Abstract. In this paper we present a CTL-like logic which is interpreted over the state spaces of Coloured Petri Nets. The logic has been designed to express properties of both state and transition information. This is possible because the state spaces are labelled transition systems. We compare the expressiveness of our logic with CTL's. Then, we present a model checking algorithm which for efficiency reasons utilises strongly connected components and formula reduction rules. We present empirical results for non-trivial examples and compare the performance of our algorithm with that of Clarke, Emerson, and Sistla.
Introduction
Coloured Petri Nets (CP-nets or CPN) are convenient for specifying complex concurrent systems. Until now, properties of CP-nets have mainly been specified directly in terms of the state spaces of CP-nets [4, 6]. Temporal logics such as CTL are also useful for expressing properties of concurrent systems (see, e.g., [1]). We show how we can define a CTL-like logic, ASK-CTL, tailored especially for expressing properties of state spaces of CP-nets. We provide example formulas which indicate that the logic is powerful enough to express many of the standard CP-net properties. Using a logic gives us a well understood and easy to use framework for expressing a much wider range of properties.
If a logic is to be of practical use, it must be possible to verify formulas efficiently. The state space explosion problem often makes verification impractical. Solutions to this problem mainly follow two approaches. The first is state space reduction, as proposed by, e.g., Valmari, Huber, Jensen, Godefroid, and Wolper [13, 3, 6, 2, 14]. The second is algorithms which traverse the state space in a more efficient manner; this is the approach taken in this paper. We show how it is possible to improve the standard linear time model checking algorithm in that we, in some cases, avoid searching the complete state space by taking strongly connected components (SCCs) into account. Our algorithm has the same worst case complexity as the standard algorithm [1]. Nevertheless, it is faster in many interesting cases, depending on the topology of the SCCs and on the combination of sub-expressions in the ASK-CTL formulas.
The rest of the paper is organised as follows. First we introduce Coloured Petri Nets and state spaces (sections 2 and 3 respectively). Then we present our proposal for a suitable logic for CP-nets, called ASK-CTL, and motivate its usefulness by expressing properties of example CP-nets (sections 4 and 5). The formal definition of ASK-CTL is given in section 6, including a definition of state spaces. In section 7 we show how to model check ASK-CTL formulas, taking advantage of strongly connected components. Performance measurements of this model checking algorithm and comparisons with the standard algorithm [1] are given in section 8. Finally, section 9 concludes.
Introduction to Coloured Petri Nets
We give here a short and informal overview of CP-nets, although we assume the reader to have some prior knowledge of them. For an in-depth introduction to CP-nets, see [4, 5]. We use three example CP-nets, which are also the ones used for the performance measurements.
The first example introduces the notation used in this paper and illustrates the classical scenario of the Chinese Dining Philosophers (figure 1). A number of philosophers share a bowl of rice, eating with chop-sticks. Exactly one chop-stick is located between each pair of neighbouring philosophers, i.e., two neighbours share a chop-stick. Each philosopher is either eating or thinking, modelled by two places called Eat and Think respectively. In order to eat, philosopher p needs to take two chop-sticks, Chopsticks(p): one from the left and one from the right. Unused chop-sticks are located on the place called Unused Chopsticks. In order to resume thinking, the philosopher puts down both chop-sticks at the same time. In the initial state, all philosophers are located on Think (indicated by the inscription PH) and all chop-sticks are located on Unused Chopsticks.
The philosophers are modelled with the colour set (type) PH, which is an indexed set PH = {ph1, ..., phn}. The chop-sticks are likewise modelled with the indexed colour set CS. Finally, the function Chopsticks returns a multi-set (footnote 1) of chop-sticks, given a philosopher. For example, Chopsticks(ph1) = 1`cs1 + 1`cs2.
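As an added example, not code from the paper or from Design CPN, the following Python code enumerates the state space of the net just described. It encodes a marking as the set of philosophers currently on Eat (the markings of Think and Unused Chopsticks follow from it), assumes the two transitions are named take and put, and numbers the philosophers 0..n-1 around the table. The paper does not say how many philosophers the measured net has; for n = 12 this generator yields 322 nodes and 2136 arcs, which are the figures reported for the Dining Philosophers state space in the performance section.

```python
# Added example (not code from the paper or from Design CPN): explicit-state
# generation of the state space of the dining philosophers net described above.
# Assumptions made here: the two transitions are named 'take' and 'put'; a
# marking is encoded as the frozenset of philosophers currently on Eat (the
# markings of Think and Unused Chopsticks follow from it); philosophers are
# numbered 0..n-1 around the table, so p shares its chop-sticks with p-1 and
# p+1 (mod n), and n >= 3.

def enabled(eating, n):
    """Binding elements enabled in a marking, each with the marking it leads to."""
    for p in range(n):
        left, right = (p - 1) % n, (p + 1) % n
        if p in eating:
            # 'put' returns both chop-sticks at once: p goes back to Think.
            yield ('put', p), eating - {p}
        elif left not in eating and right not in eating:
            # 'take' needs both chop-sticks of Chopsticks(p) on Unused
            # Chopsticks, i.e. neither neighbour may be eating.
            yield ('take', p), eating | {p}

def state_space(n):
    """Depth-first exploration from the initial marking (nobody eating).
    Returns (nodes, arcs) with arcs = [(M, binding_element, M'), ...]."""
    initial = frozenset()
    nodes, arcs, todo = {initial}, [], [initial]
    while todo:
        m = todo.pop()
        for be, m2 in enabled(m, n):
            arcs.append((m, be, m2))
            if m2 not in nodes:
                nodes.add(m2)
                todo.append(m2)
    return nodes, arcs

def summary(n):
    """(nodes, arcs, dead markings, largest number of simultaneous eaters)."""
    nodes, arcs = state_space(n)
    dead = sum(1 for m in nodes if next(enabled(m, n), None) is None)
    return len(nodes), len(arcs), dead, max(len(m) for m in nodes)

if __name__ == '__main__':
    for n in (3, 5, 12):
        print(n, summary(n))   # 12 -> (322, 2136, 0, 6)
```

The node count is the number of independent sets of a cycle with n vertices (the Lucas numbers), so the state space grows exponentially in n even for this small net; there are no dead markings, since every eating philosopher can always put the chop-sticks down.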
Introduction to State Spaces
We make extensive use of state spaces (footnote 2), so we give here an informal overview of some of the relevant concepts. We postpone the formal definition of state spaces until needed. One approach to formal verification of a complex system is to generate all possible states that the system can reach, given an initial state as starting point. When also recording the transitions from state to state, we obtain a labelled transition system, which we refer to as the state space of the system. The transition system is a graph with the property that all nodes are reachable from the node representing the initial state (see figure 2). Given the full state space we are able to check properties that we expect the system to have. For example, we verify a safety (invariant) property by traversing all states in the graph. We typically do this by quantifying over paths in the state space, where a path is a sequence of states and transitions, possibly infinite. An example of a partial state space can be seen in figure 2. Each node has a label indicating the marking, where the marking of Unused Chopsticks is left out since it can be derived from Think and Eat. Each edge has a label indicating the binding element (the occurring transition and the values of its variables).

Footnote 1: A set in which multiple occurrences of the same element are possible; also called a bag.
Footnote 2: State spaces are elsewhere referred to as occurrence graphs or reachability graphs.

The Logic ASK-CTL

The first contribution of this paper is the proposal of a CTL-like logic, ASK-CTL, useful for checking properties of CP-nets. The models over which we interpret ASK-CTL are state spaces of CP-nets. These graphs carry information on both nodes and edges. Hence, a natural extension of CTL is the ability to also express properties about the information labelling the edges. E.g., edge information is needed when expressing liveness, since liveness is defined in terms of transitions.
For this purpose we introduce two mutually recursively defined syntactic categories of formulas: state formulas and transition formulas, which are interpreted on the state space at states and at transitions, respectively.
As in CTL and other temporal logics, path-quantified state and transition formulas are interpreted over paths. Path quantification is used in combination with the CTL until-operator; this combination provides a means for expressing temporal properties. In ASK-CTL we allow rather general predicates, since these are useful for verification of CP-nets. We argue that ASK-CTL is exactly as expressive as CTL when the basic state and transition predicates (introduced below) are limited to atomic propositions. Since CTL cannot express standard fairness properties we inherit this inability, and lose the ability to express interesting properties such as impartiality, fairness, and justice as defined in [4, 9]. However, there exist partial remedies for this drawback, as shown by Clarke et al. [1]. In that paper the logic CTL_F is introduced as a slight extension of CTL, the purpose being to introduce fairness into CTL. This is done at the semantic level by interpreting CTL formulas only over paths which are fair with respect to a set of "fairness" predicates. One observes that SCC-graphs are used in connection with CTL_F, but not for efficiency purposes as in our work. Fairness can be introduced in a similar fashion for ASK-CTL. We do not elaborate further on this subject, as it is beyond the scope of this paper.
Syntax
Assume a fixed CP-net N. The logic, which is interpreted over the state space of N, has two categories of formulas: state formulas and transition formulas. The two syntactic categories are mutually recursive: state formulas are built from tt, basic state predicates, ¬, ∨, the until operators EU(A1, A2) and AU(A1, A2), and a modality ⟨B⟩ over a transition formula B; transition formulas are built from tt, basic transition predicates, ¬, ∨, and a modality ⟨A⟩ over a state formula A. Apart from the boolean operators ¬ and ∨, the logic thus contains the standard temporal operator U (until) combined with the path quantifiers E and A (exists and for-all, respectively). E.g., the EU(A1, A2) operator expresses the existence of a path from a given marking with the property that A1 holds until a marking is reached at which A2 holds. Dually, AU(A1, A2) requires the property to hold along all paths from the given marking. We have imposed no restrictions with respect to the computability of the basic predicates. We assume that they range over predicates which in practice are useful for verification purposes, i.e., they can be computed efficiently.
The syntax of ASK-CTL is minimal, which is an advantage when we define the formal semantics. In order to increase the readability of formulas we make use of syntactic sugar. E.g., Pos A means that it is possible to reach a state where A holds, Inv A means that A holds in every reachable state, and Ev A means that along all paths A holds within a finite number of steps. (Pos A abbreviates EU(tt, A), Inv A abbreviates ¬Pos ¬A, and Ev A abbreviates AU(tt, A).) Thus for the dining philosophers CP-net we can easily formulate the question whether the initial marking is a home marking, i.e., a marking that can be reached again from every reachable marking: we only need to check whether the state formula Inv Pos IsInitial is satisfied.
Example CP-nets
The second example is a CP-net taken from [8], where Kindler and Walter solve the problem of rearranging different integers asynchronously (see figure 3). Initially a number of different integers are distributed on the four places small, great, compSM, and compGR; the latter two places contain only one integer each. After a finite number of steps the system ends up in a dead state, i.e., a state where no binding elements are enabled, in which the following properties hold:
The integers on the places small and maxSM are smaller than the integers on the places great and minGR. The number of integers on the places small and great is the same as in the initial state. The place maxSM contains exactly one integer, and this integer is larger than any of the integers on the place small. The place minGR contains exactly one integer, and this integer is smaller than any of the integers on the place great.

As the third and final example, we present a CP-net we call the Multi Stage Process example (figure 4). The purpose of the example is to illustrate processes which go through multiple stages of success and failure. The idea is as follows. Processes perform some kind of testing and continue to do so as long as the test fails. If the test succeeds, the process divides into two, which continue in a new cycle where they alternate between waiting and idle modes. Here the processes perform tasks which can also fail or succeed. Furthermore, if all failed processes are simultaneously located on either Wait1 or Wait3, then all processes may stop performing tasks and leave the cycle. When the processes leave this cycle they become inactive and thus perform no further tasks.
The choice of these three examples is motivated in section 8.
Expressing CP-net Properties Using ASK-CTL
In this section we use ASK-CTL to express reachability, liveness, and home properties as presented in [6]. Then we consider properties of the three examples.
We let M denote a marking and, abusing notation, also the state formula that is the characteristic predicate of M, i.e., the formula M holds at a marking M' if and only if M' = M. Similarly, the transition formula t is the characteristic predicate of the transition t, i.e., t holds of a binding element b if and only if the transition in b is t. The formula Inv Pos M then expresses that M is a home marking. Reachability of M is expressed by the formula Pos M.
M is dead if it satisfies ¬⟨tt⟩ (no binding element is enabled in M), and Inv Pos ⟨t⟩ expresses that t is live (from every reachable marking, a marking in which t is enabled can be reached).
For the Integer Rearrangement example it is expected that the system will reach a totally sorted state in a finite number of steps. This property can be expressed as Inv Ev IsSorted, where IsSorted is the state predicate denoting that all integers in small are less than the integer in maxSM, all integers in great are larger than the integer in minGR, and the integer in maxSM is smaller than the one in minGR.
For the Multi Stage Process example we use the predicate IsFailed to express that both processes are in either Fail1 or Fail3. We would expect Inv Pos IsFailed to be satisfied and Inv Ev IsFailed not to be satisfied, i.e., the processes can always fail, but it is also possible that this never happens.
As another example of the usefulness of transition formulas, consider how one can express the property that one can reach a marking satisfying A by a sequence of steps involving only transitions from a set T. In the modal μ-calculus such a property would be expressed as μX. A ∨ ⟨T⟩X, where the notation ⟨T⟩ is borrowed from [11]. Notice that the formula uses the recursion operator μ. Without transition formulas we would not be able to express the above property easily. The state formula A ∨ EU(⟨T⟩, A) expresses the desired property, where T is the transition predicate that returns true if and only if the transition of a binding element is an element of T. (Note that ⟨T⟩ is here a state formula evaluated at the intermediate markings of the path: it requires that a transition from T is enabled at each of them, which is a necessary condition for, though not literally the same as, the path itself consisting of T-steps only.) For the Integer Rearrangement example the following formula is true: IsSorted ∨ EU(⟨{t1, t2, t'}⟩, IsSorted), i.e., either we have already reached a state where IsSorted holds, or it is possible to reach such a state using only the transitions t1, t2, or t'.
Formal Definition of ASK-CTL
So far we have been informal about the meaning of ASK-CTL formulas. In the following we remedy this by giving the interpretation of ASK-CTL in terms of a formal semantics.
De nition of State Spaces
We use the concepts and notation of state spaces and SCC-graphs from [6].
Viewed as a definition of a directed graph, the definition of a state space is non-standard with respect to items 2 and 3 below. They are included for two reasons: firstly, they allow multiple edges between two nodes; secondly, they make later definitions simpler. Here V is the set of nodes (reachable markings), A the set of edges (occurrences of binding elements), and N a function relating edges to their end-point nodes.
We always generate and explore the full state spaces when checking properties. Therefore we assume state spaces to be nite throughout this paper.
Interpretation
The logic is interpreted over state spaces, as defined above. For convenience we introduce the following notation: M denotes markings of the CP-net, b denotes binding elements, e denotes labelled edges of the corresponding state space, A denotes state formulas, and B denotes transition formulas.
First we define $M \models_{St} A$, the interpretation of state formulas. The meaning of tt, the basic predicates, ¬, and ∨ is standard and needs no further explanation.
The next kind of state formula allows us to switch from state to transition formulas. Recall the motivation for introducing this operator, namely that it gives us the possibility to express properties about labels on edges in the state space. The operator ⟨B⟩ means that we can find an immediate successor state of the current state such that B holds on the edge between the two states.
Before giving the formal definition of the operator, we need some con- ... interpreted over a path. It holds for a path if there exists a state at which the state formula F2 holds and F1 holds at all preceding states along the path. In this logic, U only has meaning in combination with a path quantifier, existential (E) or universal (A). E.g., AU means that for every path, U holds for the two given properties. The formal definition is as follows:
$M \models_{St} EU(A_1, A_2)$ iff $\exists \sigma \in P(M)\colon \exists n \le |\sigma|\colon (\forall\, 0 \le i < n\colon M_i \models_{St} A_1) \wedge M_n \models_{St} A_2$

$M \models_{St} AU(A_1, A_2)$ iff $\forall \sigma \in P(M)\colon \exists n \le |\sigma|\colon (\forall\, 0 \le i < n\colon M_i \models_{St} A_1) \wedge M_n \models_{St} A_2$

where $P(M)$ is the set of paths starting in $M$, $|\sigma|$ is the length of the path $\sigma$ (infinite for an infinite path), and $M_i$ is the $i$-th marking of $\sigma$, with $M_0 = M$.
Notice that for the interpretation of EU(·, ·) and AU(·, ·), n is always a finite natural number, even if $|\sigma| = \infty$.

The interpretation of transition formulas, $a \models_{Tr} B$ where $a = (M, b, M')$, is given in the following. Again, tt, the basic predicates, ¬, and ∨ have a standard interpretation:

$a \models_{Tr} tt$ always holds
a basic transition predicate holds of $a$ iff it holds of the binding element $b$
$a \models_{Tr} \neg B$ iff not $a \models_{Tr} B$
$a \models_{Tr} B_1 \vee B_2$ iff $a \models_{Tr} B_1$ or $a \models_{Tr} B_2$

Similarly to state formulas, we have a ⟨·⟩ operator in order to switch from transition to state formulas: if we currently consider a transition, the operator allows us to express a property about the destination state of the transition. Note that the following formal definition is simpler than in the case of state formulas, because an edge always has a unique successor node. Whenever we interpret a formula ⟨A⟩ on $a = (M, b, M')$, we mean $M' \models_{St} A$.

In fact, our result implies that by performing the transformation as sketched above we could have used a standard CTL model checker. However, we have chosen to avoid this transformation step for several reasons, the major one being that our model checker is easier to implement directly in the Design CPN environment [7].
Model Checking the ASK-CTL Logic
In this section we present an improved model checking algorithm. The approach is based on the "local model checking idea" from [12].
In [1] the complexity of model checking for a similar logic is shown to be linear in the product of the size of the formula and the size of the state space. We obtain the same worst case complexity with ASK-CTL, assuming that the predicates can be evaluated efficiently: O(N(V + E)), where N is the length of the formula, V the number of nodes, and E the number of edges in the state space.
As the second contribution of this paper, we describe our improved model checking algorithm. The concept of strongly connected components allows us to improve the standard model checking algorithm [1].
Strongly Connected Component Graphs
We use a special kind of graph derived from state spaces, namely strongly connected component graphs (SCC-graphs). In figure 5 a partial SCC-graph is shown for the Multi Stage Process example. The SCC-graph is drawn with large gray nodes and thick arrows; the underlying state space with small nodes and thin arrows.
An SCC-graph is a graph in which each node is a strongly connected component (SCC). Each SCC represents a subset of the nodes of the state space with the property that each node in the subset is reachable from every other node in the subset. These subsets are maximal and mutually disjoint, and they form a partition of the states in the state space. There is an edge between two SCCs in the SCC-graph if there is an edge between two nodes, one in each of the two SCCs. SCC-graphs are acyclic.
A More Efficient Algorithm
Our model checking algorithm is a modification of the standard algorithm given in [1]. We optimise the standard algorithm for some combinations of ASK-CTL formulas, partly by means of reduction rules, and partly by exploiting the SCC-graph. In the following we show how.
All formulas are expanded to the basic primitives of the logic and reduced to eliminate redundant parts, e.g., ¬¬A is reduced to A. We optimise the checking of formulas that are combinations of EU(tt, ·), AU(tt, ·), and ¬, i.e., essentially combinations of Pos, Inv, Ev, and Along.
Listing all combinations of two, we recognise eight basic patterns (f is either a state or a transition formula):

1. EU(tt, EU(tt, f))
2. AU(tt, EU(tt, f))
3. EU(tt, AU(tt, f))
4. AU(tt, AU(tt, f))
5. EU(tt, ¬EU(tt, f))
6. AU(tt, ¬EU(tt, f))
7. EU(tt, ¬AU(tt, f))
8. AU(tt, ¬AU(tt, f))
The first four patterns can be optimised by reduction rules, the next three can be model checked more efficiently by taking advantage of the SCC-graph, while the last pattern does not seem to have such a property.
Other formula combinations exist with, e.g., f. Unfortunately we have not been able to improve the model checking algorithm for these other cases by taking the SCC-graph into account.
The three formula patterns 1–3 above can easily be reduced to EU(tt, f). Furthermore, pattern 4 can be reduced to AU(tt, f). We omit the formal proofs here.
Instead we explain informally why pattern 2 is equivalent to EU(tt, f) (only the state formula case is considered in this section, to simplify the discussion). Assume AU(tt, EU(tt, A)) holds at a given initial state M0. This formula says that eventually a state is reached from which it is possible to reach a state M_A where A holds. Then certainly M_A is reachable from M0, thus EU(tt, A) also holds. Conversely, assume that EU(tt, A) holds, i.e., it is possible to reach a state M_A from M0 where A holds. Observe that a state from which M_A can be reached is always reached eventually, viz. M0 itself in zero steps (our assumption). Thus AU(tt, EU(tt, A)) holds. We can therefore conclude that the following is a sound reduction rule: AU(tt, EU(tt, f)) ≡ EU(tt, f).
Similar arguments apply for pattern 3, while the reduction rules for patterns 1 and 4 are more straightforward to prove.
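As an added example, not part of the paper and not the Design CPN implementation, the following Python code implements the interpretation of section 6 (state formulas with ⟨B⟩, EU and AU; transition formulas with ⟨A⟩) as set-based fixpoint computations over a small constructed state space, and can be used to confirm the reduction rules for patterns 1–4 on that graph. Assumptions of the example: paths are maximal, so a dead marking has only the trivial path; plain edge labels stand in for binding elements; and all names (StateSpace, sat_st, sat_tr, until, SAMPLE, ...) are the example's own.

```python
# Added example (not from the paper or Design CPN): an explicit-state checker
# for the ASK-CTL interpretation above, run on a small constructed state space.
# Assumptions: paths are maximal (infinite, or ending in a marking with no
# enabled binding element); edge labels stand in for binding elements.

class StateSpace:
    """Labelled transition system: nodes are markings, arcs are (M, b, M')."""
    def __init__(self, initial, arcs):
        self.initial = initial
        self.arcs = set(arcs)
        self.nodes = {initial} | {m for a in self.arcs for m in (a[0], a[2])}
        self.out = {m: set() for m in self.nodes}
        for a in self.arcs:
            self.out[a[0]].add(a)

# Formulas are tuples; the same constructors serve state and transition formulas.
TT = ('tt',)
def pred(f):    return ('pred', f)   # basic predicate on a marking / binding element
def Not(F):     return ('not', F)
def Or(F, G):   return ('or', F, G)
def Mod(F):     return ('mod', F)    # <F>: switches between state and transition level
def EU(A1, A2): return ('EU', A1, A2)
def AU(A1, A2): return ('AU', A1, A2)
# The paper's syntactic sugar.
def Pos(A): return EU(TT, A)
def Inv(A): return Not(Pos(Not(A)))
def Ev(A):  return AU(TT, A)

def sat_st(ss, A):
    """Set of markings M with M |=St A."""
    op = A[0]
    if op == 'tt':   return set(ss.nodes)
    if op == 'pred': return {m for m in ss.nodes if A[1](m)}
    if op == 'not':  return ss.nodes - sat_st(ss, A[1])
    if op == 'or':   return sat_st(ss, A[1]) | sat_st(ss, A[2])
    if op == 'mod':  # <B>: some outgoing edge satisfies the transition formula B
        return {a[0] for a in sat_tr(ss, A[1])}
    if op in ('EU', 'AU'):
        return until(ss, sat_st(ss, A[1]), sat_st(ss, A[2]), op == 'AU')
    raise ValueError(f'not a state formula: {op}')

def sat_tr(ss, B):
    """Set of edges a = (M, b, M') with a |=Tr B."""
    op = B[0]
    if op == 'tt':   return set(ss.arcs)
    if op == 'pred': return {a for a in ss.arcs if B[1](a[1])}
    if op == 'not':  return ss.arcs - sat_tr(ss, B[1])
    if op == 'or':   return sat_tr(ss, B[1]) | sat_tr(ss, B[2])
    if op == 'mod':  # <A>: the destination marking M' satisfies the state formula A
        dst = sat_st(ss, B[1])
        return {a for a in ss.arcs if a[2] in dst}
    raise ValueError(f'not a transition formula: {op}')

def until(ss, s1, s2, universal):
    """Least fixpoint for E(s1 U s2) (universal=False) and A(s1 U s2) (True).
    A marking joins the set when s1 holds there and some (E) or every (A)
    successor is already in it.  A dead marking has only the trivial path, so
    under AU it qualifies only if s2 holds there; a bare all([]) would wrongly
    accept it, hence the explicit check that successors exist."""
    result = set(s2)
    changed = True
    while changed:
        changed = False
        for m in ss.nodes - result:
            succ = {a[2] for a in ss.out[m]}
            if m in s1 and succ and ((succ <= result) if universal else (succ & result)):
                result.add(m)
                changed = True
    return result

def holds(ss, A):
    """M0 |=St A for the initial marking M0."""
    return ss.initial in sat_st(ss, A)

# Constructed state space (not from the paper), labels in place of binding elements:
#   s0 <-> s1 (a/b), s1 -c-> s2, s2 <-> s3 (d/d), s3 -h-> s6 (dead),
#   s2 -e-> s4, s4 <-> s5 (f/g).  Terminal behaviour: the cycle {s4, s5}, or s6.
SAMPLE = StateSpace('s0', [
    ('s0', 'a', 's1'), ('s1', 'b', 's0'), ('s1', 'c', 's2'),
    ('s2', 'd', 's3'), ('s3', 'd', 's2'), ('s3', 'h', 's6'),
    ('s2', 'e', 's4'), ('s4', 'f', 's5'), ('s5', 'g', 's4'),
])

# The CP-net properties of section 5 as formulas.
def is_marking(m): return pred(lambda x: x == m)   # characteristic predicate of M
def is_trans(t):   return pred(lambda b: b == t)   # characteristic predicate of t
DEAD = Not(Mod(TT))                                 # no enabled binding element
def live(t):       return Inv(Pos(Mod(is_trans(t))))
def home(m):       return Inv(Pos(is_marking(m)))

if __name__ == '__main__':
    print('dead markings:', sat_st(SAMPLE, DEAD))                 # {'s6'}
    print('s6 reachable:', holds(SAMPLE, Pos(is_marking('s6'))))  # True
    print('s6 inevitable:', holds(SAMPLE, Ev(is_marking('s6'))))  # False
    print('s0 home marking:', holds(SAMPLE, home('s0')))          # False
    print('f live:', holds(SAMPLE, live('f')))                    # False
```

On SAMPLE, sat_st(SAMPLE, AU(TT, EU(TT, f))) and sat_st(SAMPLE, EU(TT, f)) return the same set of markings for any f, as pattern 2 predicts, and likewise for patterns 1, 3 and 4; Pos(is_marking('s6')) holds at s0 while Ev(is_marking('s6')) does not, because the cycles s0/s1 and s2/s3 can be taken forever.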
The three patterns 5–7 containing one negation can all be optimised using the SCC-graph. However, pattern 8 does not seem to have similar properties, and is thus not considered further. Below we illustrate the optimisation idea for one of the three patterns (again, only the state formula case is considered, to simplify the discussion).
We use formula pattern 5 as an example. In order to make the following discussion more intuitive, we negate the formula. Thus consider the formula h(A) = ¬EU(tt, ¬EU(tt, A)). The outer part ¬EU(tt, ¬A') means that it is not possible to reach a state in which A' does not hold, where A' = EU(tt, A). This is equivalent to saying that A' holds invariantly. The inner part A' says that there exists a path to a state in which A holds, i.e., it is possible to reach a state where A is true. Thus the whole formula says that no matter where you go, it is possible from there to reach a state in which A holds, i.e., Inv Pos A. How do we model check such a formula using the SCC-graph? In order to motivate the use of SCCs, consider for the moment the specific case where A identifies a set of markings. Now h(A) expresses the home space property as defined in section 4.3 of [4]. In [6], section 1.4, proposition 1.14 relates home spaces to SCC-graphs: a set of markings X is a home space iff each terminal SCC (an SCC with no outgoing edge in the SCC-graph) contains a marking from X. The reason is that in a finite state space every marking can reach some terminal SCC, and from any marking of a terminal SCC exactly the markings of that SCC are reachable. In general h(A) can therefore be checked by considering only the terminal SCCs: if A holds somewhere in each terminal SCC, then h(A) holds, and vice versa. We omit the formal proof here.
This means that the complexity of checking this formula is linear in the sum of the sizes of the terminal SCCs times the size of the formula. We gain a significant improvement in performance when the number of nodes and edges in the terminal SCCs is small compared with the full graph. If the SCC-graph consists of only one node (the worst case), we get the same performance as with the original algorithm.
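As an added example (not the paper's implementation), the Python code below computes the SCCs of a constructed stage-like state space with Tarjan's algorithm, picks out the terminal SCCs, and decides h(A) = Inv Pos A by inspecting only those, beside the standard check that every node lies in the backward reachability set of A. The names (tarjan_scc, terminal_sccs, inv_pos_terminal, inv_pos_standard) and the sample graph are the example's own. The SCC decomposition is a one-off cost per state space, shared by every formula checked against it, so the node counts returned compare only the per-formula work.

```python
# Added example (not from the paper or Design CPN): deciding h(A) = Inv Pos A on
# the terminal SCCs only, beside the standard whole-graph check.  The state
# space below is a constructed stage-like graph; edge labels are omitted because
# this check needs only the nodes and the successor relation.

def tarjan_scc(nodes, succ):
    """Iterative Tarjan's algorithm. `succ` maps a node to its successors.
    Returns the list of SCCs as frozensets (a partition of `nodes`)."""
    index, low, on_stack, stack, sccs = {}, {}, set(), [], []
    for root in nodes:
        if root in index:
            continue
        index[root] = low[root] = len(index)
        stack.append(root); on_stack.add(root)
        work = [(root, iter(succ.get(root, ())))]
        while work:
            v, it = work[-1]
            for w in it:
                if w not in index:             # tree edge: descend into w
                    index[w] = low[w] = len(index)
                    stack.append(w); on_stack.add(w)
                    work.append((w, iter(succ.get(w, ()))))
                    break
                if w in on_stack:              # back edge within the current SCC
                    low[v] = min(low[v], index[w])
            else:                              # all edges of v processed
                work.pop()
                if work:
                    u = work[-1][0]
                    low[u] = min(low[u], low[v])
                if low[v] == index[v]:         # v is the root of an SCC
                    comp = set()
                    while True:
                        w = stack.pop(); on_stack.discard(w); comp.add(w)
                        if w == v:
                            break
                    sccs.append(frozenset(comp))
    return sccs

def terminal_sccs(sccs, succ):
    """SCCs with no edge leaving them: the sinks of the (acyclic) SCC-graph."""
    comp_of = {v: c for c in sccs for v in c}
    return [c for c in sccs
            if all(comp_of[w] == c for v in c for w in succ.get(v, ()))]

def inv_pos_terminal(nodes, succ, a):
    """Inv Pos A via the SCC-graph: every terminal SCC contains a marking
    satisfying A.  Returns (verdict, number of markings inspected)."""
    terms = terminal_sccs(tarjan_scc(nodes, succ), succ)
    return all(any(a(v) for v in c) for c in terms), sum(len(c) for c in terms)

def inv_pos_standard(nodes, succ, a):
    """Standard check: every marking can reach a marking satisfying A, i.e. the
    backward reachability set of A is the whole state space."""
    pred = {}
    for v, ws in succ.items():
        for w in ws:
            pred.setdefault(w, set()).add(v)
    seen = {v for v in nodes if a(v)}
    work = list(seen)
    while work:
        w = work.pop()
        for v in pred.get(w, ()):
            if v not in seen:
                seen.add(v); work.append(v)
    return seen == set(nodes), len(nodes)

# Constructed state space: a testing cycle {a0,a1,a2} that can move on to a
# waiting cycle {b0,b1}, from which the system ends in the terminal cycle
# {c0,c1,c2} or in the dead marking d0.  SCC-graph: {a*} -> {b*} -> {c*}, {b*} -> {d0}.
SUCC = {
    'a0': ['a1'], 'a1': ['a2', 'b0'], 'a2': ['a0'],
    'b0': ['b1', 'd0'], 'b1': ['b0', 'c0'],
    'c0': ['c1'], 'c1': ['c2'], 'c2': ['c0'],
    'd0': [],
}
NODES = list(SUCC)

def compare(markings):
    """Both checks for A = 'the marking is one of `markings`'."""
    a = lambda v: v in markings
    return inv_pos_terminal(NODES, SUCC, a), inv_pos_standard(NODES, SUCC, a)

if __name__ == '__main__':
    print(compare({'c2', 'd0'}))   # ((True, 4), (True, 9)): a home space
    print(compare({'c2'}))         # ((False, 4), (False, 9)): d0 never reaches c2
```

The two checks always agree on the verdict; the terminal-SCC check touches only the 4 markings of the two terminal SCCs, whereas the standard check visits all 9, and the gap widens with the number of markings outside the terminal SCCs, as the paper's Multi Stage Process measurements illustrate.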
Similar significant performance improvements can be found for the remaining two formula patterns, 6 and 7.
Performance Measures
Above we have shown that a set of formula patterns can be model checked more efficiently than with the standard algorithm by taking SCC-graphs into account. In practice we can compare implementations of the standard algorithm and our improved algorithm by making performance measurements on state spaces generated from specific CP-nets. We use the three CP-nets already presented (section 5). These examples result in three very different state spaces and SCC-graphs, and thus provide reasonably representative material for a variety of experiments.
In the subsections following, we rst show the characteristics of the state spaces of the example CP-nets. Then we show that we gain signi cant performance improvements with our improved model checking algorithm.
State Spaces of Example CP-nets
We now describe the characteristics of the state spaces of the three examples used in this paper. The Dining Philosophers is an example of a totally cyclic system, which implies that the initial state is reachable from any reachable state. From this we conclude that there is exactly one SCC in the SCC-graph, containing all reachable states of the CP-net. The state space of this example contains 322 nodes and 2136 arcs.
Simulating the Integer Rearrangement example always terminates in a finite number of steps. This implies that the state space does not have any cycles. A totally acyclic state space has an isomorphic SCC-graph with only trivial components, i.e., an SCC for each node of the state space. The state space of this example contains 895 nodes and 2548 arcs.
The Multi Stage Process example has a behaviour which includes both local cycles and non-reversible changes between stages. The full SCC-graph of the Multi Stage Process example is shown in figure 6. For each SCC we have shown the identity of the component (a natural number), the number of states, and the number of internal transitions. For each arc connecting two SCCs we have indicated the number of binding elements between these SCCs. The state space of this example contains 578 nodes and 2498 arcs. The SCC-graph has 11 components.
Performance Comparison of Algorithms
We have implemented two versions of the model checking algorithm on top of the Design CPN tool [7]: one corresponding to the standard algorithm presented in [1], and the other being the standard algorithm including the improvements described above, which take advantage of the SCC-graph.
To investigate the performance of our implementation we have measured the time to check some formulas from section 5.1 using both the standard algorithm and the improved algorithm proposed above. The formulas are used on the examples from sections 4.1 and 5.1. The results exhibit a significant speed-up for all basic formula patterns (section 7.2), here ranging from a factor 2.4 to more than 1300.
Conclusion
Three factors determine the usefulness of having a logic to express behavioural properties in terms of state spaces of CP-nets. First of all, the logic must be sufficiently powerful to express interesting properties of the behaviour. Secondly, there must exist efficient algorithms to validate the properties. Finally, the implementation must be able to handle interesting problems, i.e., combinations of large state spaces and complex formulas. We have provided a CTL-like logic which can express interesting properties about state spaces of CP-nets. In particular, the logic allows properties of both states and transitions to be expressed directly. This duality gives a very direct formulation of standard CP-net properties such as liveness and home properties. At the same time we have shown how a linear time model checker for the logic can still be applied. Our model checker has been implemented on top of Design CPN [4], a tool based on CP-nets which is available free of charge. The tool offers the possibility of automatic generation of the full state space graph of a CP-net. As we have access to the full state space graph we can, in some important cases, improve the performance of the standard CTL model checking algorithm by exploiting strongly connected components. We have presented empirical results which show that, in some cases, our technique is much more efficient than the standard CTL model checking algorithm.
Contrary to the work of, e.g., Valmari [13] and Jensen [6], our technique does not perform any state space reduction. Our model checking technique is "orthogonal" to the symmetry-based state space reduction technique described by Jensen [6]. The symmetry-reduced state space of a net contains all information about the full state space. Future work should investigate the possibility of applying the technique proposed in the present paper to symmetry-reduced state spaces. We expect this to be possible under certain restrictions on the properties to be verified; e.g., the predicates should be invariant under symmetries.
