Symbolic execution of concurrent systems using Petri nets

('omput. Lang. Vol. 14+ No. 4, pp. 263-281, 1989 0096-0551/89 $3.00 + 0.00 Printed in Great Britain. All rights reserved Copyright ~ 1989 Pergamon Press plc

SYMBOLIC EXECUTION OF CONCURRENT SYSTEMS USING PETRI NETS

CARLO GHEZZI +, DINO MANDRIOLI 1, SANDRO MORASCAIt and MAURO PEZZI~ 2 ~Politecnico di Milano+ Dipartimento di Elettronica, Piazza Leonardo da Vinci 32, 20133 Milano, Italia

~CEFRIEL, Politecnico di Milano, via Emanueli 15, 20100 Milano, Italia

(Received 31 January 1989; revision received 10 May 1989)

Abstract Techniques for analyzing sequential programs in order to improve their reliability have been widely studied in the past. Among the most interesting analysis techniques, we consider symbolic execution. However, analysis techniques for concurrent programs, and in particular symbolic execution, are still an open research area. In this paper, we define a method for symbolic execution of concurrent systems, based on an extension of the Petri net formalism, called EF nets. EF nets are a powerful, highly expressive and general formalism. Depending on the level of abstraction of actions and predicates that one associates to the transitions of the net, EF nets can be used as a high-level specification formalism for concurrent systems, or as a lower level internal representation of concurrent programs. Thus, the model is not dependent on a particular concurrent programming language, but it is flexible enough to be the kernel model for the representation of a wide set of systems and programming languages. In the paper, in order to support the analysis of a concurrent system or program, at first a general algorithm for symbolically executing an EF net is defined. Then, a more efficient algorithm is given for the particular, though important, subclass of EF nets, defined as sate EF nets. Such algorithm is proved to significantly help in reducing the amount of information needed to characterize a symbolic execution. Both the modelling power of the EF nets and the usefulness of the concurrent symbolic execution algorithms defined are illustrated by means of a case study.

Concurrency Symbolic execution Petri nets Software analysis Testing

1. I N T R O D U C T I O N

The analysis of a system can be car r ied ou t at several abs t rac t ion levels [1] and with different techniques: stat ic analysis , dynamic analysis , symbol ic execut ion, and verif ication. Each class o f techniques can give different results and helps in gett ing more rel iable systems. F o r sequent ia l p rog rams , a var ie ty of different analysis me thods has been successfully p r o p o s e d and several tools are cur rent ly avai lable . The s ta te -of - the-ar t is much less sa t i s fac tory and conso l ida ted in the case of concur ren t sof tware.

A m o n g the most significant results in the field o f concur ren t system analysis , we men t ion the work by Tay lo r [2], Tai and O b a i d [3], and Di l lon et al. [4, 5]. Tay lo r laid the founda t ions of da t a flow analysis o f concur ren t p rograms ; in par t icu la r , [2] p roposes a stat ic da t a flow analysis for concur ren t A d a p rograms . Tai focused on the p rob l ems o f test ing concur ren t software; in par t icu la r , [3] defines the repea ted execut ion p rob lem, which is shown to be a central p rob lem in pe r fo rming systemat ic testing. The idea is tha t we canno t fully analyze a concur ren t p r o g r a m if we are not able to r ep roduce a previous execut ion. The p rob l e m is solved by record ing the execut ion task sequence. F ina l ly in [4] and [5] a verif icat ion p rocedure based on the symbol ic execut ion o f the A d a task system is p roposed . A subset o f the A d a task system is symbol ica l ly executed ei ther execut ing the sequent ia l p r o g r a m ob ta ined by choos ing a pa r t i cu la r in ter leaving sequence o f the tasks or verifying the task in isola t ion, i.e. cons ider ing the execut ion o f a single task.

In this pape r we p ropose a m e t h o d for fully symbol ica l ly executing bo th specificat ions and imp lemen ta t ions o f concur ren t systems: the ma in idea relies on defining the symbol ic execut ion me thods not jus t for a chosen language, but for a general model , which can be used bo th for represent ing the system specif icat ion and its implementa t ion . The p r o p o s e d mode l is a high-level

tThe research activity of Sandro Morasca is supported by Selenia S.p.A.

263

264 CARLO GHEZZI et al.

Petri net. Actually the model has been chosen for a set of considerations which go beyond the symbolic execution: the final goal of our research is the development of an integrated environment for specifying and analyzing concurrent programs. The environment should be based on a kernel formalism with several properties. It should represent the system from a high description level, down to the implementation level. It is required to support a wide spectrum of analysis tools. It should be manipulated through user-friendly, graphical interfaces.

Petri nets have already been proven to be suitable for representing a great variety of systems at different abstraction levels [6-9], although they are usually extended with exogenous, very often informal, notation. A lot of methods for analyzing nets have been proposed for the original model (e.g. see [10]) and for some extensions (e.g. see [11]). The ability of the model to support nice graphical interfaces is also well known. In this paper we propose a net model which provides all of these features and we discuss its use as a support for symbolic execution and, more generally, for specifying and analyzing concurrent systems.

The paper starts with the formal description of the proposed model, called Environ- ment/Function net (EF net) (Section 2.1). A rapid overview of the notation used through the paper is given in Section 2.2; the outline of some properties used in the paper follows in Section 2.3. The use of the model to specify concurrent systems is shown in Section 2.4. Section 3 deals with concurrent symbolic execution. It starts with the description of the symbolic execution algorithm (Section 3.1). The concept of notable sequence, which is the basis for a significant improvement of the basic algorithm, is then presented (Section 3.2). An optimized version of the basic algorithm working for a significant subclass of EF nets is introduced in Section 3.3 and its correctness is proved in Section 3.4. Section 3 concludes with some observations about further improvement of the algorithm from the performance point of view (Section 3.5) and about the possible extension of the algorithm to a wider class of nets (Section 3.6). The example in Section 4 illustrates the use of symbolic execution to analyze the system specified in Section 2.4. The conclusions present some research issues still open (Section 5).

2. E N V I R O N M E N T / F U N C T I O N NETS

Our proposal for symbolic execution of concurrent programs is based upon an extension of Petri nets: Environment/Function (EF) nets. This new model is a high-level Petri net, similar to other extensions of the original model, like Coloured nets [12], Pr/T nets [13], PROT nets [14] and Numerical Petri nets [15]. EF nets are a subclass of a still more general model, Environ- ment/Relationship (ER) nets defined in [16]. ER nets have been introduced as a model for describing concurrency and time; thus, they can be used in the specification and analysis of real-time systems. In this paper we only deal with the subclass of EF nets, as this model is adequate to describe concurrency if time issues can be ignored [16].

2.1 The Model

We start by recalling the basic definitions of (Place/Transition) Petri nets. Other definitions and properties may be found in [10]. DEFINITION: PETRI NETS. A net is a triple N -- (P,T;F), where P is a set of places, T is a set of transitions, F is a set of arcs such that

(i) P ~ T = (ii) P U T #

(iii) F _ (P × T)tO (T × P) (iv) domain(F) U range(F) = P U T

X = PtoT is the set of nodes of the net. The preset of x e X = PUT is defined as "x = {ylyFx} The postset of x E X - Pt0 T is defined as x" = {Yl xFy}

Symbolic execution of concurrent systems 265

For graphical convenience, the places are represented by circles, the transitions are represented by boxes and the arcs are represented by oriented edges. A double ar row represents two arcs (p , t ) and ( t ,p ) .

DEFINITION: PT NETS. A Place/Transit ion net (PT net) is a 4-tuplet P/T = ( P , T ; F , m ) where

(i) ( P , T ; F ) is a net (ii) m : P ~ is said to be the marking of the net (N is the set o f nonnegative integers).

The marking will be represented by the presence o f a number o f tokens in each place o f the net. Thus re(p) is the number o f tokens in p according to marking m. Let P/T = ( P , T ; F , m ) be a PT net. A transit ion t is enabled in marking m iff m(p)_> 1V 1:~ "t.

A firing occurrence produces a new marking m' starting f rom m by choosing an enabled transit ion t in m. The new marking m ' is defined as follows:

m ' (p) = m(p) - 1 m ' (p) = m(p) + 1 m' (p) = m(p)

V p e ' t - t " V p e t ' - ' t for all other places

In EF nets tokens are no more anonymous entities. They are environments, i.e. mappings f rom a set o f identifiers to a set o f values. For simplicity, values are assumed to be untyped. Informally, the firability of a transition relies on the evaluation o f the predicate, which is associated to the transition, on the environments represented by the tokens in the input places, and a transition firing dynamical ly creates not only new tokens but also new environments according to the action, which is associated to the transition involved in the firing. DEFINITION: EF NETS. An environment is a (partial) function from a set o f identifiers ID into a set o f values V: e n v : I D ~ V .

Let ENV = V ~D be the set o f all functions f rom ID to V. In EF nets we associate a predicate ~z~ __% ENV "~ and an action ~,: ENV'~---~ENV t" to each t ~ T.

In order to associate a dynamic behavior to this static description we define the concepts of token, marking, and firing occurrence as a generalization of their counterpar ts in the case o f PT nets.

( 1 ) TOKENS Tokens (often called token-environments) are elements o f ENV, Whenever needed, we assume that token-environments contain an identifier t o k e n _ n a m e whose associated value is the name of the token. Wi thout losing generality, it can also be assumed that in each marking, apart f rom the identifier t oken_name , the same identifier does not appear in two different token-environments .

(2) MARKING We associate a multiset o f token-environments to each p ~ P. This defines a marking m; m : p - -~ENV ~ .

(3) FIRABLE ELEMENT A firable element in marking m is a pair ( t , enab) , with t ~ T and enab ~ 7~, such that Vp ~ ' t (enab(p) ~ m(p)), enab is said to be an enabling tuple o f t.

(4) FIRING OCCURRENCE A firing occurrence produces a new marking m ' f rom m by choosing a firable element x = ( t , enab) . We write this as m[x )m ' , and we define it as follows o m ' ( p ) = m(p) V p e P - ( ' t U t ' ) • m ' (p) = m(p) - {enab(p)} V p e ( ' t - t ' ) • m ' (p) = m(p) + {~(enab)(p)} V p ~ (t" - "t) • m ' (p) = m(p) - {enab(p)} + {~t(enab)(p)} V p e ( ' t R t ' )

(5) FIRING SEQUENCES A complete firing sequence is a finite sequence m o.x 1.m I.x 2.. . . .x n .m n

tFor simplicity, we consider only nets where the weight is l for every arc (see [10]).

266 CARLO GHEzzI et al.

where - - n _>0 ---mi is a marking V i, 0 < i < n --x~ is a firable element in marking m~_ ~ V i, 1 < i < n - - m i _ l [ x i > m i V i, 1 < i _ < n We extend the operator [> to sequences of firable elements in the natural way. Thus we write m0[a > mn where a = x , ' x2" . . . ' x , . a is called a firing sequence from marking m0.

DEFINITION: REACHABILITY. A marking m' is reachable from a marking m if and only if a firing sequence G exists such that m[a >m'. The set of markings reachable from a given marking m will be denoted as 9t(m).

2.2 Notation

In this paper, environments will be represented as sets of pairs <identifier, value>. Pascal-like boolean expressions and Pascal-like pieces of code will be used as predicates and actions respectively. However, it must be noticed that the model given is purely functional, and therefore the Pascal-like notation has been chosen only for simplicity, without any imperative implication. Different notations can be used as well.

Since predicates and actions can refer to only one token-environment for each input and output place of a transition, the variables wili be referred to by means of the dot-notation: place _ name.identifier.

In the example in Fig. 1 transition t can fire if and only if at least one token-environment in place p~ contains a pair with variable x and at least one token-environment in place P2 contains a pair with variable y and the value of x is greater than the value of y. The token produced in place P3 contains only one variable, named x, whose value is obtained as the sum of the values of x and y belonging to the token-environments of the enabling tuple.

Let us suppose that the token-environments in Fig. 1 are the following:

tok,., = {<x,7>} tokL2 = {(z,9>} tok2.~ = {<y,4>} tok2.2 = {<y,8)}

In this situation there is only one enabling tuple for transition t, <tok U ,tok2., ). In fact the tuple <tok u , tok2 ,2> does not satisfy the predicate associated to the transition and the token tok,.2 in place p, cannot participate in any enabling tuple, as it does not contain a variable whose identifier is x. The firing of the transition under the tuple (tokL~ ,tok~., > removes the two token-environments tokL~ and tokz, from the places p~ and P2 respectively, and produces the new token-environment {<x,11>} in place P3.

Here we do not take type issues into consideration, so it is assumed that no type mismatch can ever occur. For instance, in the example of Fig. 1 it will never be the case that p~.x has the integer value 7 and P2.Y has the char value 'a'.

Pl P2

Legend

• t~kl,1

p l . x > p 2 . y ~ tOkl,2

at.: := , . p3 ,x P l x + p 2 y

• t, ok2,1

0 t o k 2,2

P3

Fig. 1


2.3 Properties

In this paper we are not interested in EF nets per se, but mainly in their use as a support to symbolically execute concurrent programs, hereafter we briefly introduce only the definitions and properties of the model that will be used in the rest of the paper. Structural conflict. Two transitions t~ and t2 are in structural conflict iff tl # t:/x "tl n "t2 :~ ~ . Dynamic conflict in the marking m. Two firable elements x~ = (h , enab~) and x 2 = (t2, enab2 ) are in dynamic conflict in the marking m iff enabl and enab2 have at least one token-environment in common and the token-environments they share have only one occurrence in their respective places. Formally: 3 p ~ ( 'h f-q't2)13 env ~ m(p) with enab~(p) = enab2(p) = env A --~(({enab~ ( P ) / + {enab2(p)}) _ m(p)).

This notion of dynamic conflict can be easily generalized to the case in which more tharL two firings are involved.

While the structural conflict is a topological property, the dynamic conflict depends on the marking. A dynamic conflict does not necessarily imply a structural conflict. In Fig. 2, for instance, there are no structural conflicts but the two firable elements (t,(tokl.2,tok2,1)) and (t, (tOkl. j,tOk2.1 ) ) are in dynamic conflict.

Likewise, a structural conflict does not necessarily imply a dynamic conflict. For instance, consider the case in Fig. 3 where rqt = pred and rr~2 =- -npred are the predicates associated to t r a n s i t i o n s t I and t2, respectively. This is an example of a structural conflict. However, a dynamic conflict can never arise because tl and t2 cannot be enabled at the same time. Structural-conflict-free EF Nets. An EF net is structural-conflict-free if and only if there are no two transitions in structural conflict. Dynamic-conflict-free EF Nets for a marking m. An EF net is conflict-free for a marking m if and only if there are no dynamic conflicts between any two firable elements in any marking m' reachable from the marking m. Safe EF Nets for marking m. An EF net is safe for a marking m if and only if for each marking m' reachable from m the number of token-environments in each place is less than or equal to one.

In a safe EF net a complete firing sequence m o . x l . m l . x 2 . . . . ' X n ' m n can be represented unambiguously by a pa i r (mo , r ) , where r = t~-t2.....tn is said to be a transition sequence and x~ = (t~ ,enab~) for some enabling tuple enab~, for all i, with i _< i _< n. We extend the operator [) to transitions and transition sequences. For example, we write mo[z)m, .

Notice that for safe EF nets a dynamic conflict implies a structural conflict. Cycles. A topological arc cycle is a set of arcs [(e~,e2), (e2,e3) . . . . . (e._~,e,)}, where e~ = en. The set of nodes {e~} is called a topological cycle. A complete firing sequence a = m o ' x ~ ' m ~ ' x ~ ' . . . ' x . ' m . , m [ a ) m ' is a cycle iff (n > 1) ^ ( m o = m , )

2.4 On the Use of EF Nets

EF nets can be used to model and analyze concurrent systems. As an example, in this section the activities of a stockbroker are sketchily modelled.

A first and abstract specification of the system is given in Fig. 4 and then the specification is refined in Fig. 5. In both specification levels the places of the net are labelled: the same label appears (with a possibly different index) in the places of both the preset and the postset of the same transition. This is a graphical convention such that, for each t, a correspondence is defined between a place in t" and a place in "t. The convention specifies that when t fires, the token-environment

Pl P2 Legend

• tokt,1

0 tokl,2

• tok2,1

P

Fig. 2 Fig. 3

268 CARLO GHEZZl et al.

withdra~

/ Fig. 4

created in output places having a corresponding input place have the same set of identifiers of the token-environment removed from the corresponding input place. By default, the values of identifiers in the newly produced environments are the same as the values in the corresponding removed environments unless they are explicitly specified by the action.

As shown in Fig. 4, the stockbroker, represented by a token in a place labelled by SBi, once authorized by the customer, consults the stock exchange list (SE-list) and decides either to sell, buy, or consult again the customer depending on the market trends. The customer, represented by a token in place C, can either authorize a new operation, ask the bank about his or her own current account, withdraw money from the bank, or be consulted by the stockbroker.

At this abstraction level, the actions associated to the transitions are only informally shown. The initial marking is denoted by black dots in the places, each denoting a different token, the Customer (in place C), the Stockbroker (in place SB~), the Bank (in place B), and the SE-list (in place SE).

Let us give few additional remarks on the model. The SE-list can change asynchronously. In fact, transition t5 requires only a token in place SE to be enabled and its firing does not depend on any other firing in the net. Every operation on the stock exchange can be executed only by the stockbroker (transitions t6, t7, t8, and t9). While consulting the SE-list (transition t6) requires the synchronization with the stock exchange, selling or buying shares (transitions t7, ts and t9) implies updating the customer's account (i.e. interacting with the bank). Similarly, customer's withdrawals are modelled by interactions with the bank (transition ta). At this abstraction level no restrictions are given on the operations modelled by the net (there are no predicates associated to transitions). A more detailed specification will restrict the actions of the customer and the stockbroker: for instance, the decision of selling rather than buying shares will be made dependent on the value of the SE-list.

In Fig. 5 we give a refinement of the previous specification. The places are still labelled like in the more abstract model. Predicates, actions, and token-environments are defined according to the notation introduced in Section 2.2. Basically, this refinement step enriches the specification of Fig. 4 by modelling the interactions with much more detail. The refinement consists in adding new transitions and detailing predicates, actions, and token-environments. The notations TO SBt, TO B~, TO C2 and FROM B~ denote arcs linking a transition to places SBj, Bt, C2 and coming from place BI, respectively.

The initial marking m0 consists of a token-environment whose token_name is Customer in place C~, a token-environment whose token_name is Stockbroker in place SB~, a token-environment whose token_name is Bank in place B~ and a token-environment whose token_name is Stock_

Symbol i c execut ion o f concurrent sys tems 269

G

H

d

~ J

m ~

?

&

o ~ ~

J

v

V Ii

o ii

6

Ii

g t~

,, m ~

%

m ~

u

t3

o3

t,4 •

!l. o .

? =-

? >

?

E

m ~

©

&

S ~

5_

t r~

. tt~

270 CARLO GHEZZl et al.

exchange in place SE. For brevity, the phrase "the token-environment whose token_name is X" will be abbreviated as "the token-environment X". The token-environment Customer contains the variable cap, whose value is the capital the customer would like to withdraw or invest. The token-environment Bank contains the variable tot, whose value represent the banking account of the customer, and the variable am, amount of money, used as a parameter to communicate with the other processes. The token-environment Stock_exchange contains the variable val, whose value gives the variation in the stock exchange index. Last, the token-environment Stockbroker contains the variable inv, whose value is the investment in shares of the customer, and the variable quot, whose value is the stock exchange index as known by the stockbroker.

The action associated to transition tl is just an initialization of the value of the token-environment representing the customer. Transitions t4, t6, t7, and t 8 correspond to transition t2 Fig. 4 and represent the customer enquiring about the amount of his or her account. Transitions t 4 and t 7 model the start and the end of the rendezvous between the customer and the bank. It is assumed, here and in all other synchronization points, that the calling process waits for the called process to execute the required operations and to return the results. As a simplifying assumption, after the end of the rendezvous between the customer and the bank, the customer always decides to use half of the current financial availability (transition ts).

Similarly, transitions ts, t9, tl0, and t l l correspond to the synchronization represented by t r a n s i t i o n t 3 in Fig. 4; the customer will not withdraw before deciding how much to spend, i.e. only if the variable cap in the token-environment customer is positive. This is represented by the predicate associated to transition ts: C2.cap > 0. During the rendezvous (transition t9) , the account of the customer is decreased by the amount of money the customer withdraws, and after (transition t~) that amount of money is no more available to the customer (C2.cap: =0).

Transition t2 (corresponding to t~ in Fig. 4) models the authorization given to the stockbroker by the customer, along with the involved capital. Likewise, transition t~2 (corresponding to t5 in Fig. 4) models the updating of the stock exchange list (read(SE.val)).

Transitions t~4, t17, and t18 model the selling of shares by the stockbroker on behalf of the customer (transition t7 of Fig. 4). Since we are not interested in the effect of the sale on the stock exchange or on other entities not considered here, but only on the financial situation of the customer, selling shares is modelled only by increasing the bank account of the customer, i.e. interacting with the bank. We assume that the stockbroker sells shares exactly for the amount of money for which he or she has been authorized to operate, represented by the value of variable inv in the token-environment stockbroker. Transitions t~5, tl9 , and tz0 model the purchase of shares by the stockbroker on behalf of the customer (transition t8 of Fig. 4). As before, the purchase is represented only by its side-effect on the bank account.

After consulting the stock exchange list (represented by token-environment Stockbroker in place SB3), the stockbroker will sell shares (transitions tt4, tl7 and t~8), buy shares (tansitions t~5, t19, and t20), or consult the customer (transitions t3, t23, t24, t25, t26, t27) according to the value of the stock exchange list. In particular, he or she may decide to sell if the stock exchange index is going down or is slightly going up (predicate SB3.quot _ 2 associated with transition t~4), to buy if the stock exchange index is going up or is slightly going down (predicate SB3.quot _> - 2 associated with transition t~5), or to consult the customer if the trend is uncertain (predicate - 4 < SB3.quot < 4 associated with transition t16 ). Note that these predicates are not exclusive, i.e. the choice of the action to undertake is not completely determined by the values of the variables.

Transitions t3, tea , t24 , t25 , t26 ~ and t27 (corresponding to transition t 4 of Fig. 4) model the stockbroker consulting the customer. The customer, after asking the bank about the current value of his or her account (transitions tEa , t24 , and t25), decides the amount of the investment (transition t26 ). Eventually, the stockbroker performs the required operation (transitions t28, t29, t30, and t3~ in Fig. 5 corresponding to transition t 9 in Fig. 4).

3. C O N C U R R E N T SYMBOLIC EXECUTION

In this section we discuss how to execute EF nets symbolically by introducing a basic symbolic execution algorithm in Section 3.1. However, the outputs of the algorithm can become rather cumbersome, and often redundant. Thus, in Section 3.2 we introduce the concept of notable firings.


Intuitively, these are the firings that characterize a particular execution. The algorithm for building notable subsequences presented in Section 3.3 provides an effective way to select notable firings for a significant class of EF nets, thus making the results of symbolic execution more readable and manageable, as it will be shown in the case study of Section 4. In this way, the procedure we propose for symbolically executing concurrent programs becomes an appealing method for analyzing concurrent programs.

3.1 Symbolic Execution Algorithm

In the context of symbolic execution, symbols are used as values for the variables in the environments: i.e. the usual numerical execution is extended by considering not only a known constant value for each variable but a (possibly infinite) set of values denoted by a symbol. Therefore symbolic execution requires the ability of algebraically manipulating symbols, in order to symbolically execute each statement. Besides that, all the constraints on symbolic values must be recorded.

In the case of sequential execution, a predicate called path condition (PC) is used to keep track of all the assumptions characterizing an execution path [17-22], [17]. The PC is initialized to TRUE, to show that no constraint is initially given to symbolic values. When a computation step is encountered which depends on a condition B, like in an if statement, the condition must be evaluated on the symbolic values of variables. The expression resulting from substituting the variables in B with their symbolic values, and possibly simplifying it, is denoted by eval(B). The current PC is analyzed to check whether it implies the truth or falsity of eval(B). If PC =~ eval(B) the " then" path of the if statement is followed. If PC=~---~eval(B) the "else" path is followed. However it can be the case that neither PC =~eval(B) nor PC =~---~eval(B) can be proved to hold. This means that PC does not contain enough information to select either the " then" or the "else" path of the if statement. In this case, we must make the choice of one of the paths. As a consequence, PC is updated to record the additional constraints that characterize the choice. If we choose the " then" path we obtain PC,ew: = PCo~d ̂ eval(B). If we choose the "else" path we obtain PCnew : = PCold/x --Teval(B).

In conclusion, in the case of sequential programs PC fully determines an execution path and thus the function computed by it. Also, exactly the same symbolic execution can be repeated if the same PC is ensured by the new execution.

The same does not hold in the case of a concurrent program. The same constraint on input variables, represented by a PC, can cause different execution paths. For example, one thread of execution may fork into two and these are just sequences of unconditional statements, which may produce entirely different results, as they may access global shared variables. In order to characterize the symbolic execution of a concurrent system we must be able to record enough information that would allow us to repeat the execution producing exactly the same results. This problem is known as the "repeated execution problem". It has been studied by [3] in the case of testing, i.e. executing software on "real" data. The problem is new in the case of symbolic execution.

The basic symbolic execution algorithm (SEA)

Let EC (Execution Condition) be a boolean expression initialized to TRUE. EC will record the assumptions made on the variables and therefore plays the role of the PC of the sequential case. Let ES (Execution Sequence) be a data structure recording a firing sequence. The pair <EC,ES) fully characterizes a symbolic execution. Below we describe a symbolic execution algorithm using <EC,ES>. Subsequently, we progressively refine it to make it more efficient.

Let us suppose that the token-environments of the initial marking contain symbolic values for the variables. At each transition firing, the symbolic interpreter incrementally builds EC, ES and the current symbolic marking m. The whole execution is based on the symbolic initial marking; that is, every symbolic value in token-environments is an expression derived from a sequence of elaborations starting from the symbolic values of the initial marking. The symbolic execution algorithm is made up of six phases:

CL 14~4--D

272 CARLO Grmzzl et al.

Phase 0 (initialization).

EC: = TR UE ES: = nil m0:= a symbolic marking

Phase 1 (identification of the set of enabled transitions in the current marking). For each transition t, evaluate the associated predicate 7~ t on each tuple of token-environments of its preset "t. Let us call the result of the evaluation eval(nt). Check whether

(1) EC =~eval(nt) or whether

(2) EC =~---leval(nt)

In case (1), transition t is enabled in the current symbolic marking. In case (2) transition t is disabled. If neither is true then transition t is potentially enabled for a subset of the legal values of the variables (the information in EC is not enough to determine whether the transition can fire).f Phase 2 (selection of the transition which will fire). Nondeterministically select either an enabled or a potentially enabled transition. Phase 3 (update of EC). If the transition t selected to fire is only potentially enabled, then EC must be updated since the firing of t implies some further assumptions on the values of the variables of the token-environments of the enabling tuple and such assumptions have to be recorded in EC:

ECnew := ECoid ^ eval(nt)

Phase 4 (firing of transition t and update of the marking). Transition t fires, i.e. the chosen tuple enab is removed from the places of "t and new tokens are inserted into the places of t', whose environments are specified by ~t(enab). Action ~t should be executed according to the sequential symbolic execution rules, reviewed at the beginning of this section, where EC is taken as the PC. Note that if the sequential symbolic execution of action ~t requires the update of the path condition, EC must be updated accordingly. For instance, this may happen if ~t is a Pascal-like fragment containing conditional statements. Phase 5 (update of ES). Finally, also ES should be updated: ESnew: = append((t,enab),ESold).

3.2 Notable Sequences

The execution sequence ES built be the basic SEA is a data structure that may become too large to be easily readable or even managed by the symbolic interpreter. However, a closer examination of the results suggests that most times we are not really interested in keeping track of a unique execution, but of a set of executions which differ from one another only for permutations of firings whose order does not affect the results of the execution. This remark leads to the definition of notable sequences, i.e. subsequences of transition firings whose recording completely characterizes such sets.

As an example, let us consider the net in Fig. 6, where there are two disjoint sequences of transitions, t~'s and uj's, which come to an interaction only when the token-environments reach places Pr and qs. Let us assume that the final marking consists of a token-environment in place Py+l and a token-environment in place qz+~.

In order to keep track of the evolution of the system, although the firings of the ti's and of the uj's can occur in many different orders, it is useless to record all the transition firings and their order of occurrence. Only the order of the relevant event needs to be recorded: in the example of Fig. 6, the only relevant events are the firings of transitions tr and us, which are in conflict. The results of the execution may be different depending on which of these two transitions fires first. Instead, the exact sequence of firings up to the point where there is one token in either Pr or qs does not affect the results of the execution.

Thus, in the general case a clever selection among the transition firings can significantly reduce the size of information to be retained, leading to a smaller, much more handy, structure which

fNotice that the general problem of proving whether A = B turns out to be undecidible. Therefore, the implications must be solved interactively.


ca

, , o

Pr+l qs+l

o e ,

Py+l

Fig. 6

qz+l

yields a better support for testing and analysis as well as more readable results. Such a structure, called notable sequence is obtained by deleting from ES those transition firings that do not deserve to be recorded to identify the results of the computation. Thus, a notable sequence is a subsequence of ES. The goal is therefore finding an efficient algorithm which produces short notable sequences, by recording as few information as possible, that completely characterize the execution by providing the firing order of the relevant events.

To define the concept of notable subsequence formally, let us first recall some notations for subsequences and then introduce a useful notion or firing sequence equivalence. NOTATIONS. Let cr and ~r' be two sequences:

- - a ' ___ a denotes that a ' is a subsequence of a, i.e. a ' is obtained deleting zero or more elements from a (a ' _~ a will indicate that a ' is a supersequence of a);

- - l a l indicates the length of the sequence.

DEFINITION: EQUIVALENCE OF FIRING SEQUENCES. Let a and a ' be two firing sequencs such that m0[a)m, and m0[a')mn,, a and ~ ' are equivalent (notation used: a = a ' ) if and only if one is a permutat ion of the other. (Two empty sequences are equivalent.) DEFINITION: NOTABLE SUBSEQUENCE. ~ is a notable subsequence of a firing sequence a, such that m0[a>m, iff¥ a ' (m0[a '>m ^ a ' ___ ~ A la'l = la l= '~ ' - ~r).

The underlying idea is that a subsequence ~ of a given firing sequence a from m0 to m is notable if it contains enough information, together with the final marking, to identify the set of permutat ions of the same firings, i.e. it allows to reconstruct only firing sequences a ' that are equivalent to the given sequence a. The condition on the length of the sequence is introduced in order to avoid taking into account also firing sequences of the form # .x , where o 7 is equivalent to a and x is a cycle.

274 CARLO Grl~zzl et al.

3.3 An algorithm for Building Notable Subsequences

Given a firing sequence, in general there is not a unique notable subsequence. In particular, each sequence is a trivial notable subsequence of itself. Of course, we are interested in designing an algorithm which can produce the shortest possible NS. However, such an algorithm could require the examination of a great deal of the firing sequences of a given length which produce a given marking, thus being impractical for its complexity.

On the other hand, the length of the notable subsequences of an EF net is not the only parameter an optimum criterion can be based upon. Given a method for finding a complete set of notable subsequences, i.e. a set of notable subsequences where a notable subsequence exists for each firing sequence, each firing sequence belongs to at least a subset identified by some NS. An optimum criterion might require that the number of such subsets by minimal.

Thus, there are two different figures of merit an algorithm that builds notable subsequences must try to minimize. Actually, though the definitions of these two optima are different, it is likely that they do not contrast. If we reduce the length of a NS, it is often the case that the cardinality of the subset identified by the reduced NS becomes greater. In fact, it is easy to prove the following theorem. THEOREM. Given two notable subsequences ~' and (" of a firing sequence a from m0 to m, with ~"~_ ( ' the sets S ' and S",

2 : '= {~'lm0[cr')m ^ cr'_= ~ ' ^ Icr'l = Icr I=~¢r ' - ~}

S" -- {a"lm0[a")m ^ a" _ ~" A la" l = la I = ' a " - a}

are such that 2:'___ S" Although it seems to be possible to meet the two optimum criteria at the same time, the algorithm to build an optimal set of notable subsequences can be rather complex and impractical. What we are really looking for is an efficient algorithm for finding notable subsequences of small size, not necessarily minimum, working for a large class of EF nets.

The algorithm we describe in this subsection provides all these features. Its applicability is restricted to safe EF nets. It requires an initial step for book-keeping, in which the net is examined statically. Then, it invokes the previously described basic SEA. Instead of using ES to represent a firing sequence, the algorithm uses another data structure, called NTS. NTS records notable transition subsequences. Since we deal with safe EF nets, transition sequences uniquely identify firing sequences (see Section 2.3). It yields a remarkable reduction of ES, and bad results can occur only for pathological situations. The restriction to safe EF nets does not limit the practical applicability of the algorithm severely.

3.3.1 The symbolic execution algorithm for safe EF nets (safe SEA ). Phase 1 (hook-keeping). Build N, the set of transitions which are in structural conflict:

N = {t13 t ' e T , t' ~ t ^ " tN ' t ' ~ ~}

Add to the set N one transition for each topological cycle which does not already contain a transition in the set N. Phase 2 (execution). Execute the basic SEA by substituting ES with a new list called NTS and phase 5 with

NTSnew: = if t ~ N then append((t,NTSo~d)t else no change

The hypotheses under which the algorithm operates are quite intuitive, in that it seems likely that every decision made, in other words every conflict solved, must be recorded and the other events can be discarded. The algorithm does not work in the general case of EF nets, that is the safeness hypothesis cannot be relaxed without inducing a complete change in the algorithm.

The safe SEA is based on a static identification of notable transitions (i.e. transitions whose firing must be recorded in the notable transition subsequence). However, in general a firing can be classified as notable only dynamically, as the existence of conflicts in the general case cannot be deduced statically, but requires a dynamic examination of the EF net. Unfortunately, in many

tLet us recall that for a safe net a firing it totally identified by the transition.


situations (like confusion [10]), a dynamic algorithm could require the examination of a great deal of firing sequences, and this is clearly impractical. So, the overhead required by the complexity of a more refined algorithm that can cope with the dynamic case could be excessive. A good trade-off between the complexity of the algorithm and its power of analysis can be found by defining algorithms which can be applied to particular, though important, cases, like safe EF nets, and then extending them to as many subclasses of EF nets as possible.

3.4 On the Correctness of the Safe SEA

In this subsection we prove that the NTS resulting from the application of the safe SEA is a notable subsequence of the considered execution sequence, according to the definition of notable subsequence given in Section 3.2. To do that, first we define the minimal subsequence of a firing sequence for a transition t. Then, we prove (lemma 3.1) that in a safe, conflict-free, EF net without topological cycles the initial and final markings completely identify the firing sequence, up to permutations of such firings that do not affect the final marking. DEFINITION: MINIMAL SUBSEQUENCE. Given a firing sequence a, such that m [ a ) m ' [ t ) , 0"mi n is called a minimal subsequence of cr for the transition t iff, given E(cr,t) = {~ 18 ~ cr A m[8)iia[t)},

Crmine{dld~Y~(a,t ) A I~1= rain {1~1}} 6 E Z(a,t)

LEMMA 3.1. Given a safe, structural-conflict-free EF net without topological cycles, and a transition sequence a, with m[a )mr , then

V a'lm[o")mr==>o" ~- o.

PROOF. By induction on the length of the sequence a. BASE OF THE INDUCTION. For l a I = 0, it is m = mr. Thus a ' is either empty or it is a cycle. The latter is impossible by hypothesis and therefore the lemma holds for l a I = 0. INDUCTIVE STEP. Let us assume that the lemma is true for l a I < n. We prove it is true for [ a l = n + l .

Given a transition sequence z, we define I~ = {tl(r = t j t r2 for some r~ _ r A z2 ~ r) A (m[t))}. Two cases are possible.

(a) 9 t, t ~ ( I jq I¢ ) . Then we can find a transition sequence ~16 = a A ~ = t. ~, in fact - - t is enabled in the marking m, since t e (I~nI~,); - - t he r e cannot exist in ~r the firing of a transition ~ which must precede the firing of

transition t. In fact this would imply that ~" N" t :/: ~ , but this contradicts either the safe hypothesis (if no transition firing in tr preceding the firing of transition t removes the tokens in ~'N "t) or the conflict-free hypothesis (if such a transition which is not t exists). Similarly, we can find a ~ ' such that ~ ' = a ' ^ ~ ' = t .~ ' . The inductive hypothesis allows us to prove ~" = 5', and thus a ' = (r.

(b) (I, fq I,,) = ~ . First note that there is at least one place in which both transition sequences produce a token. In fact, this is true at least for one of the places that belong to the final marking mr, since the net is cycle-free and the length of the transition sequence is greater or equal to 1. Let a = 21"t'Z2 where t is the leftmost element of the transition sequence whose firing puts a token in a place p where a transition of tr' also puts a token. Let a ' = Xv'V'Xz where V is the leftmost element of the transition sequence whose firing puts a token in p. The sequence Xl"t~'xv"V is a transition sequence. In fact there is not transition that belongs to both sequences Zl and Xt.: since no transitions of both a and a ' are enabled in the initial marking, if there is one such transition, some transition firing in ZI and X~ would enable it, thus putting a token in a common place. Also, no transition firing of Z~ disables transitions of ;(r ; otherwise there would be a structural conflict in the net. Thus, X~ "~' gv 'V is a transition sequence. But this contradicts the safe assumption for place p.

Thus the lemma is proved.

276 CARLO GFmzzl e t al.

LEMMA 3.2. Given a one-safe, conflict-free, cycle-free EF net and a transition t, such that 3 m, m e ~(m0), m[t), then

(V a, tr'lmo[tr)m~[t) ^ m0[a')mo'[t)) ^ V a ' minimal subsequence of (r for the transition t ^ V #'minimal subsequence of a ' for the transition t =~ 6' = 5.

PROOF. The lemma follows almost immediately from lemma 3.1. THEOREM. For a given a safe EF net with initial marking m0, let NTS = h " ' t n be obtained by applying the safe SEA to a firing sequence (r = a0"h'a1't2 . . . . an l' tn'an, with m0[a)mf. Then NTS is a notable subsequence of tr. PROOF (BY CONTRADICTION). (7 ~ 6 0 • h" 61" t2" '" 6n - l" tn ' 6n where 51 is a minimal subsequence of 0" 1

for the transition ti+l, Vie[0,n- 1], and 5n consists of all the transition firings of G which are not in 60"h'61 "t2""6n l"tn.

Consider a sequence z = r 0 " t l " q ' t 2 " " r n _ l ' t , ' r n , r ~ N T S and [ z r = l a l and m0[r)mr and assume not (r -= a). We are going to prove that z turns out to be necessarily longer than a.

Let r --- f0' q ' fl" t2"" Zn I" tn" ?n, where f~ is a minimal subsequence of r~ for the transition ti+ ~, ¥ ie [0 ,n- 1], and f , consists of all the transition firings of z which are not in f 0 ' h ' f l " t 2 ' " f , - 1 " tn.

Let j be the index such that a0" h ' 61 "t2"" ' 6j _ 1" tj = f0'ti "~ "t2" ' f j - 1' tj and 5j # fj. There are two cases:

(a) tk • N and tk is an element of fj. tk cannot be an element of 6~, since 5j contains only transitions which do not belong to N. Then I~[ ) 16jl since (6j and zi are enabled in the same marking mj) 6j is minimal and f contains at least one more transition: tk (Lemma 3.2). J Now we will prove that any following subsequence gm cannot be shorter than the corresponding 5m, thus proving the theorem. Let us consider the next subsequence 6j +z. We can always decompose it in two different parts, 5j + 1 ~ 6 ; + I" 6jr+ 1 where 5j+ 1 contains those firings whose enabling requires the firing of transition tj + 1, i.e. whose enabling tokens are produced by the firing of tj+ 1 or by a transition that must follow tj+j; 5~'+1 contains the other firings. If fj+l - 5;+~ then 1~+11--- 16j+l [" If not (~ + ~ _ 6j+ 1" 5~'+ ~) then not (~j+l --- 5j'_ 1)(Zj+l -- 5j+l should be true for the definition of 6;+ ~). Then z~ + ~. 6j'+l is a feasible sequence, since transitions in 5~'+1 cannot

~ t l . ~ t t be disabled by the firing of tk, aj +, being conflict-free. But the sequence fj +1 aj +l would not be safe, which contradicts the hypothesis; thus [zj+~l -> Ifj+ ~l. We can prove in much the same way that Vie[j + 1,n],lfil > 15il. This would imply If [ ) # 16 l, which contradicts one of the hypotheses.

(b) Vtk • N, tk is not an element of ~j. In this case ?i is conflict-free and cycle-free by construction of NTS, thus fj -= 6j for lemma 3.2.

3.5 Improving the Safe SEA The algorithm proposed in the previous subsection is appealing since it requires only a static

analysis of the net. In fact, once the set N has been built, the symbolic execution algorithm can be used without any further overhead. Actually, the algorithm can be improved in two directions.

The algorithm does not take into account EC, which sometimes provides enough information about the firing sequence to make the recording of a transition in NTS useless, due to the value of the associated predicate. As shown in Fig. 3, even for safe EF nets a topological conflict may not yield a firing conflict. However, according to the safe SEA, structurally conflicting transitions belong to N and thus their firings are recorded in NS. Nevertheless, on the basis of EC it is always possible to identify which of such transitions actually fired, so that there is no need to put them in the set N.

Multiple conflicts must be examined more carefully. For instance, let us consider the situation represented in Fig. 7, where the conflicts are between h and tz and between t2 and t3. The conflict between t~ and t: is just a structural conflict, but the firings of the two transitions h and t2 can never be in dynamic conflict, since the two predicates are mutually exclusive. On the other hand,

Symbolic execution of concurrent systems

~ P4

p2.x>O p2.x-<O and p3.y>lO p3,y>20

Fig. 7

277

P4 P6

Fig. 8

as the predicates associated to t2 and t 3 partially overlap, a dynamic firing conflict may occur. In order to reduce the information contained in NTS, it is therefore possible to exclude transition t~ from the set N, but not transition t2, which is in a conflict that may not be solved unambiguously. This example clearly illustrates that there is an intrinsic limit to the reduction of NTS, since the absence of dynamic conflicts cannot be determined statically.

Another kind of improvement can be made to the algorithm. In the safe SEA, NTSs were defined as subsequences of the transition sequences they identify. In many situations however maintaining the order of the firings could be too restrictive. Consider the fragment of EF net of Fig. 8, where two independent conflicts are concurrently enabled and suppose that tj and t 3 are the transitions that fire in the first and the second conflict, respectively. As to the final marking, the order the two conflicts are solved does not matter. However, there exist two distinct notable subsequences: in the first one, NTS1, the firing of t, precedes the firing of t3 and in the second one, NTS2, the firing of t3 precedes the firing of t~.

3.6 Extending the Safe SEA to More General Cases

In many cases, both safe and non safe representations can be found for the same problem. A safe representation should be preferred whenever it is required to symbolically execute the specification. However, once ensured the correspondence of two representations of the same problem, the algorithm for symbolically executing safe EF nets can be extended to the class of bounded EF nets, since it is possible to prove that every bounded net can be translated in a safe net.

Let us consider, for instance, the example in Fig. 9. In this situation the EF nets is not safe: although no structural conflict exists, the existing two firable elements are in dynamic conflict. The static algorithm as stated in Section 3.3.1 cannot help anymore.

However, the system in Fig. 9 can also be modelled by the safe EF net of Fig. 10: in fact in both EF nets the possible firing sequences are the same.

In the EF net of Fig. 10 the original dynamic conflict is translated into a structural transition conflict. Thus we can apply the safe SEA outlined in Section 3.2.2.

4. A CASE STUDY

In this section, we apply the safe SEA to the stock exchange example presented in Section 2.4, which is modelled by a safe EF net.

Pl P2 Pl P2 P3

Fig. 9 Fig. 10

278 CARLO Grmzzl et al.

Phase 1 (book-keeping). Build N, the set of transitions which are in structural conflict. This set is the union of the postsets of the places with a least two exiting arcs:

C2"= {t2,t3,t4,ts}, S E ' = {tt2,tl3 } SB3"= {tl4,tls,tl6 }, B I ' = {t4,ts,tla,ti5:23,t28}.

Thus, N = {t2 ,t3 ,t4,t5 ,tl2 ,t13 ,tt4 ,tl5 ,t16,t23 ,t28 }. Every topological cycle contains already at least one transition in N. Phase 2: (execution). The system is initialized simply assigning value T R U E to EC, value nil to NTS and suitable symbolic values to the variables, as follows:

EC: = T R U E NTS: = nil mo(Cj) = {(token_name,Customer),(cap,capital)} mo(B~) = {(token_name, Bank) , ( to t , to ta l ) , (am,amount)} mo(SE) = {(token_name,Stock_exchange),(val,value)} mo(SBl) = {(token_name,Stockbroker) ,( inv,investment) ,(quot,quotation)}

The first step, as any other step, consists of five phases: (a) identification of the set of enabled transitions in the current marking, (b) selection of the transition which will fire, (c) updating of EC, (d) firing of the transition and updating of the marking, (e) updating of NTS.

(a) In the initial marking mo transitions tj and tt2 are enabled, since they have one token in their single input places and the associated predicate is TRUE.

(b) We should thus choose between the two firable elements (t~:, Stock_exchange) and (t~, Customer). The selection is left to the user, who decides depending on his or her interests in examining the system. Let us choose the firable element (t~, Customer).

(c) In this case EC has not to be updated. (d) The token-environment whose token_name is Customer is removed from place C1 and

a new token-environment whose token_name is Customer is inserted in place C2. The new token-environment is obtained symbolically evaluating the action associated to transition h: C2.cap: = 0; thus the new token-environment is {(token_name,Customer), (cap, 0)}.

(e) Since transition tj is not in N, NTS does not change (NTS = nil).

Let us proceed with the firing of transitions t4, t6, t7, and t8. The state of our symbolic interpreter becomes:

EC = T R U E NTS = h m5(C2) = {(token_name,Customer), (cap,total/2)} ms(B~) = {(token_name,Bank), ( tot , total) , (am,total)} ms(SE) = {(token_name,Stock_exchange), (val,value)} ms(SB~) = {(token_name,Stockbroker) ,( inv,investment) ,(quot,quotation)}

Now let us consider the next execution step, composed again of the five phases (a)--(e).

(a) There are four transitions in marking m5 with at least one token-environment in each input place: t:, t4, t~, and h:. It is easy to prove that transition t 4 and transition t~2 are enabled. As to transitions t: and t 5, they are potentially enabled; in fact, they are enabled if (total/2) > 0 (i.e. total > 0).

(b) Let us choose to fire transition t:. (c) The assumption to make in order to fire transition t2 is total > 0. Thus, EC should be

updated: ECnew:= (total > 0). (d) The effect of this firing is to remove the token-environment Customer from place C2 and

the token-environment Stockbroker from place SBt, to re-create the token-environment {(token_name,, Customer), (cap, total/2)} in place C2, and to create the token-environment {(token_name, Stockbroker), (inv, (total/2)), (quot, quotation)} in place SB2.

(e) Since transition t: is in N, NTS becomes h' t2.


Assuming that symbolic execution proceeds by firing transitions tl3, ts, tg, tl0, t l l , t4, t6, tT, t s , ts, tg, tlo, tll, which correspond to the customer spending half of the money (transitions tl3 , 1.2, tg, t~o, t~), consulting the bank (transitions t4, t6, t7, t8), and spending again half of the remaining amount (transitions ts, t9, tlo, tll), we reach the following state, characterized by marking mf

EC = (total > 0) NTS = t4' t2" tl3' ts. t4' t5 mr(C2) = {(token_name, Customer), (cap, 0)} mr(B1) = {(token_name, Bank),( tot , total /4) , (am, total/4)} mf(SE) = {(token_name, Stock_exchange), (val,value)} mf(SB3) = {(token_name, Stockbroker), (inv,total/2), (quot,value)}

In mf transitions t4, t s , t12 , t14 , t15 and tl6 a r e enabled, at least potentially. From mf a legal sequence of transitions is tls, tLg, t20, and t22, which produces the situation:

EC = (total > 0) NTS = ta't2"tL~'ts"t4"ts"tl5 m'(C2) = {(token_name,Customer), (cap,0)} m'(B 1 ) = { (token_name,Bank),(tot,-(total/4)),(am,-total/2)} m'(SE) = {(token_name,Stock_exchange),(val,value)} m'(C2) = { (token_name,Stockbroker),(inv,0),(quot,value)}

which is clearly undesirable, as the account of the customer takes a negative value. Note that such error is not statically detectable. On the other hand, a numeric execution would not necessarily expose this incorrect behavior. Actually, a whole class of incorrect executions, characterized by the NTS = t4't2t~3"tst4'tst~5, is identified by symbolic execution. The NTS technique is thus valuable not only because it reduces the amount of space needed to record the sequence of execution steps, but also because a single symbolic execution represents a larger set of numeric executions. In order to appreciate the before mentioned space reduction, the reader should compare NTS with the corresponding ES, which is

ES--- t l . t 4 - t 6 . t 7 . t 8 . t 2 . t 13 . t 5 . t 9 . t 10 . t l l . t 4 . t 6 . t 7 . t S . t 5 . t 9 . t 1 0 . t l l . t 1 5 . t 1 9 . t 2 0 . t 2 2

5. CONCLUSIONS AND FUTURE WORK

In this paper we presented a method, based on an extension of Petri nets, for specifying and analyzing concurrent system specifications and concurrent programs. In particular, we have presented two algorithms for symbolic execution. The former one, called basic SEA, can be used in the general case of EF nets. The latter, called safe SEA, can be used for safe EF nets. The restriction imposed by the safe SEA, as discussed in the paper, in practice is not too serious. The advantage of using the safe algorithm vs. the basic SEA has been illustrated in the case study of Section 4.

We have chosen EF nets as the kernel model for a specification and analysis environment which is currently under development at the Dipartimento de Elettronica, Politecnico di Milano. The model allows us to apply symbolic execution both to specifications and implementations of concurrent programs, as already pointed out in this paper. Other analysis tools, such as Taylor's dataflow analysis [2], can be easily redefined by means of EF net based algorithms. We will also support test case generation from execution conditions. This will be used as a semi-mechanical way of generating system tests starting from specifications represented in terms of EF nets.

We are presently working on extending symbolic execution to the more general case of real-time systems, which would make the proposal even more appealing. The extension will be based on a generalization of the EF net model which can be used to formally specify time aspects of real-time systems, as described in [16].

280 CARLO GHEZZI et al.

R E F E R E N C E S

1. Kemmerer, R. A. Testing formal specifications to detect design errors. IEEE Trans. Software Engng SE-II(1); January 1985.

2. Taylor, R. N. A general-purpose algorithm for analyzing concurrent programs. Commun. ACM 26(5); May 1983. 3. Tai, K. C. and Obaid, E. E. Reproducible testing of Ada task programs. Proc. 2ndlnt. 1EEE Conf. on Ada Applications

and Environments; 8-10 April 1986. 4. Dillon, L. K. Symbolic execution-based verification of Ada tasking programs. Proc. 3rd Int. Conf. on Ada Applications

and Environments; May 1988. 5. Dillon, L. K., Kemmerer, R. A. and Harrison, L. J. An experience with two symbolic execution based approaches to

formal verification of Ada tasking programs. Proc. 2nd Workshop on Software Testing, Verification and Analysis, Banff, Canada. IEEE Press; 19-21 July 1988.

6. Angerwala, T. Putting Petri nets to work. IEEE Comput.; December 1979. 7. Brams, G. W. ROseaux de Petri: Thkorie et Pratique. E.S.I., Paris; 1983. 8. Mandrioli, D., Zicari, R., Ghezzi, C. and Tisato, F. Modeling the Ada task system by Petri nets. Comput. Lang. 10(1),

1985. 9. Peterson, J. L. Petri Net Theory and the Modeling of Systems. Engelwood Cliffs, NJ: Prentice-Hall; 1981.

10. Reisig, W. Petri Nets: An Introduction. ETACS Monographs on Theoretical Computer Science. Berlin: Springer; 1985. 11. Genrich, H. J. and Lautenbach, K. System modelling with high-level Petri nets. Theoret. Comput. Sci. 13, 1981. 12. Jensen, K. Coloured Petri nets. In Petri Nets: Central Models and their Properties. Advances in Petri Nets 1986 Edited

by Brauer, W., Reisig, W. and Rozenberg, G.), Part I. Lecture Notes in Computer Science 254. Berlin: Springer; 1987. 13. Genrich, H. J. Net Theory and Application. Information Processing 86 (Edited by Kugler H. J.). Amsterdam: Elsevier;

1986. 14. Bruno, G. and Marchetto, G. Process-translatable Petri nets for rapid prototyping of process control systems. IEEE

Trans. Software Engng SE-12; February 1986. 15. Billington, J., Wheeler, G. R. and Wilbur-Ham, M. C. PROTEAN: A high level Petri net tool for the specification

and verification of communication protocol. IEEE Trans. Software Engng SE-14; March 1988. 16. Ghezzi, C., Mandrioli, D., Morasca, S. and Pezze, M. On introducing time in Petri nets. 5th Int. Workshop on Software

Specification and Design, Pittsburgh; 19-21 May 1989. 17. Clarke, L. A. A system to generate test data and symbolically execute programs. IEEE Trans. Software Engng SE-2(3);

September 1976. 18. Clarke, L. A. and Richardson, D. J. Symbolic evaluation method--Implementations and applications. Proc. Summer

School on Computer Program Testing (Edited by Chandrasekaren and Radicchi). Amsterdam: North-Holland; 1981. 19. Clarke, L. A. and Richardson, D. J. Symbolic evaluation--An aid to testing and verification. In Software Validation

(Edited by Hauser H.). Amsterdam: North-Holland; 1984. 20. Hantler, S. and King, J. C. An introduction to proving the correctness of programs. Comput. Surv. 8(3); 1976. 21. Kemmerer, R. A. and Eckmann, S. T. UNISEX: A Unix-based symbolic executor for Pascal. Software Pract. Exper.

15; May 1985. 22. King, J. C. Symbolic execution and program testing. Commun. ACM 17(7); July 1976.

About the Author--CARLO GHEZZI is a professor of software engineering at the Politecnico di Milano. Prior to that he held positions at the University of Padova and the University of North Caroilina at Chapel Hill: he was also a visiting scholar at the University of California at Los Angeles. He served on the program committee of several national and international conferences, including the IEEE International Conference on Software Engineering and the European Software Engineering Conference, for which he was Program Chairman in 1989. His research interests are in programming languages, software specification, and software support environments. He has published over 60 papers in these and other areas. He also co-authored five books, among which are Programming Language Concepts and Theoretical Foundations of Computer Science, published by J. Wiley and Sons. He is presently working on a new book, Software Engineering Principles, which will appear in late 1990.

About the Anthor--nINO MANDRIOLI was born in 1949. He graduated in electrical engineering at the Politecnico di Milano in 1972 and in mathematics at the Universitfi Statale di Milano in 1976. He has been assistant and associate professor at Politecnico di Milano from 1976 to 1980; professor at the Universit~i di Udine from 1981 to 1983. Since then, he is professor of computer science at the Politecnico di Milano. He has also been a visiting scholar at the University of California at Los Angeles in 1976. Mandrioli's research interests include theoretical computer science and software engineering, with particular reference to specification languages and environments, programming languages, real time systems. He has published over 60 scientific papers in these areas. Many of such papers have been published in major journals of the field such as Journal of the ACM, ACM Transactions on Programming Languages and Systems, IEEE Trans. On Software Engineering, SIAM Journal on Computing, Information and Control. He is also a coauthor, with Carlo Ghezzi, of the book Theoretical Foundations of Computer Science. He has also written several other books in Italian. Mandrioli served as a reviewer for many international conferences and journals and has participated to program committees of several international conferences.

About the Author--SANDRO MORASCA was born in Como (Italy) on 23 July 1960. He graduated in Electronic Engineering at the Politecnico di Milano (Italy) in 1985. He is currently a Ph.D. student in computer science at the Politecnico di Milano. His research interests concern Petri nets, concurrent and real-time software specification and verification, software metrics and software reliability. He is a member of the IEEE Computer Society.


About the Author--MAuRO PEzz~ was born in Cles, Trento (Italy) on 1 December 1960. He graduated in Computer Science at the University of Pisa (Italy) in 1984. He is a Ph.D. student in Computer Science at the Politecnico di Milano (Italy). In 1987 during his Ph.D. curriculum he joined the University of Edinburgh (U.K.) for 6 months as an academic researcher. He currently works at CEFRIEL, a research institute in Milano (Italy). His research interests concern Petri nets, concurrent and real-time software specification and verification. He is a member of the IEEE Computer Society and the ACM.

Date post:	26-Aug-2016
Category:	Documents
Upload:	carlo-ghezzi
View:	213 times
Download:	0 times

Symbolic execution of concurrent systems using Petri nets

Documents