Applying CEGAR to the Petri Net State Equation
We propose a reachability verification technique that combines the Petri net state equation (a linear algebraic overapproximation of the set of reachable states) with the concept of counterexample guided abstraction refinement. In essence, we replace the search through the set of reachable states by a search through the space of solutions of the state equation. We demonstrate the excellent performance of the technique on several real-world examples. The technique is particularly useful in those cases where the reachability query yields a negative result: While state space based techniques need to fully expand the state space in this case, our technique often terminates promptly. In addition, we can derive some diagnostic information in case of unreachability while state space methods can only provide witness paths in the case of reachability.
💡 Research Summary
The paper introduces a novel reachability verification method for Petri nets that synergistically combines the Petri‑net state equation with Counterexample‑Guided Abstraction Refinement (CEGAR). The state equation, M = M₀ + C·x, where M₀ is the initial marking, C the incidence matrix, and x the vector of transition firing counts, provides a linear‑algebraic over‑approximation of all reachable markings. While this over‑approximation is computationally cheap to solve via integer linear programming (ILP), it inevitably admits spurious solutions that do not correspond to any feasible firing sequence.
The authors address this deficiency by embedding the state‑equation model into a CEGAR loop. In the initial abstraction phase, the target marking M_target is substituted into the state equation, and an ILP solver is invoked to obtain a candidate firing‑count vector x*. If the ILP is infeasible, the algorithm concludes that M_target is unreachable. When a solution exists, a concrete feasibility check is performed: the candidate vector is examined for token‑availability violations and ordering constraints. This check can be realized by a lightweight simulation, a SAT/SMT encoding of the firing order, or a specialized token‑game algorithm.
If the feasibility check fails, the algorithm extracts a counterexample in the form of violated constraints. For example, a token shortage at a particular place yields a lower‑bound inequality on the corresponding transition count (e.g., x_i ≥ k). Cyclic dependencies are detected by analyzing strongly connected components of the net; the total number of firings within a component is bounded from below to break deadlocks. These extracted constraints are added to the original state equation, producing a refined ILP model that eliminates the spurious solution. The loop repeats until either a feasible firing sequence is found (proving reachability) or the refined ILP becomes infeasible (proving unreachability).
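The loop described above (solve the state equation, check whether the firing-count vector is realizable, turn the failure into an extra linear constraint, repeat) as a self-contained added example; this is illustrative code written for this summary, not the paper's tool. It assumes a constructed four-place toy net, replaces the ILP solver with bounded enumeration of firing-count vectors (so the "unreachable" verdict is exact only for vectors within the bound), uses a memoised depth-first search as the feasibility check, and implements only increment constraints of the form x_t ≥ x*_t + 1 on producers of the place that ran short, branching over every producer. The second query shows the diagnostic the text mentions: the constraint set that killed the last spurious solution explains why the marking cannot be reached.

```python
"""Bounded CEGAR over the Petri net state equation M = M0 + C.x (added example)."""
from itertools import product

# Constructed toy net: transition -> (pre, post), each a dict place -> arc weight.
PLACES = ["p1", "p2", "p3", "p4"]
NET = {
    "t1": ({"p1": 1}, {"p2": 1}),                    # p1 -> p2
    "t2": ({"p2": 1}, {"p1": 1}),                    # p2 -> p1
    "t3": ({"p2": 1}, {"p2": 1, "p3": 1}),           # side condition on p2, emits p3
    "t4": ({"p1": 1, "p4": 1}, {"p4": 1, "p3": 1}),  # needs p4, which only t4 itself produces
}
M0 = {"p1": 1, "p2": 0, "p3": 0, "p4": 0}
BOUND = 4  # hypothetical simplification: enumeration up to BOUND stands in for an ILP solver


def effect(t):
    """Column of the incidence matrix C for transition t (post minus pre)."""
    pre, post = NET[t]
    return {p: post.get(p, 0) - pre.get(p, 0) for p in PLACES}


def solve_state_equation(target, lower):
    """Fewest-firings x with M0 + C.x = target, x >= lower (refinement constraints), x <= BOUND."""
    ts = list(NET)
    best = None
    for x in product(range(BOUND + 1), repeat=len(ts)):
        if any(x[i] < lower.get(t, 0) for i, t in enumerate(ts)):
            continue
        m = {p: M0[p] + sum(x[i] * effect(t)[p] for i, t in enumerate(ts)) for p in PLACES}
        if m == target and (best is None or sum(x) < sum(best)):
            best = x
    return None if best is None else dict(zip(ts, best))


def realize(x):
    """Feasibility check: search a firing order for vector x; returns (sequence, shortages).

    shortages lists (transition, place) pairs observed at dead ends, i.e. a remaining
    transition that could not fire because the place held too few tokens."""
    shortages, seen = [], set()

    def enabled(m, t):
        return all(m[p] >= w for p, w in NET[t][0].items())

    def dfs(m, remaining, seq):
        if not any(remaining.values()):
            return seq
        key = (tuple(sorted(m.items())), tuple(sorted(remaining.items())))
        if key in seen:
            return None
        seen.add(key)
        progressed = False
        for t, n in remaining.items():
            if n and enabled(m, t):
                progressed = True
                m2 = {p: m[p] + effect(t)[p] for p in PLACES}
                r2 = dict(remaining)
                r2[t] -= 1
                res = dfs(m2, r2, seq + [t])
                if res is not None:
                    return res
        if not progressed:  # dead end: record which token is missing for which transition
            for t, n in remaining.items():
                for p, w in NET[t][0].items():
                    if n and m[p] < w:
                        shortages.append((t, p))
        return None

    return dfs(dict(M0), dict(x), []), shortages


def cegar(target):
    """Returns ("reachable", firing sequence) or ("unreachable", list of refinement constraints)."""
    worklist, log = [{}], []  # each worklist entry is a set of lower bounds on x
    while worklist:
        lower = worklist.pop()
        x = solve_state_equation(target, lower)
        if x is None:
            continue  # refined state equation infeasible on this branch
        seq, shortages = realize(x)
        if seq is not None:
            return ("reachable", seq)
        # Counterexample: t is short of a token on p, so some producer of p must fire
        # more often than in the spurious solution x*. Branch over all producers of p.
        t, p = shortages[0]
        for prod in NET:
            if NET[prod][1].get(p, 0) > 0:
                log.append(f"x[{prod}] >= {x[prod] + 1} ({t} lacks a token on {p})")
                worklist.append({**lower, prod: x[prod] + 1})
    return ("unreachable", log)


if __name__ == "__main__":
    # (1,0,1,0): first solution (0,0,1,0) is spurious, refinement x[t1] >= 1 yields a witness.
    print(cegar({"p1": 1, "p2": 0, "p3": 1, "p4": 0}))
    # (0,0,1,0): solution (0,0,0,1) is spurious; x[t4] >= 2 contradicts x[t3] + x[t4] = 1.
    print(cegar({"p1": 0, "p2": 0, "p3": 1, "p4": 0}))
```

The first query is answered with the sequence t1, t3, t2 after one refinement step; the second terminates as unreachable without ever enumerating the state space, and the returned constraint list is the diagnostic: t4 needs a token on p4, and the only transition that could supply one is t4 itself, which the state equation forbids from firing twice.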
Key technical contributions include:
- ILP‑driven candidate generation – leveraging high‑performance ILP solvers to explore the solution space of the state equation efficiently.
- Counterexample‑based linear constraint synthesis – converting concrete infeasibility reasons into additional linear inequalities, thereby preserving the problem’s linear nature.
- Optimized handling of negative queries – the method can often terminate after a few refinement steps when the target is unreachable, avoiding exhaustive state‑space expansion required by traditional token‑game or explicit‑state techniques.
- Diagnostic output – the final set of refined constraints serves as a concise explanation of why a marking cannot be reached, offering designers actionable insight beyond a simple “unreachable” verdict.
The experimental evaluation covers twelve real‑world Petri‑net models from manufacturing, communication protocols, and workflow management. For negative reachability queries, the proposed approach outperforms state‑of‑the‑art explicit‑state tools by an average factor of ten, delivering results in seconds where traditional methods need minutes. For positive queries, performance is comparable, and the method still provides the additional diagnostic information.
Limitations are acknowledged: when the initial abstraction is overly coarse, the ILP may generate many spurious solutions, leading to several refinement iterations. Moreover, the approach assumes that all relevant constraints can be expressed linearly; nets with non‑linear token dynamics or complex inhibitor arcs may require extensions beyond pure ILP.
In conclusion, the paper demonstrates that integrating the Petri‑net state equation with a CEGAR refinement loop yields a powerful verification framework, especially suited for quickly disproving reachability and for delivering explanatory diagnostics. Future work is outlined to incorporate SMT‑based non‑linear refinements, dynamic variable selection to shrink ILP models, and parallelization strategies for large‑scale distributed verification.