cid:60) F ( t , x ) for all x ∈ P . Then, by Definition 5, β (cid:60) M (cid:48) ( x ) for all x ∈ P .Consequently, |{ x ∈ P | β ∈ M (cid:48) ( x ) }| = and the result follows.• Suppose β ∈ F ( t , x ) for some x ∈ P . Then, by Definition 3(3), x is unique, and byDefinition 5, β ∈ M (cid:48) ( x ) . Consequently, |{ x ∈ P | β ∈ M (cid:48) ( x ) }| = and the resultfollows.2. Suppose |{ x ∈ P | β ∈ M ( x ) }| = . Two cases exist:• β (cid:60) con ( c , M ( x )) for all c ∈ F ( x , t ) . This implies that { x ∈ P | β ∈ M (cid:48) ( x ) } = { x ∈ P | β ∈ M ( x ) } and the result follows.• β ∈ con ( c , M ( x )) for some c ∈ F ( x , t ) . Then, according to Definition 5, wehave that M (cid:48) ( x ) = M ( x ) − { con ( c , M ( x )) | c ∈ F ( x , t ) } , which implies that β (cid:60) M (cid:48) ( x ) . On the other hand, by the definition of well-formedness, Definition 3(1), c ∈ post ( t ) . Thus, there exists y ∈ t ◦ , such that c ∈ F ( t , y ) . Note that this y is46nique by Definition 3(3). As a result, by Definition 5, M (cid:48) ( y ) = M ( y ) ∪ F ( t , y ) ∪{ con ( c , M ( x )) | c ∈ F ( t , y ) , x ∈ ◦ t } . Since c ∈ F ( x , t ) ∩ F ( t , y ) , β ∈ con ( c , M ( x )) ,this implies that β ∈ M (cid:48) ( y ) .Now suppose that β ∈ con ( d , M ( x )) for some d (cid:44) c , c ∈ F ( d , y (cid:48) ) . Then, byDefinition 4, and since con ( c , M ( x )) = con ( d , M ( x )) , it must be that y = y (cid:48) . Asa result, we have that { z ∈ P | β ∈ M (cid:48) ( z ) } = { y } and the result follows. (cid:3) Let us now proceed to the simplest form of reversibility, namely, backtracking. We define atransition to be bt -enabled (backtracking-enabled) if it was the last executed transition: Definition 6.
Consider a state (cid:104) M , H (cid:105) and a transition t ∈ T . We say that t is bt -enabled in (cid:104) M , H (cid:105) if k ∈ H ( t ) with k ≥ k (cid:48) for all k (cid:48) ∈ H ( t (cid:48) ) , t (cid:48) ∈ T .Thus, a transition t is bt -enabled if its history contains the highest value among all tran-sitions. The effect of backtracking a transition in a reversing Petri net is as follows: Definition 7.
Given a reversing Petri net ( A , P , B , T , F ) , a state (cid:104) M , H (cid:105) , and a transition t thatis bt -enabled in (cid:104) M , H (cid:105) , we write (cid:104) M , H (cid:105) t (cid:32) b (cid:104) M (cid:48) , H (cid:48) (cid:105) where: M (cid:48) ( x ) = M ( x ) ∪ (cid:83) y ∈ t ◦ , a ∈ F ( x , t ) ∩ F ( t , y ) con ( a , M ( y ) − eff ( t )) , if x ∈ ◦ tM ( x ) − (cid:83) a ∈ F ( t , x ) con ( a , M ( x )) , if x ∈ t ◦ M ( x ) otherwiseand H (cid:48) ( t (cid:48) ) = H ( t (cid:48) ) − { k } , if t (cid:48) = t , k = max( H ( t )) H ( t (cid:48) ) otherwiseWhen a transition t is reversed in a backtracking fashion all tokens and bonds in thepostcondition of the transition, as well as their connected components, are transferred to theincoming places of the transition and any newly-created bonds are broken. Furthermore, thelargest key in the history of the transition is removed.An example of backtracking extending the example of Figure 3.4 can be seen in Fig-ure 3.5 where we observe transitions t and t being reversed with the histories of the twotransitions being eliminated. A further example can be seen in Figure 3.6 where after theexecution of transition sequence (cid:104) t , t , t , t , t (cid:105) , only transition t is bt -enabled since it was47 igure 3.5: Backtracking execution the last transition to be executed. During its reversal, the component a − b − c is returned toplace u . Furthermore, the largest key of the history of t becomes empty.We may prove the following result, which verifies that bases are preserved during back-tracking execution in the sense that there exists exactly one instance of each base and back-tracking transitions neither erase nor clone them. As far as bonds are concerned, the propo-sition states that at any time there may exist at most one instance of a bond and that back-tracking transitions may only destroy bonds. Proposition 2 (Token preservation and bond destruction) . Consider a reversing Petri net ( A , P , B , T , F ) , a state (cid:104) M , H (cid:105) such that for all a ∈ A , |{ x ∈ P | a ∈ M ( x ) }| = , and atransition (cid:104) M , H (cid:105) t (cid:32) b (cid:104) M (cid:48) , H (cid:48) (cid:105) . Then:1. for all a ∈ A , |{ x ∈ P | a ∈ M (cid:48) ( x ) }| = , and2. for all β ∈ B , ≥ |{ x ∈ P | β ∈ M ( x ) }| ≥ |{ x ∈ P | β ∈ M (cid:48) ( x ) }| . 48 igure 3.6: Backtracking execution where σ = (cid:104) t , t , t , t , t (cid:105) Proof.
The proof of the result follows the definition of backward execution and relies onthe well-formedness of reversing Petri nets. Consider RPN ( A , P , B , T , F ) , a state (cid:104) M , H (cid:105) such that |{ x ∈ P | a ∈ M ( x ) }| = for all a ∈ A , and suppose (cid:104) M , H (cid:105) t (cid:32) b (cid:104) M (cid:48) , H (cid:48) (cid:105) .We begin with the proof of clause (1) and let a ∈ A . Two cases exist:1. a ∈ con ( b , M ( x )) for some b ∈ F ( t , x ) . Note that by the assumption of |{ x ∈ P | a ∈ M ( x ) }| = , x must be unique. Let us choose b such that, additionally, a ∈ con ( b , M ( x ) − eff ( t )) . Note that such a b must exist, otherwise the forward executionof t would not have transferred a along with b to place x .According to Definition 7, we have that M (cid:48) ( x ) = M ( x ) − { con ( b , M ( x )) | b ∈ F ( t , x ) } ,which implies that a (cid:60) M (cid:48) ( x ) . On the other hand, note that by the definition of well-formedness, Definition 3(1), b ∈ pre ( t ) . Thus, there exists y ∈ ◦ t , such that b ∈ F ( y , t ) .Note that this y is unique. If not, then there exist y and y (cid:48) such that y (cid:44) y (cid:48) with b ∈ F ( y , t ) and b ∈ F ( y (cid:48) , t ) . By the assumption, however, that there exists at most49ne token of each base, and Proposition 1, t would never be enabled, which leads to acontradiction. As a result, by Definition 7, M (cid:48) ( y ) = M ( y ) ∪ { con ( b , M ( x ) − eff ( t )) | b ∈ F ( y , t ) ∩ F ( t , x ) } . Since b ∈ F ( y , t ) ∩ F ( t , x ) , a ∈ con ( b , M ( x ) − eff ( t )) , this impliesthat a ∈ M (cid:48) ( y ) .Now suppose that a ∈ con ( c , M ( x ) − eff ( t )) , c (cid:44) b , and c ∈ F ( y (cid:48) , t ) . Since a ∈ con ( b , M ( x ) − eff ( t )) , it must be that con ( b , M ( x ) − eff ( t )) = con ( c , M ( x ) − eff ( t )) . Since b and c are connected to each other but the connection was not created by transition t (the connection is present in M ( x ) − eff ( t ) ), it must be that the connection was alreadypresent before the forward execution of t and, by token uniqueness, we conclude that y = y (cid:48) .2. a (cid:60) con ( b , M ( x )) for all b ∈ F ( t , x ) , x ∈ P . This implies that { x ∈ P | a ∈ M (cid:48) ( x ) } = { x ∈ P | a ∈ M ( x ) } and the result follows.Let us now prove clause (2) of the proposition. Consider a bond β ∈ B , β = ( a , b ) . Weobserve that, since |{ x ∈ P | a ∈ M ( x ) }| = for all a ∈ A , |{ x ∈ P | β ∈ M ( x ) }| ≤ . The prooffollows by case analysis as follows:1. β ∈ con ( c , M ( x )) for some c ∈ F ( t , x ) , x ∈ P . By the assumption of |{ x ∈ P | β ∈ M ( x ) }| = , x must be unique. Then, according to Definition 7, we have that M (cid:48) ( x ) = M ( x ) − { con ( c , M ( x )) | c ∈ F ( x , t ) } , which implies that β (cid:60) M (cid:48) ( x ) . Two casesexist:• If β ∈ eff ( t ) , then β (cid:60) M (cid:48) ( y ) for all places y ∈ P .• If β (cid:60) eff ( t ) then let us choose c such that β ∈ con ( c , M ( x ) − eff ( t )) . Note that sucha c must exist, otherwise the forward execution of t would not have connected β with c . By the definition of well-formedness, Definition 3(1), c ∈ pre ( t ) . Thus,there exists y ∈ ◦ t , such that c ∈ F ( y , t ) . Note that this y is unique (if not, t wouldnot have been enabled). As a result, by Definition 7, β ∈ M (cid:48) ( y ) .Now suppose that β ∈ con ( d , M ( x ) − eff ( t )) , d (cid:44) c , and d ∈ M (cid:48) ( y (cid:48) ) . Since β ∈ con ( c , M ( x ) − eff ( t )) , it must be that con ( c , M ( x ) − eff ( t )) = con ( d , M ( x ) − eff ( t )) .Since c and d are connected to each other but the connection was not createdby transition t (the connection is present in M ( x ) − eff ( t ) ), it must be that theconnection was already present before the forward execution of t and, by tokenuniqueness, we conclude that y = y (cid:48) . This implies that { z ∈ P | β ∈ M (cid:48) ( z ) } = { y } .50he above imply that { z ∈ P | β ∈ M ( z ) } = { x } and { z ∈ P | β ∈ M (cid:48) ( z ) } ⊆ { y } and theresult follows.2. β (cid:60) con ( c , M ( x )) for all c ∈ F ( t , x ) , x ∈ P . This implies that { x ∈ P | β ∈ M (cid:48) ( x ) } = { x ∈ P | β ∈ M ( x ) } and the result follows. (cid:3) Let us now consider the combination of forward and backward moves in executions. Wewrite (cid:55)−→ b for −→ ∪ (cid:32) b . The following result establishes that in an execution beginningin the initial state of a reversing Petri net, bases are preserved, bonds can have at mostone instance at any time and a new occurrence of a bond may be created during a forwardtransition that features the bond as its effect whereas a bond can be destroyed during thebacktracking of a transition that features the bond as its effect. This last point clarifies thatthe effect of a transition characterises the bonds that are newly-created during the transition’sforward execution and the ones that are destroyed during its reversal. Proposition 3.
Given a reversing Petri net ( A , P , B , T , F ) , an initial state (cid:104) M , H (cid:105) and anexecution (cid:104) M , H (cid:105) t (cid:55)−→ b (cid:104) M , H (cid:105) t (cid:55)−→ b . . . t n (cid:55)−→ b (cid:104) M n , H n (cid:105) , the following hold:1. For all a ∈ A and i , ≤ i ≤ n , |{ x ∈ P | a ∈ M i ( x ) }| = .2. For all β ∈ B and i , ≤ i ≤ n ,(a) ≤ |{ x ∈ P | β ∈ M i ( x ) }| ≤ ,(b) if t i is executed in the forward direction and β ∈ eff ( t i ) , then β ∈ M i ( x ) for some x ∈ P where β ∈ F ( t i , x ) , and β (cid:60) M i − ( y ) for all y ∈ P ,(c) if t i is executed in the forward direction, β ∈ M i − ( x ) for some x ∈ P , and β (cid:60) eff ( t i ) then, if β ∈ con ( a , M i − ( x )) and a ∈ F ( t i , y ) , then β ∈ M i ( y ) , otherwise β ∈ M i ( x ) ,(d) if t i is executed in the reverse direction and β ∈ eff ( t i ) then β ∈ M i − ( x ) for some x ∈ P where β ∈ F ( t i , x ) , and β (cid:60) M i ( y ) for all y ∈ P , and(e) if t i is executed in the reverse direction, β ∈ M i − ( x ) for some x ∈ P , and β (cid:60) eff ( t i ) then, if β ∈ con ( a , M i − ( x )) and a ∈ F ( y , t i ) , then β ∈ M i ( y ) , otherwise β ∈ M i ( x ) . Proof.
To begin with, we observe that the proofs of clauses (1) and (2)(a) follow directlyfrom clauses (1) and (2) of Propositions 1 and 2. Clause (2)(b) follows from Definition 4(4)and Definition 5. Clause (2)(c) follows from Definition 5 and the condition refers to whether51he bond is part of a component manipulated by the forward execution of t i . Similarly,to(2)(a) clause (2)(d) stems from Definition 7. Finally, Clause (2)(e) follows from Definition 7and the condition refers to whether the bond is part of a component manipulated by thereverse execution of t i . (cid:3) In this setting we may establish a loop lemma:
Lemma 1 (Loop) . For any forward transition (cid:104) M , H (cid:105) t −→ (cid:104) M (cid:48) , H (cid:48) (cid:105) there exists a backwardtransition (cid:104) M (cid:48) , H (cid:48) (cid:105) t (cid:32) b (cid:104) M , H (cid:105) and vice versa. Proof.
Suppose (cid:104) M , H (cid:105) t −→ (cid:104) M (cid:48) , H (cid:48) (cid:105) . Then t is clearly bt -enabled in H (cid:48) . Furthermore, (cid:104) M (cid:48) , H (cid:48) (cid:105) t (cid:32) b (cid:104) M (cid:48)(cid:48) , H (cid:48)(cid:48) (cid:105) where H (cid:48)(cid:48) = H . In addition, all tokens and bonds involved intransition t (except those in eff ( t ) ) will be returned from the outgoing places of transition t back to its incoming places. Specifically, for all a ∈ A , it is easy to see by the definition of (cid:32) b that a ∈ M (cid:48)(cid:48) ( x ) if and only if a ∈ M ( x ) . Similarly, for all β ∈ B , β ∈ M (cid:48)(cid:48) ( x ) if and onlyif β ∈ M ( x ) . The opposite direction can be argued similarly. (cid:3) We now move on to consider causal-order reversibility in RPNs. To define such as reversiblesemantics in the presence of cycles, a number of issues need to be resolved. To begin with,consider a sequence of transitions pertaining to the repeated execution of a cycle. Adoptingthe view that reversible computation has the ability to rewind every executed action of asystem, we require that each of these transitions is executed in reverse as many times as itwas executed in the forward direction. Furthermore, the presence of cycles raises questionsabout the causal relationship between transitions of a cycle as well as of overlapping or evenstructurally distinct cycles. In the next subsection we discuss our adopted notion of transitioncausality. Subsequently, we develop a theory for causal-order reversibility in RPNs.
Causality in cyclic reversing Petri nets
A cycle in a reversing Petri net is associated with a cyclic path in the net’s graph structure.It contains a sequence of transitions where an outgoing place of the last transition coincideswith an incoming place of the first transition. Note that a cycle in the graph of a revers-ing Petri net does not necessarily imply the repeated execution of its transitions since, forinstance, entrance to the cycle may require a token or a bond that has been directed into adifferent part of the net during execution of the cycle. 52 igure 3.7: RPN with overlapping cycles σ = (cid:104) t , t , t , t , t , t (cid:105) and σ = (cid:104) t , t , t , t (cid:105) , and thestate arising after the forward execution of σ = σ σ In the standard approach to causality in classical Petri nets [110], a causal link is consid-ered to exist between two transitions if one produces tokens that are used to fire the other.This relation is used to define a “causal order", ≺ , which is transitive so that if a transition t causally precedes t and t causally precedes t , then t also causally precedes t .Adapting this notion in the context of cycle execution, consider a cycle with transitions t and t , executed twice yielding the transition instances t , t , t , t , where t ji denotes the j -thexecution of transition t i . Furthermore, suppose that t produces tokens that are consumedby t and vice versa. This implies the causal order relation ≺ , such that t ≺ t ≺ t ≺ t ,allowing us to conclude that each execution of the cycle causally precedes any subsequentexecutions. This is a natural conclusion in the case of the consecutive execution of cycles,since a second execution of a cycle cannot be initiated before the first one is completed. Thisis because the tokens manipulated by the first transition of the cycle need to return to its input53laces before the transition can be repeated. Figure 3.8: Causally dependent cycles, where σ = (cid:104) t , t , t , t (cid:105) Let us now move on to determining when a token produced by a transition is consumedby another. In RPNs this concept acquires an additional complexity due to the fact thattokens are distinguished by names and the fact that the creation of bonds between tokensmay disguise the causal relation between transitions. For instance, consider the example ofFigure 3.7. This RPN features two overlapping cycles, which can be executed sequentially.Suppose we execute the outer cycle (transition sequence (cid:104) t , t , t , t , t , t (cid:105) ) followed by theinner cycle (transition sequence (cid:104) t , t , t , t (cid:105) ).Observing the token manipulation of the transition instances as captured by the arcs ofthe transition, we obtain the order t ≺ t ≺ t ≺ t ≺ t ≺ t and t ≺ t ≺ t ≺ t . Howeverby simply observing the structure of the RPN there is no evidence that t consumes tokens54roduced by t . Nonetheless, in this scenario transition instance t has bonded tokens a and b and, thus, transition instance t requires bond a − b to be produced and placed at r by t before transition t can be executed for the second time. Thus, t ≺ t also holds.Note that, if the two cycles were not considered to be causally dependent and were al-lowed to reverse in any order, then, reversal of the first before the second one would disablethe reversal of the second cycle. This is because reversing transition t would return token b to place u , thus disabling a second reversal of transition t (and consequently the reversal ofthe inner cycle).Similarly, in the example of Figure 3.8 we observe two cycles that are structurally in-dependent but where the presence of common tokens between the two cycles creates a de-pendence between their executions. For instance, suppose that the upper cycle is initiallyselected via execution of transition t . This choice disables the lower cycle, which is onlyre-enabled once the upper cycle is completed and token a is returned to place u . As a result,the execution of t , and thus the lower cycle, following an execution of the upper cycle, isconsidered to be causally dependent on the execution of t .The above examples highlight that syntactic token independence between two transitionsor cycles does not preclude their causal dependence. Instead, causal dependence is deter-mined by the path that tokens follow: two transition occurrences are causally dependent, ifa token produced by the one occurrence was subsequently used to fire the other occurrence.To capture this type of dependencies, we adopt the following definitions. Definition 8.
Consider a state (cid:104) M , H (cid:105) and a transition t . We refer to ( t , k ) as a transitionoccurrence in (cid:104) M , H (cid:105) if k ∈ H ( t ) . Definition 9.
Consider a state (cid:104) M , H (cid:105) and suppose (cid:104) M , H (cid:105) t −→ (cid:104) M (cid:48) , H (cid:48) (cid:105) with ( t , k ) , ( t (cid:48) , k (cid:48) ) transition occurrences in (cid:104) M (cid:48) , H (cid:48) (cid:105) , k = max( H ( t )) . We say that ( t , k ) causally depends on ( t (cid:48) , k (cid:48) ) denoted by ( t (cid:48) , k (cid:48) ) ≺ ( t , k ) , if k (cid:48) < k and there exists a ∈ F ( x , t ) where con ( a , M ( x )) ∩ post ( t (cid:48) ) (cid:44) ∅ .Thus, a transition occurrence ( t , k ) causally depends on a preceding transition occurrence ( t (cid:48) , k (cid:48) ) if one or more tokens used during the firing of ( t , k ) was produced by ( t (cid:48) , k (cid:48) ) . Notethat the tokens employed during a transition in a specific marking are determined by theconnected components of F ( x , t ) in the marking. For example, in Figure 3.7 we have ( t , ≺ ( t , and in Figure 3.8 ( t , ≺ ( t , , where in each case token a has been transferred fromits initial place through ( t , to ( t , and through ( t , to ( t , . 55 ausal reversing Following this approach to causality, we now move on to define causal-order reversibility inreversing Petri nets. As expected, we consider a transition t to be enabled for causal-orderreversal only if all transitions that are causally dependent on it have either been reversedor not executed. To this respect, relation ≺ becomes an important piece of machinery andwe extend the notion of a state for the purposes of causal dependence to a triple (cid:104) M , H , ≺(cid:105) where ≺ captures the causal dependencies that have formed up to the creation of the state.We assume that in the initial state ≺ = ∅ and we extend the definition of forward execution asfollows: Definition 10.
Given a reversing Petri net ( A , P , B , T , F ) , a state (cid:104) M , H , ≺(cid:105) , and a transition t forward-enabled in (cid:104) M , H (cid:105) , we write (cid:104) M , H , ≺(cid:105) t −→ (cid:104) M (cid:48) , H (cid:48) , ≺ (cid:48) (cid:105) where M (cid:48) and H (cid:48) aredefined as in Definition 5, and ≺ (cid:48) = ≺ ∪{ (( t (cid:48) , k (cid:48) ) , ( t , k )) | k = max( H (cid:48) ( t )) , ( t , k ) causally depends on ( t (cid:48) , k (cid:48) ) } We may now define that a transition is enabled for causal-order reversal as follows:
Definition 11.
Consider a state (cid:104) M , H , ≺(cid:105) and a transition t ∈ T . Then t , H ( t ) (cid:44) ∅ , is c -enabled (causal-order reversal enabled) in (cid:104) M , H , ≺(cid:105) if1. for all x ∈ t ◦ , if a ∈ F ( t , x ) then a ∈ M ( x ) and if β ∈ F ( t , x ) then β ∈ M ( x ) , and2. there is no transition occurrence ( t (cid:48) , k (cid:48) ) ∈ (cid:104) M , H , ≺(cid:105) with ( t , k ) ≺ ( t (cid:48) , k (cid:48) ) , for k = max ( H ( t )) .According to the definition, an executed transition is c -enabled if all tokens and bondsrequired for its reversal (i.e., in post ( t ) ) are available in its outgoing places and there are notransitions which depend on it causally. Note that the second condition becomes relevant inthe presence of cycles since it is possible that, while more than one transitions simultaneouslyhave available the tokens required for their reversal, only one of them is c -enabled. Such anexample can be seen in the final state of Figure 3.8 and transitions t and t .Reversing a transition in a causally-respecting manner is implemented similarly to back-tracking, i.e. the tokens are moved from the outgoing places to the incoming places of thetransition and all bonds created by the transition are broken. In addition, the history functionis updated in the same manner as in backtracking, where we remove the key of the reversedtransition. Finally, the causal dependence relation removes all references to the reversedtransition occurrence. 56 igure 3.9: Causal-order example Definition 12.
Given a state (cid:104) M , H , ≺(cid:105) and a transition t c -enabled in (cid:104) M , H , ≺(cid:105) , we write (cid:104) M , H , ≺(cid:105) t (cid:32) c (cid:104) M (cid:48) , H (cid:48) , ≺ (cid:48) (cid:105) for M (cid:48) and H (cid:48) as in Definition 7, and ≺ (cid:48) such that ≺ (cid:48) = { (( t , k ) , ( t , k )) ∈≺ | k (cid:44) k , k = max( H ( t )) } An example of causal-order reversibility can be seen in Figure 3.9. Here we have twoindependent transitions, t and t causally preceding transition t . Once the transitions areexecuted in the order t , t , t , the example demonstrates a causally-ordered reversal where t is (the only transition that can be) reversed, followed by the reversal of its two causes t and t . In general t and t can be reversed in any order although in the example t is reversedbefore t . Whenever a transition occurrence is reversed its key is eliminated from the historyof the transition. 57 igure 3.10: Causal execution where σ = (cid:104) t , t , t , t (cid:105) As a further example consider the example in Figure 3.10 demonstrating a cyclic RPN.Assume that σ = (cid:104) t , t , t , t (cid:105) , i.e. from the initial state of the RPN the upper cycle is exe-cuted followed by the lower cycle. The transitions of the two cycles are causally independentsince they manipulate different sets of tokens and therefore they can be reversed in any order.The figure illustrates the reversal of transition t before transition t , which returns the bondbetween a − b to place x .In what follows we write (cid:55)−→ c for −→ ∪ (cid:32) c . The following result, similarly to Proposi-tion 3, establishes that under the causal-order reversibility semantics, tokens are unique andpreserved, bonds are unique, and they can only be created during forward execution and de-stroyed during reversal. Note that in what follows we will often omit the causal dependencerelation and simply write (cid:104) M , H (cid:105) for states when it is not relevant to the discussion. Proposition 4.
Given a reversing Petri net ( A , P , B , T , F ) , an initial state (cid:104) M , H (cid:105) and anexecution (cid:104) M , H (cid:105) t (cid:55)−→ c (cid:104) M , H (cid:105) t (cid:55)−→ c . . . t n (cid:55)−→ c (cid:104) M n , H n (cid:105) , the following hold: 58. For all a ∈ A and i , ≤ i ≤ n , |{ x ∈ P | a ∈ M i ( x ) }| = .2. For all β ∈ B and i , ≤ i ≤ n ,(a) ≤ |{ x ∈ P | β ∈ M i ( x ) }| ≤ ,(b) if t i is executed in the forward direction and β ∈ eff ( t i ) , then β ∈ M i ( x ) for some x ∈ P where β ∈ F ( t i , x ) , and β (cid:60) M i − ( y ) for all y ∈ P ,(c) if t i is executed in the forward direction, β ∈ M i − ( x ) for some x ∈ P , and β (cid:60) eff ( t i ) , then, if β ∈ con ( a , M i − ( x )) and a ∈ F ( t i , y ) then β ∈ M i ( y ) , otherwise β ∈ M i ( x ) (d) if t i is executed in the reverse direction and β ∈ eff ( t i ) , then β ∈ M i − ( x ) for some x ∈ P where β ∈ F ( t i , x ) , and β (cid:60) M i ( y ) for all y ∈ P , and(e) if t i is executed in the reverse direction, β ∈ M i − ( x ) for some x ∈ P , and β (cid:60) eff ( t i ) , then, if β ∈ con ( a , M i − ( x )) and a ∈ F ( y , t i ) then β ∈ M i ( y ) , otherwise β ∈ M i ( x ) . Proof.
The proof follows along the same lines as that of Proposition 3 with (cid:32) b replacedby (cid:32) c . (cid:3) We may now establish the causal consistency of our semantics. First we define someauxiliary notions. Given a transition (cid:104) M , H (cid:105) t (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48) (cid:105) , we say that the action of thetransition is t if (cid:104) M , H (cid:105) t −→ (cid:104) M (cid:48) , H (cid:48) (cid:105) and t if (cid:104) M , H (cid:105) t (cid:32) c (cid:104) M (cid:48) , H (cid:48) (cid:105) and we may write (cid:104) M , H (cid:105) t (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48) (cid:105) . We use α to range over { t , t | t ∈ T } and write α = α . We extend thisnotion to sequences of transitions and, given an execution (cid:104) M , H (cid:105) t (cid:55)−→ c . . . t n (cid:55)−→ c (cid:104) M n , H n (cid:105) ,we say that the trace of the execution is σ = (cid:104) α , α , . . . , α n (cid:105) , where α i is the action of transi-tion (cid:104) M i − , H i − (cid:105) t i (cid:55)−→ c (cid:104) M i , H i (cid:105) , and write (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M n , H n (cid:105) . Given σ = (cid:104) α , . . . , α k (cid:105) , σ = (cid:104) α k + , . . . , α n (cid:105) , we write σ ; σ for (cid:104) α , . . . , α n (cid:105) . We may also use the notation σ ; σ when σ or σ is a single transition.An execution of a Petri net can be partitioned as a set of independent flows of executionrunning through the net. We capture these flows by the notion of causal paths: Definition 13.
Given a state (cid:104) M , H , ≺(cid:105) and transition occurrences ( t i , k i ) in (cid:104) M , H , ≺(cid:105) , ≤ i ≤ n , we say that ( t , k ) , . . . , ( t n , k n ) is a causal path in (cid:104) M , H , ≺(cid:105) , if ( t i , k i ) ≺ ( t i + , k i + ) , forall ≤ i < n .As an example, consider the reversing Petri net in Figure 3.11 where we denote the firstexecution by (cid:104) M , H , ∅(cid:105) σ −→ (cid:104) M , H , ≺(cid:105) for σ = (cid:104) t , t , t , t (cid:105) , and the second execution59 igure 3.11: Causal paths in the context of dependent cycles, where σ = (cid:104) t , t , t , t (cid:105) and σ = (cid:104) t , t , t , t (cid:105) by (cid:104) M , H , ∅(cid:105) σ −→ (cid:104) M (cid:48) , H (cid:48) , ≺ (cid:48) (cid:105) for σ = (cid:104) t , t , t , t (cid:105) . In the case of σ we have ≺ to bethe transitive closure of { (( t , , ( t , , (( t , , ( t , , (( t , , ( t , } , which results in thecausal path ( t , , ( t , , ( t , , ( t , . In the case of σ where the cycles are executed in theopposite order, ≺ (cid:48) is the transitive closure of { (( t , , ( t , , (( t , , ( t , , (( t , , ( t , } ,and the corresponding causal path is ( t , , ( t , , ( t , , ( t , .This comes in contrast to the RPN of Figure 3.12, which contains two independentcycles. Here, the causal dependencies of the first execution (trace σ ) are constructed as ( t , ≺ ( t , and ( t , ≺ ( t , , which results in the two independent causal paths (cid:104) ( t , , ( t , (cid:105) and (cid:104) ( t , , ( t , (cid:105) . Similarly, after execution of σ , the causal dependen-cies are ( t , ≺ ( t , and ( t , ≺ ( t , , which results in the causal paths (cid:104) ( t , , ( t , (cid:105) and (cid:104) ( t , , ( t , (cid:105) .As seen from the examples in Figures 3.11 and 3.12, the causal paths of an executioncapture its causal behaviour. Based on this concept, we define the notion of causal equiv-60 igure 3.12: Causal paths in the context of independent cycles, where σ = (cid:104) π , π (cid:105) such that π = t , t , π = t , t and σ = (cid:104) π , π (cid:105) such that π = t , t , π = t , t alence for histories by requiring that two histories H and H (cid:48) are causally equivalent if andonly if they contain the same causal paths: Definition 14.
Consider a reversing Petri net ( A , P , B , T , F ) and two executions (cid:104) M , H , ≺(cid:105) σ (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48) , ≺ (cid:48) (cid:105) and (cid:104) M , H , ≺(cid:105) σ (cid:48) (cid:55)−→ c (cid:104) M (cid:48)(cid:48) , H (cid:48)(cid:48) , ≺ (cid:48)(cid:48) (cid:105) . Then the histories H (cid:48) and H (cid:48)(cid:48) are causallyequivalent , denoted by H (cid:48) (cid:16) H (cid:48)(cid:48) , if for each causal path ( t , k ) , . . . , ( t n , k n ) in (cid:104) M (cid:48) , H (cid:48) , ≺ (cid:48) (cid:105) ,there is a causal path ( t , k (cid:48) ) , . . . , ( t n , k (cid:48) n ) in (cid:104) M (cid:48)(cid:48) , H (cid:48)(cid:48) , ≺ (cid:48)(cid:48) (cid:105) , and vice versa.We extend this notion and write (cid:104) M , H , ≺(cid:105) (cid:16) (cid:104) M (cid:48) , H (cid:48) , ≺ (cid:48) (cid:105) if and only if M = M (cid:48) and H (cid:16) H (cid:48) .Returning to the example in Figure 3.11 we observe that while the two executions resultin the same marking, the resulting states do not have the same causal paths and, as such, theyare not considered as causally equivalent.We may now establish the Loop lemma. 61 emma 2 (Loop) . For any forward transition (cid:104) M , H (cid:105) t −→ (cid:104) M (cid:48) , H (cid:48) (cid:105) there exists a backwardtransition (cid:104) M (cid:48) , H (cid:48) (cid:105) t (cid:32) c (cid:104) M , H (cid:105) and for any backward transition (cid:104) M , H (cid:105) t (cid:32) c (cid:104) M (cid:48) , H (cid:48) (cid:105) thereexists a forward transition (cid:104) M (cid:48) , H (cid:48) (cid:105) t −→ (cid:104) M , H (cid:48)(cid:48) (cid:105) where H (cid:16) H (cid:48)(cid:48) . Proof.
The proof of the first direction follows along the same lines as that of Lemma 1 with (cid:32) b replaced by (cid:32) c . For the other direction suppose (cid:104) M , H (cid:105) t (cid:32) c (cid:104) M (cid:48) , H (cid:48) (cid:105) t −→ (cid:104) M , H (cid:48)(cid:48) (cid:105) .To begin with, we may observe that, as with Lemma 1, M = M (cid:48)(cid:48) . To show that H (cid:16) H (cid:48)(cid:48) ,we observe that H = H (cid:48)(cid:48) with the exception of t , where, if k = max( H ( t )) , and k (cid:48) = max( { } ∪ { k (cid:48)(cid:48) | ( t (cid:48) , k (cid:48)(cid:48) ) ∈ H (cid:48) ( t (cid:48) ) , t (cid:48) ∈ T } ) + , then H (cid:48)(cid:48) ( t ) = ( H ( t ) − { k } ) ∪ { k (cid:48) } ) . Furthermore,since t is c -enabled in (cid:104) M , H (cid:105) , ( t , k ) must be the last transition occurrence in all the causalpaths it occurs in, and we may observe that H (cid:48)(cid:48) contains the same causal paths with ( t , k ) replaced by ( t , k (cid:48) ) . As a result it must be that H (cid:16) H (cid:48)(cid:48) and the result follows. (cid:3) We now proceed to define causal equivalence on traces, a notion that employs the conceptof concurrent transitions:
Definition 15.
Actions α and α are concurrent in state (cid:104) M , H , ≺(cid:105) , if whenever (cid:104) M , H , ≺(cid:105) α (cid:55)−→ c (cid:104) M , H , ≺ (cid:105) and (cid:104) M , H , ≺(cid:105) α (cid:55)−→ c (cid:104) M , H , ≺ (cid:105) then (cid:104) M , H , ≺ (cid:105) α (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48) , ≺ (cid:48) (cid:105) and (cid:104) M , H , ≺ (cid:105) α (cid:55)−→ c (cid:104) M (cid:48)(cid:48) , H (cid:48)(cid:48) , ≺ (cid:48)(cid:48) (cid:105) , where (cid:104) M (cid:48) , H (cid:48) , ≺ (cid:48) (cid:105) (cid:16) (cid:104) M (cid:48)(cid:48) , H (cid:48)(cid:48) , ≺ (cid:48)(cid:48) (cid:105) .Thus, two actions are concurrent if the execution of the one does not preclude the otherand the two execution orderings lead to causally equivalent states. The condition on finalstates being equivalent is required to rule out transitions constituting self-loops to/from thesame place that are causally dependent on each other. Definition 16.
Causal equivalence on traces , denoted by (cid:16) , is the least equivalence relationclosed under composition of traces such that (i) if α and α are concurrent actions then α ; α (cid:16) α ; α and (ii) α ; α (cid:16) (cid:15) .The first clause states that in two causally-equivalent traces concurrent actions may occurin any order and the second clause states that it is possible to ignore transitions that haveoccurred in both the forward and the reverse direction.The following proposition establishes that two transition instances belonging to distinctcausal paths are in fact concurrent transitions and thus can be executed in any order. Proposition 5.
Consider a reversing Petri net ( A , P , B , T , F ) and suppose (cid:104) M , H , ≺(cid:105) t −→(cid:104) M , H , ≺ (cid:105) t −→ (cid:104) M , H , ≺ (cid:105) , where the executions of t and t correspond to transitioninstances ( t , k ) and ( t , k ) in (cid:104) M , H , ≺ (cid:105) . If there is no causal path π in (cid:104) M , H , ≺ (cid:105) with62 t , k ) ∈ π and ( t , k ) ∈ π , then ( t , k ) and ( t , k ) are concurrent transition occurrences in (cid:104) M , H , ≺(cid:105) . Proof.
Since there is no causal path containing both ( t , k ) and ( t , k ) in (cid:104) M , H , ≺ (cid:105) ,we conclude that ( t , k ) ⊀ ( t , k ) . This implies that the two transition occurrences donot handle any common tokens and they can be executed in any order leading to the samemarking. Thus, they are concurrent in (cid:104) M , H , ≺(cid:105) . (cid:3) We note that causally-equivalent states can execute the same transitions.
Proposition 6.
Consider a reversing Petri net ( A , P , B , T , F ) with causally-equivalent states (cid:104) M , H , ≺ (cid:105) (cid:16) (cid:104) M , H , ≺ (cid:105) . Then (cid:104) M , H , ≺ (cid:105) α (cid:55)−→ c (cid:104) M , H (cid:48) , ≺ (cid:48) (cid:105) if and only if (cid:104) M , H , ≺ (cid:105) α (cid:55)−→ c (cid:104) M , H (cid:48) , ≺ (cid:48) (cid:105) , where (cid:104) M , H (cid:48) , ≺ (cid:48) (cid:105) (cid:16) (cid:104) M , H (cid:48) , ≺ (cid:48) (cid:105) . Proof.
It is easy to see that if a transition α is enabled in (cid:104) M , H , ≺ (cid:105) it is also enabled in (cid:104) M , H , ≺ (cid:105) . Therefore, if (cid:104) M , H , ≺ (cid:105) α (cid:55)−→ c (cid:104) M , H (cid:48) , ≺ (cid:48) (cid:105) then (cid:104) M , H , ≺ (cid:105) α (cid:55)−→ c (cid:104) M , H (cid:48) , ≺ (cid:48) (cid:105) where M = M , and vice versa. In order to show that H (cid:48) (cid:16) H (cid:48) two cases exist:• Suppose α is a forward transition corresponding to transition occurrence ( t , k ) in (cid:104) M , H (cid:48) , ≺ (cid:48) (cid:105) and transition occurrence ( t , k ) in (cid:104) M , H (cid:48) , ≺ (cid:48) (cid:105) . Suppose that ( t (cid:48) , k (cid:48) ) ≺ (cid:48) ( t , k ) . Then, post ( t (cid:48) ) ∩ con ( a , M ( x )) (cid:44) ∅ for some a ∈ F ( x , t ) . Since H (cid:16) H , thisimplies that ( t (cid:48) , k (cid:48) ) ≺ (cid:48) ( t , k ) where k (cid:48) = max( H ( t (cid:48) )) . Therefore, for all causal paths π in (cid:104) M , H , ≺ (cid:105) , if the last transition occurrence of π causes ( t , k ) then π ; ( t , k ) is acausal path of (cid:104) M , H (cid:48) , ≺ (cid:48) (cid:105) and, if not, then π is a causal path in (cid:104) M , H (cid:48) , ≺ (cid:48) (cid:105) . Thesame holds for causal paths in (cid:104) M , H (cid:48) , ≺ (cid:48) (cid:105) and ( t , k ) . Consequently, we deduce that H (cid:48) (cid:16) H (cid:48) , as required.• Suppose that α is a reverse transition, i.e. α = t for some t , and consider the causalpaths of H (cid:48) and H (cid:48) . Since α is a reverse transition, there exists no transition occur-rence caused by ( t , max( H ( t ))) in (cid:104) M , H , ≺ (cid:105) and no transition occurrence caused by ( t , max( H ( t ))) in (cid:104) M , H , ≺ (cid:105) . As such, ( t , max( H ( t ))) and ( t , max( H ( t ))) are thelast transition occurrences in all paths in (cid:104) M , H , ≺ (cid:105) and (cid:104) M , H , ≺ (cid:105) , respectively,in which they belong. Reversing the transition occurrences results in their elimi-nation from these causal paths. Therefore, we observe that for each causal path in (cid:104) M , H (cid:48) , ≺ (cid:48) (cid:105) there is an equivalent causal path in (cid:104) M , H (cid:48) , ≺ (cid:48) (cid:105) , and vice versa. Thus H (cid:48) (cid:16) H (cid:48) as required. (cid:3) Note that the above result can be extended to sequences of transitions: 63 orollary 1.
Consider a reversing Petri Net ( A , P , B , T , F ) with causally-equivalent states (cid:104) M , H , ≺ (cid:105) (cid:16) (cid:104) M , H , ≺ (cid:105) . Then (cid:104) M , H , ≺ (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:48) , ≺ (cid:48) (cid:105) if and only if (cid:104) M , H , ≺ (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:48) , ≺ (cid:48) (cid:105) , where (cid:104) M , H (cid:48) , ≺ (cid:48) (cid:105) (cid:16) (cid:104) M , H (cid:48) , ≺ (cid:48) (cid:105) .The main result, Theorem 1 below, states that two computations beginning in the sameinitial state lead to equivalent states if and only if the sequences of executed transitions ofthe two computations are causally equivalent. This guarantees the consistency of the ap-proach since reversing transitions in causal order is in a sense equivalent to not executingthe transitions in the first place. Reversal does not give rise to previously unreachable states,on the contrary, it gives rise to exactly the same markings and causally-equivalent historiesdue to the different keys being possibly assigned because of the different ordering of transi-tions. The proof structure along with the intermediate results follow those initially presentedin [31]. Theorem 1. [31]
Consider executions (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:105) and (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:105) .Then, σ (cid:16) σ if and only if (cid:104) M , H (cid:105) (cid:16) (cid:104) M , H (cid:105) .For the proof of Theorem 1 we employ some intermediate results. To begin with, thelemma below states that causal equivalence allows the permutation of reverse and forwardtransitions that have no causal relations between them. Therefore, computations are allowedto reach for the maximum freedom of choice going backward and then continue forward. Lemma 3. [31]
Let σ be a trace. Then there exist traces r , r (cid:48) both forward such that σ (cid:16) r ; r (cid:48) and if (cid:104) M , H (cid:105) σ (cid:55)−→ (cid:104) M (cid:48) , H (cid:48) (cid:105) then (cid:104) M , H (cid:105) r ; r (cid:48) (cid:55)−→ (cid:104) M (cid:48) , H (cid:48)(cid:48) (cid:105) , where H (cid:48) (cid:16) H (cid:48)(cid:48) . Proof.
We prove this by induction on the length of σ and the distance from the beginningof σ to the earliest pair of transitions that contradicts the property r ; r (cid:48) . If there is no suchcontradicting pair then the property is trivially satisfied. If not, we distinguish the followingcases:1. If the first contradicting pair is of the form t ; t then we have (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:105) t (cid:55)−→ c (cid:104) M , H (cid:105) t (cid:55)−→ c (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48) (cid:105) where σ = σ ; t ; t ; σ . By the Loop Lemma (cid:104) M , H (cid:105) = (cid:104) M , H (cid:105) , which yields (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48) (cid:105) . Thus wemay remove the two transitions from the sequence, the length of σ decreases, and theproof follows by induction.2. If the first contradicting pair is of the form t ; t (cid:48) then we observe that the specific occur-rences of t and t (cid:48) must be concurrent. Specifically we have (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:105) t (cid:55)−→ c M , H (cid:105) t (cid:48) (cid:55)−→ c (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48) (cid:105) where σ = σ ; t ; t (cid:48) ; σ . Since action t (cid:48) is be-ing reversed, all transition occurrences that are causally dependent on it have eithernot been executed up to this point or they have already been reversed. This impliesthat in (cid:104) M , H (cid:105) it was not the case that ( t , max ( H ( t )) was causally dependent on ( t (cid:48) , max ( H ( t (cid:48) )) . As such, by Proposition 5, t (cid:48) and t are concurrent transitions and t (cid:48) can be reversed before the execution of t to yield (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:105) t (cid:48) (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48) (cid:105) t (cid:55)−→ c (cid:104) M , H (cid:48) (cid:105) σ (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48)(cid:48) (cid:105) , where H (cid:48) (cid:16) H and H (cid:48) (cid:16) H (cid:48)(cid:48) . This re-sults in a later earliest contradicting pair and by induction the result follows. (cid:3) From the above lemma we conclude the following corollary establishing that causal-orderreversibility is consistent with standard forward execution in the sense that causal executionwill not generate states that are unreachable in forward execution:
Corollary 2. [31]
Suppose that H is the initial history. If (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:105) , and σ is atrace with both forward and backward transitions then there exists a transition (cid:104) M , H (cid:105) σ (cid:48) (cid:55)−→ c (cid:104) M , H (cid:48) (cid:105) , where H (cid:16) H (cid:48) and σ (cid:48) a trace of forward transitions. Proof.
According to Lemma 3, σ (cid:16) r ; r (cid:48) where both r and r (cid:48) are forward traces. Since,however, H is the initial history it must be that r is empty. This implies that (cid:104) M , H (cid:105) r (cid:48) (cid:55)−→ c (cid:104) M , H (cid:48) (cid:105) , H (cid:16) H (cid:48) and r (cid:48) is a forward trace. Consequently, writing σ (cid:48) for r (cid:48) , the result follows. (cid:3) Lemma 4. [31]
Suppose (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M (cid:48) , H (cid:105) and (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M (cid:48) , H (cid:105) , where H (cid:16) H and σ is a forward trace. Then, there exists a forward trace σ (cid:48) such that σ (cid:16) σ (cid:48) . Proof. If σ is forward then σ = σ (cid:48) and the result follows trivially. Otherwise, we mayprove the lemma by induction on the length of σ . We begin by noting that, by Lemma 3, σ (cid:16) r ; r (cid:48) and (cid:104) M , H (cid:105) r ; r (cid:48) (cid:55)−→ c (cid:104) M (cid:48) , H (cid:105) . Let t be the last action in r . Given that σ is a forwardexecution that simulates σ , it must be that r (cid:48) contains a forward execution of transition t sothat (cid:104) M (cid:48) , H (cid:105) and (cid:104) M (cid:48) , H (cid:105) contain the same causal paths involving transition t (if not wewould have | H ( t ) | < | H ( t ) | leading to a contradiction). Consider the earliest occurrence of t in r (cid:48) . If t is the first transition in r (cid:48) , by the Loop Lemma we may remove the pair of oppositetransitions and the result follows by induction. Otherwise, suppose (cid:104) M , H (cid:105) r (cid:55)−→ c t (cid:55)−→ c r (cid:48) (cid:55)−→ c (cid:104) M , H (cid:105) t ∗ (cid:55)−→ c t (cid:55)−→ c (cid:104) M (cid:48) , H (cid:105) r (cid:48) (cid:55)−→ c (cid:104) M (cid:48) , H (cid:105) , where r = r ; t and r (cid:48) = r (cid:48) ; t ∗ ; t ; r . Two casesexist: 65. Suppose t ∗ ∈ σ . Let us denote by num ( t , σ ) , the number of executions of transition t in a sequence of transitions σ . We observe that since σ contains no reverse executionsof t , it must be that num ( t , r (cid:48) ) = num ( t , σ ) + num ( t , r ) . Suppose that the transitionoccurrences of t ∗ and t as shown in the execution belong to a common causal path.We may extend this path with the succeeding occurrences of t and obtain a causal pathsuch that t ∗ is succeeded by num ( t , σ ) + num ( t , r ) occurrences of t . We observe thatit is impossible to obtain such a causal path in (cid:104) M (cid:48) , H (cid:105) , since t ∗ is followed by feweroccurrences of t in σ . This contradicts the assumption that H (cid:16) H . We concludethat the transition occurrences of t and t ∗ above do not belong to any common causalpath and therefore, by Proposition 5, the two transition occurrences are concurrent in (cid:104) M , H (cid:105) .2. Now suppose that t ∗ (cid:60) σ . Since H ( t ∗ ) (cid:44) ∅ it must be that H ( t ∗ ) (cid:44) ∅ and | H ( t ∗ ) | = | H ( t ∗ ) | = | H ( t ∗ ) | . As such, it must be that t ∗ ∈ r and that its reversal has precededthe reversal of t . Let us suppose that the transition occurrences of t ∗ and t as shownin the execution belong to a common causal path. This implies that a causal path with t ∗ preceding t also occurs in H as well as in H . If we observe that t ∗ has reversedbefore t we conclude that t ∗ does not cause the preceding occurrence of t . As suchthere is no causal path within (cid:104) M , H (cid:105) or (cid:104) M (cid:48) , H (cid:105) containing both t and t ∗ , whichresults in a contradiction. We conclude that the forward occurrences of t and t ∗ are, byProposition 5, concurrent in (cid:104) M , H (cid:105) .Given the above, since the occurrences of t and t ∗ are concurrent the two occurrences maybe swapped to yield (cid:104) M , H (cid:105) r (cid:55)−→ c t (cid:55)−→ c r (cid:48) (cid:55)−→ c (cid:104) M , H (cid:105) t (cid:55)−→ c t ∗ (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48) (cid:105) r (cid:48) (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48) (cid:105) where H (cid:16) H (cid:48) and, by Corollary 1, H (cid:16) H (cid:48) . By repeating the process for the remainingtransition occurrences in r (cid:48) , this implies that we may permute t with transitions in r (cid:48) to yieldthe sequence t ; t . By the Loop Lemma we may remove the pair of opposite transitions andobtain a shorter equivalent trace, also equivalent to σ and conclude by induction. (cid:3) We now proceed with the proof of Theorem 1:
Proof of Theorem 1.
Suppose (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:105) , (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:105) with (cid:104) M , H (cid:105)(cid:16) (cid:104) M , H (cid:105) . We prove that σ (cid:16) σ by using a lexicographic induction on the pair consistingof the sum of the lengths of σ and σ and the depth of the earliest disagreement betweenthem. By Lemma 3 we may suppose that σ and σ satisfy the property r ; r (cid:48) . Call t and t the earliest actions where they disagree. There are three cases in the argument depending on66hether these are forward or backward.1. If t is backward and t is forward, we have σ = r ; t ; u and σ = r ; t ; v for some r , u , v . Lemma 4 applies to t ; v , which is forward, and t ; u , which contains both for-ward and backward actions and thus, by the lemma, it has a shorter forward equivalent.Thus, σ has a shorter forward equivalent and the result follows by induction.2. If t and t are both forward then it must be the case that σ = r ; r (cid:48) ; t ; u and σ = r ; r (cid:48) ; t ; v , for some r , u , v . Note that it must be that t ∈ v and t ∈ u . If not, wewould have | H ( t ) | (cid:44) | H ( t ) | , and similarly for t , which contradicts the assumptionthat H (cid:16) H . As such, we may write σ = r ; r (cid:48) ; t ; u ; t ; u , where u = u ; t ; u and t is the first occurrence of t in u . Consider t ∗ the action immediately preceding t . We observe that t ∗ and t cannot belong to a common causal path in (cid:104) M , H (cid:105) ,since an equivalent causal path is impossible to exist in (cid:104) M , H (cid:105) . This is due to theassumption that σ and σ coincide up to transition sequence r ; r (cid:48) . Thus, we concludeby Proposition 5 that t ∗ and t are in fact concurrent and can be swapped. The samereasoning may be used for all transitions preceding t up to and including t , whichleads to the conclusion that σ (cid:16) r ; r (cid:48) ; t ; t ; u ; u . This results in an equivalent execu-tion of the same length with a later earliest divergence with σ and the result followsby the induction hypothesis.3. If t and t are both backward, we have σ = r ; t ; u and σ = r ; t ; v for some r , u , v .Two cases exist:(a) If t occurs in v , then we have that σ = r ; t ; v ; t ; v . Given that t reversesright after r in σ , we may conclude that there is no transition occurrence at thispoint that causally depends on t . As such it cannot have caused the transitionoccurrences of t and v whose reversal precedes it in σ . This implies that thereversal of t may be swapped in σ with each of the preceding transitions, to give σ (cid:16) r ; t ; t ; v ; v . This results in an equivalent execution of the same lengthwith a later earliest divergence with σ and the result follows by the inductionhypothesis.(b) If t does not occur in v , this implies that t occurs in the forward direction in u , i.e. σ = r ; t ; u ; t ; u , where u = u ; t ; u with the specific occurrenceof t being the first such occurrence in u . Using similar arguments as those in67emma 4, we conclude that σ (cid:16) r ; t ; t ; u ; u (cid:16) r ; u ; u , an equivalent execu-tion of shorter length for σ and the result follows by the induction hypothesis.We may now prove the opposite direction. Suppose that σ (cid:16) σ and (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:105) and (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:105) . We will show that (cid:104) M , H (cid:105) (cid:16) (cid:104) M , H (cid:105) . Theproof is by induction on the number of rules, k , applied to establish the equivalence σ (cid:16) σ . For the base case we have k = , which implies that σ = σ and theresult trivially follows. For the inductive step, let us assume that σ (cid:16) σ (cid:48) (cid:16) σ ,where σ can be transformed to σ (cid:48) with the use of k = n − rules and σ (cid:48) canbe transformed to σ with the use of a single rule. By the induction hypothesis,we conclude that (cid:104) M , H (cid:105) σ (cid:48) (cid:55)−→ c (cid:104) M , H (cid:48) (cid:105) , where H (cid:16) H (cid:48) . We need to show that (cid:104) M , H (cid:48) (cid:105) (cid:16) (cid:104) M , H (cid:105) . Let us write σ (cid:48) = u ; w ; v and σ = u ; w (cid:48) ; v , where w , w (cid:48) re-fer to the parts of the two executions where the equivalence rule has been applied.Furthermore, suppose that (cid:104) M , H (cid:105) u (cid:55)−→ c (cid:104) M u , H u (cid:105) w (cid:55)−→ c (cid:104) M w , H w (cid:105) v (cid:55)−→ c (cid:104) M , H (cid:48) (cid:105) and (cid:104) M , H (cid:105) u (cid:55)−→ c (cid:104) M u , H u (cid:105) w (cid:48) (cid:55)−→ c (cid:104) M (cid:48) w , H (cid:48) w (cid:105) v (cid:55)−→ c (cid:104) M , H (cid:105) . Three cases exist:(a) w = t ; t and w (cid:48) = t ; t with t and t concurrent(b) w = t ; t and w (cid:48) = (cid:15) (c) w = t ; t and w (cid:48) = (cid:15) In all the cases above, we have that (cid:104) M w , H w (cid:105) (cid:16) (cid:104) M (cid:48) w , H (cid:48) w (cid:105) : for (a) this follows bythe definition of concurrent transitions, whereas for (b) and (c) by the Loop Lemma.Given the equivalence of these two states, by Corollary 2, we have that (cid:104) M w , H w (cid:105) v (cid:55)−→ c (cid:104) M , H (cid:48) (cid:105) and (cid:104) M (cid:48) w , H (cid:48) w (cid:105) v (cid:55)−→ c (cid:104) M , H (cid:105) , where (cid:104) M , H (cid:48) (cid:105) (cid:16) (cid:104) M , H (cid:105) , as required. Thiscompletes the proof. (cid:3) We note that the causal-consistency theorem has been proved using the standard approachof [31]. An alternative approach, stemming from he recent work of [84] could also be pos-sible, whereby the study of various properties within a general framework for reversiblesystems is established. More precisely, causal consistency can be guaranteed by proving aset of axioms relating to the parabolic Lemma and the Square property.
While in backtracking and causal-order reversibility reversing is cause respecting, there aremany examples of systems where undoing actions in an out-of-causal order is either inherent68 igure 3.13: Forward execution of out-of-causal-order example or desirable. In this section we consider this type of reversibility in the context of RPNs. Webegin by specifying that in out-of-causal-order reversibility any executed transition can bereversed at any time.
Definition 17.
Consider a reversing Petri net ( A , P , B , T , F ) , a state (cid:104) M , H (cid:105) , and a transition t ∈ T . We say that t is o -enabled in (cid:104) M , H (cid:105) , if H ( t ) (cid:44) ∅ .Let us begin to consider out-of-causal-order reversibility via the example of Figures 3.13and 3.14. The first Figure 3.13 presents the forward execution of the transition sequence (cid:104) t , t , t (cid:105) . The second Figure 3.14 represents the out-of-causal-order reversal of transitionsequence (cid:104) t , t , t (cid:105) . Suppose that transition t is to be reversed out of order. The effect of69 igure 3.14: Out-of-causal-order example this reversal should be the destruction of the bond between a and b . This means that thecomponent d − a − b − c is broken into the bonds d − a and b − c , which should backtrack withinthe net to capture the reversal of the transition. Nonetheless, the tokens of d − a must remainat place z . This is because a bond exists between them that has not been reversed and wasthe effect of the immediately preceding transition t . However, in the case of b − c , the bondcan be returned to place y , which is the place where the two tokens were connected and fromwhere they could continue to participate in any further computation requiring their coalition.Once transition t is subsequently reversed, the bond between b and c is destroyed and thusthe two tokens are able to return to their initial places as shown in the third net in the figure.Finally, when subsequently transition t is reversed, the bond between d and a breaks and,70iven that neither d nor a are connected to other elements, the tokens return to their initialplaces. As with the other types of reversibility, when reversing a transition histories areupdated by removing the greatest key identifier of the executed transition.Summing up, the effect of reversing a transition in out-of-causal order is that all bondscreated by the transition are undone. This may result in tokens backtracking in the net.Further, if the reversal of a transition causes a coalition of bonds to be broken down into a setof subcomponents due to the destruction of bonds, then each of these coalitions should flowback, as far back as possible, after the last transition in which this sub-coalition participated.To capture this notion of “as far backwards as possible” we introduce the following: Definition 18.
Given a reversing Petri net ( A , P , B , T , F ) , an initial marking M , a history H ,and a set of bases and bonds C ⊆ A ∪ B we write: last T ( C , H ) = t , if ∃ t , post ( t ) ∩ C (cid:44) ∅ , H ( t ) (cid:44) ∅ , and (cid:64) t (cid:48) , post ( t (cid:48) ) ∩ C (cid:44) ∅ , H ( t (cid:48) ) (cid:44) ∅ , max ( H ( t (cid:48) )) ≥ max ( H ( t )) ⊥ , otherwise last P ( C , H ) = x , if t = last T ( C , H ) , { x } = { y ∈ t ◦ | F ( t , y ) ∩ C (cid:44) ∅} or, if ⊥ = last T ( C , H ) , C ⊆ M ( x ) ⊥ , otherwiseThus, if component C has been manipulated by some previously-executed transition, then last T ( C , H ) is the last executed such transition. Otherwise, if no such transition exists (e.g.,because all transitions involving C have been reversed), then last T ( C , H ) is undefined ( ⊥ ).Similarly, last P ( C , H ) is the outgoing place connected to last T ( C , H ) (cid:44) ⊥ having commontokens with C , assuming that such a place is unique, or the place in the initial marking inwhich C existed if last T ( C , H ) = ⊥ , and undefined otherwise.Transition reversal in an out-of-causal order can thus be defined as follows: Definition 19.
Given a reversing Petri net ( A , P , B , T , F ) , an initial marking M , a state (cid:104) M , H (cid:105) and a transition t that is o -enabled in (cid:104) M , H (cid:105) , we write (cid:104) M , H (cid:105) t (cid:32) o (cid:104) M (cid:48) , H (cid:48) (cid:105) where H (cid:48) is defined as in Definition 7 and we have: M (cid:48) ( x ) = (cid:16) M ( x ) ∪ (cid:91) a ∈ M ( y ) ∩ post ( t ) , last P ( C a , y , H (cid:48) ) = x C a , y (cid:17) − (cid:16) eff ( t ) ∪ (cid:91) a ∈ M ( x ) ∩ post ( t ) , last P ( C a , x , H (cid:48) ) (cid:44) x C a , x (cid:17) where we use the shorthand C b , z = con ( b , M ( z ) − eff ( t )) for b ∈ A , z ∈ P . 71 igure 3.15: Out-of-causal-order reversing where σ = (cid:104) t , t , t , t , t (cid:105) Thus, when a transition t is reversed in an out-of-causal-order fashion all bonds that werecreated by the transition in eff ( t ) are undone. Furthermore, tokens and bonds involved inthe transition are relocated back to the place where they would have existed if transition t never took place, as defined by last P ( C , H (cid:48) ) . Note that if the destruction of a bond dividesa component into smaller connected sub-components then each of these sub-components isrelocated separately. Specifically, the definition states that: if a token a and its connectedcomponents involved in transition t , last participated in some transition with outgoing place y other than x , then the sub-component is removed from place x and returned to place y ,otherwise it is returned to the place where it occurred in the initial marking.An example of out-of-causal-order reversibility in a cyclic RPN can be seen in Fig-ure 3.15. Here the cycles (cid:104) t , t (cid:105) and (cid:104) t , t (cid:105) are executed in this order followed by transition t . We reverse in out-of-causal order transition t , which breaks the bond between b − c andreturns token c back to its original place z . Moreover, the bond between a − b remains in place t , which is the outgoing place of the last transition of token a . Note that this state did notoccur during the forward execution of the RPN.The following results describe how tokens and bonds are manipulated during out-of-72ausal-order reversibility, where we write (cid:55)−→ o for −→ ∪ (cid:32) o . Proposition 7.
Suppose (cid:104) M , H (cid:105) t (cid:55)−→ o (cid:104) M (cid:48) , H (cid:48) (cid:105) and let a ∈ A where a ∈ M ( x ) and a ∈ M (cid:48) ( y ) .Then, con ( a , M (cid:48) ( y )) = con ( a , M ( x ) ∪ C ) , where C = eff ( t ) ∪{ con ( b , M ( u )) | a − b ∈ eff ( t ) , b ∈ M ( u ) } ) , if t is a forward transition, and con ( a , M (cid:48) ( y )) = con ( a , M ( x ) − eff ( t )) , if t is a reversetransition. Proof.
The proof is straightforward by the definition of the firing rules. (cid:3)
Proposition 8.
Given a reversing Petri net ( A , P , B , T , F ) , an initial state (cid:104) M , H (cid:105) , and anexecution (cid:104) M , H (cid:105) t (cid:55)−→ o (cid:104) M , H (cid:105) t (cid:55)−→ o . . . t n (cid:55)−→ o (cid:104) M n , H n (cid:105) the following hold for all ≤ i ≤ n :1. For all a ∈ A , |{ x ∈ P | a ∈ M i ( x ) }| = , and a ∈ M i ( x ) where x = last P ( con ( a , M i ( x )) , H i ) .2. For all β ∈ B ,(a) ≤ |{ x ∈ P | β ∈ M i ( x ) }| ≤ .(b) if |{ x ∈ P | β ∈ M i − ( x ) }| = and |{ x ∈ P | β ∈ M i ( x ) }| = , then t i is a forwardtransition and β ∈ eff ( t i ) ,(c) if |{ x ∈ P | β ∈ M i − ( x ) }| = and |{ x ∈ P | β ∈ M i ( x ) }| = , then t i is a reversetransition and β ∈ eff ( t i ) ,(d) if |{ x ∈ P | β ∈ M i − ( x ) }| = |{ x ∈ P | β ∈ M i ( x ) }| , then β (cid:60) eff ( t i ) . Proof.
Consider a reversing Petri net ( A , P , B , T , F ) , an initial state (cid:104) M , H (cid:105) , and an exe-cution (cid:104) M , H (cid:105) t (cid:55)−→ o (cid:104) M , H (cid:105) t (cid:55)−→ o . . . t n (cid:55)−→ o (cid:104) M n , H n (cid:105) . The proof is given by inductionon n . Base Case.
For n = , by our assumption of token uniqueness and the definitions of last P and last T the claim follows trivially. Induction Step.
Suppose the claim holds for all but the last transition and consider transi-tion t n . Two cases exist, depending on whether t n is a forward or a reverse transition:• Suppose that t n is a forward transition. Then by Proposition 1, for all a ∈ A , |{ x ∈ P | a ∈ M n ( x ) }| = . Additionally, we may see that if a ∈ M n ( x ) two cases exists. If a ∈ con ( b , M n − ( y )) , for some b ∈ F ( t n , z ) then x = z = last P ( con ( a , M n ( x )) , H n ) .73therwise, it must be that a ∈ M n − ( x ) where, by the induction hypothesis, x = last P ( con ( a , M n − ( x )) , H n − ) . Since a (cid:60) eff ( t n ) , by clause 2(b) we may deduce that con ( a , M n − ( x )) = con ( a , M n ( x )) , which leads to x = last P (( con ( a , M n − ( x )) , H n − ) = last P ( con ( a , M n ( x )) , H n ) . Thus, the result follows.Now let β ∈ B . To begin with, clause (2)(a) follows by Proposition 1. Furthermore, wemay see that the forward transition t n may only create exactly the bonds in eff ( t n ) andit maintains all remaining bonds. Thus, clauses 2(b) and 2(d) follow.• Suppose that t n is a reverse transition. Consider a ∈ A with a ∈ M n − ( x ) for some x ∈ P . Two cases exist: – Suppose last T ( con ( a , M n − ( x ) − eff ( t n )) , H n ) = ⊥ . It must be that con ( a , M n − ( x ) − eff ( t n )) ⊆ M ( y ) for some y such that a ∈ M ( y ) . Suppose that this is not thecase. Then there must exist some β ∈ con ( a , M n − ( x ) − eff ( t n )) with β (cid:60) M ( y ) .By the induction hypothesis, there exists some t i in the execution such that β ∈ eff ( t i ) which was not reversed, i.e. H n ( t i ) (cid:44) ∅ . This however implies that t i is a transition that has manipulated the connected component con ( a , M n − ( x ) − eff ( t n )) , which contradicts our assumption of last T ( con ( a , M n − ( x ) − eff ( t n )) , H n ) = ⊥ . Therefore, a ∈ M n ( y ) , where a ∈ M ( y ) and by Proposition 7 con ( a , M n − ( x ) − eff ( t n )) = con ( a , M n ( y )) which gives y = last P ( con ( a , M n ( y )) , H n ) and the resultfollows. – Suppose last T ( con ( a , M n − ( x ) − eff ( t n )) , H n ) = t k . Then, it must be that thereexists a unique y ∈ t k ◦ such that con ( a , M n − ( x ) − eff ( t n )) ∩ F ( t k , z ) (cid:44) ∅ .Suppose that this is not the case. Then there must exist some β = ( a , b ) ∈ con ( a , M n − ( x ) − eff ( t n )) with a ∈ F ( t k , y ) , b ∈ F ( t k , y ) , and y (cid:44) y . Since β ∈ M n ( y ) , by the induction hypothesis, there exists some t i in the executionsuch that β ∈ eff ( t i ) , i > k which was not reversed, i.e. H n ( t i ) (cid:44) ∅ . Thishowever implies that t i is a transition that has manipulated the connected com-ponent con ( a , M n − ( x ) − eff ( t n )) later than t k , which contradicts our assumptionof last T ( con ( a , M n − ( x ) − eff ( t n )) , H n ) = t k . Therefore, there exists a unique y ∈ t k ◦ such that con ( a , M n − ( x ) − eff ( t n )) ∩ F ( t k , z ) (cid:44) ∅ , a ∈ M n ( y ) . Further-more, by Proposition 7 con ( a , M n − ( x ) − eff ( t n )) = con ( a , M n ( y )) which gives y = last P ( con ( a , M n ( y )) , H n ) and the result follows.Now consider β ∈ B . By clause 1, we may deduce clause 2(a). Finally, we may74bserve that the reverse transition t n may only remove exactly the bonds in eff ( t n ) andit maintains all remaining bonds, thus, clauses 2(b)-2(d) follow. (cid:3) As we have already discussed (e.g., see Figures 3.2 and 3.15), unlike causal-order reversibil-ity, out-of-causal-order reversibility may give rise to states that cannot be reached by forward-only execution. Nonetheless, note that the proposition establishes that during out-of-causal-order reversing it is not the case that tokens and bonds may reach places they have not pre-viously occurred in. On the contrary, a component will always return to the place followingthe last transition that has manipulated it. This observation also gives rise to the followingcorollary, which characterises the marking of a state during computation.
Corollary 3.
Given a reversing Petri net ( A , P , B , T , F ) , an initial state (cid:104) M , H (cid:105) , and anexecution (cid:104) M , H (cid:105) t (cid:55)−→ o (cid:104) M , H (cid:105) t (cid:55)−→ o . . . t n (cid:55)−→ o (cid:104) M n , H n (cid:105) , then for all x ∈ P we have M n ( x ) = (cid:91) a ∈ M n ( y ) , last P ( C a , y , H n ) = x C a , y where C a , y = con ( a , M n ( y )) . Proof.
According to Proposition 8 clauses (1) and 2(a) the result follows. (cid:3)
The dependence of the position of a connected component and a transition sequence canbe exemplified by the following proposition.
Proposition 9.
Consider executions (cid:104) M , H (cid:105) σ (cid:55)−→ o (cid:104) M , H (cid:105) , (cid:104) M , H (cid:105) σ (cid:55)−→ o (cid:104) M , H (cid:105) ,and a token a such that a ∈ M ( x ) , a ∈ M ( y ) , for some x , y ∈ P , and con ( a , M ( x )) = con ( a , M ( x )) . Then, last T ( con ( a , M ( x )) , H ) = last T ( con ( a , M ( y )) , H ) implies x = y . Proof.
Consider executions (cid:104) M , H (cid:105) σ (cid:55)−→ o (cid:104) M , H (cid:105) , (cid:104) M , H (cid:105) σ (cid:55)−→ o (cid:104) M , H (cid:105) and a token a such that a ∈ M ( x ) , a ∈ M ( x ) . Further, let us assume that last T ( con ( a , M ( x )) , H ) = last T ( con ( a , M ( y )) , H ) . Two cases exist:• last T ( con ( a , M ( x )) , H ) = last T ( con ( a , M ( y )) , H ) = ⊥ . This implies that no tran-sition has manipulated any of the tokens and bonds of the two connected components.As such, by Proposition 8, con ( a , M ( x )) ⊆ M ( x ) and con ( a , M ( y )) ⊆ M ( y ) , andby the uniqueness of tokens we conclude that x = y as required.• last T ( con ( a , M ( x )) , H ) = last T ( con ( a , M ( y )) , H ) = t . This implies that there is b ∈ con ( a , M ( x )) = con ( a , M ( y )) such that b ∈ F ( t , z ) for some place z . By definition,we deduce that last P ( con ( a , M ( x )) , H ) = z = last P ( con ( a , M ( y )) , H ) , thus, x = y as required. (cid:3) Proposition 10.
Suppose (cid:104) M , H (cid:105) σ (cid:55)−→ o (cid:104) M , H (cid:105) and (cid:104) M , H (cid:105) σ (cid:55)−→ o (cid:104) M , H (cid:105) . If σ (cid:16) σ then (cid:104) M , H (cid:105) (cid:16) (cid:104) M , H (cid:105) . Proof.
Suppose (cid:104) M , H (cid:105) σ (cid:55)−→ o (cid:104) M , H (cid:105) , (cid:104) M , H (cid:105) σ (cid:55)−→ o (cid:104) M , H (cid:105) and σ (cid:16) σ . Since σ (cid:16) σ it must be that the two executions contain the same causal paths, therefore, H (cid:16) H .To show that M = M consider token a such that a ∈ M ( x ) ∩ M ( y ) . Since σ (cid:16) σ , wemay conclude that the two executions contain the same set of executed and not reversedtransitions. Thus, by Proposition 8(2), we have con ( a , M ( x )) = con ( a , M ( y )) . Further-more, it must be that t = last T ( con ( a , M ( x )) , H ) = last T ( con ( a , M ( y )) , H ) = t . If not,since σ (cid:16) σ , we would have that t and t are concurrent, which is not possible since theymanipulate the same connected component and thus a causal relation exists between them.Therefore, by Proposition 9, x = y . This implies by Corollary 3 that M ( x ) = M ( x ) , for allplaces x , which completes the proof. (cid:3) We finally establish a Loop Lemma for out-of-causal reversibility.
Lemma 5 (Loop) . For any forward transition (cid:104) M , H (cid:105) t −→ (cid:104) M (cid:48) , H (cid:48) (cid:105) there exists a reversetransition (cid:104) M (cid:48) , H (cid:48) (cid:105) t (cid:32) o (cid:104) M , H (cid:105) . Proof.
Suppose (cid:104) M , H (cid:105) t −→ (cid:104) M (cid:48) , H (cid:48) (cid:105) . Then t is clearly o -enabled in H (cid:48) . Furthermore, (cid:104) M (cid:48) , H (cid:48) (cid:105) t (cid:32) o (cid:104) M (cid:48)(cid:48) , H (cid:48)(cid:48) (cid:105) where H (cid:48)(cid:48) = H by the definition of (cid:32) o . In addition, for all a ∈ A ,we may prove that a ∈ M (cid:48)(cid:48) ( x ) if and only if a ∈ M ( x ) . Suppose a ∈ M ( y ) , we distinguishtwo cases. If con ( a , M ( y )) ∩ pre ( t ) = ∅ , then we may see that a ∈ M (cid:48) ( y ) and a ∈ M (cid:48)(cid:48) ( y ) ,and the result follows. Otherwise, if con ( a , M ( y )) ∩ pre ( t ) (cid:44) ∅ , then a ∈ M (cid:48) ( z ) , where F ( t , z ) ∩ con ( a , M ( y )) (cid:44) ∅ . Furthermore, suppose that a ∈ M (cid:48)(cid:48) ( w ) . By Proposition 7 we havethat con ( a , M (cid:48) ( z )) = con ( a , M ( y ) ∪ C ) , C = eff ( t ) ∪ { con ( b , M ( u )) | a − b ∈ eff ( t ) , b ∈ M ( u ) } ,and con ( a , M (cid:48)(cid:48) ( w )) = con ( a , M (cid:48) ( z ) − eff ( t )) = con ( a , ( M ( y ) ∪ C ) − eff ( t )) = con ( a , M ( y )) .Furthermore, y = last P ( con ( a , M ( y )) , H ) , by Corollary 3. Since H = H (cid:48)(cid:48) , we have w = last P ( con ( a , M (cid:48)(cid:48) ( w )) , H (cid:48)(cid:48) )) = last P ( con ( a , M ( y )) , H )) = y , and the result follows. (cid:3) Note that in the case of out-of-causal-order reversibility, the opposite direction of thelemma does not hold. This is because reversing a transition in an out-of-causal-order fashionmay bring a system to a state not reachable by forward-only transitions, and where the transi-tion is not enabled in the forward direction. As an example, consider the RPN of Figure 3.1476nd after the reversal of transition t . In this state, transition t is not forward enabled sincetoken b is not available in place x , as required for the transition to fire. We continue to study the relationship between the three forms of reversibility. Our firstresult confirms the relationship between the enabledness conditions for each of backtracking,causal-order, and out-of-causal-order reversibility.
Proposition 11.
Consider a state (cid:104) M , H (cid:105) , and a transition t . Then, if t is bt -enabled in (cid:104) M , H (cid:105) it is also c -enabled. Furthermore, if t is c -enabled in (cid:104) M , H (cid:105) then it is also o -enabled. Proof.
The proof is immediate by the respective definitions. (cid:3)
We next demonstrate a “universality” result of the (cid:32) o transition relation by showingthat it manipulates the state of a reversing Petri net in an identical way to (cid:32) c , in the caseof c -enabled transitions, and to (cid:32) b , in the case of bt -enabled transitions. Central to theproof is the following result establishing that during causal-order reversibility a componentis returned to the place following the last transition that has manipulated it or, if no suchtransition exists, in the place where it occurred in the initial marking. Proposition 12.
Given a reversing Petri net ( A , P , B , T , F ) , an initial state (cid:104) M , H (cid:105) , and anexecution (cid:104) M , H (cid:105) t (cid:55)−→ c (cid:104) M , H (cid:105) t (cid:55)−→ c . . . t n (cid:55)−→ c (cid:104) M n , H n (cid:105) . Then for all a ∈ A , a ∈ M n ( x ) where x = last P ( con ( a , M n ( x )) , H n ) . Proof.
The proof is by induction on n and it follows along similar lines to the proof ofProposition 8(1). (cid:3) Propositions 8 and 12 yield the following corollary for forward-only execution.
Corollary 4.
Given a reversing Petri net ( A , P , B , T , F ) , an initial state (cid:104) M , H (cid:105) , and anexecution (cid:104) M , H (cid:105) t −→ (cid:104) M , H (cid:105) t −→ . . . t n −→ (cid:104) M n , H n (cid:105) , for all a ∈ A , a ∈ M n ( x ) where x = last P ( con ( a , M n ( x )) , H n ) .We may now verify that the causal-order and out-of-causal-order reversibility have thesame effect when reversing a c -enabled transition. Proposition 13.
Consider a state (cid:104) M , H (cid:105) and a transition t c -enabled in (cid:104) M , H (cid:105) . Then, (cid:104) M , H (cid:105) t (cid:32) c (cid:104) M (cid:48) , H (cid:48) (cid:105) if and only if (cid:104) M , H (cid:105) t (cid:32) o (cid:104) M (cid:48) , H (cid:48) (cid:105) . 77 roof. Let us suppose that transition t is c -enabled and (cid:104) M , H (cid:105) t (cid:32) c (cid:104) M , H (cid:105) . By Proposi-tion 11, t is also o -enabled. Suppose (cid:104) M , H (cid:105) t (cid:32) o (cid:104) M , H (cid:105) . It is easy to see that in fact H = H (the two histories are as H with the exception that H ( t ) = H ( t ) = H ( t ) − { max( H ( t )) } ).To show that M = M first we observe that for all a ∈ A , by Proposition 12 we have a ∈ M ( x ) where x = last P ( con ( a , M ( x )) , H ) and by Proposition 8 we have a ∈ M ( y ) where y = last P ( con ( a , M ( y )) , H ) . We may also see that con ( a , M ( x )) = con ( a , M ( z ) − eff ( t )) = con ( a , M ( y )) , where a ∈ M ( z ) . Since in addition we have H = H the resultfollows.Now let β ∈ B . We must show that β ∈ M ( x ) if and only if β ∈ M ( x ) . Two cases exist:• If β ∈ eff ( t ) then by Propositions 4 and 8, β (cid:60) M ( x ) and β (cid:60) M ( x ) for all x ∈ P .• if β (cid:60) eff ( t ) then by Propositions 4 and 8, |{ x ∈ P | β ∈ M ( x )) }| = |{ x ∈ P | β ∈ M ( x )) }| = and by the analysis on tokens β ∈ M ( x ) if and only if β ∈ M ( x ) and theresult follows.This completes the proof. (cid:3) An equivalent result can be obtained for backtracking.
Proposition 14.
Consider a state (cid:104) M , H (cid:105) , and a transition t , bt -enabled in (cid:104) M , H (cid:105) . Then, (cid:104) M , H (cid:105) t (cid:32) b (cid:104) M (cid:48) , H (cid:48) (cid:105) if and only if (cid:104) M , H (cid:105) t (cid:32) o (cid:104) M (cid:48) , H (cid:48) (cid:105) . Proof.
Consider a state (cid:104) M , H (cid:105) and suppose that transition t is bt -enabled and (cid:104) M , H (cid:105) t (cid:32) b (cid:104) M (cid:48) , H (cid:48) (cid:105) . Then, by Proposition 11, there exists k ∈ H ( t ) , such that for all t (cid:48) ∈ T , k (cid:48) ∈ H ( t (cid:48) ) ,it holds that k ≥ k (cid:48) . This implies that t is also c -enabled, and by the definition of (cid:32) c , weconclude that (cid:104) M , H (cid:105) t (cid:32) c (cid:104) M (cid:48) , H (cid:48) (cid:105) . Furthermore, by Proposition 13 (cid:104) M , H (cid:105) t (cid:32) o (cid:104) M (cid:48) , H (cid:48) (cid:105) , andthe result follows. (cid:3) We obtain the following corollary confirming the expectation that backtracking is aninstance of causal reversing, which in turn is an instance of out-of-causal-order reversing. Itis easy to see that both inclusions are strict, as for example illustrated in Figures 3.5, 3.9,and 3.14.
Corollary 5. (cid:32) b ⊂ (cid:32) c ⊂ (cid:32) o . Proof.
The proof follows from Propositions 13 and 14. (cid:3)
We note that in addition to establishing the relationship between the three notions ofreversibility, the above results provide a unification of the different reversal strategies, in78he sense that a single firing rule, (cid:32) o , may be paired with the three notions of transitionenabledness to provide the three different notions of reversibility. This fact may be exploitedin the proofs of results that span the three notions of reversibility. Such a proof follows in thefollowing proposition that establishes a reverse diamond property for RPNs. According tothis property, the execution of a reverse transition does not preclude the execution of anotherreverse transition and their execution leads to the same state. In what follows we write (cid:55)−→ for −→ ∪ (cid:32) where (cid:32) could be an instance of one of (cid:32) b , (cid:32) c , and (cid:32) o . Proposition 15 (Reverse Diamond) . Consider a state (cid:104) M , H (cid:105) , and reverse transitions (cid:104) M , H (cid:105) t (cid:32) (cid:104) M , H (cid:105) and (cid:104) M , H (cid:105) t (cid:32) (cid:104) M , H (cid:105) , t (cid:44) t . Then (cid:104) M , H (cid:105) t (cid:32) (cid:104) M (cid:48) , H (cid:48) (cid:105) and (cid:104) M , H (cid:105) t (cid:32) (cid:104) M (cid:48) , H (cid:48) (cid:105) . Proof.
Let us suppose that (cid:104) M , H (cid:105) t (cid:32) (cid:104) M , H (cid:105) and (cid:104) M , H (cid:105) t (cid:32) (cid:104) M , H (cid:105) , t (cid:44) t . Firstwe note that (cid:32) may be an instance of (cid:32) c or (cid:32) o but not (cid:32) b , since in the case of (cid:32) b the backward transition is uniquely determined as the transition with the maximum key.Furthermore, we observe that t remains backward-enabled in (cid:104) M , H (cid:105) and likewise t in (cid:104) M , H (cid:105) . Specifically, if (cid:32) = (cid:32) c , since t and t are c − enabled in (cid:104) M , H (cid:105) , by Definition 11we conclude that ( t , max ( H ( t ))) is not causally dependent on ( t , max ( H ( t ))) and viceversa, which continues to hold after the reversal of each of these transitions. In the case of (cid:32) = (cid:32) o this is straightforward from the definition of o -enabledness.So, let us suppose that (cid:104) M , H (cid:105) t (cid:32) c (cid:104) M (cid:48) , H (cid:48) (cid:105) and (cid:104) M , H (cid:105) t (cid:32) c (cid:104) M (cid:48) , H (cid:48) (cid:105) . It is easy tosee that H (cid:48) = H (cid:48) since both of these histories are identical with H with the maximum keysof t and t removed.To show that M (cid:48) = M (cid:48) first we observe that for all a ∈ A , by Propositions 8 and 12 wehave a ∈ M (cid:48) ( x ) , a ∈ M (cid:48) ( y ) where x = last P ( con ( a , M (cid:48) ( x )) , H (cid:48) ) , y = last P ( con ( a , M (cid:48) ( y )) , H (cid:48) ) .We may see that con ( a , M (cid:48) ( x )) = con ( a , M ( z ) − ( eff ( t ) ∪ eff ( t )) = con ( a , M (cid:48) ( y )) , where a ∈ M ( z ) . Since in addition we have H (cid:48) = H (cid:48) the result follows.Now let β ∈ B . We must show that β ∈ M (cid:48) ( x ) if and only if β ∈ M (cid:48) ( x ) . Two cases exist:• If β ∈ eff ( t ) ∪ eff ( t ) then by Propositions 4 and 8, β (cid:60) M (cid:48) ( x ) and β (cid:60) M (cid:48) ( x ) for all x ∈ P .• if β (cid:60) eff ( t ) ∪ eff ( t ) then by Propositions 4 and 8, |{ x ∈ P | β ∈ M (cid:48) ( x )) }| = |{ x ∈ P | β ∈ M (cid:48) ( x )) }| and, by the analysis on tokens, β ∈ M (cid:48) ( x ) if and only if β ∈ M (cid:48) ( x ) .This completes the proof. (cid:3) orollary 6. Consider a state (cid:104) M , H (cid:105) , and traces σ , σ permutations of the same reversetransitions where (cid:104) M , H (cid:105) σ (cid:55)−→ (cid:104) M (cid:48) , H (cid:48) (cid:105) and (cid:104) M , H (cid:105) σ (cid:55)−→ (cid:104) M (cid:48)(cid:48) , H (cid:48)(cid:48) (cid:105) . Then (cid:104) M (cid:48) , H (cid:48) (cid:105) = (cid:104) M (cid:48)(cid:48) , H (cid:48)(cid:48) (cid:105) . Proof.
The proof follows by induction on the sum of the length | σ | = | σ | and the depth ofthe earliest disagreement between the two traces, and uses similar arguments to those foundin the proof of Proposition 15. (cid:3) We note that the analogue of Proposition 15 for forward transitions, i.e. the ForwardDiamond property, does not hold for RPNs. To begin with t and t may be in conflict. Theproposition fails to hold even in the case of joinable transitions (i.e. transitions that mayyield the same marking after a sequence of forward moves) due to the case of co-initial,independent cycles: Even though such cycles can be executed in any order, it is impossibleto complete the square for their initial transitions. The framework of reversing Petri nets could be applied in fields outside Computer Science,since the expressive power and visual nature offered by Petri nets coupled with reversiblecomputation has the potential of providing an attractive setting for analysing systems, forinstance in biology, chemistry or hardware engineering. The construction of reversible mod-elling languages can indicate how to capture the behaviour of reversible actions in orderto implement or even extend the primitive processes of biological reactions, movement inrobotics, quantum computation and reliable systems. Implementing several applicationsranging from biochemistry to long-running transactions would give a better understandingon reversible computation especially when it comes to out-of-causal modelling which is stillnot very well understood in the area of Computer Science.
Biochemical systems, such as covalent bonds, constitute the ideal setting to study reversiblecomputation especially in its out-of-causal-order form. In particular, the MAPK/ERK path-way (also known as the Ras-Raf-MEK-ERK pathway)is one of many real-life examples thatnaturally feature reversibility that violates the causal ordering established by forward ex-ecution. This pathway has been modelled in various formalisms including
CCSK [118],PEPA [26], BioNetGen [21], and Kappa [30]. 80n this section we illustrate how reversing Petri nets allow us to capture naturally thisform of out-of-causal-order reversible system. Specifically, our configuration follows thatof CCSK in [118] where out-of-causal reversibility is triggered to release tokens form con-nected component so that the tokens can proceed to participate in other transitions. Addition-ally, in [118] an execution control operator is used to enforce a particular order of executionbetween forward and reverse actions. In RPNs this is achieved by using negative tokens thatrequire the reversal of specific transitions in order to reverse negative tokens and thereforeallow the forward execution of following transitions. However, in RPNs the execution ofconcurrent forward transitions can be executed in any order unlike the control operator ofCCSK which is able to require a specific order among forward transitions.In Figure 3.16 we demonstrate the extracellular-signal-regulated kinase (
ERK ) pathway,also known as
Ras/Raf-1, MEK, ERK pathway, which is one of the major signalling cassettesof the mitogen activated protein kinase (
EMAPK ) signalling pathway. The ERK pathwayis a chain of proteins in the cell that delivers mitogenic and differentiation signals from themembrane of a cell to the
DNA in the nucleus, and is regulated by the protein
RKIP . Thestarting point of the pathway is when a signalling molecule binds to a receptor on the cellsurface and is spatially organised so that, when a signal arrives at the membrane, it can betransmitted to the nucleus via a cascade of biological reactions that involves protein kinases.A kinase is an enzyme that catalyses the transfer of a phosphate group from a donor moleculeto an acceptor. The main
MAPK / ERK kinase kinase (
MEKK ) component is the kinasecomponent
Raf-1 that phosphorylates the serine residue on the
MAPK/ERK kinase
MEK . Wedenote
Raf*-1 with F , MEK with M , ERK with E , RKIP with R , and the phosphorylation ofthe bonded molecule is denoted by P.The pathway begins with the activation of the protein kinase of Raf-1 by the G protein Ras that has been activated near a receptor on the cell’s membrane.
Ras activates a kinase
Raf-1 to become
Raf*-1 , which is generally known as a mitogen-activated protein kinasekinase kinase (
MAP-KKK ) and can be inhibited by
RKIP . Subsequently, as we may see inFigure 3.16,
Raf*-1 ( F ) may bind with MEK ( F − M ) by facilitating the next step in the cascade( MAPKK ), which is the phosphorylation of the
MEK ( F − M − P ) protein and the release of Raf*-1 ( M − P ). The phosphorylated MEK ( M − P ) activates a mitogen-activated protein kinase, ERK ( E − M − P ), which in turn becomes phosphorylated and releases MEK ( P − E ). Finally, thephosphorylation of MAPK allows the phosphorylated
ERK ( P − E ) to function as an enzymeand translocate in order to signal the nucleus. Now the regulation sequence consumes thephosphorylated ERK ( P − E ) in order to deactivate RKIP ( R ) from regulating Raf*-1 ( F ).81 igure 3.16: Reactions in the ERK -pathway where F denotes Raf*-1 , M denotes MEK , E denotes ERK , R denotes RKIP , and P denotes the phosphorylation of the bonded molecule Therefore, when
RKIP binds
Raf*-1 ( R − F ), the resulting complex binds to a phosphorylated ERK ( P − E − R − F ). In the end, the complex breaks releasing Raf*-1 ( P − E − R ), which can getinvolved in the cascade and after the phosphorylation of RKIP ( E − R − P ) the system releases ERK ( R − P ) and the phosphorylated RKIP .We now describe the biochemical reactions of the ERK signalling pathway as the RPNdemonstrated in Figure 3.17. On this RPN we represent molecules as tokens that can bondwith each other, thus creating more complex molecules, and these composite molecules canbe dissolved back to single tokens. The building blocks of the system are the base tokensrepresenting the associated molecules.We begin our execution from the already activated
Raf-1 kinase that has become
Raf*-1 .The molecule of
Raf*-1 is represented by base token f and resides in place F . The tokenavailability of base m , which represents MEK in place M enables the firing of transition a denoting that f has bonded with m and thus creating molecule f − m . The firing of transition a facilitates the next step in the cascade, which is transition p representing the phosphorylationof m as the binding between p and m . Since transition a has enabled the execution of p the transition a is now reversed and therefore releases f back to place F . This reversalin necessary for the next step of the execution where the absence of f is a condition fortransition c to fire. Indeed, in transition c , the phosphorylated m is now able to activate the82 igure 3.17: ERK-pathway example in reversing Petri nets kinase ERK denoted by base e and thus creating a bond between m − e along with p that showsthat m is already phosphorylated. In the next step, transition p reverses in order to release p ,which can then be used in the firing of transition p to phosphorylate e and therefore creatingthe molecule p − e . After transition p , transition c is reversed in order to release m back to M .Finally, after the phosphorylation of p − e , transition a executes in order to bond f − r where r represents molecule RKIP . Base r functions as an enzyme and by enabling transition b represents the passing of the signal to the nucleus which can then consume p − e by creating aconnected component between f − r − e − p . In the end, the complex breaks by reversing a inorder to release f and p to release p which then in action p phosphorylates r . Finally, thesystem reverses b to release e followed by the reversal of p , which releases both r and p andtherefore returns the system back to its initial marking.We show below an execution of the reversing Petri net that illustrates the process untilthe signal that arrived at the membrane is transmitted to the nucleus. The following states ofthe net (with histories omitted) represent a cascade of reactions that involve protein kinases F , M , E , P , R , with initial marking M such that M ( R ) = { r } , M ( F ) = { f } , M ( M ) = { m } , M ( P ) = { p } , M ( E ) = { e } , and M ( p ) = ∅ for all remaining places. (In the following, themarkings of places with no tokens are omitted.) M a −→ M , where M ( R ) = { r } , M ( P ) = { p } , M ( E ) = { e } , M ( FM ) = { f − m } M p −→ M , where M ( R ) = { r } , M ( E ) = { e } , M ( FMP ) = { f − m , m − p } M a (cid:32) M , where M ( R ) = { r } , M ( F ) = { f } , M ( E ) = { e } , 83 ( FMP ) = { m − p } M c −→ M , where M ( R ) = { r } , M ( F ) = { f } , M ( EMP ) = { m − e , m − p } M p (cid:32) M , where M ( R ) = { r } , M ( F ) = { f } , M ( P ) = { p } , M ( EMP ) = { m − e } M p −→ M , where M ( R ) = { r } , M ( F ) = { f } , M ( MEP ) = { m − e , e − p } M c (cid:32) M , where M ( R ) = { r } , M ( F ) = { f } , M ( M ) = { m } , M ( MEP ) = { e − p } M a −→ M , where M ( M ) = { m } , M ( RF ) = { r − f } , M ( MEP ) = { e − p } M b −→ M , where M ( M ) = { m } , M ( FREP ) = { r − f , r − e , e − p } M a (cid:32) M , where M ( M ) = { m } , M ( F ) = { f } , M ( FREP ) = { r − e , e − p } M p (cid:32) M , where M ( M ) = { m } , M ( F ) = { f } , M ( P ) = { p } , M ( FREP ) = { r − e } M p −→ M , where M ( M ) = { m } , M ( F ) = { f } , M ( PRE ) = { r − e , p − r } M b (cid:32) M , where M ( M ) = { m } , M ( F ) = { f } M ( E ) { e } , M ( PRE ) = { p − r } M p (cid:32) M , where M ( R ) = { r } , M ( F ) = { f } , M ( M ) = { m } , M ( P ) = { p } , M ( E ) = { e } Transaction processing manages sequences of operations, also called transactions, that caneither succeed or fail as a complete unit. Specifically, a long-running transaction aggregatessmaller atomic transactions, and typically use a coordinator to complete or abort the trans-action. An atomic transaction is an indivisible and irreducible series of operations such thateither all occur, or nothing occurs [106].Long-running transactions consist of a sequence of steps that avoid locks on non-localresources and use compensation to handle failures. Each of these steps may either succeed,in which case the flow of control moves on to the next atomic step in the sequence, or itmay fail, in which case a compensating transaction is often used to undo failed transactions84 igure 3.18: Transaction processing - forward execution and restore the system to a previous state. In contrast to rollback in atomic transactions,compensation restores the original state, or an equivalent, and it is business-specific. If allsteps of the transaction execute successfully then the transaction is considered as successfuland it is committed.The definition of causal reversibility has spawned various reversible extensions of con-current languages that are used for validating formal connections between causal-consistentreversibility and reliability as well as studying its consequences. It enables a new strategy fordebugging concurrent systems, where the different speed of processes that are replaying anexecution looking for a bug may cause different behaviours. There have been proposed re-versible process calculi used to build constructs for reliability, and in particular communicat-85 igure 3.19: Transaction processing: out-of-causal-order execution ing transactions with compensations [36] where interacting transactions with compensationshave been mapped into a reversible calculus with alternatives in [76]. [36] uses transactionswith compensations, which are computations that either succeed, or their effects are reversedand then a compensation is executed by a dedicated ad-hoc piece of code. Behavioural equiv-alences for communicating transactions with compensation have been studied in [37, 68].In Figures 3.18 and 3.19 we consider a model of such a transaction. Specifically inFigure 3.18 we demonstrate the forward execution of a failed transaction and in 3.19 wedemonstrate the compensation part of the transaction execution which follows the strategyof out-of-causal-order reversing. Due to the size of the net we restrict our attention to atransaction with only one step. The computation starts with the initialisation step a which86ever fails. The intuition is as follows: for the execution of the transaction to commenceit is necessary for token i to be available. This token is bonded with token a in which casetransition a can be executed with the effect of creating the bond i − a in place u . At thisstage there are two possible continuations. The first possibility is that the bond i − a willparticipate in transition s which models the successful completion of step a as well as thetransaction, yielding the bond i − a − s . The second possibility that a transaction can fail atany stage after step a . In this case, token f comes in place and the failure is implementedvia transitions f and f as follows: To begin with in action f , token f is bonded withtoken a repressing that the transaction has failed, whereas in action f token i is bonded withtoken f indicating that the initialisation has failed thus triggering reversal. At this stage thecompensation comes in place (token c ) where the intention is that step a should be undone byundoing transition a . Note that this will have to be done according to our out-of-causal-orderdefinition since transition a was followed by f and f which have not been undone. Onlyonce this is accomplished, will the precondition of transition c , namely a , be enabled. In thiscase, transition c can be executed leading to the creation of bond i − c in place z . This chapter proposes a reversible approach to Petri nets [111,112] that allows the modellingof reversibility as realised by backtracking, causal-order reversing and out-of-causal-orderreversing. To the best of our knowledge, this is the first such proposal in the context ofPetri nets. For instance, the works of [15, 16] introduce reversed transitions in a Petri netand study various decidability problems in this setting. This approach, however, does notprecisely capture reversible behaviour due to the property of backward conflict in PNs. Onthe contrary, [96] is concerned with causal order reversal where a subclass of Petri nets can berestructured by adding effect-reversals that do not affect the computational behaviour of themodel. Moreover, the works of [94,95] propose a causal semantics for P/T nets by identifyingthe causalities and conflicts of a P/T net through unfolding it into an equivalent occurrencenet and subsequently introducing appropriate reverse transitions to create a coloured Petrinet that captures a causal-consistent reversible semantics. The colours in this net capturecausal histories.On the other hand, our proposal consists of a reversible approach to Petri nets, wherethe formalism supports the reversible semantics without explicitly introducing reverse tran-sitions. This is achieved with the use of bonds of tokens, which can be thought of as colours87nd, combined with the history function of the semantics, capture the memory of an execu-tion as needed to implement reversibility. Furthermore, the approach allows to implementboth causal-order and out-of-causal-order reversibility.As in [94,95], our goal has been to allow a causally-consistent semantics reflecting causaldependencies as a partial order, and allowing an event to be reversed only if all its conse-quences have already been undone. To achieve this goal we have defined a causal dependencerelation that resorts to the marking of a net. As illustrated via examples (e.g. see Figures 3.7and 3.8), this is central in capturing causal dependencies and the intended causal-consistentsemantics. Our dependence relation is strong enough to capture partial order causality evenin the absence of bonds. Specifically, the introduction of bonds can be handled by repre-senting tokens as colours similarly to coloured Petri nets. Therefore, a simplification of themodel can be proposed without including bonds that will still preserve the causal-consistentsemantics of RPNs. The resulting framework would be closely related to coloured Petri netsthus possibly inheriting various theoretical results proven for the traditional model.In a related line of work, we are also investigating the expressiveness relationship be-tween RPNs and Coloured Petri Nets. Specifically, in [13] a subclass of RPNs with trans-acyclic structures has been encoded in coloured PNs. Currently, we are extending this workwith ultimate objective to provide and prove the correctness of the translation between thetwo formalisms and analyse the associated trade-offs in terms of Petri net size.Another possible direction for future work would be the extension of RPNs with directedbonds. This would enable the framework to model double bonds as defined in biochemistry,where a covalent bond between two atoms involves four bonding electrons as opposed to twoin a single bond. 88 hapter Token Multiplicity in Reversing Petri Nets
In the previous chapter we have introduced a form of reversing Petri nets that assumes tokensto be unique and does not allow transitions to break bonds. In this chapter we focus on re-laxing these restrictions, to develop reversible semantics in the presence of bond destruction,and to allow multiple tokens of the same base/type to occur in a model.By allowing the destruction of bonds in forward transitions we alter our perception ofwhat the effect of a transition is, as additionally to the addition of new bonds the destruc-tion of existing bonds should also be considered as the effect of a transition. We show theassociated semantics of all three forms of reversible computing in this setting.We also enhance the modelling flexibility of reversing Petri nets by introducing tokenmultiplicity. We study how the partial order of causality in the original RPN model is affectedand explain what modifications to the causal semantics are needed in order to provide asatisfactory treatment of reversibility. The causal semantics of such extended nets can oftenno longer be described solely in terms of a partial order, thus we introduce a new form ofreversibility that follows disjunctive causality and we justify our proposal by modelling anexample of a biochemical reaction.
As our original RPN model is inspired by biochemistry and since concerted chemical reac-tions involve the breaking and making of bonds in a single step, a consideration of transitionsthat allow the simultaneous bonding and destructing of molecules is essential to this under-standing. We motivate our design decisions by giving an example of a concerted reversiblechemical reaction that allows the simultaneous creation and destruction of bonds. 89 igure 4.1: Reversible chemical reaction
A reversible chemical reaction is a reaction where the reactants and products react to-gether to give the reactants back. Weak acids, such as carbonic acid, and bases, such aswater, undertake reversible reactions. Carbonic acid is a chemical compound with the chem-ical formula H CO . It is also a name sometimes given to solutions of carbon dioxide inwater also known as carbonated water, because such solutions contain small amounts of H CO . In the example presented in Figure 4.1, carbonic acid H CO and water H O reactto form bicarbonate HCO and hydronium H O .We may now proceed to define Single Reversing Petri Nets (SRPNs) that extend the modelof Chapter 3 by allowing transitions to break bonds during forward execution. As with theoriginal RPN model we use the tuple ( A , P , B , T , F ) to define SRPN structures that consist ofbases, places, bonds, transitions and labelled directed arcs. In this section we only considerthe extension of destructing bonds thus we still consider each token to have a unique name.Allowing connected tokens to fork in different outgoing places requires close attention to theexisting connected components so that we do not clone tokens. To avoid duplicating tokenswe still require directed arcs to ensure token preservation as defined by the well-formednessof RPNs. However, compared to the original model, we have eliminated one condition as weno longer require existing bonds to be preserved on the outgoing arcs of a transition. Definition 20.
A SRPN ( A , P , B , T , F ) is well-formed if it satisfies the following conditionsfor all t ∈ T :1. A ∩ pre ( t ) = A ∩ post ( t ) , 90. F ( t , x ) ∩ F ( t , y ) = ∅ for all x , y ∈ P , x (cid:44) y .According to the above we have that: (1) transitions do not erase tokens, and (2) tokensand bonds cannot be cloned into more than one outgoing place.We may now define the various types of execution for single reversing Petri nets whereforward transitions are able to break bonds. As with the original RPNs in this extension werestrict our attention to well-formed SRPNs ( A , P , B , T , F ) with initial marking M such thatfor all a ∈ A , |{ x | a ∈ M ( x ) }| = . In this section we consider the standard, forward execution of SRPNs. As before, for a transi-tion to fire in the forward direction we require the corresponding token and bond availability.As we now allow connected tokens to break their bonds during forward execution we requirethe bonds that connect them to be a requirement for the transition to fire. Formally:
Definition 21.
Consider a SRPN ( A , P , B , T , F ) , a transition t ∈ T , and a state (cid:104) M , H (cid:105) . Wesay that t is forward-enabled in (cid:104) M , H (cid:105) if the following hold:1. if a ∈ F ( x , t ) , for some x ∈ ◦ t , then a ∈ M ( x ) , and if β ∈ F ( x , t ) , for some x ∈ ◦ t , then β ∈ M ( x ) ,2. for all a , b ∈ F ( x , t ) , x ∈ ◦ t where ( a , b ) ∈ M ( x ) then ( a , b ) ∈ F ( x , t ) , and3. if a ∈ F ( t , y ) , b ∈ F ( t , y ) , y , y ∈ t ◦ , y (cid:44) y then a (cid:60) con ( b , ( M ( x ) − pre ( t )) ∪ post ( t )) , x ∈ ◦ t .Thus, t is enabled in state (cid:104) M , H (cid:105) if (1) all tokens and bonds required for the transitionto take place are available in the incoming places of t , (2) if a pre-existing bond appearsin an incoming place of the transition and its tokens are required for the transition to firethen the bond should also appear as a requirement on the incoming arcs (we do not recreatebonds), and (3) if two tokens are transferred by a transition to different outgoing places thenthese tokens should not remain connected when removing the incoming arcs and addingthe outgoing arcs. Transferring tokens that are connected either directly or indirectly todifferent places without breaking their bonds it would result in token duplication. As such,we require for the tokens that fork to different places not to be connected when executing thetransitions, thus any bonds that exist between them in the incoming places of the transitionwill be destructed by the specifications on the arcs of the transition. 91 igure 4.2: Forward executionFigure 4.3: Backtracking execution During forward execution the new bonds created by a transition are exactly those thatoccur in the outgoing edges of a transition but not in the incoming edges and the bonds thatare broken are those that occur in the incoming edges of a transition but not in the outgoingedges. Thus, firing a transition in the forward direction recreates the marking by removingthe bonds that occur on the incoming arcs but adding the bonds that occur in the outgoingarcs. Specifically, firing a transition in the forward direction is defined as follows:
Definition 22.
Given a SRPN ( A , P , B , T , F ) , a state (cid:104) M , H (cid:105) , and a transition t enabled in (cid:104) M , H (cid:105) , we write (cid:104) M , H (cid:105) t −→ (cid:104) M (cid:48) , H (cid:48) (cid:105) where H (cid:48) is updated as in Definition 5 and: M (cid:48) ( x ) = M ( x ) − (cid:83) a ∈ F ( x , t ) con ( a , M ( x )) if x ∈ ◦ tM ( x ) ∪ (cid:83) a ∈ F ( t , x ) ∩ F ( y , t ) con ( a , ( M ( y ) − F ( y , t )) ∪ F ( t , x )) if x ∈ t ◦ M ( x ) , otherwiseThus, when a transition t is executed in the forward direction, all tokens and bonds occur-ring in its outgoing arcs are relocated from the input places to the output places along withtheir connected components. The SRPN in Figure 4.2 represents the destruction of bond a − b and the creation of bond c − a where the new bond c − a is relocated in place y and token b is relocated in place z . The history is updated as usual. Let us now proceed to backtracking. As with the original model the destruction of bondsdoes not affect bt -enabledness thus we define a transition to be bt -enabled if it was the last92xecuted transition: Definition 23.
Consider a SRPN ( A , P , B , T , F ) , a state (cid:104) M , H (cid:105) , and a transition t ∈ T . Wesay that t is bt -enabled in (cid:104) M , H (cid:105) as in Definition 6.The effect of backtracking a transition in a single reversing Petri net with bond destruc-tion is shown in Figure 4.3 which reverses the execution of the reversing Petri net by recre-ating the bond a − b and returning it to its initial place x as well as breaking the bond c − a andreturning c to place v . Thus backtracking execution is defined as follows: Definition 24.
Given a SRPN ( A , P , B , T , F ) , a state (cid:104) M , H (cid:105) , and a transition t with history k = max ( H ( t )) that is bt -enabled in (cid:104) M , H (cid:105) , we write (cid:104) M , H (cid:105) t (cid:32) b (cid:104) M (cid:48) , H (cid:48) (cid:105) where H (cid:48) isupdated as in Definition 7 and: M (cid:48) ( x ) = M ( x ) ∪ (cid:83) y ∈ t ◦ , a ∈ F ( x , t ) ∩ F ( t , y ) con ( a , ( M ( y ) − F ( t , y )) ∪ F ( x , t )) , if x ∈ ◦ tM ( x ) − (cid:83) a ∈ F ( t , x ) con ( a , M ( x )) , if x ∈ t ◦ M ( x ) otherwise We introduce destruction of bonds in causal reversibility and show that no modifications areneeded to the notions of causal dependence and causal enabledness of the original reversingPetri nets. As expected, we consider a transition t to be enabled for causal-order reversal onlyif all transitions that are causally dependent on it have either been reversed or not executed.We may now define that a transition is enabled for causal-order reversal as follows: Definition 25.
Consider a SRPN ( A , P , B , T , F ) , a state (cid:104) M , H , ≺(cid:105) , and a transition t ∈ T .Then t is c -enabled in (cid:104) M , H , ≺(cid:105) as in Definition 11.Reversing a transition in a causally-respecting order is implemented similarly to back-tracking, i.e. the tokens are moved from the outgoing places to the incoming places of thetransition, all bonds created by the transition are broken and all bonds destructed by thetransition are reconstructed. In addition, the history function is updated in the same manneras in backtracking, where we remove the key of the reversed transition, and the causal de-pendence relation removes all references to the reversed transition occurrence. The examplein Figure 4.4 represents two concurrent transitions that have been executed and reversed indifferent orders. 93 igure 4.4: Causal-order execution Definition 26.
Given a SRPN ( A , P , B , T , F ) , a state (cid:104) M , H , ≺(cid:105) , and a transition t c -enabled in (cid:104) M , H (cid:105) , we write (cid:104) M , H , ≺(cid:105) t (cid:32) c (cid:104) M (cid:48) , H (cid:48) , ≺ (cid:48) (cid:105) for M (cid:48) and H (cid:48) as in Definition 24, and ≺ (cid:48) suchthat ≺ (cid:48) = { (( t , k ) , ( t , k )) ∈≺| k (cid:44) k } Theorem 2.
Consider executions (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:105) and (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:105) . Then, σ (cid:16) σ if and only if (cid:104) M , H (cid:105) (cid:16) (cid:104) M , H (cid:105) . Proof.
The proof of the theorem follows as a corollary of Theorem 3, which will be pre-sented in Section 4.2 since SRPNs are a special instance of Multi Reversing Petri Nets. (cid:3) .1.4 Out-of-Causal Order We may now proceed to out-of-causal order reversibility which in the original model of RPNsallows any transition to reverse as long as it is an executed transition. When allowing thedestruction of bonds during forward execution, this form of reversing presents a peculiaritysince we allow bonds to be broken during forward execution then there is the possibilityto execute two forward transitions that have the opposite effect. Consider the example inFigure 4.5 where the first transition creates a bond and the second transition destructs thesame bond. When reversing the first transition in out-of-causal order, then we try to reversea bond that has already been broken by the second transition. In this way we negate a bondthat was necessary for the effect of the second transition and thus create inconsistencies suchas the token duplication presented in the final net of Figure 4.5. In this case reversing abond that was required for the already executed following transition leads to inconsistenciesin regards to token preservation, an important feature of reversing Petri nets and reversiblecomputation in general. As such, we assume transitions like these to be irreversible and weonly allow out-of-causal reversal in transitions that do not generate these paradoxes.We begin by noting that in out-of-causal-order reversibility any executed transition canbe reversed at any time as long as its effect has not been reversed by a forward transition.
Definition 27.
Consider a SRPN ( A , P , B , T , F ) , a state (cid:104) M , H (cid:105) , and a transition t ∈ T . Wesay that transition t is o -enabled in (cid:104) M , H (cid:105) , if (1) H ( t ) (cid:44) ∅ and:a for all ( a , b ) ∈ pre ( t ) , ( a , b ) (cid:60) post ( t ) then (cid:64) t (cid:48) , k (cid:48) ∈ H ( t (cid:48) ) where k (cid:48) > k such that ( a , b ) ∈ post ( t (cid:48) ) , ( a , b ) (cid:60) pre ( t (cid:48) ) b for all ( a , b ) ∈ post ( t ) , ( a , b ) (cid:60) pre ( t ) then (cid:64) t (cid:48) , k (cid:48) ∈ H ( t (cid:48) ) where k (cid:48) > k such that ( a , b ) ∈ pre ( t ) , ( a , b ) (cid:60) post ( t ) The definition states that for t to be o − enabled then (1) the transition should be executed,(2)(a) if the transition breaks a bond during forward execution then it should not be followedby an executed transition that has destructed the same bond, and (2)(b) if the transition createsa bond during forward execution then it should not be followed by a transition that hasdestructed the same bond. Requirements (2)(a) and (2)(b) are used to avoid token duplicationas in the case of 4.5. As in the original model we define the last transition that a connectedcomponent has participated and the last place where it should be relocated. 95 igure 4.5: Out-of-causal order paradox Definition 28.
Given a SRPN ( A , P , B , T , F ) , an initial marking M , a history H , and a set ofbases and bonds C ⊆ A ∪ B we write: last T ( C , H ) = t , if ∃ t , post ( t ) ∩ C (cid:44) ∅ , H ( t ) (cid:44) ∅ , and (cid:64) t (cid:48) , post ( t (cid:48) ) ∩ C (cid:44) ∅ , H ( t (cid:48) ) (cid:44) ∅ , max ( H ( t (cid:48) )) ≥ max ( H ( t )) ⊥ , otherwise last P ( C , H ) = x , if t = last T ( C , H ) , { x } = { y ∈ t ◦ | F ( t , y ) ∩ C (cid:44) ∅} or, if ⊥ = last T ( C , H ) , C ⊆ M ( x ) ⊥ , otherwise 96 igure 4.6: Out-of-causal order execution Note that similarly to backtracking and causal order we recreate broken bonds and re-break created bonds by removing the bonds in the outgoing arcs and adding the bonds in theincoming arcs. Transition reversal in an out-of-causal order can thus be defined as follows:
Definition 29.
Given a SRPN ( A , P , B , T , F ) , an initial marking M , a state (cid:104) M , H (cid:105) and atransition t with history k that is o -enabled in (cid:104) M , H (cid:105) , we write (cid:104) M , H (cid:105) t (cid:32) o (cid:104) M (cid:48) , H (cid:48) (cid:105) where H (cid:48) is defined as in Definition 26 and we have: M (cid:48) ( x ) = (cid:16) M ( x ) ∪ (cid:91) a ∈ M ( y ) ∩ post ( t ) , last P ( C a , y , H (cid:48) ) = x C a , y (cid:17) − (cid:16) eff ( t ) ∪ (cid:91) a ∈ M ( x ) ∩ post ( t ) , last P ( C a , x , H (cid:48) ) (cid:44) x C a , x (cid:17) where we use the shorthand C b , z = con ( b , { con ( c , M ( z )) | c ∈ A , z ∈ P } − post ( t )) ∪ pre ( t )) for b ∈ A , z ∈ P .Thus, when a transition t is reversed in an out-of-causal-order fashion all bonds that werecreated by the transition are undone and all bonds destructed are recreated. If the destructionof a bond divides a component into smaller connected sub-components then each of thesesub-components should be relocated (if needed) back to the place where the sub-complexwould have existed if transition t never took place, i.e., exactly after the last transition thatinvolves tokens from the sub-complex. Otherwise if the recreation of a bond creates a larger97omponent then this component should be moved (if needed) to the place where the complexwould have existed if transition t never took place, i.e. exactly after the last transition thatinvolves tokens from the bigger complex. The example in Figure 4.6 represents the ou-of-causal reversal of two bond breaking transitions t and t . By initially reversing t thebond a − b is reconstructed and the history of t is eliminated. Since reversing a transition isequivalent to skipping the transition in the net, then the bond a − b is transferred to place y asif transition t has never been executed. We now proceed to explore token multiplicity in reversing Petri nets. Allowing multipletokens of the same type to occur in a model entails that tokens of the same type are allowedto execute the same transition. As a transition can be fired by different sets of tokens thisintroduces possible nondeterminism when going backwards. This nondeterminism is alsoknown as backward conflicts since multiple different tokens are allowed to reverse the sametransition resulting in different states.In order to define reversible semantics for RPNs in the presence of backward conflictwe have identified two different approaches. The first approach is inspired by the individualtoken interpretation presented in [137] and the second by the collective token interpretationpresented in [24,139]. The two approaches differ on the way they handle backward conflicts,however, both of them remain abstract enough while doing justice to the truly concurrentnature of Petri nets. We observe that the individual token interpretation is accompanied by aset of desirable theoretical properties while the collective token interpretation is well suitedfor modelling a variety of possible applications.According to the individual token philosophy, tokens are distinguished based on theircausal path [55, 121]. The approach distinguishes tokens as individual by providing precisecorrespondence between the token instances and their past. Specifically, the model keepstrack of where the tokens come from and therefore identifies the causal links between tran-sitions in terms of a partial order. In this partial order, causal dependencies are explicitlydefined as an unfolding of an occurrence net which is an acyclic net that does not have back-ward conflicts. This approach ensures backward determinism which is a crucial property ofreversible systems.Let us consider the example in Figure 4.7, which illustrates backward determinism asunderstood by the individual token interpretation. As already discussed in Chapter 3 the98 igure 4.7: Individual token interpretation causal relationship between transitions is defined as the manipulation of common tokens.Based on this relationship we are able to uniquely identify the transition that can be reversedby a particular token. If we consider the example in Figure 4.7 after the execution of t there are two identical connected components in the middle place. If the component that wasalready there was used to fire t , then there is no causal link between the two transitions.If the component produced by t was used to fire t , then t is causally dependent on t .Depending on how the causal relationships are defined the behaviour of reversible actionschanges, as a causal link between t and t means that transition t is unable to reverse until t has also reversed.On the other hand, based on the collective token philosophy, when multiple tokens of thesame type reside in the same place then these tokens are indistinguishable. The rationalitybehind this approach is that in the example of Figure 4.7 the preconditions for firing transition t do not change and consequently t is always independent of t . This means that all that isknown by the model is the amount of token occurrences of a specific type and their locationin the marking. 99 .3 Multi Reversing Petri Nets In this section we propose an extension of the SRPN model, multi reversing Petri nets, byallowing multiple tokens of the same type as well as the possibility for transitions to breakbonds under the individual token interpretation. Thus, we allow tokens of the same type tofire the same transition when going forward, however when going backwards tokens will beable to reverse only the transitions that they have fired. Therefore, the individuality of tokensof the same type is imposed by their causal path.We formulate four firing rules for multi reversing Petri nets under the individual tokeninterpretation with multiple tokens, namely forward, backtracking, causal-order reversing,and out-of-causal-order reversing. We then proceed to translate multi reversing Petri netsand single reversing Petri nets into Labelled Transition Systems (LTSs) [54]. We comparethe expressive power offered by multi tokens against that of single tokens, in terms of theassociated Labelled Transition Systems. We conclude that reversing Petri nets with singletokens are equally expressive as reversing Petri nets with multiple tokens.We present multi reversing Petri nets (MRPNs) which are Petri net structures with mul-tiple tokens of the same type, which we refer to as multi-tokens that allow transitions to bereversed. Formally, a MRPN is defined as follows:
Definition 30. A multi reversing Petri net (MRPN) is a tuple ( P , T , A , A V , B , F ) where:1. P is a finite set of places and T is a finite set of transitions .2. A is a finite set of base or token types ranged over by a , b , . . . A V is a finite set of token variables . We write type ( v ) for the type of variable v andassume that type ( v ) ∈ A for all v ∈ A V .4. B ⊆ A × A is a finite set of undirected bond types ranged over by β, γ, . . . We use thenotation a − b for a bond ( a , b ) ∈ B .5. F : ( P × T ∪ T × P ) → P ( A V ∪ ( A V × A V )) is a set of directed labelled arcs .A multi reversing Petri net is built on the basis of a set of tokens or bases . These areorganized in a set of token types A , where each token type is associated with a set of tokeninstances. A I defined as follows: Definition 31.
Given a multi reversing Petri net ( P , T , A , A V , B , F ) the set of token instances A I is recursively defined by: 100 ( a , ∗ , i ) , i ∈ N , a ∈ A , and– ( a i , k , u ) where a i ∈ A I , k ∈ N and u ∈ {∗} ∪ { A V } .For a i , a j ∈ A I we use the notation a i ∈ a j if (i) a i = a j or (ii) a j = ( a (cid:48) j , k , u ) , a i ∈ a (cid:48) j . Moreover,we define a j ↓ a i = a i if a j = ( a i , k , u )( a (cid:48) j ↓ a i , k j , u j ) if a j = ( a (cid:48) j , k j , u j ) , a (cid:48) j (cid:44) a i The set of token instances A I corresponds to the basic entities that occur in a system.Initially tokens of type a ∈ A are denoted by ( a , ∗ , i ) where type (( a , ∗ , i )) = a and i ∈ N is a unique number that distinguishes tokens from each other. As computation proceedsthe tokens evolve by extending their memory whenever they fire a transition in the forwarddirection or decreasing their memory whenever they execute a transition in reverse. Note thatin a token of the form ( a i , k , u ) , k is the key of the last transition the token has engaged in and u the variable to which the token was assigned, with u = ∗ for tokens that participate in thetransition but do not correspond to any variables. Token instances may occur as stand-aloneelements but they may also merge together to form bonds . Bond instances are denoted bythe set B I and are formed similarly to the other variations of RPNs. For a i , a j ∈ A I we use thenotation a i ∈ a j to denote that token a i has evolved to a j . As such, the memories of a i are alsopart of the memory of a j . For a i , a j ∈ A I we use the notation a j ↓ a i to denote the removal ofa specific memory in token a j . Specifically, by replacing ( a i , k , u ) with a i we remove from a j the memory of transition occurrence ( t , k ) where a i , and as a result a j , has participated in.As with the original RPN model, places and transitions are connected via labelled di-rected arcs. These labels are derived from A V ∪ ( A V × A V ) . They express the requirementsand the effects of the transition based solely on the type of tokens consumed. Thus, any tokencorresponding to the same type as the variable on the labelled arc is able to participate in thetransition. More precisely, if F ( x , t ) = U ∪ V , where U ⊆ A V , V ⊆ A V × A V , this implies thatfor the transition to fire for each u ∈ U a distinct token instance of type type ( u ) is required.These instances should be bonded together according to V . Similarly, if F ( t , x ) = U ∪ V ,where U ⊆ A V , V ⊆ A V × A V , this implies that during the forward execution of the tran-sition for each u ∈ U a token instance of type type ( u ) will be transmitted to place x by thetransition, in addition to the bonds specified by V , some of which will be created as an effectof the transition. We make the assumption that if ( u , v ) ∈ V then u , v ∈ U .We restrict our attention to well-formed MRPNs defined as follows: 101 efinition 32. A multi reversing Petri net ( P , T , A , A V , B , F ) is well-formed , if for all t ∈ T :1. A V ∩ pre ( t ) = A V ∩ post ( t ) , and2. F ( t , x ) ∩ F ( t , y ) ∩ A V = ∅ for all x , y ∈ P , x (cid:44) y .Thus, a multi reversing Petri net is well-formed if (1) whenever a variable exists in theincoming arcs of a transition then it also exists on the outgoing arcs, which implies thattransitions do not erase tokens, and (2) tokens/bonds cannot be cloned into more than oneoutgoing places.As with RPNs the association of token/bond instances to places is called a marking suchthat M : P → A I ∪ B I , where we assume that if ( u , v ) ∈ M ( x ) then u , v ∈ M ( x ) . In addition,we employ the notion of a history , which assigns a memory to each transition H : T → N .Intuitively, a history of H ( t ) = ∅ for some t ∈ T captures that the transition has not takenplace, or every execution of it has been reversed, and a history of k ∈ H ( t ) , captures thatthe transition was executed as the k th transition occurrence. Note that | H ( t ) | > may arisedue to cycles but also due to the consecutive execution of the transition by different tokeninstances. A pair of a marking and a history, (cid:104) M , H (cid:105) , describes a state of a MRPN with (cid:104) M , H (cid:105) the initial state, where H ( t ) = ∅ for all t ∈ T and if a i ∈ M ( x ) , x ∈ P , then a i = ( a , ∗ , i ) , i ∈ N , a ∈ A . Graphically, token variables u ∈ F ( x , t ) ∩ A V of type type ( v ) = a are denoted by u : a over the corresponding arc F ( x , t ) (respectively for F ( t , x ) ).Finally, we define con ( a i , C ) , where a i ∈ A I and C ⊆ A I ∪ B I , to be the tokens connectedto a i as well as the bonds creating these connections according to set C , in the usual way.SRPNs are a special case of MRPNs as tokens in SRPNs correspond to tokens in MRPNswith the associated memories ignored. Additionaly, tokens are explicitly requested on thedirected arcs of SRPN transitions where in MRPNs a variable is used to represent tokens ofthe same type. We may now define the forward and backward execution within multi reversing Petri nets.Note that as in Section 4.1 we allow transitions to break bonds and we restrict our attentionto well-formed MRPNs ( P , T , A , A V , B , F ) with initial marking M such that for all a i ∈ A I , |{ x | a i ∈ M ( x ) }| = . 102 .4.1 Forward Execution During the forward execution of a transition in a MRPN, a set of tokens and bonds, asspecified by the incoming arcs of the transition, are selected and moved to the outgoingplaces of the transition, as specified by the transition’s outgoing arcs, possibly forming ordestructing bonds, as necessary. Due to the presence of multiple instances of the same tokentype, it is possible that different token instances are selected during the transition’s execution.A transition is forward-enabled in a state (cid:104) M , H (cid:105) of a MRPN if there exists a selection oftoken instances available at the incoming places of the transition matching the requirementson the transitions incoming arcs. Also the transition should not recreate bonds or clonetokens. Formally: Definition 33.
Given a MRPN ( P , T , A , A V , B , F ) , a state (cid:104) M , H (cid:105) , and a transition t , we saythat t is forward-enabled in (cid:104) M , H (cid:105) if there exists an injective function U f : pre ( t ) ∩ A V → A I such that:1. for all u ∈ F ( x , t ) , x ∈ ◦ t , then U f ( u ) ∈ M ( x ) where type ( u ) = type ( U f ( u )) , and for all ( u , v ) ∈ F ( x , t ) , for some x ∈ ◦ t , then ( U f ( u ) , U f ( v )) ∈ M ( x ) ,2. for all u , v ∈ F ( x , t ) , x ∈ ◦ t and ( U f ( u ) , U f ( v )) ∈ M ( x ) , then ( u , v ) ∈ F ( x , t ) , and3. if u ∈ F ( t , y ) , v ∈ F ( t , y ) , y , y ∈ t ◦ , y (cid:44) y then U f ( u ) (cid:60) con ( U f ( v ) , ( M ( x ) − • pre ( t , U f )) ∪ post • ( t , U f )) , x ∈ ◦ t .where • pre ( t , U ) = { U ( u ) | u ∈ F ( x , t ) , x ∈ ◦ t } ∪ { ( U ( u ) , U ( v )) | ( u , v ) ∈ F ( x , t ) , x ∈ ◦ t } and post • ( t , U ) = { U ( u ) | u ∈ F ( t , y ) , y ∈ t ◦} ∪ { ( U ( u ) , U ( v )) | ( u , v ) ∈ F ( t , y ) , y ∈ t ◦} .Thus, t is enabled in state (cid:104) M , H (cid:105) if (1) there is a type-respecting assignment of tokeninstances in the incoming places of the transition to the variables on the incoming edges,with the token instances originating from the appropriate input places and where tokens areconnected with bonds as required by the transition’s incoming edges, (2) if the selected tokeninstances are bonded together in an incoming place of the transition then the bond should alsoexist on the variables labelling the incoming arcs (thus transitions do not recreate bonds),and (3) if two token instances are transferred by a transition to different outgoing placesthen these tokens should not remain connected when removing the selected incoming tokensand adding the selected outgoing tokens (we do not clone tokens). We use • pre ( t , U ) and post • ( t , U ) to help us identify the effect of the transition t on the particular selection oftoken instances U . We refer to U f as a forward enabling assignment. 103e now define the incoming token/bond instances as: Definition 34.
Given a MRPN ( P , T , A , A V , B , F ) , a state (cid:104) M , H (cid:105) , a transition t and an en-abling assignment U f , we define • U f : P → A I ∪ B I to be a function that assigns to each placea set of incoming token and bond instances that are used for the firing of t : • U f ( x ) = (cid:83) u ∈ F ( x , t ) con ( U f ( u ) , M ( x )) We now define the outgoing token/bond instances as:
Definition 35.
Given a MRPN ( P , T , A , A V , B , F ) , a state (cid:104) M , H (cid:105) , a transition t , and an en-abling assignment U f , we define U • f : P → A I ∪ B I to be a function that assigns to each placea set of outgoing token/bond instances of t : U • f ( x ) = (cid:83) u ∈ F ( t , x ) , U f ( u ) ∈ M ( y ) con ( U f ( u ) , ( M ( y ) − • pre ( t , U f )) ∪ post • ( t , U f )) To execute a transition t according to an enabling assignment U f , the selected tokeninstances, along with their connected components, are relocated to the outgoing places of thetransition as specified by the outgoing arcs, with bonds created and destructed accordingly.Furthermore, the history of the executed transition is updated in the standard way. As thesame transition can be executed by different tokens of the same type we indicate transitionfirings by ( t , k ) in order to be able to identify the set of tokens that have participated in thisspecific transition occurrence. In Figure 4.8 we observe the change in history of transition t ,as well as, the change in the name of the token instances ( a , ∗ , , and ( b , ∗ , to (( a , ∗ , , , u ) and (( b , ∗ , , , v ) , respectively. Thus, the memory of token instance ( a , ∗ , is extended toindicate that ( a , ∗ , has participated in transition t with history identifier corresponding tovariable u . Similarly, for token instance ( b , ∗ , and variable v . Specifically, we define: Definition 36.
Given a MRPN ( P , T , A , A V , B , F ) , a state (cid:104) M , H (cid:105) , a transition t that is enabledin state (cid:104) M , H (cid:105) , and an enabling assignment U f , we write (cid:104) M , H (cid:105) ( t , k ) −→ (cid:104) M (cid:48) , H (cid:48) (cid:105) where k = max ( { } ∪ { k (cid:48) | k (cid:48) ∈ H ( t (cid:48) ) , t (cid:48) ∈ T } ) + and for all x ∈ P : M (cid:48) ( x ) = ( M ( x ) − • U f ( x )) ∪ ( (cid:91) a i ∈ U • f ( x ) ( a i , k , V ( a i )) ∪ (cid:91) ( a i , b i ) ∈ U • f ( x ) (( a i , k , V ( a i )) , ( b i , k , V ( b i ))) where V ( a i ) = u if U f ( u ) = a i ∗ otherwiseand H (cid:48) ( t (cid:48) ) = H ( t (cid:48) ) ∪ { k } if t (cid:48) = tH ( t (cid:48) ) , otherwise 104 igure 4.8: Forward execution The following proposition states that tokens are preserved throughout forward executionsuch that the amount of tokens of the same type remains the same.
Proposition 16 (Token preservation) . Consider a MRPN ( P , T , A , A V , B , F ) , a state (cid:104) M , H (cid:105) and a transition (cid:104) M , H (cid:105) ( t , k ) −→ (cid:104) M (cid:48) , H (cid:48) (cid:105) . Then for all a i ∈ A I ∩ M ( z ) , z ∈ P we have |{ a j | a j ∈ M ( x ) ∩ A I , x ∈ P , a i ∈ a j }| = |{ a (cid:48) j | a (cid:48) j ∈ M (cid:48) ( y ) ∩ A I , y ∈ P , a i ∈ a (cid:48) j }| = . Proof.
The proof follows from the definition of forward execution and relies on the well-formedness of MRPNs. Consider a MRPN ( P , T , A , A V , B , F ) , a state (cid:104) M , H (cid:105) such that |{ a j | a j ∈ M ( x ) ∩ A I , x ∈ P , a i ∈ a j }| = for some a i ∈ A I ∩ M ( z ) , z ∈ P , and suppose (cid:104) M , H (cid:105) ( t , k ) −→(cid:104) M (cid:48) , H (cid:48) (cid:105) such that |{ a (cid:48) j | a (cid:48) j ∈ M (cid:48) ( y ) ∩ A I , y ∈ P , a i ∈ a (cid:48) j }| = n . Let a j ∈ A I . Two cases exist:1. a j ∈ con ( b j , M ( x )) for some b j = U f ( v ) , v ∈ F ( x , t ) . According to Definition 34, wehave that a j ∈ • U f ( x ) , which by Definition 36 implies that a j (cid:60) M (cid:48) ( x ) . On the otherhand, by Definition 32(1), v ∈ post ( t ) . Thus, there exists y ∈ t ◦ , such that v ∈ F ( t , y ) .Note that this y is unique by Definition 32(2). As a result, by Definition 35, a j ∈ U • f ( y ) which by Definition 36 yields a j ∈ a (cid:48) j , a (cid:48) j ∈ M (cid:48) ( y ) such that a i ∈ a (cid:48) j .Now suppose that a j ∈ con ( c j , M ( x )) for some c j (cid:44) b j , u ∈ F ( t , y (cid:48) ) , U f ( u ) = c j . Then,by Definition 32(2), it must be that y = y (cid:48) . As a result, we have that n = |{ a (cid:48) j | a (cid:48) j ∈ M (cid:48) ( y (cid:48) ) ∩ A I , y (cid:48) ∈ P , a i ∈ a (cid:48) j }| = |{ a j | a j ∈ M ( x ) ∩ A I , x ∈ P , a i ∈ a j }| = and the resultfollows.2. a j (cid:60) con ( b j , M ( x )) for all v ∈ F ( x , t ) , U f ( v ) = b j , x ∈ P . This implies that = |{ a j | j ∈ M ( x ) ∩ A I , x ∈ P , a i ∈ a j }| = |{ a j | a j ∈ M (cid:48) ( x ) , x ∈ P , a i ∈ a j }| = n and the resultfollows. (cid:3) Let us now proceed to backtracking. A transition can be reversed in a certain state if it wasthe last executed transition and there exist token instances in its output places that matchthe requirements on its outgoing arcs. To capture this, we define transition occurrence asfollows:
Definition 37.
Consider a MRPN ( P , T , A , A V , B , F ) , a state (cid:104) M , H (cid:105) , and a transition t . Werefer to ( t , k ) as a transition occurrence in (cid:104) M , H (cid:105) if k ∈ H ( t ) .We now define the notion of backtracking enabledness as follows. Definition 38.
Consider a MRPN ( P , T , A , A V , B , F ) , a state (cid:104) M , H (cid:105) , and a transition occur-rence ( t , k ) . We say that ( t , k ) is bt-enabled in (cid:104) M , H (cid:105) if (1) k ∈ H ( t ) with k ≥ k (cid:48) for all k (cid:48) ∈ H ( t (cid:48) ) , t (cid:48) ∈ T , and (2) there exists an injective function U b : post ( t ) ∩ A V → A I suchthat:(a) for all u ∈ F ( t , x ) , x ∈ t ◦ , we have U b ( u ) = ( a i , k , u ) , U b ( u ) ∈ M ( x ) where type ( u ) = type ( U b ( u )) , and(b) for all ( u , v ) ∈ F ( t , x ) , x ∈ t ◦ , we have ( U b ( u ) , U b ( v )) = (( a i , k , u ) , ( b i , k , v )) , ( U b ( u ) , U b ( v )) ∈ M ( x ) .Thus, a transition t is bt -enabled in (cid:104) M , H (cid:105) if (1) it was the last transition to be executed,and (2) there exists a type-respecting assignment of token instances in the outgoing places ofthe transition, to the variables on the outgoing edges of the transition, and where the tokensare connected with bonds as required by the transition’s outgoing edges. We refer to U b as abacktracking enabling assignment.Similarly to forward execution, the following definition selects the incoming connectedcomponents and the outgoing connected components. Note that the incoming connectedcomponents are selected based on the outgoing arcs of the transition and the outgoing con-nected components are selected based on the incoming arcs. We now define the incomingtoken/bond instances as: 106 igure 4.9: Backtracking execution Definition 39.
Given a MRPN ( P , T , A , A V , B , F ) , a state (cid:104) M , H (cid:105) , a transition t and an en-abling assignment U b , we define • U b : P → A I ∪ B I to be a function that assigns to each placea set of incoming token and bond instances that are used for the backtracking of t : • U b ( x ) = (cid:83) u ∈ F ( t , x ) con ( U b ( u ) , M ( x )) We now define the outgoing token/bond instances as:
Definition 40.
Given a MRPN ( P , T , A , A V , B , F ) , a state (cid:104) M , H (cid:105) , a transition t , and an en-abling assignment U b , we define U • b : P → A I ∪ B I to be a function that assigns to each placea set of outgoing token/bond instances of t : U • b ( x ) = (cid:83) u ∈ F ( x , t ) , U b ( u ) ∈ M ( y ) con ( U b ( u ) , ( M ( y ) − post • ( t , U b )) ∪ • pre ( t , U b )) To implement the reversal of a transition t according to a backtracking enabling assign-ment U b , the selected instances are relocated from the outgoing places of the transition to theincoming places, as specified by the incoming arcs of the transition, with bonds created anddestructed accordingly. In Figure 4.9 the backtracking execution of Figure 4.8 is illustrated,where we can observe the history of the reversing transition being eliminated and the tokeninstances returning to their initial place. Specifically we define: Definition 41.
Given a MRPN ( P , T , A , A V , B , F ) , a state (cid:104) M , H (cid:105) , a transition occurrence ( t , k ) that is bt − enabled and an enabling assignment U b , we write (cid:104) M , H (cid:105) ( t , k ) (cid:32) b (cid:104) M (cid:48) , H (cid:48) (cid:105) where for107ll x ∈ P : M (cid:48) ( x ) = ( M ( x ) − • U b ( x )) ∪ ( (cid:91) ( a i , k , u ) ∈ U • b ( x ) a i ∪ (cid:91) (( a i , k , u ) , ( b i , k , v )) ∈ U • b ( x ) ( a i , b i )) and H (cid:48) ( t (cid:48) ) = H ( t (cid:48) ) − { k } , if t (cid:48) = tH ( t (cid:48) ) , otherwiseThe following proposition states that tokens are preserved throughout backtracking exe-cution such that the amount of tokens of the same type remains the same. Proposition 17 (Token preservation) . Consider a multi reversing Petri net ( P , T , A , A V , B , F ) ,a state (cid:104) M , H (cid:105) , and a transition (cid:104) M , H (cid:105) ( t , k ) (cid:32) b (cid:104) M (cid:48) , H (cid:48) (cid:105) . Then for all a i ∈ A I ∩ M ( z ) , z ∈ P wehave |{ a j | a j ∈ M ( x ) ∩ A I , x ∈ P , a i ∈ a j | = |{ a (cid:48) j | a (cid:48) j ∈ M (cid:48) ( y ) ∩ A I , y ∈ P , a i ∈ a (cid:48) j }| = . Proof.
The proof of the result follows the definition of backward execution and relies on thewell-formedness of multi reversing Petri nets. Consider a MRPN ( P , T , A , A V , B , F ) , a state (cid:104) M , H (cid:105) such that for all a i ∈ A I ∩ M ( z ) , z ∈ P we have |{ a j | a j ∈ M ( x ) ∩ A I , x ∈ P , a i ∈ a j }| = ,and suppose (cid:104) M , H (cid:105) ( t , k ) (cid:32) b (cid:104) M (cid:48) , H (cid:48) (cid:105) such that |{ a (cid:48) j | a (cid:48) j ∈ M (cid:48) ( y ) ∩ A I , y ∈ P , a i ∈ a (cid:48) j }| = n . Twocases exist:1. a j ∈ con ( b j , M ( x )) for some b j = U b ( v ) , v ∈ F ( t , x ) . Let us choose b j such that a j ∈ con ( b j , ( M ( x ) − post • ( t , U b )) ∪ • pre ( t , U b )) . Note that such a b j must exist,otherwise the forward execution of t would not have transferred a j along with b j toplace x .According to Definition 39, we have that a j ∈ • U b ( x ) , which implies that a j (cid:60) M (cid:48) ( x ) .On the other hand, note that by the definition of well-formedness, Definition 32(1), v ∈ pre ( t ) . Thus, there exists y ∈ ◦ t , such that v ∈ F ( y , t ) . Note that this y is unique byDefinition 32(2). As a result, by Definition 40, a j ∈ U • b ( y ) . Since v ∈ F ( y , t ) ∩ F ( t , x ) , a j ∈ con ( b j , ( M ( x ) − post • ( t , U b )) ∪ • pre ( t , U b )) , this implies that a (cid:48) j ∈ a j , a (cid:48) j ∈ M (cid:48) ( y ) where a i ∈ a (cid:48) j .Now suppose that a j ∈ con ( c j , ( M ( x ) − post • ( t , U b )) ∪ • pre ( t , U b )) , c j (cid:44) b j , and c j ∈ F ( y (cid:48) , t ) . Since a j ∈ con ( b j , ( M ( x ) − post • ( t , U b )) ∪ • pre ( t , U b )) , it must bethat con ( b j , ( M ( x ) − post • ( t , U b )) ∪ • pre ( t , U b )) = con ( c j , ( M ( x ) − post • ( t , U b )) ∪ • pre ( t , U b )) . Since b j and c j are connected to each other but the connection was not cre-ated by transition ( t , k ) (the connection is present in ( M ( x ) − post • ( t , U b )) ∪ • pre ( t , U b ) ),it must be that the connection was already present before the forward execution of t y = y (cid:48) and therefore = |{ a j | a j ∈ M ( x ) ∩ A I , x ∈ P , a i ∈ a j }| = |{ a (cid:48) j | a (cid:48) j ∈ M (cid:48) ( y (cid:48) ) ∩ A I , y (cid:48) ∈ P , a i ∈ a (cid:48) j }| = n .2. a j (cid:60) con ( b j , M ( x )) for all b j = U b ( v ) , v ∈ F ( t , x ) . This implies that |{ a j | a j ∈ M ( x ) ∩ A I , x ∈ P , a i ∈ a j }| = |{ a (cid:48) j | a (cid:48) j ∈ M (cid:48) ( x ) ∩ A I , x ∈ P , a i ∈ a (cid:48) j }| = and the result follows. (cid:3) We may establish a loop lemma:
Lemma 6 (Loop) . For any forward transition (cid:104) M , H (cid:105) ( t , k ) −→ (cid:104) M (cid:48) , H (cid:48) (cid:105) there exists a backwardtransition (cid:104) M (cid:48) , H (cid:48) (cid:105) ( t , k ) (cid:32) b (cid:104) M , H (cid:105) and vice versa. Proof.
Suppose (cid:104) M , H (cid:105) ( t , k ) −→ (cid:104) M (cid:48) , H (cid:48) (cid:105) . Then t is clearly bt -enabled in H (cid:48) . Furthermore, (cid:104) M (cid:48) , H (cid:48) (cid:105) ( t , k ) (cid:32) b (cid:104) M (cid:48)(cid:48) , H (cid:48)(cid:48) (cid:105) where H (cid:48)(cid:48) = H . In addition, all tokens and bonds involved intransition t (except those that have been created but including those that have been brokenby t ) will be returned from the outgoing places of transition t back to its incoming places.Specifically, for all a i ∈ A I , it is easy to see by the definition of (cid:32) b that a i ∈ M (cid:48)(cid:48) ( x ) ifand only if a i ∈ M ( x ) . Similarly, for all β i ∈ B I , β i ∈ M (cid:48)(cid:48) ( x ) if and only if β i ∈ M ( x ) .The opposite direction can be argued similarly, only this time tokens and bonds involved intransition t will be moved from the incoming places to the outgoing places of transition t . (cid:3) We now move on to reversing transitions in causal order. Causal dependence is determinedby the path that tokens follow: two transition occurrences are causally dependent, if a tokenproduced by the one occurrence was subsequently used to fire the other. To capture this typeof dependencies, we adopt the following definition of causal dependence.
Definition 42.
Consider a MRPN ( P , T , A , A V , B , F ) , a state (cid:104) M , H (cid:105) and suppose ( t , k ) and ( t (cid:48) , k (cid:48) ) are transition occurrences in (cid:104) M , H (cid:105) . We say that ( t (cid:48) , k (cid:48) ) causally depends on ( t , k ) denoted by ( t , k ) ≺ ( t (cid:48) , k (cid:48) ) , if k < k (cid:48) and there exists a i ∈ M ( x ) , x ∈ P , such that ( a j , k , u ) ∈ a i and ( a (cid:48) j , k (cid:48) , u (cid:48) ) ∈ a i .As tokens in multi reversing Petri nets are associated with their causal path, we are ableto identify the transitions that each token has participated in by observing the memory ofthe token. When the keys of two transitions belong to the memory of the same token thenit means that this token has participated in both transitions. Thus, a transition occurrence109 t (cid:48) , k (cid:48) ) causally depends on a preceding transition occurrence ( t , k ) if one or more tokensused during the firing of ( t (cid:48) , k (cid:48) ) was also used for the firing of ( t , k ) .A transition can be reversed in a certain state if there are no transitions causally followingit and there exist token instances in its output places that match the requirements on itsoutgoing arcs. Specifically, we define the notion of reverse enabledness as follows. Definition 43.
Consider a MRPN ( P , T , A , A V , B , F ) , a state (cid:104) M , H (cid:105) , and a transition occur-rence ( t , k ) . We say that transition occurrence ( t , k ) is c-enabled in (cid:104) M , H (cid:105) if (1) there is notransition occurrence ( t (cid:48) , k (cid:48) ) ∈ (cid:104) M , H (cid:105) with ( t , k ) ≺ ( t (cid:48) , k (cid:48) ) , and (2) there exists an injectivefunction U c : post ( t ) ∩ A V → A I such that:(a) for all u ∈ F ( t , x ) , x ∈ t ◦ , we have U c ( u ) = ( a i , k , u ) , U c ( u ) ∈ M ( x ) where type ( u ) = type ( U c ( u )) , and(b) for all ( u , v ) ∈ F ( t , x ) , x ∈ t ◦ , we have ( U c ( u ) , U c ( v )) = (( a i , k , u ) , ( b i , k , v )) , ( U c ( u ) , U c ( v )) ∈ M ( x ) .Thus, a transition occurrence ( t , k ) is c-enabled in (cid:104) M , H (cid:105) if (1) there are no transitionscausally dependent on it, and (2) there exists a type-respecting assignment of token instancesin the outgoing places of the transition, to the variables on the outgoing edges of the transi-tion, and where the tokens are connected with bonds as required by the transition’s outgoingedges. We refer to U c as a causal enabling assignment.We now define the incoming token/bond instances as: Definition 44.
Given a MRPN ( P , T , A , A V , B , F ) , a state (cid:104) M , H (cid:105) , a transition t and an en-abling assignment U c , we define • U c : P → A I ∪ B I to be a function that assigns to each placea set of incoming token and bond instances that are used for the reversing of t where for all x ∈ P , • U c ( x ) is defined as • U b ( x ) in Definition 39 with U b replaced by U c .We now define the outgoing token/bond instances as: Definition 45.
Given a MRPN ( P , T , A , A V , B , F ) , a state (cid:104) M , H (cid:105) , a transition t , and an en-abling assignment U c , we define U • c : P → A I ∪ B I to be a function that assigns to each placea set of outgoing token/bond instances of t where for all x ∈ P , U • c ( x ) is defined as U • b ( x ) inDefinition 40 with U b replaced by U c .To implement the reversal of a transition t according to a causal enabling assignment U c ,the selected instances are relocated from the outgoing places of the transition to the incoming110 igure 4.10: Causal-order execution places, as specified by the incoming arcs of the transition, with bonds created and destructedaccordingly. In Figure 4.10 we can observe causal order reversal of transitions t and t where the history of transitions and the memories of token/bond instances are updated asdefined by the definition bellow: Definition 46.
Given a MRPN ( P , T , A , A V , B , F ) , a state (cid:104) M , H (cid:105) , a transition occurrence ( t , k ) that is c − enabled and an enabling assignment U c , we write (cid:104) M , H (cid:105) ( t , k ) (cid:32) c (cid:104) M (cid:48) , H (cid:48) (cid:105) where H is updated as in Definition 41 and for all x ∈ P : M (cid:48) ( x ) = ( M ( x ) − • U c ( x )) ∪ ( (cid:91) ( a i , k , u ) ∈ U • c ( x ) a i ∪ (cid:91) (( a i , k , u ) , ( b i , k , v )) ∈ U • c ( x ) ( a i , b i )) The following proposition states that tokens are preserved throughout backtracking exe-cution such that the amount of tokens of the same type remains the same.
Proposition 18 (Token preservation) . Consider a multi reversing Petri net ( P , T , A , A V , B , F ) ,a state (cid:104) M , H (cid:105) , and a transition (cid:104) M , H (cid:105) ( t , k ) (cid:32) c (cid:104) M (cid:48) , H (cid:48) (cid:105) . Then for all a i ∈ A I ∩ M ( z ) , z ∈ P wehave |{ a j | a j ∈ M ( x ) ∩ A I , x ∈ P , a i ∈ a j | = |{ a (cid:48) j | a (cid:48) j ∈ M (cid:48) ( y ) ∩ A I , y ∈ P , a i ∈ a (cid:48) j }| = . 111 roof. The proof follows along the same lines as that of Proposition 17 with (cid:32) b replacedby (cid:32) c . (cid:3) We may now establish the causal consistency of our semantics. First, we define someauxiliary notions. Given a transition (cid:104) M , H (cid:105) ( t , k ) (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48) (cid:105) , we say that the action of thetransition is ( t , k ) if (cid:104) M , H (cid:105) ( t , k ) −→ (cid:104) M (cid:48) , H (cid:48) (cid:105) and ( t , k ) if (cid:104) M , H (cid:105) ( t , k ) (cid:32) c (cid:104) M (cid:48) , H (cid:48) (cid:105) and we maywrite (cid:104) M , H (cid:105) ( t , k ) (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48) (cid:105) . We use α to range over { ( t , k ) , | t ∈ T } , α to range over { ( t , k ) , | t ∈ T } . Given an execution (cid:104) M , H (cid:105) α (cid:55)−→ c . . . α n (cid:55)−→ c (cid:104) M n , H n (cid:105) , we say that the trace of the execution is σ = (cid:104) α , α , . . . , α n (cid:105) , and write (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M n , H n (cid:105) . Given σ = (cid:104) α , . . . , α k (cid:105) , σ = (cid:104) α k + , . . . , α n (cid:105) , we write σ ; σ for (cid:104) α , . . . , α n (cid:105) . We may also use thenotation σ ; σ when σ or σ is a single transition.As in RPNs, the execution of a MRPN can be partitioned as a set of independent flows ofexecutions running through the net. We capture these flows by the notion of causal paths: Definition 47.
Given a MRPN ( P , T , A , A V , B , F ) , a state (cid:104) M , H (cid:105) and transition occurrences ( t i , k i ) in (cid:104) M , H (cid:105) , ≤ i ≤ n , we say that ( t , k ) , . . . , ( t n , k n ) is a causal path in (cid:104) M , H (cid:105) , if ( t i , k i ) ≺ ( t i + , k i + ) , for all ≤ i < n .Based on this concept, we define the notion of causal equivalence for histories by requir-ing that two histories H and H (cid:48) are causally equivalent if and only if they contain the samecausal paths: Definition 48.
Consider a MRPN ( P , T , A , A V , B , F ) and two executions (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48) (cid:105) and (cid:104) M , H (cid:105) σ (cid:48) (cid:55)−→ c (cid:104) M (cid:48)(cid:48) , H (cid:48)(cid:48) (cid:105) . Then the histories H (cid:48) and H (cid:48)(cid:48) are causally equivalent , denotedby H (cid:48) (cid:16) H (cid:48)(cid:48) , if for each causal path ( t , k ) , . . . , ( t n , k n ) in (cid:104) M (cid:48) , H (cid:48) (cid:105) , there is a causal path ( t , k (cid:48) ) , . . . , ( t n , k (cid:48) n ) in (cid:104) M (cid:48)(cid:48) , H (cid:48)(cid:48) (cid:105) , and vice versa.Now we define causal equivalence of markings as the equivalence where markings con-sist of identical token instances participating in the same transitions that have been assigneddifferent keys. Two equivalent markings can be observed in Figure 4.11, where in the firstexecution we fire t with (( a , ∗ , , ( c , ∗ , first and then with (( a , ∗ , , ( b , ∗ , , and in thesecond execution we fire with (( a , ∗ , , ( b , ∗ , first and then (( a , ∗ , , ( c , ∗ , . This resultsin equivalent markings, i.e. markings consisting of connected components that have tokensof the same type used to fire the same transitions. Definition 49.
Consider a MRPN ( P , T , A , A V , B , F ) and two executions (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48) (cid:105) and (cid:104) M , H (cid:105) σ (cid:48) (cid:55)−→ c (cid:104) M (cid:48)(cid:48) , H (cid:48)(cid:48) (cid:105) . Then the markings M (cid:48) and M (cid:48)(cid:48) are causally equivalent , denotedby M (cid:48) (cid:16) M (cid:48)(cid:48) , if for each a i ∈ M (cid:48) ( x ) where ( a j , k , u ) ∈ a i , k ∈ H (cid:48) ( t ) , u ∈ pre ( t ) , t ∈ T there112 igure 4.11: Equivalent markings exists a (cid:48) i ∈ M (cid:48)(cid:48) ( x ) where ( a (cid:48) j , k (cid:48) , u ) ∈ a (cid:48) i such that k (cid:48) ∈ H (cid:48)(cid:48) ( t ) and vice versa.We extend this notion and write (cid:104) M , H (cid:105) (cid:16) (cid:104) M (cid:48) , H (cid:48) (cid:105) if and only if M (cid:16) M (cid:48) and H (cid:16) H (cid:48) .We may now establish the Loop lemma. Lemma 7 (Loop) . For any forward transition (cid:104) M , H (cid:105) ( t , k ) −→ (cid:104) M (cid:48) , H (cid:48) (cid:105) there exists a backwardtransition (cid:104) M (cid:48) , H (cid:48) (cid:105) ( t , k ) (cid:32) c (cid:104) M , H (cid:105) and for any backward transition (cid:104) M , H (cid:105) ( t , k ) (cid:32) c (cid:104) M (cid:48) , H (cid:48) (cid:105) thereexists a forward transition (cid:104) M (cid:48) , H (cid:48) (cid:105) ( t , k (cid:48) ) −→ (cid:104) M (cid:48)(cid:48) , H (cid:48)(cid:48) (cid:105) where (cid:104) M , H (cid:105) (cid:16) (cid:104) M (cid:48)(cid:48) , H (cid:48)(cid:48) (cid:105) . Proof.
The proof of the first direction follows along the same lines as that of Lemma 6 with (cid:32) b replaced by (cid:32) c . For the other direction, suppose (cid:104) M , H (cid:105) ( t , k ) (cid:32) c (cid:104) M (cid:48) , H (cid:48) (cid:105) ( t , k (cid:48) ) −→ (cid:104) M (cid:48)(cid:48) , H (cid:48)(cid:48) (cid:105) .To begin with, we may observe that, as with Lemma 6, by Definitions 36 and 46, the tokensinvolved in transition t will be transferred to the incoming places of t and then back to theoutgoing places leading to M (cid:16) M (cid:48)(cid:48) . To show that H (cid:16) H (cid:48)(cid:48) , we observe that H = H (cid:48)(cid:48) withthe exception of t , where, if k ∈ H ( t ) , and k (cid:48) = max( { } ∪ { k (cid:48)(cid:48) | ( t (cid:48) , k (cid:48)(cid:48) ) ∈ H (cid:48) ( t (cid:48) ) , t (cid:48) ∈ T } ) + ,then H (cid:48)(cid:48) ( t ) = ( H ( t ) − { k } ) ∪ { k (cid:48) } ) . Furthermore, since t is c -enabled in (cid:104) M , H (cid:105) , ( t , k ) mustbe the last transition occurrence in all the causal paths it occurs in, and we may observe that H (cid:48)(cid:48) contains the same causal paths with ( t , k ) replaced by ( t , k (cid:48) ) . As a result it must be that H (cid:16) H (cid:48)(cid:48) and the result follows. (cid:3) igure 4.12: Non-equivalent transition firings Definition 50.
Consider a MRPN ( P , T , A , A V , B , F ) , two actions α and α , and a state (cid:104) M , H (cid:105) . Then α and α are said to be concurrent in state (cid:104) M , H (cid:105) , if whenever (cid:104) M , H (cid:105) α (cid:55)−→ c (cid:104) M , H (cid:105) and (cid:104) M , H (cid:105) α (cid:55)−→ c (cid:104) M , H (cid:105) then (cid:104) M , H (cid:105) α (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48) (cid:105) and (cid:104) M , H (cid:105) α (cid:55)−→ c (cid:104) M (cid:48)(cid:48) , H (cid:48)(cid:48) (cid:105) , and (cid:104) M (cid:48) , H (cid:48) (cid:105) (cid:16) (cid:104) M (cid:48)(cid:48) , H (cid:48)(cid:48) (cid:105) .As in the original RPNs two actions are concurrent when they can be executed in anyorder while preserving path equivalence. Definition 51.
Consider a MRPN ( P , T , A , A V , B , F ) , and two actions (cid:104) M , H (cid:105) ( t , k ) −→ (cid:104) M (cid:48) , H (cid:48) (cid:105) and (cid:104) M , H (cid:105) ( t , k ) −→ (cid:104) M (cid:48) , H (cid:48) (cid:105) . Then ( t , k ) and ( t , k ) are said to be equivalent if for all ( a i , k , u ) ∈ M (cid:48) ( x ) there exists ( a i , k , u ) ∈ M (cid:48) ( x ) for some u ∈ pre ( t ) .Since a transition can be executed in the forward direction by different token instances,as long as they respect the arc requirements, then it is possible for the same transition tofire using different connected components. As these connected components might consistof different token instances then it is possible to fire the same transition resulting in mark-ings that are not equivalent. Consider the example in Figure 4.12, where firing transition t with bond (( a , ∗ , , ( c , ∗ , will result in a different marking than firing the transition withbond (( a , ∗ , , ( b , ∗ , . Thus, two transition occurrences are said to be equivalent when theyexecute the same transition by manipulating the same token instances. Definition 52.
Consider a multi reversing Petri nets ( P , T , A , A V , B , F ) and two executions (cid:104) M , H (cid:105) σ −→ (cid:104) M (cid:48) , H (cid:48) (cid:105) and (cid:104) M , H (cid:105) σ −→ (cid:104) M (cid:48) , H (cid:48) (cid:105) . Causal equivalence on executions ,is the least equivalence relation closed under composition of traces such that if (i) σ = ( t , k ); ( t , k ) and σ = ( t , k ); ( t , k ) where ( t , k ) and ( t , k ) are concurrent actions instate (cid:104) M , H (cid:105) = (cid:104) M , H (cid:105) , (ii) σ = ( t , k ); ( t , k ) and σ = (cid:15) , and (iii) σ = ( t , k ); ( t , k ) and σ = (cid:15) where ( t , k ) and ( t , k ) are equivalent actions according to states (cid:104) M (cid:48) , H (cid:48) (cid:105) and114 M (cid:48) , H (cid:48) (cid:105) . If the executions (cid:104) M , H (cid:105) σ −→ (cid:104) M (cid:48) , H (cid:48) (cid:105) and (cid:104) M , H (cid:105) σ −→ (cid:104) M (cid:48) , H (cid:48) (cid:105) are causallyequivalent then we say that traces σ and σ are also causally equivalent denoted by σ (cid:16) σ .The first clause states that in two causally-equivalent executions concurrent actions mayoccur in any order and the second clause states that it is possible to ignore transitions thathave occurred in both the forward and the reverse direction. The third clause states that it ispossible to ignore equivalent transitions that have occurred in both the reverse and forwarddirection. Note that unlike ( t , k ); ( t , k ) (cid:16) (cid:15) , we require these transitions to be equivalentas with token multiplicity it is possible to fire again a reversed transition by manipulatingdifferent connected tokens of the same type. These two transitions should be equivalent inorder to be ignored so that they will produce the same marking, as explained for Figure 4.12.The following proposition establishes that two transition instances belonging to distinctcausal paths are in fact concurrent transitions, and thus can be executed in any order. Proposition 19.
Consider a MRPN ( P , T , A , A V , B , F ) and suppose (cid:104) M , H (cid:105) ( t , k ) −→ (cid:104) M , H (cid:105) ( t , k ) −→(cid:104) M , H (cid:105) . If there is no causal path π in (cid:104) M , H (cid:105) with ( t , k ) ∈ π and ( t , k ) ∈ π , then ( t , k ) and ( t , k ) are concurrent transition occurrences in (cid:104) M , H (cid:105) . Proof.
Since there is no causal path containing both ( t , k ) and ( t , k ) in (cid:104) M , H (cid:105) , weconclude that ( t , k ) ⊀ ( t , k ) . This implies that there is no token that has participatedin both transition occurrences and they can be executed in any order, leading to the samemarking. Thus, they are concurrent in (cid:104) M , H (cid:105) . (cid:3) We note that causally-equivalent states canexecute the same transitions.
Proposition 20.
Consider a MRPN ( P , T , A , A V , B , F ) and states (cid:104) M , H (cid:105) (cid:16) (cid:104) M , H (cid:105) . Then (cid:104) M , H (cid:105) ( t , k ) (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48) (cid:105) if and only if (cid:104) M , H (cid:105) ( t , k ) (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48) (cid:105) , where (cid:104) M (cid:48) , H (cid:48) (cid:105) (cid:16) (cid:104) M (cid:48) , H (cid:48) (cid:105) . Proof.
It is easy to see that if a transition ( t , k ) is enabled in (cid:104) M , H (cid:105) it is also enabledin (cid:104) M , H (cid:105) . Specifically, there exists an enabling assignment U for ( t , k ) and U for ( t , k ) such that they manipulate the same components that have been assigned different keys.Therefore if (cid:104) M , H (cid:105) ( t , k ) (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48) (cid:105) then (cid:104) M , H (cid:105) ( t , k ) (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48) (cid:105) where M (cid:48) (cid:16) M (cid:48) , andvice versa. In order to show that H (cid:48) (cid:16) H (cid:48) two cases exist:• Suppose t is a forward transition corresponding to transition occurrences ( t , k ) and ( t , k ) in each state respectively. Suppose that ( t (cid:48) , k (cid:48) ) ≺ ( t , k ) . Then, ∃ a i , ( a (cid:48) , k (cid:48) , u ) ∈ a i ( a , k , v ) ∈ a i , a i ∈ M (cid:48) ( x ) . Since H (cid:16) H this implies that ( t (cid:48) , k (cid:48) ) ≺ ( t , k ) . There-fore, for all causal paths π in (cid:104) M , H (cid:105) , if the last transition occurrence of π causes ( t , k ) then π ; ( t , k ) is a causal path of (cid:104) M (cid:48) , H (cid:48) (cid:105) and, if not, then π is a causal path in (cid:104) M (cid:48) , H (cid:48) (cid:105) . The same holds for causal paths in (cid:104) M , H (cid:48) (cid:105) and ( t , k ) . Consequently, wededuce that H (cid:48) (cid:16) H (cid:48) , as required.• Suppose that t is a reverse transition and consider the causal paths of H (cid:48) and H (cid:48) .Since t is a reverse transition, there exists no transition occurrence in (cid:104) M , H (cid:105) causedby ( t , k ) and no transition occurrence in (cid:104) M , H (cid:105) caused by ( t , k ) . As such, ( t , k ) and ( t , k ) are the last transition occurrences in all paths in (cid:104) M , H (cid:105) and (cid:104) M , H (cid:105) ,respectively, in which they belong. Reversing the transition occurrences results intheir elimination from these causal paths. Therefore, we observe that for each causalpath in (cid:104) M (cid:48) , H (cid:48) (cid:105) there is an equivalent causal path in (cid:104) M (cid:48) , H (cid:48) (cid:105) , and vice versa. Thus H (cid:48) (cid:16) H (cid:48) as required. (cid:3) Note that the above result can be extended to sequences of transitions:
Corollary 7.
Consider a MRPN ( P , T , A , A V , B , F ) and states (cid:104) M , H (cid:105) (cid:16) (cid:104) M , H (cid:105) . Then (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48) (cid:105) if and only if (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48) (cid:105) , where (cid:104) M (cid:48) , H (cid:48) (cid:105) (cid:16) (cid:104) M (cid:48) , H (cid:48) (cid:105) .The main result, Theorem 3 below, states that two computations beginning in the sameinitial state lead to equivalent states if and only if the two computations are causally equiv-alent. Specifically, if two executions from the same state reach causally-equivalent statesby executing transitions σ and σ , then the two executions are causally equivalent and viceversa. This guarantees the consistency of the approach since reversing transitions in causalorder is in a sense equivalent to not executing the transitions in the first place. Reversaldoes not give rise to previously unreachable states, on the contrary, it gives rise to causally-equivalent markings and histories due to the different keys being possibly assigned becauseof the different ordering of transitions. Theorem 3.
Consider executions (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:105) and (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:105) . Then, (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:105) and (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:105) are causally equivalent executions if andonly if (cid:104) M , H (cid:105) (cid:16) (cid:104) M , H (cid:105) .For the proof of Theorem 3 we employ some intermediate results. To begin, the lemmabelow states that causal equivalence allows the permutation of reverse and forward transitionsthat have no causal relations between them. Therefore, computations are allowed to reachfor the maximum freedom of choice going backward and then continue forward. 116 emma 8. Let (cid:104) M , H (cid:105) σ (cid:55)−→ (cid:104) M (cid:48) , H (cid:48) (cid:105) be an execution. Then there exist traces r , r (cid:48) bothforward such that (cid:104) M , H (cid:105) σ (cid:55)−→ (cid:104) M (cid:48) , H (cid:48) (cid:105) and (cid:104) M , H (cid:105) r ; r (cid:48) (cid:55)−→ (cid:104) M (cid:48)(cid:48) , H (cid:48)(cid:48) (cid:105) are causally equivalentexecutions where (cid:104) M (cid:48) , H (cid:48) (cid:105) (cid:16) (cid:104) M (cid:48)(cid:48) , H (cid:48)(cid:48) (cid:105) . Proof.
We prove this by induction on the length of σ and the distance from the beginningof σ to the earliest pair of transitions that contradicts the property r ; r (cid:48) . If there is no suchcontradicting pair, then the property is trivially satisfied. If not, we distinguish the followingcases:1. If the first contradicting pair is of the form ( t , k ); ( t , k ) then we have (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:105) ( t , k ) (cid:55)−→ c (cid:104) M , H (cid:105) ( t , k ) (cid:55)−→ c (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48) (cid:105) where σ = σ ; ( t , k ); ( t , k ); σ .By the Loop Lemma 2 (cid:104) M , H (cid:105) = (cid:104) M , H (cid:105) , which yields (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48) (cid:105) . Thus we may remove the two transitions from the sequence, the length of σ decreases, and the proof follows by induction.2. If the first contradicting pair is of the form ( t , k ); ( t (cid:48) , k (cid:48) ) , then we observe that thespecific occurrences of ( t , k ) and ( t (cid:48) , k (cid:48) ) must be concurrent. Specifically, we have (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:105) ( t , k ) (cid:55)−→ c (cid:104) M , H (cid:105) ( t (cid:48) , k (cid:48) ) (cid:55)−→ c (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48) (cid:105) where σ = σ ; ( t , k ); ( t (cid:48) , k (cid:48) ); σ . Since action ( t (cid:48) , k (cid:48) ) is being reversed it implies that all transitionoccurrences that are causally dependent on it have either not been executed up to thispoint or they have already been reversed. This implies that in (cid:104) M , H (cid:105) it was not thecase that ( t , k ) was causally dependent on ( t (cid:48) , k (cid:48) ) . As such, by Proposition 19 ( t (cid:48) , k (cid:48) ) and ( t , k ) are concurrent transitions and ( t (cid:48) , k (cid:48) ) can be reversed before the executionof t to yield (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:105) ( t (cid:48) , k (cid:48) ) (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48) (cid:105) ( t , k (cid:48)(cid:48) ) (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48) (cid:105) σ (cid:55)−→ c (cid:104) M (cid:48)(cid:48) , H (cid:48)(cid:48) (cid:105) where (cid:104) M , H (cid:105) (cid:16) (cid:104) M (cid:48) , H (cid:48) (cid:105) and ( t , k (cid:48)(cid:48) ) is an equivalent transition to ( t , k ) as in Defini-tion 4.12. Note that it is possible for k (cid:48)(cid:48) = k if ( t (cid:48) , k (cid:48) ) was not last the transition to beexecuted in the forward direction before ( t , k ) , otherwise k (cid:48)(cid:48) (cid:44) k . This results in a laterearliest contradicting pair and by induction the result follows.3. If the first contradicting pair is of the form ( t , k ); ( t , k (cid:48) ) , then we have (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:105) ( t , k ) (cid:55)−→ c (cid:104) M , H (cid:105) ( t , k (cid:48) ) (cid:55)−→ c (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48) (cid:105) , where σ = σ ; ( t , k ); ( t , k (cid:48) ); σ .Then ( t , k ) and ( t , k (cid:48) ) are not the same transition occurrence as transition ( t , k (cid:48) ) reverseswith a different key value than the forward execution ( t , k ) thus they do not cancel eachother out. As ( t , k (cid:48) ) reverses before ( t , k ) this means that ( t , k ) and ( t , k (cid:48) ) must be con-current and by applying similar arguments as those in (2) we observe that the specificoccurrences of ( t , k ) and ( t , k (cid:48) ) can be swapped to yield (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:105) ( t , k (cid:48) ) (cid:55)−→ c M (cid:48) , H (cid:48) (cid:105) ( t , k (cid:48)(cid:48) ) (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48) (cid:105) σ (cid:55)−→ c (cid:104) M (cid:48)(cid:48) , H (cid:48)(cid:48) (cid:105) where (cid:104) M , H (cid:105) (cid:16) (cid:104) M (cid:48) , H (cid:48) (cid:105) and ( t , k (cid:48)(cid:48) ) is anequivalent transition to ( t , k ) as in Definition 4.12. Note that it is possible for k (cid:48)(cid:48) = k if ( t , k (cid:48) ) was not the last transition to be executed in the forward direction before ( t , k ) ,otherwise k (cid:48)(cid:48) (cid:44) k . This results in a later earliest contradicting pair and by inductionthe result follows. (cid:3) From the above lemma we may conclude the following corollary. The result establishesthat causal-order reversibility is consistent with standard forward execution in the sense thatcausal execution will not generate states that are unreachable in forward execution:
Corollary 8.
Suppose that H is the initial history. If (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:105) , and σ is atrace with both forward and backward transitions then there exists a transition (cid:104) M , H (cid:105) σ (cid:48) (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48) (cid:105) where (cid:104) M , H (cid:105) (cid:16) (cid:104) M (cid:48) , H (cid:48) (cid:105) , and σ (cid:48) a trace of forward transitions. Proof.
According to Lemma 8, σ (cid:16) r ; r (cid:48) where both r and r (cid:48) are forward traces. Since,however, H is the initial history it must be that r is empty. This implies that (cid:104) M , H (cid:105) r (cid:48) (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48) (cid:105) , (cid:104) M , H (cid:105) (cid:16) (cid:104) M (cid:48) , H (cid:48) (cid:105) and r (cid:48) is a forward trace. Consequently, writing σ (cid:48) for r (cid:48) , theresult follows. (cid:3) Lemma 9.
Suppose (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:105) and (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:105) , where (cid:104) M , H (cid:105) (cid:16)(cid:104) M , H (cid:105) and σ is a forward trace. Then, there exists a forward trace σ (cid:48) such that (cid:104) M , H (cid:105) σ (cid:48) (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48) (cid:105) and (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:105) are causally equivalent executions. Proof. If σ is forward, then σ = σ (cid:48) and the result follows trivially. Otherwise, we mayprove the lemma by induction on the length of σ . We begin by noting that, by Lemma 8, σ (cid:16) r ; r (cid:48) and (cid:104) M , H (cid:105) r ; r (cid:48) (cid:55)−→ c (cid:104) M , H (cid:105) . Let ( t , k ) be the last action in r . Given that σ isa forward execution that simulates σ , it must be that r (cid:48) contains a forward execution oftransition t manipulating the same tokens since (cid:104) M , H (cid:105) and (cid:104) M , H (cid:105) contain the samecausal paths involving transition t (if not we would have (cid:104) M , H (cid:105) (cid:45) (cid:104) M , H (cid:105) leading to acontradiction). Consider the earliest such occurrence in r (cid:48) to be ( t , k (cid:48) ) an equivalent transitionto ( t , k ) . If ( t , k (cid:48) ) is the first transition in r (cid:48) and as it is equivalent to ( t , k ) the Loop Lemma 2can be applied to remove the pair of opposite transitions and the result follows by induction.Otherwise, suppose (cid:104) M , H (cid:105) r (cid:55)−→ c ( t , k ) (cid:55)−→ c r (cid:48) (cid:55)−→ c (cid:104) M , H (cid:105) ( t ∗ , k ∗ ) (cid:55)−→ c ( t , k (cid:48) ) (cid:55)−→ c (cid:104) M , H (cid:105) r (cid:48) (cid:55)−→ c (cid:104) M , H (cid:105) ,where r = r ; ( t , k ) and r (cid:48) = r (cid:48) ; ( t ∗ , k ∗ ); ( t , k (cid:48) ); r . Two cases exist:1. Suppose ( t ∗ , k ∗ ) ∈ σ . Let us denote by num ( α, σ ) , the number of executions of action α in a sequence of transitions σ where α represents all transition occurrences of tran-118ition t manipulating the same connected components. We observe that since σ con-tains no reverse executions of t , it must be that num ( α, r (cid:48) ) = num ( α, σ ) + num ( α, r ) .Suppose that the transition occurrences of ( t ∗ , k ∗ ) and ( t , k (cid:48) ) as shown in the exe-cution belong to a common causal path. We may extend this path with the suc-ceeding occurrences of α and obtain a causal path such that ( t ∗ , k ∗ ) is succeeded by num ( α, σ ) + num ( α, r ) occurrences of α . We observe that it is impossible to obtainsuch a causal path in (cid:104) M , H (cid:105) , since ( t ∗ , k ∗ ) is followed by fewer occurrences of α in σ . This contradicts the assumption that H (cid:16) H . We conclude that the transitionoccurrences of ( t , k (cid:48) ) and ( t ∗ , k ∗ ) above do not belong to any common causal path and,therefore, by Proposition 19, the two transition occurrences are concurrent in (cid:104) M , H (cid:105) .2. Now suppose that ( t ∗ , k ∗ ) (cid:60) σ . Since k ∗ ∈ H ( t ∗ ) it must be that H ( t ∗ ) (cid:44) ∅ and | H ( t ∗ ) | = | H ( t ∗ ) | = | H ( t ∗ ) | . As such, it must be that ( t ∗ , k (cid:48) ∗ ) ∈ r and that its reversalhas preceded the reversal of ( t , k ) . Let us suppose that the transition occurrences of ( t ∗ , k ∗ ) and ( t , k (cid:48) ) as shown in the execution belong to a common causal path. Thisimplies that a causal path with ( t ∗ , k (cid:48) ∗ ) preceding ( t , k ) also occurs in H as well as in H . If we observe that ( t ∗ , k (cid:48) ∗ ) has reversed before ( t , k ) we conclude that ( t ∗ , k (cid:48) ∗ ) doesnot cause the preceding occurrence of ( t , k ) . As such there is no causal path within (cid:104) M , H (cid:105) or (cid:104) M , H (cid:105) containing both ( t , k ) and ( t ∗ , k ∗ ) , which results in a contradiction.We conclude that the forward occurrences of ( t , k (cid:48) ) and ( t ∗ , k ∗ ) are, by Proposition 19,concurrent in (cid:104) M , H (cid:105) .Given the above, we conclude that we may swap the occurrences of ( t , k (cid:48) ) and ( t ∗ , k ∗ ) to ob-tain (cid:104) M , H (cid:105) r (cid:55)−→ c ( t , k ) (cid:55)−→ c r (cid:48) (cid:55)−→ c (cid:104) M , H (cid:105) ( t , k (cid:48)(cid:48) ) (cid:55)−→ c ( t ∗ , k (cid:48)(cid:48) ∗ ) (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48) (cid:105) r (cid:48) (cid:55)−→ c (cid:104) M (cid:48)(cid:48) , H (cid:48)(cid:48) (cid:105) where (cid:104) M , H (cid:105) (cid:16)(cid:104) M (cid:48) , H (cid:48) (cid:105) and, by Corollary 7, (cid:104) M , H (cid:105) (cid:16) (cid:104) M (cid:48)(cid:48) , H (cid:48)(cid:48) (cid:105) . By repeating the process for the re-maining transition occurrences in r (cid:48) , this implies that we may permute ( t , k (cid:48) ) with transitionsin r (cid:48) to yield the sequence ( t , k ); ( t , k (cid:48) ) . By the Loop Lemma 2 we may remove the pair ofopposite transitions and obtain a shorter equivalent trace, also equivalent to σ and concludeby induction. (cid:3) We may now proceed with the proof of Theorem 3:
Proof of Theorem 3.
Suppose that we have (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:105) , (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:105) with (cid:104) M , H (cid:105) (cid:16) (cid:104) M , H (cid:105) . We prove that (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:105) and (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:105) are causally equivalent executions thus giving σ (cid:16) σ by using a lexicographic inductionon the pair consisting of the sum of the lengths of σ and σ and the depth of the earliest119isagreement between them. By Lemma 8 we may suppose that σ and σ satisfy the property r ; r (cid:48) . Call ( t , k ) and ( t , k ) the earliest actions where they disagree. There are three casesin the argument depending on whether these are forward or backward.1. If ( t , k ) is backward and ( t , k ) is forward, we have σ = r ; ( t , k ); u and σ = r ; ( t , k ); v for some r , u , v . Lemma 9 applies to ( t , k ); v , which is forward, and ( t , k ); u , which contains both forward and backward actions and thus, by the lemma,it has a shorter forward equivalent. Thus, σ has a shorter forward equivalent and theresult follows by induction.2. If ( t , k ) and ( t , k ) are both forward then it must be the case that σ = r ; r (cid:48) ; ( t , k ); u and σ = r ; r (cid:48) ; ( t , k ); v , for some r , u , v . Note that it must be that an equivalenttransition to t appears in v and an equivalent transition to t appears in u . If not, wewould have H (cid:45) H , which contradicts the assumption that H (cid:16) H . As such, wemay write σ = r ; r (cid:48) ; ( t , k ); u ; ( t , k ); u , where u = u ; ( t , k ); u and ( t , k ) is thefirst occurrence of t in u manipulating the same tokens as ( t , k ) . Consider ( t ∗ , k ∗ ) the action immediately preceding ( t , k ) . We may observe that ( t ∗ , k ∗ ) and ( t , k ) cannot belong to a common causal path in (cid:104) M , H (cid:105) , since an equivalent causal path isimpossible to exist in (cid:104) M , H (cid:105) . This is due to the assumption that σ and σ coincideup to transition sequence r ; r (cid:48) . Thus, we may conclude by Proposition 19 that ( t ∗ , k ∗ ) and ( t , k ) are in fact concurrent and can be swapped. The same reasoning may beused for all transitions preceding ( t , k ) up to and including ( t , k ) , which leads to theconclusion that σ (cid:16) r ; r (cid:48) ; ( t , k ); ( t , k ); u ; u . This results in an equivalent executionof the same length with a later earliest divergence with σ and the result follows by theinduction hypothesis.3. If ( t , k ) and ( t , k ) are both backward, we have σ = r ; ( t , k ); u and σ = r ; ( t , k ); v for some r , u , v . Two cases exist:(a) If ( t , k (cid:48) ) occurs in v , then we have that σ = r ; ( t , k ); v ; ( t , k (cid:48) ); v . Giventhat t reverses right after r in σ , we may conclude that there is no transitionoccurrence at this point that causally depends on ( t , k (cid:48) ) . As such it cannot havecaused the transition occurrences of ( t , k ) and v whose reversal precedes it in σ . This implies that the reversal of ( t , k (cid:48) ) may be swapped in σ with each ofthe preceding transitions, to give σ (cid:16) r ; ( t , k (cid:48) ); ( t , k ); v ; v . This results in anequivalent execution of the same length with a later earliest divergence with σ ( t , k (cid:48) ) does not occur in v , this implies that ( t , k (cid:48) ) , an equivalent transitionof ( t , k ) occurs in the forward direction in u , i.e. σ = r ; ( t , k ); u ; ( t , k (cid:48) ); u ,where u = u ; ( t , k (cid:48) ); u with the specific occurrence of ( t , k (cid:48) ) being the firstsuch occurrence in u . Using similar arguments as those in Lemma 9, we concludethat σ (cid:16) r ; ( t , k ); ( t , k (cid:48) ); u ; u (cid:16) r ; u ; u , an equivalent execution of shorterlength for σ and the result follows by the induction hypothesis.We may now prove the opposite direction. Suppose that (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:105) and (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:105) are causally equivalent executions thus σ (cid:16) σ . We will showthat (cid:104) M , H (cid:105) (cid:16) (cid:104) M , H (cid:105) . The proof is by induction on the number of rules, k , appliedto establish the equivalence σ (cid:16) σ . For the base case we have k = , which impliesthat σ = σ and the result trivially follows. For the inductive step, let us assume that (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:105) , (cid:104) M , H (cid:105) σ (cid:55)−→ c (cid:104) M , H (cid:105) , and (cid:104) M , H (cid:105) σ (cid:48) (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48) (cid:105) are causallyequivalent executions thus σ (cid:16) σ (cid:48) (cid:16) σ , where σ can be transformed to σ (cid:48) with theuse of k = n − rules and σ (cid:48) can be transformed to σ with the use of a single rule. Bythe induction hypothesis, we conclude that (cid:104) M , H (cid:105) σ (cid:48) (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48) (cid:105) , where (cid:104) M , H (cid:105) (cid:16)(cid:104) M (cid:48) , H (cid:48) (cid:105) . We need to show that (cid:104) M (cid:48) , H (cid:48) (cid:105) (cid:16) (cid:104) M , H (cid:105) . Let us write σ (cid:48) = u ; w ; v and σ = u ; w (cid:48) ; v , where w , w (cid:48) refer to the parts of the two executions where the equiva-lence rule has been applied. Furthermore, suppose that (cid:104) M , H (cid:105) u (cid:55)−→ c (cid:104) M u , H u (cid:105) w (cid:55)−→ c (cid:104) M w , H w (cid:105) v (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48) (cid:105) and (cid:104) M , H (cid:105) u (cid:55)−→ c (cid:104) M u , H u (cid:105) w (cid:48) (cid:55)−→ c (cid:104) M (cid:48) w , H (cid:48) w (cid:105) v (cid:55)−→ c (cid:104) M , H (cid:105) .Three cases exist:(a) w = ( t , k ); ( t , k ) and w (cid:48) = ( t , k ); ( t , k ) with ( t , k ) and ( t , k ) concurrent(b) w = ( t , k ); ( t , k ) and w (cid:48) = (cid:15) (c) w = ( t , k ); ( t , k (cid:48) ) and w (cid:48) = (cid:15) with ( t , k ) and ( t , k (cid:48) ) equivalent.In all the cases above, we have that (cid:104) M w , H w (cid:105) (cid:16) (cid:104) M (cid:48) w , H (cid:48) w (cid:105) : for (a) this follows bythe definition of concurrent transitions, whereas for (b) and (c) by the Loop Lemma.Given the equivalence of these two states, by Corollary 8, we have that (cid:104) M w , H w (cid:105) v (cid:55)−→ c (cid:104) M (cid:48) , H (cid:48) (cid:105) and (cid:104) M (cid:48) w , H (cid:48) w (cid:105) v (cid:55)−→ c (cid:104) M , H (cid:105) , where (cid:104) M (cid:48) , H (cid:48) (cid:105) (cid:16) (cid:104) M , H (cid:105) , as required. Thiscompletes the proof. (cid:3) .4.4 Out-of-Causal Order In this form of reversibility we allow events to reverse without the need to respect causalityas long as the transition is executed and its effect (creation/destruction of a bond) has notbeen undone.
Definition 53.
Consider a MRPN ( P , T , A , A V , B , F ) , a state (cid:104) M , H (cid:105) , and a transition occur-rence ( t , k ) in (cid:104) M , H (cid:105) . We say that ( t , k ) is o-enabled in (cid:104) M , H (cid:105) if there exists an injectivefunction U o : post ( t ) ∩ A V → A I such that:1. for all u ∈ F ( t , x ) , x ∈ t ◦ ,we have U o ( u ) = a j , ( a i , k , u ) ∈ a j , U o ( u ) ∈ M ( y ) for some y where type ( u ) = type ( U o ( u )) ,2. for all ( u , v ) ∈ F ( t , x ) , x ∈ t ◦ we have ( U o ( u ) , U o ( v )) = ( a j , b j ) , ( a i , k , u ) ∈ a j , ( b i , k , v ) ∈ b j , ( U o ( u ) , U o ( v )) ∈ M ( y ) ,3. for all ( u , v ) ∈ pre ( t ) , ( u , v ) (cid:60) post ( t ) and U o ( u ) = a j , U o ( v ) = b j , ( a (cid:48) i , k (cid:48) , u (cid:48) ) ∈ a j , ( b (cid:48) i , k (cid:48) , v (cid:48) ) ∈ b j then (cid:64) t (cid:48) , k (cid:48) ∈ H ( t (cid:48) ) where k (cid:48) > k such that ( u (cid:48) , v (cid:48) ) ∈ post ( t (cid:48) ) , ( u (cid:48) , v (cid:48) ) (cid:60) pre ( t (cid:48) ) , and4. for all ( u , v ) ∈ post ( t ) , ( u , v ) (cid:60) pre ( t ) and U o ( u ) = a j , U o ( v ) = b j , ( a (cid:48) i , k (cid:48) , u (cid:48) ) ∈ a j , ( b (cid:48) i , k (cid:48) , v (cid:48) ) ∈ b j then (cid:64) t (cid:48) , k (cid:48) ∈ H ( t (cid:48) ) where k (cid:48) > k such that ( u (cid:48) , v (cid:48) ) ∈ pre ( t ) , ( u (cid:48) , v (cid:48) ) (cid:60) post ( t ) .Thus, a transition occurrence ( t , k ) is o-enabled in (cid:104) M , H (cid:105) if (1) and (2) there exists atype-respecting assignment of token instances in the outgoing places of the transition, to thevariables on the outgoing edges of the transition, and where the instances are connected withbonds as required by the transition’s outgoing edges. Finally, (3) and (4) require the effectof the transition, i.e. breaking or creating a bond, not to have been undone by a followingforward transition. We refer to U o as an out-of-causal-order enabling assignment.Summing up, the effect of reversing a transition in out-of-causal order is that all bondscreated by the transition are undone and all bonds broken by the transition are redone. Thismay result in tokens backtracking in the net, in the case where the reversal of a transitioncauses a coalition of bonds to be broken down into a set of subcomponents and movingforward in the net, in the case where the reversal of a transition recreates a coalition into alarger component. In both cases the component should be relocated (if needed) after the lasttransition in which this sub-coalition participated. To capture this we introduce the following:122 efinition 54. Given a MRPN ( P , T , A , A V , B , F ) , an initial marking M , a history H , and aset of bases and bonds C ⊆ A I ∪ B I we write: last T ( C , H ) = ( t , k ) , if ∃ t , ( a j , k , u ) ∈ a i , a i ∈ C , k ∈ H ( t ) , u (cid:44) ∗ and (cid:64) t (cid:48) , ( b j , k (cid:48) , u (cid:48) ) ∈ b i , b i ∈ C , k (cid:48) ∈ H ( t (cid:48) ) , u (cid:48) (cid:44) ∗ , k (cid:48) > k ⊥ , otherwise last P ( C , H ) = x , if ( t , k ) = last T ( C , H ) , { x } = { y ∈ t ◦ | ( a j , k , u ) ∈ a i , a i ∈ C , u ∈ F ( t , y ) } or, if ⊥ = last T ( C , H ) , C ∈ M ( x ) ⊥ , otherwiseThus, if the tokens from component C have been manipulated by some previously-executed transition, then last T ( C , H ) is the last executed such transition. Otherwise, if nosuch transition exists (e.g., because all transitions involving C have been reversed), then last T ( C , H ) is undefined ( ⊥ ). Similarly, last P ( C , H ) is the outgoing place connected to t withcommon tokens with C , if last T ( C , H ) (cid:44) ⊥ assuming that such a place is unique, or the placein the initial marking in which C existed if last T ( C , H ) = ⊥ , and undefined otherwise.The following definition defines all tokens to be removed from a place because their lasttransition has changed and their current place is not the outgoing place of last. Definition 55.
Given a MRPN ( P , T , A , A V , B , F ) , a state (cid:104) M , H (cid:105) , an o-enabled transitionoccurrence ( t , k ) , a history H (cid:48) as in Definition 46, and an enabling assignment U o , we define • U o : P → A I ∪ B I to be a function that assigns to each place a set of incoming token and bondinstances: • U o ( x ) = post • ( t , U o ) ∪ { C a i , x | ∃ a i ∈ M ( x ) , x (cid:44) last P ( C a i , x , H (cid:48) ) } where we use the shorthand C b i , z = con ( b i , ( { con ( c i , M ( z )) | c i ∈ A I , z ∈ P } − post • ( t , U o )) ∪ • pre ( t , U o )) for b i ∈ A I .We now define the outgoing tokens as the tokens that remain or move to these placesbecause it is an outgoing place of their last transition. Definition 56.
Given a MRPN ( P , T , A , A V , B , F ) , a state (cid:104) M , H (cid:105) , an o-enabled transitionoccurrence ( t , k ) , a history H (cid:48) updated as in Definition 46 and an enabling assignment U o we define U • o : P → A I ∪ B I to be a function that assigns to each place a set of outgoingtoken/bond instances: U • o ( x ) = { last A I ( a i , L , k ) |∃ a i ∈ M ( y ) , L = last T ( C a i , y , H (cid:48) ) , x = last P ( C a i , y , H (cid:48) ) } ∪{ ( last A I ( a i , L , k ) , last A I ( b i , L , k )) |∃ ( a i , b i ) ∈ M ( y ) , L = last T ( C a i , y , H (cid:48) ) , x = last P ( C a i , y , H (cid:48) ) } last A I ( a i , L , k ) = ( a m , k m , u m ) ↓ a k , if (cid:64) ( a (cid:48) m , k (cid:48) m , u (cid:48) m ) ∈ a i , k (cid:48) ≥ k (cid:48) m > k m where ( a m , k m , u m ) ∈ a i , L = ( t (cid:48) , k (cid:48) ) and ( a k , k , u ) ∈ ( a m , k m , u m )( a , ∗ , i ) , if ( a , ∗ , i ) ∈ a i , L = ⊥ and we use the shorthand C b i , z = con ( b i , ( { con ( c i , M ( z )) | c i ∈ A I , z ∈ P } − post • ( t , U o )) ∪ • pre ( t , U o )) for b i ∈ A I .The above definition reconstructs connected components by undoing the effect of thetransition and by removing from tokens the memory of the transition along with the memo-ries that where recorded later than their last transition. The definition uses C a i , y to reconstructthe component as a result of breaking or creating bonds during reversal. By last A I ( a i , L , k ) we indicate the updated memory of token a i by removing transition ( t , k ) and all memoriesexecuted later than its last transition L = ( t (cid:48) , k (cid:48) ) . Specifically, ( a m , k m , u m ) is the latest mem-ory taken before and including its last transition L = ( t (cid:48) , k (cid:48) ) . ( a m , k m , u m ) ↓ a k indicates thatthe memory of transition ( t , k ) has been removed from ( a m , k m , u m ) . In the case that thereis no last transition the initial token ( a , ∗ , i ) is returned. In this way we remove the implicitmemories where the transition has not actively participated in. As demonstrated in the ex-ample of Figure 4.13 after the reversal of ( t , the implicit memory of transition ( t , isremoved from the token ((( a , ∗ , , , u ) , , ∗ ) along with the memory of transition ( t , asdefined below: Definition 57.
Given a MRPN ( P , T , A , A V , B , F ) , a state (cid:104) M , H (cid:105) , a transition occurrence ( t , k ) that is o-enabled and an enabling assignment U o , we write (cid:104) M , H (cid:105) ( t , k ) (cid:32) o (cid:104) M (cid:48) , H (cid:48) (cid:105) where H (cid:48) is updated as in Definition 46 and for all x ∈ P : M (cid:48) ( x ) = ( M ( x ) − • U o ( x )) ∪ U • o ( x ) Thus, when a transition t is reversed in an out-of-order fashion all bonds that were createdby the transition are undone and all bonds broken by the transition are reconstructed. If thedestruction of a bond divides a component into smaller connected components then each ofthese components should again be relocated (if needed) back to the place where the complexwould have existed if transition t never took place, i.e., exactly after the last transition thatinvolves tokens from the sub-complex. Otherwise when a recreation of a bond creates alarger connected component then this component should be relocated (if needed) to the placewhere the complex would have existed if transition t , never took place, i.e., exactly after the124 igure 4.13: Updating the memories of tokens in out-of-causal-order reversibility last transition that involves tokens from the bigger complex. Token memories are updatedby removing the memory of the reversed transition ( t , k ) and removing all implicit memoriesof transitions executed later than their last transition. Also the history is update as defined inDefinition 46.From the example in Figure 4.14 we observe that after the execution of transitions t and t , the component a − b − c has been broken to three parts a , b , and c located in different places.The reversal of t recreates the bond between a − b and since b last participated in t then a − b is moved to the outgoing place of t as it would have happened if we had skipped theexecution of t . However when t and t are reversed then our system resets and there areno transitions holding the tokens further down the execution of the RPN and therefore the125 igure 4.14: Out-of-causal order execution component a − b − c returns to its initial place. Note that the history and the token instancesare updated accordingly.The following results describe how tokens and bonds are manipulated during out-of-causal-order reversibility, where we write (cid:55)−→ o for −→ ∪ (cid:32) o . Proposition 21.
Suppose (cid:104) M , H (cid:105) ( t , k ) (cid:55)−→ o (cid:104) M (cid:48) , H (cid:48) (cid:105) and let a i , a (cid:48) i ∈ A I where a i ∈ M ( x ) and a (cid:48) i ∈ M (cid:48) ( y ) . If ( t , k ) is a forward occurrence with U f then C = con ( a i , ( { con ( b i , M ( z )) | b i ∈ A I , z ∈ P } − • pre ( t , U f )) ∪ post • ( t , U f )) and C (cid:48) = con ( a (cid:48) i , M (cid:48) ( y )) such that for all a i ∈ C and a (cid:48) i ∈ C (cid:48) , a i ∈ a (cid:48) i and if ( t , k ) is a reverse transition with U o then C (cid:48) = con ( a (cid:48) i , M (cid:48) ( y )) and C = con ( a i , ( { con ( b i , M ( z )) | b i ∈ A I , z ∈ P } ) − post • ( t , U o )) ∪ • pre ( t , U o )) such that for all a i ∈ C and a (cid:48) i ∈ C (cid:48) , a (cid:48) i ∈ a i . Proof.
The proof is straightforward by the definition of the firing rules. (cid:3)
Proposition 22.
Given a MRPN ( P , T , A , A V , B , F ) , an initial state (cid:104) M , H (cid:105) , and an execu-tion (cid:104) M , H (cid:105) ( t , k ) (cid:55)−→ o (cid:104) M , H (cid:105) ( t , k ) (cid:55)−→ o . . . ( t n , k n ) (cid:55)−→ o (cid:104) M n , H n (cid:105) the following hold for all ≤ i ≤ n where a i ∈ A I ∩ M ( z ) , z ∈ P , |{ a i | a i ∈ M i ( x ) ∩ A I , x ∈ P , a ∈ a i }| = |{ a i + | a i + ∈ M i + ( y ) ∩ A I , y ∈ P , a ∈ a i + }| = , and a i ∈ M i ( x ) where x = last P ( con ( a i , M i ( x )) , H i ) . Proof.
Consider a MRPN ( P , T , A , A V , B , F ) , an initial state (cid:104) M , H (cid:105) , and an execution (cid:104) M , H (cid:105) ( t , k ) (cid:55)−→ o (cid:104) M , H (cid:105) ( t , k ) (cid:55)−→ o . . . t n , k n (cid:55)−→ o (cid:104) M n , H n (cid:105) . The proof is by induction on n . 126 ase Case. For n = , by our assumption of token uniqueness and the definitions of last P and last T the claim follows trivially. Induction Step.
Suppose the claim holds for all but the last transition and consider transi-tion ( t n , k n ) . Two cases exist, depending on whether t n is a forward or a reverse transition:• Suppose that ( t n , k n ) is a forward transition. Then by Proposition 16, for all a ∈ A I ∩ M ( z ) , z ∈ P , |{ a n | a n ∈ M n ( x ) ∩ A I , x ∈ P , a o ∈ a n }| = . Additionally, we may seethat if a n ∈ M n ( x ) two cases exists. If a n − ∈ con ( b n − , M n − ( y )) , for some b n − where U f ( v ) = b n − , v ∈ F ( t n , z ) then x = z = last P ( con ( a n − , M n − ( x )) , H n ) and a n − ∈ a n then last P ( con ( a n , M n ( x )) , H n ) = x = z . Otherwise, it must be that a n − ∈ M n − ( x ) where, by the induction hypothesis, x = last P ( con ( a n − , M n − ( x )) , H n − ) . Since a n − (cid:60) con ( b n − , M n − ( y )) we may deduce that con ( a n − , M n − ( x )) = con ( a n , M n ( x )) , leadingto x = last P ( con ( a n , M n ( x )) , H n ) = last P ( con ( a n − , M n − ( x )) , H n ) . Thus, the resultfollows.• Suppose that ( t n , k n ) is a reverse transition. Consider a n − ∈ A I with a n − ∈ M n − ( x ) for some x ∈ P . Two cases exist: – Suppose C = con ( a n − , ( { con ( b n − , M ( z )) | b n − ∈ A I , z ∈ P } − post • ( t , U o )) ∪ • pre ( t , U o )) where last T ( C , H n ) = ⊥ . Then, it must be that for C (cid:48) = con ( a n , M n ( y )) where a n ∈ a n − by Proposition 21 where C (cid:48) ⊆ M ( y ) . Suppose that this is not thecase. By the induction hypothesis, there exists some t i in the execution such that ∃ β i ∈ C (cid:48) and β i (cid:60) M ( y ) , if β i is produced by t i , or ∃ β i ∈ M ( y ) and β i (cid:60) C (cid:48) ,if β i is destructed by t i . This however implies that t i is a transition that hasmanipulated the connected component C , which contradicts our assumption of last T ( C , H n ) = ⊥ . Therefore, a n ∈ M n ( y ) , where a n ∈ M ( y ) and by Proposi-tion 21 a n − ∈ a n which gives y = last P ( C (cid:48) , H n ) and the result follows. – Suppose C = con ( a n − , ( { con ( b n − , M ( z )) | b n − ∈ A I , z ∈ P } − post • ( t , U o )) ∪ • pre ( t , U o )) where last T ( C , H n ) = ( t k , k ) . Then, it must be that there exists aunique y ∈ t k ◦ such that c n − ∈ C where ( c k , k , v ) ∈ c n − , v ∈ F ( t k , z ) . Supposethat this is not the case. Then for C (cid:48) = con ( a n , M n ( x )) there must exist some β n = ( a n , c n ) ∈ C (cid:48) with ( a k , k , u ) ∈ a n , u ∈ F ( t k , y ) , v ∈ F ( t k , y ) , and y (cid:44) y . By the induction hypothesis, there exists some t i in the execution such that ( a i , k i , u i ) ∈ a n and ( c i , k i , v i ) ∈ c n , where ( u i , v i ) ∈ F ( t i , y i ) and k i > k which wasnot reversed. This however implies that t i is a transition that has manipulated the127onnected component C later than ( t k , k ) , which contradicts our assumption of last T ( C , H n ) = t k . Therefore, there exists a unique y ∈ t k ◦ such that a n ∈ M n ( y ) .Furthermore, by Proposition 21 a n ∈ a n − which gives y = last P ( C (cid:48) , H n ) and theresult follows. (cid:3) Lemma 10 (Loop) . For any forward transition (cid:104) M , H (cid:105) ( t , k ) −→ (cid:104) M (cid:48) , H (cid:48) (cid:105) there exists a reversetransition (cid:104) M (cid:48) , H (cid:48) (cid:105) ( t , k ) (cid:32) o (cid:104) M , H (cid:105) . Proof.
Suppose (cid:104) M , H (cid:105) ( t , k ) −→ (cid:104) M (cid:48) , H (cid:48) (cid:105) . Then t is clearly o -enabled in H (cid:48) . Furthermore, (cid:104) M (cid:48) , H (cid:48) (cid:105) ( t , k ) (cid:32) o (cid:104) M (cid:48)(cid:48) , H (cid:48)(cid:48) (cid:105) where H (cid:48)(cid:48) = H by the definition of (cid:32) o . In addition, for all a i ∈ A I ,we distinguish two cases. If for some a i ∈ M ( x ) , (cid:64) ( a i , k , u ) = a (cid:48) i , a (cid:48) i ∈ M (cid:48) ( y ) , then we maysee that a i ∈ M (cid:48) ( y ) and a i ∈ M (cid:48)(cid:48) ( y ) , and the result follows. Otherwise, if ∃ ( a i , k , u ) = a (cid:48) i then a (cid:48) i ∈ M (cid:48) ( z ) where u ∈ F ( t , z ) . Furthermore suppose a (cid:48)(cid:48) i ∈ M (cid:48)(cid:48) ( w ) . By proposition 21 for C = con ( a i , { con ( b i , M ( z )) | b i ∈ A I , z ∈ P } − • pre ( t , U f ) ∪ post • ( t , U f )) and C (cid:48) = con ( a (cid:48) i , M (cid:48) ( y )) we have a i ∈ a (cid:48) i and for C (cid:48) = con ( a (cid:48) i , { con ( b (cid:48) i , M (cid:48) ( z )) | b (cid:48) i ∈ A I , z ∈ P }− post • ( t , U o ) ∪ • pre ( t , U o )) and C (cid:48)(cid:48) = con ( a (cid:48)(cid:48) i , M (cid:48)(cid:48) ( w )) we have a (cid:48)(cid:48) i ∈ a (cid:48) i . Since H = H (cid:48)(cid:48) we have w = last P ( C (cid:48)(cid:48) , H (cid:48)(cid:48) )) = last P ( C , H )) = y and the result follows. (cid:3) As in the original RPN model, the opposite direction of the lemma does not hold. Thefollowing result establishes that the placement of a connected component is uniquely deter-mined by the last transition to have manipulated it.
Proposition 23.
Consider executions (cid:104) M , H (cid:105) σ (cid:55)−→ o (cid:104) M , H (cid:105) and (cid:104) M , H (cid:105) σ (cid:55)−→ o (cid:104) M , H (cid:105) ,and a token a i ∈ A I , a i ∈ M ( x ) ∩ M ( y ) for some x , y ∈ P . Then, last T ( con ( a i , M ( x )) , H ) = last T ( con ( a i , M ( y )) , H ) implies x = y . Proof.
Consider executions (cid:104) M , H (cid:105) σ (cid:55)−→ o (cid:104) M , H (cid:105) , (cid:104) M , H (cid:105) σ (cid:55)−→ o (cid:104) M , H (cid:105) and a to-ken a i as specified by the lemma. Further, let us assume that last T ( con ( a i , M ( x )) , H ) = last T ( con ( a i , M ( y )) , H ) . Two cases exist:• last T ( con ( a i , M ( x )) , H ) = last T ( con ( a i , M ( y )) , H ) = ⊥ . This implies that no tran-sition has manipulated any of the tokens and bonds in the two connected components.As such, by Proposition 22, con ( a i , M ( x )) ⊆ M ( x ) and con ( a i , M ( y )) ⊆ M ( y ) , andwe conclude that x = y as required.• last T ( con ( a i , M ( x )) , H ) = last T ( con ( a i , M ( y )) , H ) = ( t , k ) . This implies that thereexists b i ∈ con ( a i , M ( x )) ∩ con ( a i , M ( y )) such that b i = ( b j , k , u ) , u ∈ post ( t ) . By128roposition 22, x = last P ( con ( b i , M ( x )) , H ) , y = last P ( con ( b i , M ( y )) , H ) . Sincewe have that last T ( con ( a i , M ( x )) , H ) = last T ( con ( a i , M ( y )) , H ) we conclude that last P ( con ( b i , M ( x )) , H ) = last P ( con ( b i , M ( y )) , H ) , thus, x = y as required. (cid:3) As in the original RPN model we confirm the relationship between the enabledness con-ditions for each of backtracking, causal-order, and out-of-causal-order reversibility.
Proposition 24.
Consider a state (cid:104) M , H (cid:105) , and a transition occurrence ( t , k ) . Then, if ( t , k ) is bt -enabled in (cid:104) M , H (cid:105) it is also c -enabled. Furthermore, if ( t , k ) is c -enabled in (cid:104) M , H (cid:105) thenit is also o -enabled. Proof.
The proof is immediate by the respective definitions. (cid:3)
The following result establishing that during causal-order reversibility a component is re-turned to the place following the last transition that has manipulated it or, if no such transitionexists, in the place where it occurred in the initial marking.
Proposition 25.
Given a multi reversing Petri net ( P , T , A , A V , B , F ) , an initial state (cid:104) M , H (cid:105) ,and an execution (cid:104) M , H (cid:105) ( t , k ) (cid:55)−→ c (cid:104) M , H (cid:105) ( t , k ) (cid:55)−→ c . . . ( t n , k n ) (cid:55)−→ c (cid:104) M n , H n (cid:105) . Then for all a i ∈ A I , a i ∈ M n ( x ) where x = last P ( con ( a i , M n ( x )) , H n ) . Proof.
The proof is by induction on n and it follows along similar lines to the proof ofProposition 22. (cid:3) We may now verify that the causal-order and out-of-causal-order reversibility have thesame effect in MRPNs when reversing a c -enabled transition. Proposition 26.
Consider a state (cid:104) M , H (cid:105) and a transition occurrence ( t , k ) c -enabled in (cid:104) M , H (cid:105) . Then, (cid:104) M , H (cid:105) ( t , k ) (cid:32) c (cid:104) M (cid:48) , H (cid:48) (cid:105) if and only if (cid:104) M , H (cid:105) ( t , k ) (cid:32) o (cid:104) M (cid:48) , H (cid:48) (cid:105) . Proof.
Let us suppose that ( t , k ) is c -enabled and (cid:104) M , H (cid:105) ( t , k ) (cid:32) c (cid:104) M , H (cid:105) . By Proposition 24, ( t , k ) is also o -enabled. Suppose (cid:104) M , H (cid:105) ( t , k ) (cid:32) o (cid:104) M , H (cid:105) . It is easy to see that in fact H = H (the two histories are as H with the exception that H ( t ) = H ( t ) = H ( t ) − { k } ).To show that M = M first we observe that for all a i ∈ A I , by Proposition 25 we have a i ∈ M ( x ) where x = last P ( con ( a i , M ( x )) , H ) and by Proposition 22 we have a i ∈ M ( y ) where y = last P ( con ( a i , M ( y )) , H ) . We may also see that con ( a i , M ( x )) = con ( a i , M ( y )) .Since in addition we have H = H the result follows. (cid:3) An equivalent result can be obtained for backtracking. 129 roposition 27.
Consider a state (cid:104) M , H (cid:105) , and a transition occurrence ( t , k ) , bt -enabled in (cid:104) M , H (cid:105) . Then, (cid:104) M , H (cid:105) ( t , k ) (cid:32) b (cid:104) M (cid:48) , H (cid:48) (cid:105) if and only if (cid:104) M , H (cid:105) ( t , k ) (cid:32) o (cid:104) M (cid:48) , H (cid:48) (cid:105) . Proof.
Consider a state (cid:104) M , H (cid:105) and suppose that transition occurrence ( t , k ) is bt -enabledand (cid:104) M , H (cid:105) ( t , k ) (cid:32) b (cid:104) M (cid:48) , H (cid:48) (cid:105) . Then, by Proposition 24, there exists k ∈ H ( t ) , such that for all t (cid:48) ∈ T , k (cid:48) ∈ H ( t (cid:48) ) , it holds that k ≥ k (cid:48) . This implies that ( t , k ) is also c -enabled, and bythe definition of (cid:32) c , we conclude that (cid:104) M , H (cid:105) ( t , k ) (cid:32) c (cid:104) M (cid:48) , H (cid:48) (cid:105) . Furthermore, by Proposition 26 (cid:104) M , H (cid:105) ( t , k ) (cid:32) o (cid:104) M (cid:48) , H (cid:48) (cid:105) , and the result follows. (cid:3) As in RPNS we obtain the following corollary confirming the "universality" of (cid:32) o . Corollary 9. (cid:32) b ⊂ (cid:32) c ⊂ (cid:32) o . The individual token interpretation can be used to model systems that require an associationbetween the modelled system and its processes. Specifically, in [138], the classical notionof a process is given as a run of the modelled system, obtained by choosing one of the alter-natives in case of a conflict. As such, the individual token interpretation is able to representsuch processes as token memories. These memories record all occurrences of the transitionsand places visited during a run, together with the causal dependencies between them, whichare given by the flow relation of the net. Causal semantics of the system are thus obtainedby associating with tokens the processes running in a net. According to the individual tokeninterpretation, causal dependencies are a central aspect in the dynamic evolution of a net. Inthis case, the actual order of execution of concurrent transitions in the net is invisible whenreversing, but all the causal dependencies are preserved.Let us consider the multicasting system of transaction processing in Figure 4.15. Inthis example we demonstrate a multi reversing Petri net that corresponds to the examplein Figure 3.19 of the original RPN model. An agent can simultaneously execute multipletransactions in the same system, thus, several processes are running in parallel. In case onetransaction fails whereas the rest of the transactions have been successfully completed, thesystem should be able to correspond transaction initialisations to failed transactions so thatonly failed initialisations can be reversed. This can be done by associating each transactiontoken with its process indicating which transitions the token has traversed and whether oneof these transitions represents failure. In this way the individual token interpretation canbe used to coordinate and synchronize a system consisting of multiple transactions in case130 igure 4.15: Transaction processing with multitokens out-of-causal reversal is necessary due to failures. Multi reversing Petri nets rely on thememories of tokens as a mechanism which is used to express their behaviours.Specifically, in this example we have two transaction tokens of type a , ( a , ∗ , and ( a , ∗ , , which can participate in the same transitions. We randomly select one of the twotransaction tokens, token ( a , ∗ , , to be involved in a sequence of failed transitions, whereastoken ( a , ∗ , will be executed successfully. As we have a failed transaction in the modelwe should reverse in out-of-causal order transition a to be able to proceed with the compen-sation transition c . In this example the approach of individual token interpretation plays animportant role as it is essential to reverse the occurrence of transition a that is associated withthe failed transaction rather than the transaction that has been completed successfully. Thus,by observing the memory of the tokens we are able to identify that the failed transaction131orresponds to transition occurrence ( a , and we may proceed by reversing ( a , in orderto release the failed transaction token. In this section we present two translations from reversing Petri nets to Labelled TransitionSystems (LTS), one from RPNs with single tokens and one from RPNs with multi tokens.This serves to establish the equivalence between the two models by showing that for ev-ery MRPN there is a SRPN which is equivalent in terms of the underlining LTS. LabelledTransition Systems (LTS) are defined as follows:
Definition 58.
A labelled transition system is a tuple ( Q , E , → , I ) where:• Q is a countable set of states,• E is a countable set of actions,• →⊆ Q × E × Q is the step transition relation, and• I ∈ Q is the initial state.Henceforth, we write p u −→ q for ( p , u , q ) ∈→ .Here p u −→ q means that the represented system can transition from state p to state q byperforming action u .When used for comparing systems, LTSs are considered modulo a suitable semanticequivalence. For our purposes, we employ the following notion of isomorphism of reachableparts, (cid:27) R : Definition 59.
Two LTSs A = ( Q A , E A , → , I A ) and B = ( Q B , E B , → , I B ) are isomorphic,written A (cid:27) B , if they differ only in the names of their states and events, i.e. if there arebijections β : Q A → Q B and η : E A → E B such that β ( I A ) = I B , and, for p , q ∈ Q A , u ∈ E A : β ( p ) η ( u ) −→ B β ( q ) iff p u −→ A q .The set R ( Q ) of reachable states in A = ( Q , E , → , I ) is the smallest set such that I isreachable and whenever p is reachable and p u −→ q then q is reachable. We write A (cid:27) R B if R ( A ) and R ( B ) are isomorphic. To check A (cid:27) R B it suffices to restrict to subsets of Q A and Q B that contain all reachable states, and construct an isomorphism between the resultingLTSs. 132e now give the translation from reversing Petri nets with multi and single tokens intolabelled transition systems. In what follows we write (cid:55)−→ s for −→ ∪ (cid:32) where (cid:32) could beany of (cid:32) b , (cid:32) c , and (cid:32) o with single tokens and (cid:55)−→ m the equivalent for mutli tokens. Definition 60.
Let N = ( P , T , A , A v , B , F ) be a net with multi tokens and initial marking M and N (cid:48) = ( A (cid:48) , P , B (cid:48) , T (cid:48) , F (cid:48) ) be a net with single tokens and initial marking M (cid:48) . Then H m ( N , M ) = (2 A I ∪ B I , ( T × N ) , (cid:55)−→ m , M ) is the LTS associated with N under the multitoken interpretation, and H s ( N (cid:48) , M (cid:48) ) = (2 A (cid:48) ∪ B (cid:48) P , T (cid:48) , (cid:55)−→ s , M (cid:48) ) is the LTS associated with N (cid:48) under the single token interpretation.The following theorem says that reversing Petri nets under the single token interpretationare at least as expressive as reversing Petri nets under the multi token interpretation, in thesense that any LTS that can be denoted by a net under the latter interpretation can also be adenoted by a net under the former interpretation. Theorem 4.
For every multi reversing Petri net N = ( P , T , A , A v , B , F ) with initial markings M there is a single reversing Petri net N (cid:48) = ( A (cid:48) , P , B (cid:48) , T (cid:48) , F (cid:48) ) with initial marking M (cid:48) suchthat H s ( N (cid:48) , M (cid:48) ) (cid:27) R H m ( N , M ) . Proof.
Let N = ( P , T , A , A v , B , F ) be a MRPN with initial marking M . We construct aSRPN as N (cid:48) = ( A (cid:48) , P , B (cid:48) , T (cid:48) , F (cid:48) ) with initial marking M (cid:48) as follows:• A (cid:48) = { a i | ( a , ∗ , i ) ∈ A I ∩ M ( x ) , x ∈ P } • B (cid:48) = { ( a i , b i ) | ( a , ∗ , i ) , ( b , ∗ , i ) ∈ A I ∩ M ( x ) , x ∈ P } • T (cid:48) = { t s | s ∈ S , S = { ( a , ..., a n ) ∈ ( A (cid:48) ) n | type ( a i ) = type ( v i ) , ( v , ..., v n ) = pre ( t m ) ∩ A V , t m ∈ T }} • F (cid:48) ( x , y ) = a i , if x ∈ P , y ∈ T (cid:48) , t m ∈ T , v ∈ F ( x , t m ) ∩ A V , type ( v ) = type ( a i ) , a i ∈ A (cid:48) a i , if x ∈ T (cid:48) , y ∈ P , t m ∈ T , v ∈ F ( t m , y ) ∩ A V , type ( v ) = type ( a i ) , a i ∈ A (cid:48) ( a i , b i ) , if x ∈ P , y ∈ T (cid:48) , t m ∈ T , ( u , v ) ∈ F ( x , t m ) , u , v ∈ A V , type ( u ) = type ( a i ) , type ( v ) = type ( b i ) , a i , b i ∈ A (cid:48) ( a i , b i ) , if x ∈ T (cid:48) , y ∈ P , t m ∈ T , ( u , v ) ∈ F ( t m , y ) , u , v ∈ A V , type ( u ) = type ( a i ) , type ( v ) = type ( b i ) , a i , b i ∈ A (cid:48) • M (cid:48) ( x ) = a i , if ( a , ∗ , i ) ∈ M ( x ) ∩ A I , x ∈ P ∅ , otherwise 133e denote M s ∈ A (cid:48) ∪ B (cid:48) and M m ∈ A I ∪ B I for any possible marking in each respective RPNtype, and t s ∈ T (cid:48) , t m ∈ T for transitions. For H s ( N (cid:48) , M (cid:48) ) (cid:27) R H m ( N , M ) to hold it mustbe that β ( M m ) = M s and η ( t m , k m ) = t s . We define β ( M m ) = M s for all x ∈ P if thereexists a i , b i ∈ A I ∩ M m ( x ) and ( a i , b i ) ∈ B I ∩ M m ( x ) then there exists a , b ∈ A (cid:48) ∩ M s ( x ) and ( a , b ) ∈ B (cid:48) ∩ M s ( x ) such that type ( a i ) = type ( a ) and type ( b i ) = type ( b ) . We also define η ( t m , k m ) = t s if for all v ∈ A V where v ∈ F ( x , t m ) ∩ F ( t m , y ) for some x ∈ ◦ t m , y ∈ t m ◦ thenthere exists a ∈ A (cid:48) where a ∈ F (cid:48) ( x , t s ) ∩ F (cid:48) ( t s , y ) such that type ( v ) = type ( a ) . Similarly forbonds, if ( u , v ) ∈ F ( x , t m ) for some x ∈ ◦ t m then there exists ( a , b ) ∈ B (cid:48) where ( a , b ) ∈ F (cid:48) ( x , t s ) such that type ( u ) = type ( a ) and type ( v ) = type ( b ) (respectively for F ( t m , y ) ).Now for the mapping of transition firings from N (cid:48) to N we have two cases depending onthe form of execution:• (cid:104) M m , H m (cid:105) ( t m , k m ) −→ (cid:104) M (cid:48) m , H (cid:48) m (cid:105) and (cid:104) M s , H s (cid:105) t s −→ (cid:104) M (cid:48) s , H (cid:48) s (cid:105) are both forward executions.During forward execution in both models tokens along with their connected compo-nents are transferred from the incoming to the outgoing places breaking or creatingbonds according to the specifications on the incoming and outgoing arcs. Let us as-sume that β ( M m ) = M s . For β ( M (cid:48) m ) = M (cid:48) s to hold by the respective definitions of −→ of each RPN model it must be that η ( t m , k m ) = t s . The bijections β and η constitutean isomorphism between the reachable parts of H s ( N (cid:48) , M (cid:48) ) and H m ( N , M ) , and theresult follows.• (cid:104) M m , H m (cid:105) ( t m , k m ) (cid:32) (cid:104) M (cid:48) m , H (cid:48) m (cid:105) and (cid:104) M s , H s (cid:105) t s (cid:32) (cid:104) M (cid:48) s , H (cid:48) s (cid:105) are both reverse executionswhere (cid:32) represents either (cid:32) b , (cid:32) c , or (cid:32) o . In all three cases the transition is reversedby undoing the effect of the transition, i.e. breaking or creating a bond, and transfer-ring the resulting components in the incoming places of the transition, for backtrackingand causal order, or to the outgoing place of the last participating transition in out-of-causal order reversibility. We make again the same arguments as in forward executionand by assuming that β ( M m ) = M s we show that β ( M (cid:48) m ) = M (cid:48) s holds by the respectivedefinitions of (cid:32) b , (cid:32) c , (cid:32) o only if η ( t m , k m ) = t s . Again the bijections β and η consti-tute an isomorphism between the reachable parts of H s ( N (cid:48) , M (cid:48) ) and H m ( N , M ) , andthe result follows. (cid:3) Theorem 5.
For every single reversing Petri net N = ( A , P , B , T , F ) with initial marking M there is a multi reversing Petri net N (cid:48) = ( P (cid:48) , T (cid:48) , A (cid:48) , A v , B (cid:48) , F (cid:48) ) with initial marking M (cid:48) suchthat H m ( N (cid:48) , M (cid:48) ) (cid:27) R H s ( N , M ) . 134 a) Reversing Petri net with multi to-kens (b) Reversing Petri net with single to-kens Figure 4.16: Equivalent RPNs with multi and single tokens
Proof.
The proof follows trivially as SRPNs are a special instance of MRPNs with singletokens. (cid:3)
In Figure 4.16 we present a MRPN N and its respective SRPN N (cid:48) . From N we areable to obtain the SRPN N (cid:48) by constructing the unique tokens a , a , b and b each ofthem representing one of the tokens ( a , ∗ , , ( a , ∗ , , ( b , ∗ , , and ( b , ∗ , respectively. Theplaces are the same in both RPN models. The amount of transitions constructed for theSRPN is dependent on the type of variables required for each MRPN transition and theamount of tokens representing that type. Specifically for each token of type a associatedwith the variable v , type ( v ) = a a respective transition is constructed in the SRPN. Thus, inthis example two tokens of type a represent the token variable u and two tokens of type b represent the token variable v . As both variables u and v are required for the transition to firefour combinations of tokens of type a and b exist resulting in four different transitions. Onthat note, the arcs between the places and the constructed transitions follow the token/bondvariable specifications in the MRPN expressed by the combinations of tokens in the SRPN.Let the LTSs in Figure 4.17 capture the complete state space of the respective RPNs inFigure 4.16. The equivalence of N and N (cid:48) manifests itself as an isomorphism of reach-able parts of the associated LTSs. Letters like t and t stand for different events labelled t . In fact the first step of H s ( N (cid:48) , M (cid:48) ) is ( M (cid:48) , t , M s ) where the first step of H m ( N , M ) is ( M , ( t , k ) , M m ) . As we can see β ( M ) = M (cid:48) since type ( a ) = type (( a , ∗ , , type ( a ) = type (( a , ∗ , , type ( b ) = type (( b , ∗ , , and type ( b ) = type (( b , ∗ , . The same can beobserved for all reachable markings in both RPNs. We also know that η ( t , k ) = t since type ( u ) = type ( a ) and type ( v ) = type ( b ) . The same equivalence applies between t and the135 a) LTS for reversing Petrinet with multi tokens (b) LTS for reversing Petri net withsingle tokens Figure 4.17: Labelled transition systems for the reversing Petri nets in Figure 4.16 rest of the transitions in the SRPN. Therefore, H s ( N (cid:48) , M (cid:48) ) (cid:27) R H m ( N , M ) . In this section we describe a new form of reversibility based on the collective token interpre-tation philosophy according to which tokens of the same type are not distinguished. We notethat this philosophy is maintained by various application domains e.g. recourse aware sys-tems or systems from biology. This approach is implemented as another firing rule for multireversing Petri nets. Unlike forms of reversing under the individual token interpretation thisapproach focuses on the local nature of reversing Petri nets and introduces a new approachon reversing systems where the interest is on the location of tokens rather than the relationsbetween transitions.To better understand the purpose of the collective token interpretation consider the ex-ample in Figure 4.18, originally presented in [137]. This example illustrates the situationwhere two students want to buy a present for their teacher. In places S and S we are ableto find their coins, indicated by tokens C , C . The actions t and t indicate the contributionof the coins where action t indicates the act of buying the present that only costs one coin.After the contributions are made and the present has been bought one coin remains in place S , that needs to be returned. Based on the collective token interpretation this coin can bereturned to any of the students since the purchase has been caused by the contribution of both136 igure 4.18: Students buying present for their teacher of them. Whereas in the individual token interpretation we only have one option when goingbackwards that is predefined during forward execution. Reversal can therefore be identifiedby keeping track of the student whose coin has been used for the purchase.In this case the collective token philosophy is a fairer description, in which the buying ofthe present is caused by a disjunction of the two contributions, whereas the individual phi-losophy suggests that the present is bought from the contribution of either one student or theother. Thus, we relax the requirement of backward determinism of reversible computationand propose a variation where we can reverse any of the transitions where students contributetheir coins and return the coin to a randomly selected student. Therefore, the collective tokenphilosophy gives rise to more subtle causal relationships between transitions that cannot beexpressed by partial order. This relation where a transition could be causally dependent oneither of two transitions is called disjunctive causality. In this case the system admits onlyone execution where the disjunctive causality is realised as t ∨ t causing t . Whereas in theindividual token interpretation causality is given as a partial order and we have two separateexecutions, one where t causes t and another execution where t causes t .Under the collective token interpretation, two transitions are considered to be causallyindependent when the preconditions for the execution of one do not change by the executionof the other. To understand the effect of this let us consider another example in Figure 4.19which describes the process of creating two water molecules. In this example, transitions t igure 4.19: Chemical reaction for the creation of water molecules and t create a water molecule H − O − H . Both t and t are enabled in the initial markingsince there already exists a hydroxide element O − H in y and another one can be createdby the execution of t . The execution of t will place another hydroxide molecule O − H in place y which results in two bonds of an identical type in the same place. According tothe collective token interpretation, these transitions are always considered to be concurrentbecause the execution of the one does not preclude the execution of the other. Since theenabling condition of t does not depend on the execution of t but only on the existence ofa token of type o − h , then there is no reason in distinguishing whether the molecule was aresult of t or not.This frame of mind when it comes to causal relations also reflects on how we perceivereversibility. Lets us assume that during the execution of t the O − H molecule that hasbeen produced by t bonds with H to create the water molecule H − O − H . In the collectivetoken interpretation we are allowed to proceed with the reversal of t since we already havethe required o − h tokens in the outgoing place y . When reversing, we undo the effect of t bybreaking the bond O − H without distinguishing whether this was the pre-existing moleculeor the exact one that has been produced during forward execution. However, in the individualtoken interpretation, we keep track of the tokens that have executed each transition, whichmeans that t cannot be reversed by the pre-existing O − H since it can only be reversedafter the reversal of t . 138n the following subsections we present an additional firing rule for multi reversing Petrinets under the collective interpretation. As we are no longer interested in explicitly distin-guishing tokens that participate in specific transitions we no longer update the memories oftoken instances as triples of the form ( a , k , u ) . We assume that for any token of type a theremay exist a finite number of token instances . We denote initial token ( a , ∗ , i ) with a i and weuse A I for the set of all token instances. Tokens are distinguished by their index i in order toavoid introducing multisets to the model. Tokens of the same type have identical capabilitieson firing transitions and can participate only in transitions with variables of the same type.The collective token interpretation is proposed as an additional form of reversibility be-cause, due to its local nature, it allows reversing to states that cannot be reached throughforward execution. For this reason it does not follow backtracking, causal, and non-causalsemantics because it involves and proposes reversal based on a distinct notion of causalityclosely related to disjunctive causality (rather than the usual partial-order causality). Tokensof the same type are considered to be indistinguishable and when a transition involving acertain set of tokens is to be reversed, any set of tokens of the needed types can be em-ployed to reverse the transition. As a result, different components may be involved in theforward and backward execution of a transition and reversing a transition may lead to statesnot reachable by forward-only execution. Furthermore, the approach is light in terms ofmemory and preserves the local nature of classical Petri nets. We note that an alternativeapproach could be followed to enable the definition of causal-order and out-causal-order re-versibility by considering two tokens to be indistinguishable only if they belong to equivalentconnected components. However, we have opted for the present approach, motivated by theapplications at hand as well as the philosophy described above. We may now redefine the forward firing rule by ignoring the memories of token instances inorder to allow tokens to reverse transitions that they have not participated in. Forward en-abledness is defined in the same manner as in the individual token interpretation where tokeninstances are selected non-deterministically as long as they respect the variable types re-quired by the transition’s incoming arcs. Based on the selected forward enabling assignment U f we are able to identify the tokens that are removed from places as defined by • U f and thetokens that are added to places as defined by U • f . Thus a transition firing executed in the for-ward direction will transfer a set of token and bond instances, as specified by the incoming139 igure 4.20: Forward execution under the collective token interpretation arcs of the transition, to the outgoing places of the transition, as specified by the transition’soutgoing arcs, possibly forming or destructing bonds, as necessary. In the collective tokeninterpretation token instances are relocated without being updated with memories of theirpast transitions. Furthermore, the history of the executed transition is updated accordingly. Definition 61.
Given a MRPN ( P , T , A , A V , B , F ) , a state (cid:104) M , H (cid:105) , a transition t that is enabledin state (cid:104) M , H (cid:105) , and an enabling assignment U f , we write (cid:104) M , H (cid:105) ( t , k ) −→ coll (cid:104) M (cid:48) , H (cid:48) (cid:105) where k = max ( { } ∪ { k (cid:48) | k (cid:48) ∈ H ( t (cid:48)(cid:48) ) , t (cid:48)(cid:48) ∈ T } ) + and for all x ∈ P : M (cid:48) ( x ) = ( M ( x ) − • U f ( x )) ∪ U • f ( x ) and H (cid:48) ( t (cid:48) ) = H ( t (cid:48) ) ∪ { k } if t (cid:48) = tH ( t (cid:48) ) , otherwiseAs demonstrated in Figure 4.20 a bond of type a − b is selected from the incoming places ofthe transition as required by the variables labelled on the incoming arcs. The result of firingthe transition is transferring the tokens into their respective outgoing places by breakingthe bond between them. Unlike the individual token interpretation we do not update thememories of the token instances as we are only interested in the location of tokens, i.e. theeffect of the transitions, as well as, the fact that a transition has been executed. We now move on to reversing transitions. A transition can be reversed in a certain stateif it has been previously executed and there exist token instances in its output places thatmatch the requirements on its outgoing arcs. Note that compared to the individual token140nterpretation, in the collective approach we ignore the causal paths assigned to the tokensduring forward execution. As such, tokens are allowed to reverse any transition as long asthey respect the variable types, independently on whether the tokens were explicitly used forfiring this particular transition occurrence. Specifically, we define the notion of collectivereverse enabledness as follows:
Definition 62.
Consider a MRPN ( P , T , A , A V , B , F ) , a state (cid:104) M , H (cid:105) , and a transition occur-rence ( t , k ) . We say that ( t , k ) is coll-enabled in (cid:104) M , H (cid:105) if there exists an injective function U coll : post ( t ) ∩ A V → A I such that:1. for all u ∈ F ( t , x ) , x ∈ t ◦ , we have U coll ( u ) ∈ M ( x ) where type ( u ) = type ( U coll ( u )) , andfor all ( u , v ) ∈ F ( t , x ) , then ( U coll ( u ) , U coll ( v )) ∈ M ( x ) ,2. If u , v ∈ F ( t , x ) , x ∈ t ◦ and ( U coll ( u ) , U coll ( v )) ∈ M ( x ) then ( u , v ) ∈ F ( t , x ) , and3. if u ∈ F ( y , t ) , v ∈ F ( y , t ) , y , y ∈ ◦ t , y (cid:44) y then U f ( u ) (cid:60) con ( U f ( v ) , ( M ( x ) − post • ( t , U coll )) ∪ • pre ( t , U coll )) , x ∈ ◦ t .Thus, a transition occurrence ( t , k ) is reverse-enabled based on the collective token inter-pretation in (cid:104) M , H (cid:105) if (1) there exists a type-respecting assignment of token instances, fromthe instances in the out-places of the transition, to the variables on the outgoing edges of thetransition, and where the instances are connected with bonds as required by the transition’soutgoing edges. Furthermore, (2) if the selected token instances are bonded together in anoutgoing place of the transition then the bond should also exist on the variables labelling theoutgoing arcs (thus we do not recreate existing bonds), and (3) if two tokens are transferredby a transition to different incoming places then these tokens should not remain connectedwhen removing the selected outgoing tokens and adding the selected incoming tokens (wedo not clone tokens). We refer to U coll as a reversal enabling assignment.We now define the incoming token/bond instances as: Definition 63.
Given a MRPN ( P , T , A , A V , B , F ) , a state (cid:104) M , H (cid:105) , a transition occurrence ( t , k ) and an enabling assignment U coll , we define • U coll : P → A I ∪ B I to be a function thatassigns to each place a set of incoming token and bond instances that are used for the firingof t : • U coll ( x ) = (cid:83) u ∈ f ( t , x ) con ( U coll ( u ) , M ( x )) We now define the outgoing token/bond instances as: 141 efinition 64.
Given a MRPN ( P , T , A , A V , B , F ) , a transition t , and a state (cid:104) M , H (cid:105) and anenabling assignment U coll , we define U • coll : P → A I ∪ B I to be a function that assigns to eachplace a set of outgoing token/bond instances of t : U • coll ( x ) = (cid:83) u ∈ f ( x , t ) , U coll ( u ) ∈ M ( y ) con ( U coll ( u ) , ( M ( y ) − post • ( t , U coll )) ∪ • pre ( t , U coll ) To implement the reversal of a transition t according to a reversal enabling assignment U coll , the selected instances are relocated from the outgoing places of the transition to theincoming places, as specified by the incoming arcs of the transition, with bonds createdand destructed accordingly. Note that compared to the individual token interpretation in thecollective approach we do not update the causal paths assigned to the tokens during forwardexecution. Definition 65.
Given a MRPN ( P , T , A , A V , B , F ) , a state (cid:104) M , H (cid:105) , and a transition occurrence ( t , k ) that is reverse-enabled in (cid:104) M , H (cid:105) with U coll a reversal enabling assignment, we write (cid:104) M , H (cid:105) ( t , k ) (cid:32) coll (cid:104) M (cid:48) , H (cid:48) (cid:105) where for all x : M (cid:48) ( x ) = ( M ( x ) − • U coll ( x )) ∪ U • coll ( x ) and H (cid:48) ( t (cid:48) ) = H ( t (cid:48) ) − { k } , if t (cid:48) = tH ( t (cid:48) ) , otherwiseIn Figure 4.21 we may observe the reverse execution of the net presented in Figure 4.20.As two tokens of type a and b are located in the outgoing places of the transition match-ing the requirements of the variables in the labelled outgoing arcs, we are able to non-deterministically select a pair to reverse transition t . As such it is not necessary to reverse thetransition with the exact token instances that have contributed in its execution thus we select a − b to reverse. Biological reactions, pathways, and reaction networks have been extensively studied in theliterature using various techniques, including process calculi and Petri nets. Initial researchwas mainly focused on reaction rates by modelling and simulating networks of reactions, inorder to analyse or predict the common paths through the network. Reversibility was notconsidered explicitly. Later on reversibility started to be taken into account, since it plays acrucial role in many processes, typically by going back to a previous state in the system.142 igure 4.21: Forward execution under the collective token interpretation.
OHH OHH OHH H OH + +
Figure 4.22: Autoprotolysis of water
Autoprotolysis of Water
In this case study we consider a chemical reaction that transfers a hydrogen atom betweentwo water molecules. This reaction is known as the autoprotolysis of water and is shown inFigure 4.22. There, O indicates an oxygen atom and H a hydrogen atom. The lines indicatebonds. Positive and negative charges on atoms are shown by ⊕ and (cid:9) respectively. Themeaning of the curved arrows and the dots will be explained in the next paragraphs. Thereaction is reversible and it takes place at a relatively low rate, making pure water slightlyconductive. We have chosen this reaction as our example reaction, since it is non-trivial butmanageable, and has some interesting aspects to be represented.To model the reaction we need to understand why it takes place and what causes it. Themain reason is that the oxygen in the water molecule is nucleophilic , meaning it has thetendency to bond to another atomic nucleus, which would serve as an electrophile . This143s because oxygen has a high electro-negativity, therefore it attracts electrons and has anabundance of electrons around it. The electrons around the atomic nucleus are arranged onelectron shells, where only those in the outer shell participate in bonding. Oxygen has fourelectrons in its outer shell, which are not involved in the initial bonding with hydrogen atoms.These electrons form two lone pairs of two electrons each, which can form new bonds (lonepairs are shown in Figure 4.22 by pairs of dots). All this makes oxygen nucleophilic: ittends to connect to other atomic nuclei by forming bonds from its lone pairs. Since oxygenattracts electrons, the hydrogen atoms in water have a positive partial charge and oxygen hasa negative partial charge.The reaction starts when an oxygen in one water molecule is attracted by a hydrogen inanother water molecule due to their opposite charges. This results in a hydrogen bond . Thisbond is formed out of the electrons of one of the lone pairs of the oxygen. The large curvedarrow in Figure 4.22 indicates the movements of the electrons. Since a hydrogen atom cannothave more than one bond, the creation of a new bond is compensated by breaking the existinghydrogen-oxygen bond (indicated by the small curved arrow). When this happens, the twoelectrons, which formed the original hydrogen-oxygen bond, remain with the oxygen. Sincea hydrogen contains one electron and one proton, it is only the proton that is transferred, sothe process can be called a proton transfer as well as a hydrogen transfer. The forming of thenew bond and the breaking of the old bond are concerted , meaning that they happen togetherwithout a stable intermediate configuration. As a result we have reached the state where oneoxygen atom has three bonds to hydrogen atoms and is positively charged, represented onthe right side of the reaction in Figure 4.22. This molecule is called hydronium and is writtenas H O + . The other oxygen atom bonds to only one hydrogen and is negatively charged,having an electron in surplus. This molecule is called a hydroxide and is written as OH − .Note that the reaction is reversible: the oxygen that lost a hydrogen can pull back oneof the hydrogens from the other molecule, the H O + molecule. This is the case since thenegatively charged oxygen is a strong nucleophile and the hydrogens in the H O + moleculeare all positively charged. Thus, any of the hydrogens can be removed, making both oxygensformally uncharged, and restoring the two water molecules. In Figure 4.22 the curved arrowsare given for the reaction going from left to right. Since the reaction is reversible (indicatedby the double arrow) there are corresponding electron movements when going from right toleft. These are not given in line with usual conventions, but can be inferred.In this simple reaction, the forward and the reverse step consist of two steps each. Thebreaking of the old and the forming of the new bond occur simultaneously. This means144hat there is no strict causality of actions, since none of them can be called the cause of theoverall reaction. Furthermore, the reverse step can be done with a different atom to the oneused during the forward step because each of the molecules are in a sense identical and inpractice there does not exist a single “reverse” path corresponding to a forward one.It should be noted that there are two types of bonding modelled here. Firstly, we havethe initial bonds where two atoms contribute an electron each. Secondly, the dative or coor-dinate bonds are formed where both electrons come from one atom (an oxygen in this case).Both are covalent bonds , and once formed they cannot be distinguished. Specifically, in theoxygen with three bonds all bonds are the same and no distinction can be made. If one ofthe bonds is broken by a deprotonation (as in the autoprotolysis of water) the two electronsare left behind and they form a lone pair. If the broken bond was not previously formedas a dative bond, the electrons changed their “role”. This explains why any proton can betransferred in the reverse reaction and not just the one that was involved in the forward path. Reversing Petri Net representation
Figure 4.23 shows the graphical representation of the forming of a water molecule as a RPN.In this model, we assume two token types, h for hydrogen and o for oxygen. They are instan-tiated via four token instances of h ( H , H , H , and H ) and two token instances of o , ( O and O ). The net consists of five places and three transitions and the edges between themare associated with token variables and bonds, where we assume that type ( u ) = type ( q ) = o and type ( v ) = type ( w ) = type ( r ) = type ( s ) = h . Looking at the transitions, transition t models the formation of a bond between a hydrogen token and an oxygen token. Precisely,the transition stipulates a selection of two such molecules with the use of variables u and v on the incoming arcs of the transition which are bonded together, as described in the out-going arc of the transition. Subsequently, transition t completes the formation of a watermolecule by selecting an oxygen token from place x and a hydrogen token from place v andforming a bond between them, placing the resulting component at place y . Note that theselected oxygen instance in this transition will be connected to a hydrogen token via a bondcreated by transition t ; this bond is preserved and the component resulting from the creationof the new o − h bond will be transferred to place y . Finally, transition t models the auto-protolysis reaction: assuming the existence of two distinct oxygen instances, as required bythe variables of type o and h on the incoming arc of the transition, connected with hydrogeninstances as specified in F ( y , t ) , the transition breaks the bond q − r and forms the bond u − r .145 igure 4.23: RPN model of the formation of a water molecule igure 4.24: RPN model of the execution of the autoprotolysis of water y , the transition will forma hydronium ( H + O ) and a hydroxin ( OH − ) molecule in place z of the net. The reversibilitysemantics of RPNs ensures that reversing the transition t will result in the re-creation oftwo water molecules placed at y , while the use of variables allows the formation of watermolecules consisting of different bonds between the hydrogen and oxygen instances.The first net in Figure 4.24 shows the system after the execution of transition t withenabling assignment U f ( v ) = H , U f ( u ) = O . Subsequently, we have the model afterexecution of transition t with enabling assignment U f ( v ) = H , U f ( u ) = O , creating thebond O − H , thus forming the first water molecule. A second execution of transitions t and t results in the second molecule of water in the system, placed again at place y , as shown inthe third net in the figure. At this state, transition t is forward-enabled and, with enablingassignment U f ( u ) = O , U f ( q ) = O , U f ( w ) = H , U f ( v ) = H , U f ( r ) = H , U f ( s ) = H ,we have the creation of the hydronium and hydroxide depicted at place z in the fourth netof the figure. At this stage, transition t is now reverse-enabled and the last net in the figureillustrates the state resulting after reversing t with reversal enabling assignment U coll ( u ) = O , U coll ( v ) = O , U coll ( w ) = H , U coll ( v ) = H , U coll ( r ) = H , U coll ( s ) = H . This chapter has focused on relaxing the restrictions of the RPN model presented in the pre-vious chapter, by allowing multiple tokens of the same base/type to occur in a model anddeveloping reversible semantics in the presence of bond destruction. We have extended ourformalism with multi tokens by following the individual token philosophy, which definesthe notion of causality in reversible systems as a partial order. The individuality of iden-tical tokens can be imposed by their causal path, which allows identical tokens to fire thesame transition when going forward, however, when going backwards tokens will be ableto reverse only the transitions that they have fired. Additionally, our work provides the re-versible semantics for out-of-causal-order reversibility and shows how the presence of bonddestruction affects transition enabledness. Finally, we have shown that the expressive powerof RPNs with multi tokens is equivalent to the expressive power of RPNs with single tokens.Another approach on extending our formalism with multiple tokens is that of the collec-tive token philosophy. Our experience strongly suggests that resource management systemscan be studied and understood in terms of the collective token interpretation of RPNs [69].Reversing Petri Nets are a natural choice to model and analyse biochemical reaction sys-148ems, such as the autoprotolysis of water, which by nature has multi-party interactions, isinherently concurrent, and features reversible behaviour.The autoprotolysis of water has also been modelled by the Calculus of Covalent Bond-ing (CCB) as well as the Bonding Calculus [69]. All three models can perform the forwardreaction using any of the hydrogens involved. In RPNs the feature of token multiplicity andthe use of variables allows to non-deterministically select different combinations of atoms ofa particular element when creating molecules. Unlike Bonding calculus, CCB and RPNs areable to express concerted actions, since a transition simultaneously destroys a water moleculeand creates a hydronium whose reversal results in the opposite effect. CCB and RPNs canperform the reverse reaction by transferring arbitrary hydrogens, whereas the Bonding Cal-culus permits only the transfer of exactly those hydrogens that were used in the forwardreaction.The other criterion for comparing the formalisms for the modelling of chemical reactionsis to ask if they enable the same actions as they appear in reality. Each of the three formalismsdoes not permit a H O molecule to be formed directly. Furthermore, CCB and the bondingcalculus allow one reaction which is not realistic: If there are many water molecules andtherefore several hydroxide and water molecules at the same time, it is possible that the re-maining hydrogen is transferred from the hydroxide to a water. In reality, this is not possiblesince the hydroxide is strongly negatively charged and no hydrogen bond can form. How-ever, this is not the case for RPNs since, on the one hand, a transition’s conditions makerestrictions on the types of molecules that will participate in a transition firing or its rever-sal and, on the other hand, places impose a form of locality for molecules. For instance, inthe autoprotolysis example, each place is the location of specific types of molecules, e.g.,transition t modelling the autoprotolysis reaction is only applied on water molecules and itsreversal only on pairs of a hydronium and a hydroxide molecule, as required. 149 hapter Controlling Reversibility in Reversing Petri Nets
In this chapter we extend the framework of reversing Petri nets with a mechanism for con-trolling reversibility [113, 114, 127]. This control is enforced with the aid of conditionsassociated with transitions, whose satisfaction acts as a guard for executing the transitionin the forward/backward direction. The conditions are enunciated within a simple logicallanguage expressing properties relating to available tokens. The mechanism may captureenvironmental conditions, e.g., changes in temperature, or the presence of faults. Note thatconditional transitions can also be found in existing Petri net models, e.g., in [64], a Petri-netmodel that associates transitions and arcs with expressions. The resulting model is generalenough to capture a wide range of systems, in this context we give an overview of severalproperties of reversing Petri nets that could be used to analyse the behaviour of these sys-tems. We conclude this section with the model of a novel antenna selection (AS) algorithmwhich inspired the development of our framework.
In this section we extend the multi reversing Petri nets of Chapter 4, by associating tran-sitions with conditions that control their execution and reversal, enunciated on data valuesassociated with tokens. We introduce controlled reversible semantics under the collectivetoken interpretation where transitions are controlled and can break bonds, and tokens areindistinguishable and can curry data values. Specifically, we define:
Definition 66. A Controlled Reversing Petri Net (CRPN) is a tuple ( N , Σ , D , C F , C R , I ) where:1. N is a multi reversing Petri net. 150. Σ forms a finite set of data types with D the associated set of data values where type Σ ( d ) ∈ Σ , d ∈ D .3. C F : T → COND A V is a function that assigns a forward condition to each transition t ∈ T .4. C R : T → COND A V is a function that assigns a reverse condition to each transition t ∈ T .5. I : A I → D is a function that associates a data value from D to each token instance a i ∈ A I such that type Σ ( I ( a i )) = type Σ ( a i ) .As in multi reversing Petri nets a controlled reversing Petri net is built on the basis of aset of tokens or bases . These are organized in a set of token types A , where each token typeis associated with a set of token instances A I . Variable tokens are associated with a data typesuch that for all u ∈ A V , type Σ ( u ) ∈ Σ . Places and transitions have the standard meaning andare connected via directed arcs which are labelled by a set of elements from A V ∪ ( A V × A V ) .Finally, we define C ⊆ A I ∪ B I in the expected way according to MRPNs. We also assumethat the CRPN model is well formed with distinct tokens.In addidtion, in CRPNS token instances are associated with data values via function I .These data values have a type from the set Σ , and we write type Σ ( d ) to denote the type ofa data value. Transitions are associated with conditions COND A V which constitute addi-tional preconditions for a transition to fire. Conditions are boolean expressions over a setof variables A V that evaluate to either "TRUE" or "FALSE" determining the behaviour ofthe net. The function C F assigns a forward condition to each transition that needs to be sat-isfied during forward execution, whereas, C R assigns a reverse condition that needs to besatisfied during reverse execution. Graphically we indicate conditions below their respectivetransitions as C F ( t ) / C R ( t ) and in case where C F ( t ) = ! C R ( t ) only C F ( t ) is presented.Conditions are built via a simple propositional language whose basic building blocks arerelations on the data types Σ applied on expressions involving token values of a CRPN model.An instantiation of such a language for arithmetic expressions follows, though this can begeneralised for more complex types. Therefore, the grammar of the expression COND A V isdefined as follows: φ : = ¬ φ | φ ∨ φ | e > e e : = a i . x | u | d | ( e ) | i f φ e else e | e + e | e − e | e × e | e / e φ are denoted by Free ( φ ) ⊆ A V . Variable assignments V : A V ∩ Free ( φ ) → A I are the mappings of a token instance to a free variable. We requirethe variable assignments to respect the types of data values associated with the respectivevariable token instances such that for V ( u ) = a i , a i ∈ A I ∩ M ( x ) , x ∈ P we have type Σ ( u ) = type Σ ( a i ) . The variable assignment V of a transition covers (at least) all variables from pre ( t ) such that u ∈ pre ( t ) ∩ Free ( φ )) = ∅ ( post ( t ) ∩ Free ( φ ) = ∅ for reverse transitions).Conditions are evaluated based on data values associated with the token instances of themodel and functions/predicates over the associated data types. Given a transition t withcondition φ , the corresponding variable assignment V , a marking M , and an assignmentfunction I , we evaluate the condition φ as follows: E ( φ, V , M , I ) = ¬ E ( φ (cid:48) , V , M , I ) , if φ = ¬ φ (cid:48) E ( φ , V , M , I ) ∨ E ( φ , V , M , I ) , if φ = φ ∨ φ Eval ( e , V , M , I ) > Eval ( e , V , M , I ) if φ = e > e Eval ( e , V , M , I ) = Eval ( e , V , M , I ) , if e = i f φ then e else e , E ( φ, V , M , I ) = TEval ( e , V , M , I ) , if e = i f φ then e else e , E ( φ, V , M , I ) = FEval ( e , V , M , I ) (cid:5) Eval ( e , V , M , I ) , if e = e (cid:5) e , (cid:5) ∈ { + , − , × , / } I ( V ( u )) , if e = u , u ∈ A V I ( a i ) , if e = a i . x , a i ∈ M ( x )0 , if e = a i . x , a i (cid:60) M ( x ) d , if e = d , d ∈ D The function E : ( COND A V × A I × (2 A I ∪ B I ) × D ) → BOOL evaluates the condition of atransition into a boolean value and the function
Eval : (
COND A V × A I × (2 A I ∪ B I ) × D ) → D evaluates the data value of an arithmetic expression. The truth value of conditions dependson the interaction of the logical operators and their component conditions. Arithmetic condi-tions have the value "TRUE" if the relation exists between the two expressions and "FALSE"otherwise. We resolve nested conditions with recursive evaluation where variable assign-ments V ( v ) = a i are substituted by the data value of the selected token instance I ( a i ) . Ele-ments of the form a i . x are substituted by the data value of the token instance I ( a i ) if the tokeninstance exists in place x , and if not ( is the identity element dependent on the application).152 .1.1 Controlled Forward Execution A transition is forward-enabled in a MRPNs, if there exists a selection of token instancesavailable at the incoming places of the transition matching the requirements on the tran-sitions incoming arcs. Also the transition should not recreate bonds and duplicate tokens.The addition of conditions in CRPNs requires additionally for the forward condition of thetransition to evaluate to TRUE according to the variable assignment V f . Formally: Definition 67.
Given a CRPN ( N , Σ , D , C F , C R , I ) , a state (cid:104) M , H (cid:105) , and a transition t , we saythat t is controlled-forward-enabled in (cid:104) M , H (cid:105) if there exist two injective functions U f : pre ( t ) ∩ A V → A I and V f : A V ∩ Free ( COND A V ) → A I such that:1. transition t is forward-enabled in N (Definition 33),2. for all u ∈ Free ( C F ( t )) then V f ( u ) = a i , a i ∈ A I ∩ M ( x ) , x ∈ P such that type Σ ( u ) = type Σ ( a i ) ,3. if u ∈ F ( x , t ) , x ∈ P , and u ∈ Free ( C F ( t )) then V f ( u ) = U f ( u ) , and4. E ( C F ( t ) , V f , M , I ) = TRUE.Thus, t is enabled in state (cid:104) M , H (cid:105) if (1) it is also forward-enabled in MRPNs, (2) thereis a type respecting assignment of data instances to variables, (3) variables that appear onboth the arcs and the condition should have the same variable assignment, (4) if the transi-tion bears a forward condition C F ( t ) , then by substituting the variables with the selected datavalues E ( C F ( t ) , V f , M , I ) evaluates to TRUE. Note that different selections of token and bondinstances may yield different evaluations to a transition’s condition. Thus, for some selec-tions the transition may be enabled whereas for others not. Note that if E ( C F ( t ) , V f , M , I ) or C F ( t ) is not defined, then the validity of the input is only dependent on the first two condi-tions. We refer to V f as a variable assignment.As in MRPNs, when a transition t is executed in the forward direction, all tokens andbonds occurring in its outgoing arcs are relocated from the input to the output places alongwith their connected components. The history of t is extended accordingly: Definition 68.
Given a CRPN ( N , Σ , D , C F , C R , I ) , a state (cid:104) M , H (cid:105) , and a transition t controlled-forward enabled in (cid:104) M , H (cid:105) with U f an enabling assignment and V f a variable assignment,we write (cid:104) M , H (cid:105) ( t , k ) −→ coll (cid:104) M (cid:48) , H (cid:48) (cid:105) where M (cid:48) and H (cid:48) are updated as in N (Definition 61). 153 igure 5.1: Forward execution in CRPNs Figure 5.1 demonstrates the forward execution of a CRPN with two transitions. Theforward conditions of both transitions require a variable assignment for variable u of type type ( u ) = a to be greater than three ( u > ). Only token A [5] is able to satisfy theseconditions and thus fire both transitions. As such, token A [5] has been selected as a variableassignment for variable u which is then used to fire transition t followed by t . We now move on to controlled reversibility. The following definition enunciates that a tran-sition t is controlled-reverse enabled if it is also reverse-enabled in multi reversing Petri netsunder the collective token interpretation. Furthermore, we require that the reverse conditionof the transition is satisfied according to the variable assignment V coll . Definition 69.
Consider a CRPN ( N , Σ , D , C F , C R , I ) , a state (cid:104) M , H (cid:105) , and a transition occur-rence ( t , k ) . Then ( t , k ) is controlled-reverse-enabled in (cid:104) M , H (cid:105) if there exist two injectivefunctions U coll : post ( t ) ∩ A V → A I and V coll : A V ∩ Free ( COND A V ) → A I such that:1. t is coll -enabled in in N (Definition 62), 154. for all u ∈ Free ( C R ( t )) then V coll ( u ) = a i , a i ∈ A I ∩ M ( x ) , x ∈ P such that type Σ ( u ) = type Σ ( a i ) ,3. if u ∈ F ( t , x ) , x ∈ P and u ∈ Free ( C R ( t )) then V coll ( u ) = U coll ( u ) , and4. E ( C R ( t ) , V coll , M , I ) = TRUE.Thus, a transition occurrence ( t , k ) is reverse-enabled in (cid:104) M , H (cid:105) if (1) it is coll − enabledin MRPNs, (2) (3) the definition makes similar requirements to Definition 67 only this timein (4) it requires for the reverse condition of the transition to evaluate to TRUE. Note thatwhile a selection of tokens may yield the reversal of the transition impossible by setting E ( C R ( t ) , V coll , M , I ) = FALSE, another selection, and its associated variable assignment V coll may be such that E ( C R ( t ) , V coll , M , I ) = TRUE. This is determined by the data values asso-ciated to the token instances by the assignment I . We refer to V coll as a reversal variableassignment.When a transition occurrence ( t , k ) is reversed the marking and history of the controlledreversing Petri net are updated according to the respective definition of MRPNs under thecollective token interpretation. Definition 70.
Given a CRPN ( N , Σ , D , C F , C R , I ) , a state (cid:104) M , H (cid:105) , and a transition occurrence ( t , k ) controlled-reversed-enabled in (cid:104) M , H (cid:105) with U coll a reversal enabling assignment and V coll a reversal variable assignment, we write (cid:104) M , H (cid:105) ( t , k ) (cid:32) coll (cid:104) M (cid:48) , H (cid:48) (cid:105) where M (cid:48) and H (cid:48) areupdated as in N (Definition 65).Figure 5.2 is a continuation of the forward execution of Figure 5.1. The reverse conditionof transition t requires for the variable assignment of token variable u of type type ( u ) = a to be smaller than two ( u < ), whereas, the reverse condition of transition t requires fora token variable u of type type ( u ) = a to be smaller than three ( u < ). Note that in thecase of transition t we have C F ( t ) = ! C R ( t ) , thus, the reverse condition is omitted from thefigure. In this example, only transition t is able to reverse as token A [1] can be used for thevariable assignment of u enabling the reversal of transition t .Let us consider a more complicated example of a reversible chemical reaction that de-pends on environmental conditions. Ammonium chloride ( NH Cl ) is an inorganic com-pound that decomposes into ammonia ( NH ) and hydrogen chloride gas ( HCl ). This de-composition is a reversible reaction that occurs when ammonium chloride is heated to over degrees Celsius. The two gases ammonia and hydrogen chloride can then react togetherin cooler temperatures to reform the solid ammonium chloride and therefore reverse the155 igure 5.2: Reverse execution in CRPNs decomposition. The recommended storing temperature of ammonium chloride is ◦ C to ◦ C.The model of this reaction is shown in the initial marking of Figure 5.3. Here we assumethe token types A = { H , N , Cl , T } , with the first three bearing the expected meaning and type T capturing different temperatures. In particular T has instances T and T , bearing values I ( T ) = and I ( T ) = . These are placed in places v and z , respectively. In place x , theinitial marking contains the component NH Cl . In transition t , with condition I ( t ) ≥ ,the ammonium chloride decomposes into NH and HCl , assuming that a T token with valueat least is present. This is the case, thus, the transition takes place as shown in the secondmarking of the figure. If the temperature decreases, as implemented in transition t wheretoken instance T exchanges places with token instance T , I ( T ) = , then the reversal ofthe transition is enabled leading to the reversal of the decomposition, as shown in the lastmarking of the figure. A major strength of Petri nets is their support for analysis of various properties and problemsassociated with concurrent systems [102]. Two types of properties can be studied withinreversing Petri net models based on whether they are dependent on the initial marking, or areindependent of the initial marking. The former type of properties is referred to as marking-156 igure 5.3: Ammonium chloride chemical reaction dependent or behavioural properties, whereas the latter type of properties is called structuralproperties. In this section, we discuss only basic behavioural properties and their analysis.
Reachability.
Reachability is a fundamental basis for studying the dynamic properties ofsystems. The firing of an enabled transition will change the token distribution in a net ac-cording to the firing rules. A sequence of firings will result in a sequence of states. A state (cid:104) M n , H n (cid:105) , is said to be reachable from a state (cid:104) M , H (cid:105) if there exists a sequence of firingsthat transforms (cid:104) M , H (cid:105) to (cid:104) M n , H n (cid:105) . A firing or transition sequence is denoted by σ = t ; t ; ... ; t n . If (cid:104) M n , H n (cid:105) is reachable from (cid:104) M , H (cid:105) by σ we write (cid:104) M , H (cid:105) σ (cid:55)−→ (cid:104) M n , H n (cid:105) .The set of all possible sates reachable from (cid:104) M , H (cid:105) in a net N is denoted by R ( N , (cid:104) M , H (cid:105) ) R ( (cid:104) M , H (cid:105) ) . The set of all possible firing sequences from (cid:104) M , H (cid:105) in a net N with initial state (cid:104) M , H (cid:105) is denoted by L ( N , (cid:104) M , H (cid:105) ) or simply L ( (cid:104) M , H (cid:105) ) . Now,the reachability problem for controlled reversing Petri nets is the problem of finding if (cid:104) M n , H n (cid:105) ∈ R ( (cid:104) M , H (cid:105) ) for a given state (cid:104) M n , H n (cid:105) in a net N with initial marking M .In some applications, one may be interested in the markings of a subset of places and notcare about the rest of places in a net. This leads to a submarking reachability problem whichis the problem of finding if (cid:104) M j , H j (cid:105) ∈ R ( (cid:104) M , H (cid:105) ) ,where (cid:104) M j , H j (cid:105) is any marking whoserestriction to a given subset of places agrees with that of a given marking (cid:104) M n , H n (cid:105) . Definition 71.
Given a CRPN N an initial state (cid:104) M , H (cid:105) and an execution (cid:104) M , H (cid:105) σ (cid:55)−→ (cid:104) M (cid:48) , H (cid:48) (cid:105) then (cid:104) M (cid:48) , H (cid:48) (cid:105) is reachable from (cid:104) M , H (cid:105) in the net N and the set of all states reachable from (cid:104) M , H (cid:105) is denoted by R ( N , (cid:104) M , H (cid:105) ) or simply R ( (cid:104) M , H (cid:105) ) . The set of all possible firing se-quences from (cid:104) M , H (cid:105) in N is denoted by L ( N , (cid:104) M , H (cid:105) ) or simply L ( (cid:104) M , H (cid:105) ) .As a state in CRPNs constitutes a combination of both a marking and a history most ofthe properties are defined based on both parameters. However, depending on the needs ofthe modelled system the reachability properties can be redefined to ignore the status of thehistory. The reachability property is redefined as follows: Definition 72.
Given a CRPN N an initial state (cid:104) M , H (cid:105) and an execution (cid:104) M , H (cid:105) σ (cid:55)−→ (cid:104) M (cid:48) , H (cid:48) (cid:105) then marking M (cid:48) is reachable from (cid:104) M , H (cid:105) in the net N denoted by M (cid:48) ∈ R ( (cid:104) M , H (cid:105) ) . Figure 5.4: Reachability property
Let us consider the example in Figure 5.4. The figure on the top represents the initialmarking (cid:104) M , H (cid:105) . The figure on the bottom represents a desired marking (cid:104) M , H (cid:105) of the same158ontrolled reversing Petri net. The reachability property questions whether (cid:104) M , H (cid:105) is reach-able from the initial marking (cid:104) M , H (cid:105) , such that (cid:104) M , H (cid:105) ∈ R ( (cid:104) M , H (cid:105) ) . We can see that in-deed (cid:104) M , H (cid:105) is reachable from (cid:104) M , H (cid:105) through the firing sequence σ = ( t , t , t , such that (cid:104) M , H (cid:105) σ (cid:55)−→ (cid:104) M , H (cid:105) . Home state.
In many applications, it is not necessary to get back to the initial state aslong as one can get back to some (home) state. For example in various electronic devices,home states may be reached automatically after periods of inactivity, or may be forced to bereached by resetting the device. Also in self-stabilising systems, reaching a failed state canbe recovered from automatically reaching a non-erroneous home state. A state (cid:104) M (cid:48) , H (cid:48) (cid:105) issaid to be a home state if, for each state (cid:104) M , H (cid:105) in R ( (cid:104) M , H (cid:105) ) , (cid:104) M (cid:48) , H (cid:48) (cid:105) is reachable from (cid:104) M , H (cid:105) . Definition 73.
Given a CRPN N , a state (cid:104) M , H (cid:105) is a home state if (cid:104) M , H (cid:105) ∈ R ( N , (cid:104) M (cid:48) , H (cid:48) (cid:105) ) from every state (cid:104) M (cid:48) , H (cid:48) (cid:105) ∈ R ( N , (cid:104) M , H (cid:105) ) and N is reversible if (cid:104) M , H (cid:105) is a home state.As with the reachability property, home state can be redefined to ignore the history. Inthis way we have a more flexible notion of a home state where only the location of tokensconstitutes a home state. Definition 74.
Given a CRPN N , a marking M is a home state if M ∈ R ( N , (cid:104) M (cid:48) , H (cid:48) (cid:105) ) fromevery marking M (cid:48) ∈ R ( N , (cid:104) M , H (cid:105) ) and N is reversible if M is a home state.Now consider the controlled reversing Petri net in Figure 5.5. Given as initial state (cid:104) M , H (cid:105) the controlled reversing Petri net on the top we can observe that the state on thebottom (cid:104) M , H (cid:105) is a home state for that controlled reversing Petri net. Since only transitions t and t are irreversible then when executing any other transition we can reverse their ex-ecution and proceed with the firing sequence ( t , t , t , leading to the home state (cid:104) M , H (cid:105) . Also note that this controlled reversing Petri net is not reversible since t and t arenot reversible and therefore after the are execution we cannot return to the initial marking (cid:104) M , H (cid:105) . Liveness.
The concept of liveness is closely related to the complete absence of deadlocksin operating systems. A controlled reversing Petri net N with initial marking M is said tobe live (or equivalently (cid:104) M , H (cid:105) is said to be a live marking for N ) if, no matter what statehas been reached from (cid:104) M , H (cid:105) , it is possible to ultimately fire any transition of the net by159 igure 5.5: Home state property progressing through some further firing sequence. This means that a live controlled reversingPetri net guarantees deadlock-free operation, no matter what firing sequence is chosen. Definition 75.
A CRPN N it is said to be live (or equivalently (cid:104) M , H (cid:105) is said to be a livestate for N ) if for all (cid:104) M , H (cid:105) ∈ R ( N , (cid:104) M , H (cid:105) ) then there exists t ∈ T such that t enabled in (cid:104) M , H (cid:105) .Liveness is an ideal property for many systems. However, it is impractical and too costlyto verify this strong property for some systems such as the operating system of a large com-puter. Thus, we relax the liveness condition and define different levels of liveness. Definition 76.
Given a CRPN N and a transition t ∈ T then t is said to be:1. dead( L − live) if t (cid:60) L ( (cid:104) M , H (cid:105) ),2. L − live (potentially fire-able) if | { t | t ∈ L ( (cid:104) M , H (cid:105) ) } | = ,3. L − live if given any positive integer k | { t | t ∈ L ( (cid:104) M , H (cid:105) ) } | = k ,4. L − live if | { t ∈ L ( (cid:104) M , H (cid:105) ) } | = ∞ ,5. L − live or live if t is L − live for all (cid:104) M , H (cid:105) , (cid:104) M , H (cid:105) ∈ R ( (cid:104) M , H (cid:105) ) , and6. Lk -live if every transition in the net is Lk -live, k = , , , , . 160 − liveness is the strongest and corresponds to the liveness defined earlier. It is easyto see the following implications: L -liveness = ⇒ L − liveness = ⇒ L − liveness = ⇒ L − liveness. We say that a transition is strictly Lk − live if it is Lk − live but not L ( k + − live, k = , , .In the case of liveness the history parameter of a state cannot be ignored as history in con-trolled reversing Petri nets plays an important role when deciding if a transition is reversedenabled in a specific state. For example non executed transitions indicated by H ( t ) = ∅ cannot be reversed. Figure 5.6: Liveness property
Consider the controlled reversing Petri net in Figure 5.6. We observe that the execution ( t , t , t , t , t , can be repeated infinitely. Deadlock.
The concept of deadlock in controlled reversing Petri nets is the inability toproceed with the execution of a transition. Therefore, a controlled reversing Petri net has adeadlock when there are no other transitions that can be executed in the forward or reversetransition.
Definition 77.
Given a CRPN N a deadlock is as state (cid:104) M , H (cid:105) , (cid:104) M , H (cid:105) ∈ R ( N , (cid:104) M , H (cid:105) ) such that there exists no t ∈ T such that t (controlled-forward/controlled-reverse) enabled in (cid:104) M , H (cid:105) .As deadlock is equivalently defined as L0-liveness then the history as part of a state is animportant element when deciding if a transition can fire.Consider the CRPN in Figure 5.7. The controlled reversing Petri net on the top fig-ure represents the initial marking (cid:104) M , H (cid:105) and the controlled reversing Petri net in thebottom figure represents the resulting marking (cid:104) M , H (cid:105) after the execution of t , such that161 igure 5.7: Deadlock property (cid:104) M , H (cid:105) ( t , −→ (cid:104) M , H (cid:105) . Since transition t requires u > = TRUE , type ( u ) = a in or-der to be executed in forward direction then it is not fireable by A [5] . Also t requires u < = TRUE in order to reverse then it is irreversible by A [5] . Therefore in state (cid:104) M , H (cid:105) there are no transitions fireable by the only token A [5] and therefore the reversing Petri nethas reached a deadlock. Siphon.
A non-empty subset of places P S in a CRPN is called a siphon if for all (cid:104) M , H (cid:105) where M ( x ) = ∅ , x ∈ P S and for all (cid:104) M (cid:48) , H (cid:48) (cid:105) then (cid:104) M (cid:48) , H (cid:48) (cid:105) ∈ R ( (cid:104) M , H (cid:105) ) we have M (cid:48) ( y ) = ∅ , y ∈ P S . A siphon has a behavioural property that if it is token-free under some marking, thenit remains token-free under each successor marking. It is easy to verify that the union of twosiphons is again a siphon. A siphon is called a basic siphon if it cannot be represented as aunion of other siphons. All siphons in a CRPN can be generated by the union of some basissiphons. A siphon is said to be minimal if it does not contain any other siphon. A minimalsiphon is a basis siphon, but not all basis siphons are minimal.Exiting a siphon highly depends on whether a transition is executable in either the for-ward or reverse direction. The execution of transitions in controlled reversing Petri netsdepends both on the satisfaction or violation of conditions but also on the form of executioni.e. whether we are firing in forward or reverse. As reversibility allows the execution oftransitions in both forward and reverse execution this means that a fully reversible MRPNcannot have siphons as when exiting a siphon we always have the possibility of reversingin order to enter the siphon again. As such the use of conditions disables transitions fromreversing when necessary and therefore irreversible transitions do not constitute entrance ina siphon area. Trap.
A non-empty subset of places P T in a CRPN is called a trap if for all (cid:104) M , H (cid:105) where M ( x ) (cid:44) ∅ , x ∈ P T then for all (cid:104) M (cid:48) , H (cid:48) (cid:105) where (cid:104) M (cid:48) , H (cid:48) (cid:105) ∈ R ( (cid:104) M , H (cid:105) ) we have M (cid:48) ( y ) (cid:44) ∅ ,162 ∈ P T . A trap has a behavioural property that if it is marked (i.e., it has at least one token)under some marking, then it remains marked under each successor marking. It is easy toverify that the union of two traps is again a trap. A trap is called a basic trap if it cannot berepresented as a union of other traps. All traps in a CRPN can be generated by the union ofsome basis traps. A trap is said to be minimal if it does not contain any other trap. A minimaltrap is a basis trap, but not all basis traps are minimal.Similarly to siphons, traps are a behavioural property in which when entering the trapregion we are unable to execute transitions outside that region. As MRPNs can be fullyreversible the introduction of conditions disables transitions from reversing and thus beingable to exit the trap. Figure 5.8: Coverability property
Coverability.
A state (cid:104) M , H (cid:105) in a controlled reversing Petri net N with (cid:104) M , H (cid:105) is said tobe coverable if there exists a marking (cid:104) M (cid:48) , H (cid:48) (cid:105) in R ( (cid:104) M , H (cid:105) ) such that M (cid:48) ( x ) ⊆ M ( x ) foreach x ∈ P in the net and H (cid:48) ( t ) ⊆ H ( t ) for each t ∈ T in the net. Coverability is closelyrelated to L - liveness (potential firability). Let (cid:104) M , H (cid:105) be the minimum marking needed toenable a transition t . Then t is dead (not L - live) if and only if (cid:104) M , H (cid:105) is not coverable. Thatis, t is L -live if and only if (cid:104) M , H (cid:105) is coverable. 163 efinition 78. Given a CRPN N and a state (cid:104) M , H (cid:105) is said to be coverable if there exists (cid:104) M (cid:48) , H (cid:48) (cid:105) ∈ R ( (cid:104) M , H (cid:105) ) such that | { a i | a i ∈ M ( x ) , type ( a i ) = a } | (cid:54) | { a i | a i ∈ M ( x ) , type ( a i ) = a } | , for all a ∈ A and if k ∈ H ( t ) then k ∈ H (cid:48) ( t ) , t ∈ T .Coverable states can be similarly defined as: Proposition 28.
Given a CRPN N and a state (cid:104) M , H (cid:105) is said to be coverable if there exists (cid:104) M (cid:48) , H (cid:48) (cid:105) ∈ R ( (cid:104) M , H (cid:105) ) such that (cid:104) M (cid:48) , H (cid:48) (cid:105) ≥ (cid:104) M , H (cid:105) . Proposition 29.
Given a CRPN N and a state (cid:104) M , H (cid:105) is said to be coverable iff (cid:104) M , H (cid:105) ∈ R ( (cid:104) M , H (cid:105) ) .Similarly, to the reachability property, coverability can be defined in terms of a markingand thus ignoring the history part of state. Definition 79.
Given a CRPN N and a marking M is said to be coverable if there exists M (cid:48) ∈ R ( (cid:104) M , H (cid:105) ) such that | { a i | a i ∈ M ( x ) , type ( a i ) = a } | (cid:54) | { a i | a i ∈ M ( x ) , type ( a i ) = a } | , for all a ∈ A .Consider the CRPN in Figure 5.8. The first controlled reversing Petri net on the topcorner is the initial marking (cid:104) M , H (cid:105) . The second controlled reversing Petri net is the de-sired state (cid:104) M , H (cid:105) that we want to check if its coverable by some marking (cid:104) M (cid:48) , H (cid:48) (cid:105) reach-able from the initial marking such that (cid:104) M (cid:48) , H (cid:48) (cid:105) ∈ R ( (cid:104) M , H (cid:105) ) . The final controlled re-versing Petri net is the marking (cid:104) M (cid:48) , H (cid:48) (cid:105) which is reachable from (cid:104) M , H (cid:105) by the execu-tion σ = ( t , t , t , t , , (cid:104) M , H (cid:105) σ (cid:55)−→ (cid:104) M (cid:48) , H (cid:48) (cid:105) which covers (cid:104) M , H (cid:105) such that (cid:104) M (cid:48) , H (cid:48) (cid:105) ≥ (cid:104) M , H (cid:105) . Note that the marking derived from the execution σ (cid:48) = ( t , t , , (cid:104) M , H (cid:105) σ (cid:48) (cid:55)−→ (cid:104) M (cid:48)(cid:48) , H (cid:48)(cid:48) (cid:105) also covers (cid:104) M , H (cid:105) . Persistence.
A controlled reversing Petri net N with initial marking (cid:104) M , H (cid:105) is said tobe persistent if, for any two enabled transitions, the firing of one transition will not disablethe other. A transition in a persistent net, once it is enabled, will stay enabled until it fires.Persistence is closely related to conflict-free nets, and a safe persistent net can be transformedinto a marked graph by duplicating some transitions and places. Definition 80.
Given a CRPN N and a state (cid:104) M , H (cid:105) ∈ R ( (cid:104) M , H (cid:105) ) then N is said to bepersistent if for all t , t ∈ T , t , t enabled in (cid:104) M , H (cid:105) and (cid:104) M , H (cid:105) t −→ (cid:104) M (cid:48) , H (cid:48) (cid:105) then t enabled in (cid:104) M (cid:48) , H (cid:48) (cid:105) and vice versa. 164 igure 5.9: Persistence property As persistence is dependent on the enabledness of transitions, it cannot be defined solelyby the marking of a state.Consider the controlled reversing Petri net in Figure 5.9. In the first controlled reversingPetri net we observed the initial marking (cid:104) M , H (cid:105) where transitions t and t are simultane-ously forward enabled and the execution of one does not preclude the execution of the other.On the second controlled reversing Petri net we observe the marking (cid:104) M , H (cid:105) after the execu-tion of both t and t where transitions t and t are simultaneously forward enabled. Sincetransitions t and t are irreversible by A [10] and B [5] respectively then only transitions t and t can be executed and the execution of one of them does not preclude the execution ofthe other. Hence the controlled reversing Petri net is indeed persistent. Note that if transi-tions t and t were not irreversible then the reversal of transition t would have precludedthe execution of transition t and t . Antenna selection in distributed Massive MIMO (Multiple Input Multiple Output) [50] an-tenna arrays is an important optimisation problem on a complex system comprised of a largenumber of simple, similar-behaving components. While a large number of antennas offersdiversity, spatial multiplexing opportunities, interference suppression and redundance [105],not all antennas contribute the same, and powering all of them is not optimal [61]. Optimaltransmit antenna selection for large antenna arrays is computationally demanding [51], so165uboptimal approaches are pursued for real time use.Petri nets are a convenient tool for modelling and control of networks, and have beenapplied in higher layers of ISO OSI model for wireless networks [58]. Centralized AS inDM MIMO (distributed, massive, multiple input, multiple output) systems is computation-ally complex, demands a large information exchange, and the communication channel be-tween antennas and users changes rapidly. The reliability of distributed multiple-antennasystems depends on fault tolerance and recovery which align naturally with reversibility.We therefore introduce a CRPN-based, distributed, time-evolving solution with reversibility,asynchronous execution and local condition tracking for reliable performance and fault tol-erance. In this setting, we use our expressive controlling mechanism in order to manage thepattern and the direction of computation in order to deal with error recovery or to providethe main focus of the computation. The internal control mechanism validates the conditionswhen the addition of an antenna improves the sum capacity and violates the condition in casean antenna is consider to be no longer useful triggering reversal which removes the antennafrom the selected set.Reversible models conserve quantities, both in the sense of energy and matter. In thecase of our controlled reversing Petri net model, it preserves the number of tokens: in theparticular implementation it means that a constant number of antennas will be used at alltimes, which is advantageous in terms of planning and hardware resource deployment andrepresents an improvement compared to the previous localised antenna selection in whichthe number of antennas was an emergent property. Conservation of the token count can alsorepresent a fixed power budget, when we use the controlled reversing Petri net for powercontrol, constant user count if we perform user selection, etc.Reversibility allows the resource management algorithm to go back to a previous stateand take a different execution route in case of an antenna becomes faulty in one or moreplaces (in our presented case, antennas). Since there has been a fault and no forward tran-sition is possible we should reverse the last transition and thus see the token returning to aproperly-functioning antenna.Reversing the evolution of a controlled reversing Petri net is a logical behaviour in someuse cases. Without movement of users in the grid, the selected set of antennas is concentratedin a predefined state. With users moving, the antennas coordinate their tracking. Once thereis no more need for their activity, the tokens return to the initial positions with simple reversalof their trajectories. At the same time, the whole network does not have to be reversed, asparts of it could still be engaged with serving users. 166 igure 5.10: Antenna selection on massive-MIMO
In this section, the semantics for collective reversibility as realised in the framework of con-trolled reversing Petri nets (CRPNs), dynamically illustrate antenna selection in massive-MIMO based on how the proposed algorithm is implemented and how it changes basedon different operating scenarios. This section presents a new method for antenna selectionwhich divides antennas into virtual sub-neighbourhoods whose dynamic behaviour can beobserved by being simulated in controlled reversing Petri nets.For real-life systems such as massive-MIMO the state space is too large to illustrate andtherefore we decompose the whole system into smaller subsystems. This decomposition di-vides the whole model into two sub-models the first one being the power distribution amongantennas and the second one being the memory mechanism that controls the execution oftransitions. We call the power distribution model the high-level layer illustrating the ex-changes of power between antennas as well as the neighbouring connections between them.The low-level layer consists of the memory mechanism that collects information about thepowered antennas in a neighbourhood and thus executing transitions in forward or reversedirection depending on whether the required conditions are satisfied. Ideally, the two sub-models can be merged together resulting in a complete model, which then includes both thepower allocation of the system and the controlled decision steps.
High-level layer.
The model in Figure 5.10 illustrates the higher-level net of the antennaselection algorithm. We demonstrate a sample neighbourhood of eight base station antennaswith random distributed topology. Every eight antennas are considered to belong in the sameneighbourhood by allowing each antenna to be bidirectionally linked to four other antennas167e create overlapping neighbourhoods. The maximum number of enabled antennas in thisexample is two and the power token is transferred from one antenna to the other throughdirectly connected links. Note that resource allocation systems like antenna selection cangreatly benefit from the collective token interpretation since the existence of any power token p in the corresponding place should be able to execute a transition in either the forward orreverse direction. Low-level layer.
The search for a suitable set of antennas is a sum capacity maximizationproblem: C = max P , H c log det (cid:18) I + ρ N R N TS H c PH c H (cid:19) (5.1)where ρ is the signal to noise ratio, N TS the number of antennas selected from a total of N T antennas, N R the number of users, I the N TS × N TS identity matrix, P a diagonal N R × N R power matrix; H c is the N TS × N R submatrix of N T × N R channel matrix H . Instead ofcentralized AS, in our approach sum capacity is calculated locally for small sets of antennas(neighbourhoods), switching on only antennas which improve the capacity as for examplein Figure 5.11(a), we demonstrate the case where antenna A i − decreases sum capacity andtherefore it will not be selected.In the CRPN interpretation, we present the antennas by places A , . . . , A n , where n = N T ,and the overlapping neighbourhoods by places M , . . . , M h . These places are connected to-gether via transitions t i , j , connecting A i , A j and M k , whenever there is a connection linkbetween antennas A i and A j . The transition captures that based on the neighbourhood knowl-edge in place M k , antenna A i may be preferred over A j or vice versa (the transition may bereversed).To implement the intended mechanism, we employ three types of tokens. First, we havethe power tokens p i , which are of the same type and therefore by the collective token inter-pretation are able to execute/reverse any transition that requires them. If token p i is locatedon place A i , antenna A i is considered to be on. The transfer of these tokens results intonew antenna selections, ideally converging to a locally optimal solution. Second, tokens m , . . . , m h , each represent one neighbourhood. Finally, a , . . . , a n , represent the antennas.The tokens are used as follows: Given transition t i , j between antenna places A i and A j inneighbourhood M k , transition t i , j is enabled if token p is available on A i , token a j on A j , andbond ( a i , m k ) on M k , i.e., F ( A i , t i , j ) = { u } , type ( u ) = p , F ( A j , t i , j ) = { v } , type ( v ) = a , and F ( M k , t i , j ) = { ( q , w ) , q , w } , type ( q ) = a and type ( w ) = m . This configuration captures thatantennas A i and A j are on and off, respectively. (Note that the bonds between token m k and168 a) antennas and users(b) a part of the CRPN model Figure 5.11: CRPN for antenna selection in DM MIMO (large antenna array) tokens of type a in M k capture the active antennas in the neighbourhood.) Then, the effect ofthe transition is to break the bond ( a i , m k ) , and release token a i to place A i , transferring thepower token to A j , and creating the bond ( a j , m k ) on M k , i.e., F ( t i , j , A i ) = { q } , F ( t i , j , A j ) = { u } ,and F ( t i , j , M k ) = { ( v , w ) , v , w } . The mechanism achieving this for two antennas can be seenin Figure 5.11(b).Finally, to capture the transition’s condition, an antenna token a i is associated with datavector I ( a i ) = h i , type Σ ( h i ) = R ( = C ), i.e., the corresponding row of H . The conditionconstructs the matrix H c of (5.1) by collecting the data vectors h i associated with the antennatokens a i in place M k : H c = ( h , ..., h n ) T where h i = I ( a i ) if a i ∈ M k , otherwise h i = (0 . . . . The transition t i , j will occur if the sum capacity calculated for all currentlyactive antennas (including a i ), C a i , is less than the sum capacity calculated for the sameneighbourhood with the antenna A i replaced by A j , C a j , i.e., C a i < C a j . Note that if thecondition is violated, the transition may be executed in the reverse direction. 169 .3.2 Property Analysis in Massive MIMO Systems The behaviour of a modern wireless communications system (in our example, a massiveMIMO system) can be thought as an aggregation of multiple networks employing varyinglevels of coordination and communication. Various resources (electromagnetic spectrum,power, physical infrastructure) are continuously managed, the network of users interactswith the network of base stations, computation and communication intertwine. Hardwarefaults happen, working modes change, and the modern networks are supposed to handlethese unexpected events seamlessly. The general idea behind the aggregation method is tosubstitute complex Petri net structures by simple ones observing some important propertiesof the model like e.g. deadlock, siphons, traps, reachability etc. Intelligent monitoringof a massive distributed network requires careful specification and modelling in order toanalyse its constraints and deliverables, as well as to avoid hazards, waste of resources andsecurity threats and therefore be used by engineers and designers for what-if analysis andexperimentation.On that note, the modelled MIMO system can be used for formal verification of prop-erties such as the deadlock property, siphons and traps. Optimisation processes in wirelesscommunications in general should be converging fast to a steady state with minimal compu-tational burden in order to enable real time application in high mobility scenarios. Therefore,we could use the deadlock property to define the final antenna selection where our algorithmconverges. Similarly, in the case of siphons we know that once a token escapes the siphonregion the token will never return to that region. As such once a power token escapes to anantenna outside a siphon region it will never consider that region as computationally betterthan the antenna that the token is already in. In this way we are able to define non critical an-tennas given a predefined set of specifications of our MIMO system. In the opposite manneronce a token enters a trap region it will never escape that region, i.e. it will never considerantennas outside that region as better antennas than the already selected ones. As such we areable to identify critical antennas that improve sum capacity given a predefined set of specifi-cations for our MIMO system. Finally, the ability of our model to allow tokens to carry datayields in customized performance properties which can be quantified by specific metrics thatprovide the average measure of the probability with which an error is encountered. 170 .4 Concluding Remarks
In this chapter we have extended MRPNs with conditions that control reversibility [113,127], and we have applied our framework in the context of wireless communications. Ourformalism introduces conditional transitions that permit the system to manage the patternand direction of computation. It allows systems to reverse under specified conditions leadingto previously visited states or even new ones without the need of additional forward actions.A possibility to extend the model exists by introducing arc expressions that will performoperations on the data values associated with the manipulating tokens.We have shown how the reversible structure of CRPNs is amenable to implementationsfrom wireless communications in terms of distributed antenna selection and is expressiveenough to encode reversible processes. This experience has illustrated that resource man-agement can be studied and understood in terms of CRPNs as, along with their visual nature,they offer a number of features, such as token persistence, that is especially relevant in thesecontexts. 171 hapter Conclusions
This thesis proposes a reversible approach to Petri Nets [111, 112] that allows the modellingof reversibility as realised by backtracking, causal reversing, and out-of-causal-order revers-ing. Our proposal allows transitions to reverse at any time leading to previously visited statesor even to new ones without the need of additional forward actions. Moreover, this interpre-tation of Petri Nets has the capability of reversing without the need of an extensive memory.To enable this, additional machinery has been necessary to capture causal dependencies inthe presence of cycles. This machinery identifies a causal dependence relation that resortsto the marking of a net and is partnered along with stack histories for each transition thatrecord all previous occurrences. To the best of our knowledge, this is the first such proposal,since the related previous work [15, 16], having a different aim, implemented a very liberalway of reversing computation in Petri nets by introducing additional reversed transitions. Onthe contrary, in [96], reversibility is achieved by adding new places to non-reversible Petrinets while preserving their computation, which however is only possible in a subclass ofPetri nets and it is only focused on causal reversal. The works of [93–95] identify the causalmemory of a Petri net by unfolding them into occurrence nets and coloured Petri nets. Allof these approaches, including ours, are concerned with reversing single steps of transitions,unlike [35], which examines the possibility of reversing the effect of groups of actions.Other than the technical scope of this work we are also concerned with the theoreticalfoundations of reversible computation, specifically the different strategies of reversing andtheir relationships. Through the aid of Petri nets we were able to examine the differentstrategies of reversing and focus mostly on causal reversing and out-of-causal-order revers-ing. Causality is one of the most interesting topics within models of concurrency where172arious interpretations have been proposed throughout time which can be justified either bytheoretical properties, or by the implementation of possible applications. We focus on theapproach where dependencies between transitions are determined by the token manipulationperformed during an execution. We prove that the amount of flexibility allowed in causalreversibility indeed yields a causally consistent semantics.On a similar note, research on out-of-causal reversibility is very limited since the onlyrelated work is that in [118, 119]. Therefore, from various examples and theoretical resultswe have examined the theoretical properties of out-of-causal reversibility and demonstratedthat out-of-causal-order reversibility is able to create new states unreachable by forward-onlyexecution.Most works in the literature discuss out-of-causal reversibility when creating of bondsrather than destructing bonds. In our model, where states are more elaborate since they pre-serve token evolution, we were able to observe that it is not possible to reverse a transition inout of causal order whose effect no longer exists in the system. This shows that out-of-causalorder is not as flexible as one might initially believe. This applies and should be consideredin other formal models, such as process calculi and event structures, independently of howabstract their states are.Additionally, we establish the relationship between the three forms of reversing and de-fine a transition relation that can capture each of the three strategies modulo the enablednesscondition for each strategy. This allows us to provide a uniform treatment of the basic theo-retical results.We continue exploring these reversible strategies in extensions of reversing Petri nets,Multi Reversing Petri Nets (MRPNs), by allowing multiple tokens of the same type to existin a model and developing reversible semantics in the presence of bond destruction. Our aimwas to generalize reversing Petri nets in a setting where multiple tokens that have identicalbehavioural capabilities can occur in a system. However, allowing multiple instances ofidentical tokens results in ambiguities when it comes to causal dependencies. In fact, we havedistinguished the different ways of introducing reversible behaviour into causal systems withmultiple tokens and we explore two directions, namely, the individual token interpretationdefined based on partial order [24, 137] and the collective token interpretation defined basedon disjunctive causality.We have proposed reversible semantics that follow the individual token philosophy andtherefore achieve precise correspondence between the token instances and their past. Theindividuality of identical tokens can be imposed by their causal path which allows identical173okens to fire the same transition when going forward, however when going backwards to-kens will be able to reverse only the transitions that they have fired. We have also providedthe reversible semantics for out-of-causal-order reversibility in the presence of bond destruc-tion. Finally, we show that the expressive power of multi reversing Petri nets is equivalent tothe expressive power of single reversing Petri nets (SRPNs). However, there is blow-up onthe size of SRPNs as multiple transitions in SRPNs can be represented by the same transitionin MRPNs as long as the type equivalence between the required tokens and variables is thesame.We have also presented a more relaxed form of reversibility following the collectivetoken philosophy and we have given the associated semantics for the respective firing rule.This approach considers all tokens of a certain type to be identical, disregarding their historyduring execution, and is particularly applicable in the context of resource-aware systems. Inthe collective token interpretation when multiple tokens of the same type reside in the sameplace then these tokens are not distinguished. This means that all that is known by the modelis the amount of token occurrences of a specific type and their location in the marking. Wehave shown how this firing rule relates to the firing rules of the individual token interpretationand how the robustness of this mechanism can be applied in an application from biochemistryknown as the autoprotolysis of water.A subsequent extension of our formalism, called Controlled Reversing Petri Nets (CRPNs),considers approaches for controlling reversibility as for instance in [78, 81, 118]. While var-ious frameworks make no restriction as to when a transition can be reversed (uncontrolledreversibility), it can be argued that some means of controlling the conditions of transitionreversal is often useful in practice. For instance, in biological phenomena where environ-mental conditions change or when dealing with fault recovery where reversal is triggeredwhen a fault is encountered. We therefore have extended our research by proposing condi-tional executions that indicate the pattern and direction of computation as well as irreversibleactions or less likely executable actions. In fact, we have extended MRPNs with conditionsthat control reversibility by determining the direction of transition execution. We then pro-vide the main behavioural properties of our controlled model as the specification of modelsaccording to these properties can be useful towards their analysis and verification.Finally, we show the robustness of our control mechanism and the associated behaviouralproperties by modelling an example from telecommunications of a recently-proposed dis-tributed algorithm for antenna selection. Our application illustrates the ability of CRPNs tonot only formalise complex distributed systems, but also to naturally capture controlled exe-174ution and conservation of information in a system. The ability of the CRPN solution to actasynchronously and converge fast with minimal computational burden enables real time ap-plication of the algorithm even in high mobility scenarios. We have shown how the reversiblestructure of CRPNs is amenable to implementations from wireless communications in termsof distributed antenna selection and is expressive enough to encode reversible processes.
The simplicity of the basic user interface of Petri nets has easily enabled extensive toolsupport over the years, particularly in the areas of model checking, graphically oriented sim-ulation, and software verification. Recently, Petri nets have been associated with a novelparadigm, known as Answer Set Programming (ASP) [53, 89], which is a declarative pro-gramming language with competitive solvers that solve a problem by devising a logic pro-gram such that models of the program provide the answers to the problem. ASP appliesdeclarative logic programming techniques that run multiple simulations and parallel evolu-tions in order to analyse the properties of various modelling domains. Various subclassesof Petri Nets have been translated to ASP, such as regular Petri Nets [107], Simple LogicPetri Nets [17], 1-safe Petri nets [59], general Petri Nets [4], timed Petri nets [57], as well ashigh-level Petri nets [3].Given that RPNs are able to model discrete event systems with well-formed semantics,they can also be used for specifying and manipulating the states of a system. Based on thatwe are currently exploring how ASP can be used to encode reversing Petri nets in an intuitivemanner while preserving the modelling power and analyzability of decision problems in Petrinet theory [39]. Our implementation allows the enumeration of all possible evolutions of areversing Petri net simulation as well as the ability to carry out additional reasoning aboutthese simulations. Our long term goal is the development of an ASP-based framework forreasoning about RPN models. The visual nature of Petri nets in combination with reversiblecomputation can help in understanding reversibility through various case studies and explorehow reversibility can help in specification, verification, and testing.In order to further understand how reversibility affects computation, we need to investi-gate the expressiveness relationship between models that are equipped with reversibility andthe forms of traditional models. The trade-offs between traditional models and reversiblemodels, the relations between the several reversible approaches as well as a clarification andclassification of the different notions are of particular interest, and need to be studied in175epth. This will show whether the expressive power of the traditional model improves fromthe added feature of reversible computation and whether it affects the decidability problemsdiscussed in [15], regarding reachability and coverability.As such, another translation of RPNs investigates the expressiveness relationship be-tween RPNs and coloured Petri nets where a subclass of RPNs with trans-acyclic structureshas been translated into coloured Petri Nets (CPNs) by encoding the structure of the netalong with the execution [13, 14]. The more typical challenges are related with the com-plexity and the cost of increasing (exponentially) the size of the net. Specifically, we haveproposed a structural translation from RPNs to CPNs, where for each transition we considerboth forward and backward instances. Furthermore, the translation relies on storing histo-ries and causal dependencies of executed transition sequences in additional places (Figure6.1). We have tested the translation on a number of examples, where the CPN-tools [64] wasemployed to illustrate that the translations conform to the semantics of reversible computa-tion. As a result, we conclude that the principles of reversible computation in the presenceof cyclic behaviour can be encoded in the traditional model.
Figure 6.1: Translation from reversing Petri nets to coloured Petri nets
As an extension of our work with coloured Petri nets we aim to provide and prove thecorrectness of our translation and analyse the associated trade-offs in terms of Petri net size.We intend to investigate the expressiveness relationship between reversing Petri nets andcoloured Petri nets and explore how reversible computation affects the expressive power ofvarious subclasses of Petri nets. As a general aim, we plan on implementing an algorith-mic translation that transforms RPNs to CPNs in an automated manner using the proposedtransformation techniques.From a more practical point of view, we believe that our framework can be applied in176elds outside Computer Science, since the expressive power and visual nature offered byPetri nets coupled with reversible computation has the potential of providing an attractivesetting for analysing systems (for instance in biology, chemistry or electrical engineering).Our application of RPNs in the antenna selection problem is a pioneering one, and we believethat the RPN approach can be expanded to other resource management problems in electricalengineering, drawing benefits from both the conservation properties of RPNs as well as theability to run the networks, or their parts, in reverse direction to recover from faults andhandle inherently reversible communication phenomena (e.g. receiver/transmitter duality).Specifically, intelligent monitoring of the electric power system requires careful specifi-cation and modelling in order to analyse its constraints and deliverables, as well as to avoidhazards, wastage of resources and security threats. In order to observe the global behaviourof the power system, a global model representing the different smart grid components andthe different modes of communication between these components is needed. The selectedmodelling formalism should be intuitive and should support the specification of the appropri-ate abstraction level where in a higher level we should be able to represent the various actorsin a smart grid and in a lower level we should be able to include consumers/prosumers aswell as their electrical appliances. The simulation of the model should be able to support allthe features of the smart grid and incorporate all the technologies used in the smart grid; themodel can therefore be used by the smart grid engineers and designers for what-if analysisand experimentation. We believe that reversing Petri nets satisfy the above requirements andthat they can be used in order to represent the dynamic and complex behaviour associatedwith a smart grid covering all its functionalities ranging from the generation of power tointelligent billing mechanisms.Other than electrical engineering, reversibility attracts much interest for its potential inmany other application areas ranging from cellular automata, programming languages, cir-cuit design to quantum computing. Of a particular interest is quantum computing which is aform of computing that performs based on quantum mechanical phenomena such as superpo-sition and entanglement. Many of the components in quantum computers, such as databasesor modular exponentiation, obey the fundamental laws of physics which are inherently re-versible making quantum computations also reversible [1]. Our aim is to transition fromquantum theory to quantum engineering by formally presenting the fundamental rules gov-erning quantum systems, along with methodologies for verification of correctness, safety andreliability of these systems. Due to some essential differences between classical and quan-tum systems, classical model-checking techniques cannot be directly applied to quantum177ystems. Therefore, an interesting direction would be to extend RPNs to be able to modelthe behaviour of systems that combine classical and quantum communication and computa-tion. The aim of this study could be to extend the application area of reversing Petri nets,which have been very successfully used to model classical engineering systems, by mod-elling the use and operation of Feynman’s quantum computer [44]. Future research coulddevelop model-checking techniques that can be used not only for quantum communicationprotocols but also for general quantum systems, including physical systems and quantumprograms. We envisage that quantum model-checking techniques can be applied for check-ing physical systems, verification of quantum circuits, analysis and verification of quantumprograms, and verification of security of quantum communication protocols. Similar workwas done in process calculi, the most prominent being qCCS, a natural quantum extensionof CCS [43] and CQP [52], a combination of the communication primitives of pi-calculuswith primitives for measurement and transformation of quantum states. 178 ibliography [1] S. Abramsky. A structural approach to reversible computation.
Theoretical ComputerScience , 347(3):441–464, 2005.[2] T. Altenkirch and J. Grattage. A functional quantum programming language. In
Proceedings of LICS 2005 , pages 249–258. IEEE Computer Society, 2005.[3] S. Anwar, C. Baral, and K. Inoue. Encoding higher level extensions of Petri netsin answer set programming. In
Proceedings of LPNMR 2013 , LNCS 8148, pages116–121. Springer, 2013.[4] S. Anwar, C. Baral, and K. Inoue. Encoding Petri nets in answer set programming forsimulation based reasoning.
TPLP , 13(4-5-Online-Supplement), 2013.[5] T. Araki and T. Kasami. Some decision problems related to the reachability problemfor Petri nets.
Theoretical Computer Science , 3(1):85–104, 1976.[6] H. B. Axelsen. Clean translation of an imperative reversible programming language.In
Proceedings of CC, ETAPS 2011 , LNCS 6601, pages 144–163. Spinger, 2011.[7] H. B. Axelsen. Time complexity of tape reduction for reversible turing machines. In
Proceedings of RC 2011 , LNCS 7165, pages 1–13. Springer, 2011.[8] H. B. Axelsen. Reversible multi-head finite automata characterize reversible loga-rithmic space. In
Proceedings of LATA 2012 , LNCS 7183, pages 95–105. Springer,2012.[9] G. Bacci, V. Danos, and O. Kammar. On the statistical thermodynamics of reversiblecommunicating processes. In
Proceedings of CALCO 2011 , LNCS 6859, pages 1–18.Springer, 2011.[10] J.-L. Baer and C. S. Ellis. Model, design, and evaluation of a compiler for a parallelprocessing environment.
IEEE Transactions on software engineering , (6):394–405,1977.[11] F. Barbanera, M. Dezani-Ciancaglini, and U. de’Liguoro. Compliance for reversibleclient/server interactions. In
Proceedings of BEAT 2014 , EPTCS 162, pages 35–42,2014.[12] F. Barbanera, M. Dezani-Ciancaglini, I. Lanese, and U. de’Liguoro. Retractable con-tracts. In
Proceedings of PLACES 2015 , EPTCS 203, pages 61–72, 2015.[13] K. Barylska, A. Gogolinska, L. Mikulski, A. Philippou, M. Piatkowski, and K. Psara.Reversing computations modelled by coloured Petri nets. In
Proceedings of ATAED2018 , CEUR Workshop Proceedings 2115, pages 91–111, 2018.[14] K. Barylska, A. Gogolinska, A. Philippou, and K. Psara. Cycles in reversing compu-tations modelled by coloured Petri nets. (In preparation).[15] K. Barylska, M. Koutny, L. Mikulski, and M. Piatkowski. Reversible computation vs.reversibility in Petri nets.
Science of Computer Programming , 151:48–60, 2018. 17916] K. Barylska, L. Mikulski, M. Piatkowski, M. Koutny, and E. Erofeev. Reversingtransitions in bounded Petri nets. In
Proceedings of CS&P 2016 , CEUR WorkshopProceedings 1698, pages 74–85. CEUR-WS.org, 2016.[17] T. M. Behrens and J. Dix. Model checking multi-agent systems with logic based Petrinets.
Annals of Mathematics and Artificial Intelligence , 51(2-4):81–121, 2007.[18] C. H. Bennett. Logical reversibility of computation.
IBM journal of Research andDevelopment , 17(6):525–532, 1973.[19] G. Berry and G. Boudol. The chemical abstract machine.
Theoretical ComputerScience , 96(1):217–248, 1992.[20] A. Bérut, A. Arakelyan, A. Petrosyan, S. Ciliberto, R. Dillenschneider, and E. Lutz.Experimental verification of landauer’s principle linking information and thermody-namics.
Nature , 483(7388):187–189, 2012.[21] M. L. Blinov, J. Yang, J. R. Faeder, and W. S. Hlavacek. Graph theory for rule-basedmodeling of biochemical networks. pages 89–106, 2006.[22] G. Brown and A. Sabry. Reversible communicating processes. In
Proceedings ofPLACES 2015 , EPTCS 203, pages 45–59, 2015.[23] R. Bruni, J. Meseguer, U. Montanari, and V. Sassone. A comparison of Petri netsemantics under the collective token philosophy. In
Proceedings of ASIAN 1998 ,LNCS 1538, pages 225–244, 1998.[24] R. Bruni and U. Montanari. Zero-safe nets: Comparing the collective and individualtoken approaches.
Information and Computation , 156(1-2):46–89, 2000.[25] H. Buhrman, J. Tromp, and P. M. B. Vitányi. Time and space bounds for reversiblesimulation. In
Proceedings of ICALP 2001 , LNCS 2076, pages 1017–1027. Springer,2001.[26] M. Calder, S. Gilmore, and J. Hillston. Modelling the influence of RKIP on the ERKsignalling pathway using the stochastic process algebra PEPA. In
Transactions onComputational Systems Biology , LNCS 4230, pages 1–23. Springer, 2006.[27] L. Cardelli and C. Laneve. Reversible structures. In
Proceedings of CMSB 2011 ,pages 131–140. ACM, 2011.[28] S. Chen, W. K. Fuchs, and J. Chung. Reversible debugging using program instrumen-tation.
IEEE Transactions on Software Engineering , 27(8):715–727, 2001.[29] I. Cristescu, J. Krivine, and D. Varacca. A compositional semantics for the reversiblepi-calculus. In
Proceedings of ACM/IEEE 2013 , pages 388–397, 2013.[30] V. Danos, J. Feret, W. Fontana, R. Harmer, and J. Krivine. Rule-based modellingof cellular signalling. In
Proceedings of CONCUR 2007 , LNCS 4703, pages 17–41.Springer, 2007.[31] V. Danos and J. Krivine. Reversible communicating systems. In
Proceedings of CON-CUR 2004 , LNCS 3170, pages 292–307. Springer, 2004.[32] V. Danos and J. Krivine. Transactions in RCCS. In
Proceedings of CONCUR 2005 ,LNCS 3653, pages 398–412. Springer, 2005. 18033] V. Danos and J. Krivine. Formal molecular biology done in CCS-R.
Electronic Notesin Theoretical Computer Science , 180(3):31–49, 2007.[34] V. Danos, J. Krivine, and P. Sobocinski. General reversibility.
Electonic Notes inTheoretical Computer Science , 175(3):75–86, 2007.[35] D. de Frutos-Escrig, M. Koutny, and L. Mikulski. Reversing steps in Petri nets. In proceedings of PETRI NETS 2019 , LNCS 1152, pages 171–191. Springer, 2019.[36] E. de Vries, V. Koutavas, and M. Hennessy. Communicating transactions - (extendedabstract). In
Proceedings of CONCUR 2010 , LNCS 6269, pages 569–583. Springer,2010.[37] E. de Vries, V. Koutavas, and M. Hennessy. Liveness of communicating transactions(extended abstract). In
Proceedings of APLAS 2010 , LNCS 6461, pages 392–407.Springer, 2010.[38] J. B. Dennis and S. S. Patil.
Speed independent asynchronous circuits . MassachusettsInstitute of Technology, Project MAC, 1971.[39] Y. Dimopoulos, E. Kouppari, A. Philippou, and K. Psara. Encoding reversing Petrinets in answer set programming. In
Proceedings of RC 2020 , LNCS 12227, pages264–271. Spinger, 2020.[40] R. Drechsler and R. Wille. Reversible computation. In
Proceedings of IGSC 2015 ,pages 1–5. IEEE Computer Society, 2015.[41] C. Dufourd, A. Finkel, and P. Schnoebelen. Reset nets between decidability and un-decidability. In
Proceedings of ICALP 1998 , LNCS 1443, pages 103–115. Springer,1998.[42] S. I. Feldman and C. B. Brown. Igor: A system for program debugging via reversibleexecution. In
Proceedings of the ACM SIGPLAN SIGOPS 1988 , pages 112–123.ACM, 1988.[43] Y. Feng, R. Duan, Z. Ji, and M. Ying. Probabilistic bisimulations for quantum pro-cesses.
Information and Computation , 205(11):1608–1639, 2007.[44] R. P. Feynman. Quantum mechanical computers.
Foundations of physics , 16(6):507–531, 1986.[45] J. Field and C. A. Varela. Transactors: a programming model for maintaining glob-ally consistent distributed state in unreliable environments. In
Proceedings of ACMSIGPLAN-SIGACT, POPL 2005 , pages 195–208. ACM, 2005.[46] M. P. Frank.
Reversibility for efficient computing . PhD thesis, Massachusetts Instituteof Technology, Department of Electrical Engineering and Computer Science, 1999.[47] M. P. Frank. Back to the future: The case for reversible computing. arXiv preprintarXiv:1803.02789 , 2018.[48] E. Fredkin and T. Toffoli. Conservative logic. In
Collision-based computing , pages47–81. Springer, 2002. 18149] E. F. Fredkin and T. Toffoli. Design principles for achieving high-performance sub-micron digital technologies. In
Collision-based computing , pages 27–46. Springer,2002.[50] X. Gao, O. Edfors, F. Tufvesson, and E. G. Larsson. Massive MIMO in real prop-agation environments: Do all antennas contribute equally?
IEEE Transactions onCommunications , 63(11):3917–3928, 2015.[51] Y. Gao, H. Vinck, and T. Kaiser. Massive mimo antenna selection: Switching architec-tures, capacity bounds, and optimal antenna selection algorithms.
IEEE Transactionson Signal Processing , 66(5):1346–1360, 2018.[52] S. J. Gay and R. Nagarajan. Communicating quantum processes. In
Proceedings ofACM, SIGPLAN-SIGACT, POPL 2005 , pages 145–157. ACM, 2005.[53] M. Gebser, R. Kaminski, B. Kaufmann, and T. Schaub.
Answer set solving in practice .Morgan Claypool Publishers, 2012.[54] M. Ghazel and M. Jmaiel, editors.
Proceedings of VECoS 2016 , volume 1689 of
CEUR Workshop Proceedings . CEUR-WS.org, 2016.[55] U. Goltz and W. Reisig. The non-sequential behavior of Petri nets.
Information andControl , 57(2/3):125–147, 1983.[56] R. Grishman. The debugging system AIDS. In
Proceedings of AFIPS 1970 , AFIPSConference Proceedings 36, pages 59–64. AFIPS Press, 1970.[57] G. Havur, C. Cabanillas, J. Mendling, and A. Polleres. Automated resource allocationin business processes with answer set programming. In
Proceedings of BPM 2015,Revised Papers , LNBIP 256, pages 191–203. Springer, 2015.[58] A. Heindl and R. German. Performance modeling of IEEE 802.11 wireless lans withstochastic Petri nets.
Performance Evaluation , 44(1-4):139–164, 2001.[59] K. Heljanko and I. Niemelä. Bounded LTL model checking with stable models.
TPLP ,3(4-5):519–550, 2003.[60] M. Holzer, S. Jakobi, and M. Kutrib. Minimal reversible deterministic finite automata.In
Proceedings of DLT 2015 , LNCS 9168, pages 276–287. Springer, 2015.[61] J. Hoydis, S. t. Brink, and M. Debbah. Massive MIMO in the UL/DL of CellularNetworks: How Many Antennas Do We Need?
IEEE Journal on Selected Areas inCommunications , 31(2):160–171, Feb. 2013.[62] D. A. Huffman. Canonical forms for information-lossless finite-state logical ma-chines.
IRE Transactions on Information Theory , 5(5):41–59, 1959.[63] R. P. James, A. Sabry, and J. Street. Theseus: A high level language for reversiblecomputing. 2014.[64] K. Jensen.
Coloured Petri nets - Basic concepts, analysis methods and practical use -Volume 1, second edition . Monographs in Theoretical Computer Science. An EATCSSeries. Springer, 1996.[65] J. R. Jump and P. Thiagarajan. On the equivalence of asynchronous control structures.In
Proceedings of SWAT 1972 , pages 212–223. IEEE, 1972. 18266] P. Kaye, R. Laflamme, and M. Mosca.
An introduction to quantum computing . OxfordUniversity Press, 2006.[67] T. Koju, S. Takada, and N. Doi. An efficient and generic reversible debugger using thevirtual machine based approach. In
Proceedings of VEE 2005 , pages 79–88. ACM,2005.[68] V. Koutavas, C. Spaccasassi, and M. Hennessy. Bisimulations for communicatingtransactions - (extended abstract). In
Proceedings of FOSSACS 2014 , LNCS 8412,pages 320–334. Springer, 2014.[69] S. Kuhn, B. Aman, G. Ciobanu, A. Philippou, K. Psara, and I. Ulidowski. Reversibil-ity in chemical reactions. In
Reversible Computation: Extending Horizons of Com-puting - Selected Results of the COST Action IC1405 , LNCS 1270, pages 151–176.Spinger, 2020.[70] S. Kuhn and I. Ulidowski. A calculus for local reversibility. In
Proceedings of RC2016 , LNCS 9720, pages 20–35. Springer, 2016.[71] M. Kutrib and A. Malcher. Reversible pushdown automata. In
Proceedings of LATA2010 , LNCS 6031, pages 368–379. Springer, 2010.[72] M. Kutrib and A. Malcher. One-way reversible multi-head finite automata.
TheoreticalComputer Science , 682:149–164, 2017.[73] M. Kutrib, A. Malcher, and M. Wendlandt. Reversible queue automata.
FundamentaInformaticae , 148(3-4):341–368, 2016.[74] M. Kutrib, A. Malcher, and M. Wendlandt. When input-driven pushdown automatameet reversiblity.
RAIRO - Theoretical Informatics and Applications , 50(4):313–330,2016.[75] R. Landauer. Irreversibility and heat generation in the computing process.
IBM Jour-nal of Research and Development , 5(3):183–191, 1961.[76] I. Lanese, M. Lienhardt, C. A. Mezzina, A. Schmitt, and J. Stefani. Concurrent flexiblereversibility. In
Proceedings of ESOP 2013 , LNCS 7792, pages 370–390. Springer,2013.[77] I. Lanese and D. Medic. A general approach to derive uncontrolled reversible seman-tics. In
Proceedings CONCUR 2020 , LIPIcs 171, pages 33:1–33:24. Schloss Dagstuhl- Leibniz-Zentrum für Informatik, 2020.[78] I. Lanese, C. A. Mezzina, A. Schmitt, and J. Stefani. Controlling reversibility inhigher-order pi. In
Proceedings of CONCUR 2011 , LNCS 6901, pages 297–311.Springer, 2011.[79] I. Lanese, C. A. Mezzina, and J. Stefani. Reversing higher-order pi. In
Proceedingsof CONCUR 2010 , LNCS 6269, pages 478–493, 2010.[80] I. Lanese, C. A. Mezzina, and J. Stefani. Controlled reversibility and compensations.In
Proceedings of RC 2012 , LNCS 7581, pages 233–240. Springer, 2012.[81] I. Lanese, C. A. Mezzina, and J. Stefani. Controlled reversibility and compensations.In
Proceedings of RC 2012 , LNCS 7581, pages 233–240. Springer, 2012. 18382] I. Lanese, C. A. Mezzina, and J. Stefani. Reversibility in the higher-order π -calculus. Theoretical Computer Science , 625:25–84, 2016.[83] I. Lanese, C. A. Mezzina, and F. Tiezzi. Causal-consistent reversibility.
EuropeanAssociation for Theoretical Computer Science , 114, 2014.[84] I. Lanese, I. C. C. Phillips, and I. Ulidowski. An axiomatic approach to reversiblecomputation. In
Proceedings of FOSSACS 2020 , LNCS, pages 442–461. Spinger,2020.[85] J. S. Laursen, U. P. Schultz, and L. Ellekilde. Automatic error recovery in robot as-sembly operations using reverse execution. In
Proceedings of IEEE/RSJ, IROS 2015 ,pages 1785–1792. IEEE, 2015.[86] Y. Lecerf. Récursive insolubilité de l’équation générale de diagonalisation de deuxmonomorphisms de monoïdes libres φ x= ψ x. Comptes rendus de l’Académie desSciences Paris , 257:2940–2943.[87] B. Lewis and M. Ducassé. Using events to debug java programs backwards in time.In
Proceedings of ACM, SIGPLAN, OOPSLA 2003 , pages 96–97. ACM, 2003.[88] M. Lienhardt, I. Lanese, C. A. Mezzina, and J. Stefani. A reversible abstract machineand its space overhead. In
Proceedings of IFIP, FMOODS, IFIP, FORTE 2012 , LNCS7273, pages 1–17. Springer, 2012.[89] V. Lifschitz.
Answer Set Programming . Springer, 2019.[90] M. A. Marsan. Stochastic Petri nets: an elementary introduction. In
European Work-shop on Applications and Theory in Petri Nets , pages 1–29. Springer, 1988.[91] M. A. Marsan, G. Balbo, and G. Conte. Performance models of multiprocessor sys-tems. 1986.[92] W. Mauerer. Semantics and simulation of communication in quantum programming. arXiv preprint quant-ph/0511145 , 2005.[93] H. C. Melgratti, C. A. Mezzina, I. Phillips, G. M. Pinna, and I. Ulidowski. Reversibleoccurrence nets and causal reversible prime event structures. In
Proceedingds of RC2020 , LNCS 12227. Spinger, 2020.[94] H. C. Melgratti, C. A. Mezzina, and I. Ulidowski. Reversing P/T nets. In
Proceedingsof COORDINATION 2019 , LNCS 11533, pages 19–36. Springer, 2019.[95] H. C. Melgratti, C. A. Mezzina, and I. Ulidowski. Reversing place transition nets.
Logical Methods in Computer Science , 16(4), 2020.[96] L. Mikulski and I. Lanese. Reversing unbounded Petri nets. In
Proceedings of PETRINETS 2019 , volume 11522 of
LNCS , pages 213–233. Springer, 2019.[97] R. Milner.
Communication and concurrency . Prentice hall New York etc., 1989.[98] H. Mlnaˇrík.
Quantum Programming Language LanQ . PhD thesis, Masarykova Uni-verzita, Fakulta Informatiky, 2007.[99] K. Morita. Reversible computing and cellular automata - A survey.
Theoretical Com-puter Science , 395(1):101–131, 2008. 184100] K. Morita. Two-way reversible multi-head finite automata.
Fundamenta Informaticae ,110(1-4):241–254, 2011.[101] T. Murata. Relevance of network theory to models of distributed/parallel processing.
Journal of the Franklin Institute , 310(1):41–50, 1980.[102] T. Murata. Petri nets: Properties, analysis and applications.
Proceedings of the IEEE ,77(4):541–580, 1989.[103] C. Okasaki.
Purely functional data structures . Cambridge University Press, 1999.[104] B. Ömer. A procedural formalism for quantum computing. 1998.[105] A. Ozgur, O. Lévêque, and D. Tse. Spatial degrees of freedom of large distributedmimo systems and wireless ad hoc networks.
IEEE Journal on Selected Areas inCommunications , 31(2):202–214, 2013.[106] J. Palsberg and M. Abadi, editors.
Proceedings of ACM SIGPLAN-SIGACT, POPL2005 . ACM, 2005.[107] J. A. N. Pérez and A. Voronkov. Encodings of bounded LTL model checking in effec-tively propositional logic. In
Proceedings of CADE-21 , LNCS 4603, pages 346–361.Springer, 2007.[108] M. A. Perkowski, M. Chrzanowska-Jeske, A. Mishchenko, X. Song, A. Al-Rabadi,B. Massey, P. Kerntopf, A. Buller, L. Józwiak, and A. J. Coppola. Regular realizationof symmetric functions using reversible logic. In
Proceedings of Euro-DSD 2001 ,pages 245–253. IEEE Computer Society, 2001.[109] K. S. Perumalla.
Introduction to reversible computing . CRC Press, 2013.[110] C. A. Petri. Kommunikation mit automaten.
PhD Thesis 1962 .[111] A. Philippou and K. Psara. Reversible computation in Petri nets. In
Proceedings ofRC 2018 , LNCS 11106, pages 84–101. Springer, 2018.[112] A. Philippou and K. Psara. Reversible computation in cyclic Petri nets (under submis-sion). 2020.[113] A. Philippou, K. Psara, and H. Siljak. Controlling reversibility in reversing Petri netswith application to wireless communications. In
Proceedings of RC 2019 , LNCS11497, pages 238–245. Springer, 2019.[114] A. Philippou, K. Psara, and H. Siljak. A collective-interpretation semantics for revers-ing Petri nets. (In preparation).[115] I. Phillips and I. Ulidowski. Reversibility and models for concurrency.
ElectronicNotes in Theoretical Computer Science , 192(1):93–108, 2007.[116] I. Phillips and I. Ulidowski. Reversibility and asymmetric conflict in event structures.
Journal of Logical and Algebraic Methods in Programming , 84(6):781–805, 2015.[117] I. Phillips and I. Ulidowski. Reversing algebraic process calculi. In
Proceedings ofFOSSACS 2006 , LNCS 3921, pages 246–260. Springer, 2016. 185118] I. Phillips, I. Ulidowski, and S. Yuen. A reversible process calculus and the modellingof the ERK signalling pathway. In
Proceedings of RC 2012 , LNCS 7581, pages 218–232. Springer, 2012.[119] I. Phillips, I. Ulidowski, and S. Yuen. Modelling of bonding with processes and events.In
Proceedings of RC 2013 , LNCS 7947, pages 141–154. Springer, 2013.[120] J. Pin. On reversible automata. In
Proceedings of LATIN 1992 , LNCS 583, pages401–416, 1992.[121] W. Reisig. Petri nets with individual tokens.
Theoretical Computer Science , 41:185–213, 1985.[122] W. Reisig.
Understanding Petri nets: modeling techniques, analysis methods, casestudies.
Springer, 2013.[123] G. Rozenberg and R. Verraedt. Subset languages of Petri nets part i: The relationshipto string languages and normal forms.
Theoretical Computer Science , 26(3):301–326,1983.[124] U. P. Schultz. Towards a general-purpose, reversible language for controlling self-reconfigurable robots. In
Proceedings of RC 2012 , LNCS 7581, pages 97–111.Springer, 2012.[125] U. P. Schultz, M. Bordignon, and K. Støy. Robust and reversible execution of self-reconfiguration sequences.
Robotica , 29(1):35–57, 2011.[126] U. P. Schultz, J. S. Laursen, L. Ellekilde, and H. B. Axelsen. Towards a domain-specific language for reversible assembly sequences. In
Proceedings of RC 2015 ,LNCS 9138, pages 111–126. Springer, 2015.[127] H. Siljak, K. Psara, and A. Philippou. Distributed antenna selection for mas-sive MIMO using reversing Petri nets.
IEEE Wireless Commununication Letters ,8(5):1427–1430, 2019.[128] D. G. Stork and R. J. van Glabbeek. Token-controlled place refinement in hierarchicalPetri nets with application to active document workflow. In
Proceedings of ICATPN2002 , pages 394–413, 2002.[129] D. Tabak and A. H. Levis. Petri net representation of decision models.
IEEE Trans-actions on Systems, Man, and Cybernetics , (6):812–818, 1985.[130] G. Thieler-Mevissen.
The Petri net calculus of predicate logic . Ges. für Mathematikund Datenverarbeitung, Inst. für Informationssystemforschung, 1977.[131] F. Tiezzi and N. Yoshida. Reversible session-based pi-calculus.
Journal of Logicaland Algebraic Methods in Programming , 84(5):684–707, 2015.[132] F. Tiezzi and N. Yoshida. Reversing single sessions.
CoRR , abs/1510.07253, 2015.[133] J. Timler and C. S. Lent. Maxwell’s demon and quantum-dot cellular automata.
Jour-nal of Applied Physics , 94(2):1050–1060, 2003.[134] T. Toffoli. Reversible computing. In
Proceedings of ICALP 1980 , LNCS 85, pages632–644. Springer, 1980. 186135] I. Ulidowski, I. Lanese, U. P. Schultz, and C. Ferreira, editors.
Reversible Computa-tion: Extending Horizons of Computing - Selected Results of the COST Action IC1405 ,volume 12070 of
Lecture Notes in Computer Science . Springer, 2020.[136] I. Ulidowski, I. Phillips, and S. Yuen. Concurrency and reversibility. In
Proceedingsof RC 2014 , LNCS 8507, pages 1–14. Springer, 2014.[137] R. J. van Glabbeek. The individual and collective token interpretations of Petri nets.In
Proceedings of CONCUR 2005 , LNCS 3653, pages 323–337. Springer, 2005.[138] R. J. van Glabbeek, U. Goltz, and J. Schicke. On causal semantics of Petri nets. In
Proceedings of CONCUR 2011 , LNCS 6901, pages 43–59. Springer.[139] R. J. van Glabbeek and G. D. Plotkin. Configuration structures. In
Proceedings ofIEEE Symposium on Logic in Computer Science 1995 , pages 199–209. IEEE Com-puter Society, 1995.[140] K. Voss. Using predicate/transition-nets to model and analyze distributed databasesystems.
IEEE Transactions on Software Engineering , (6):539–544, 1980.[141] J. Wang.
Timed Petri nets: Theory and application , volume 9. Springer Science &Business Media, 2012.[142] T. Yokoyama. Reversible computation and reversible programming languages.
Elec-tronic Notes in Theoretical Computer Science , 253(6):71–81, 2010.[143] T. Yokoyama, H. B. Axelsen, and R. Glück. Reversible flowchart languages and thestructured reversible program theorem. In
Proceedings of ICALP 2008 , LNCS 5126,pages 258–270. Springer, 2008.[144] T. Yokoyama, H. B. Axelsen, and R. Glück. Towards a reversible functional language.In
Proceedings of RC 2011 , LNCS 7165, pages 14–29. Springer, 2011.[145] D. A. Zaitsev. Toward the minimal universal Petri net.
IEEE Transactions on Systems,Man, and Cybernetics: Systems , 44(1):47–58, 2014.[146] M. V. Zelkowitz. Reversible execution.
Communications of the ACM , 16(9):566,1973.[147] L. Ziarek and S. Jagannathan. Lightweight checkpointing for concurrent ML.