Petri Games: Synthesis of Distributed Systems with Causal Memory

# Petri Games: Synthesis of Distributed Systems with Causal Memory

Bernd Finkbeiner Universität des Saarlandes Carl von Ossietzky Universität Oldenburg    Ernst-Rüdiger Olderog Carl von Ossietzky Universität Oldenburg
###### Abstract

We present a new multiplayer game model for the interaction and the flow of information in a distributed system. The players are tokens on a Petri net. As long as the players move in independent parts of the net, they do not know of each other; when they synchronize at a joint transition, each player gets informed of the causal history of the other player. We show that for Petri games with a single environment player and an arbitrary bounded number of system players, deciding the existence of a safety strategy for the system players is EXPTIME-complete.

## 1 Introduction

Games are a natural model of the interaction between a computer system and its environment. Specifications are interpreted as winning conditions, implementations as strategies. An implementation is correct if the strategy is winning, i.e., it ensures that the specification is met for all possible behaviors of the environment. Algorithms that determine the winner in the game between the system and its environment can be used to determine whether it is possible to implement a specification (the realizability question) and, if the answer is yes, to automatically construct a correct implementation (the synthesis problem).

We present a new game model for the interaction and the flow of information in a distributed system. The players are tokens on a Petri net. In Petri nets, causality is represented by the flow of tokens through the net. It is therefore natural to designate tokens also as the carriers of information. As long as different players move in concurrent places of the net, they do not know of each other. Only when they synchronize at a joint transition, each player gets informed of the history of the other player, represented by all places and transitions on which the joint transition causally depends. The idea is that after such a joint transition, a strategy for a player can take the history of all other players participating in the joint transition into account. Think of a workflow where a document circulates in a large organization with many clerks and has to be signed by everyone, endorsing it or not. Suppose a clerk wants to make the decision whether or not to endorse it depending on who has endorsed it already. As long as the clerk does not see the document, he is undecided. Only when he receives the document, he sees all previous signatures and then makes his decision.

We call our extension of Petri nets Petri games. The players are organized into two teams, the system players and the environment players, where the system players wish to avoid a certain “bad” place (i.e., they follow a safety objective), while the environment players wish to reach just such a place. To partition the tokens into the teams, we label each place as belonging to either the system or the environment. A token belongs to a team whenever it is on a place that belongs to the team.

In the tradition of Zielonka’s automata [29], Petri games model distributed systems with causal memory, i.e., distributed systems where the processes memorize their causal history and communicate it to each other during each synchronization [11, 17, 12]. Petri games thus abstract from the concrete content of a communication in that we assume that the processes always exchange the maximal possible information, i.e., their entire causal history. This is useful at a design stage before the details of the interface have been decided and one is more interested in restricting when a communication can occur (e.g., when a device is connected to its base station, while a network connection is active, etc.) than what may be communicated. The final interface is then determined by the information actually used by the winning strategies, which is typically only a small fraction of the causal history. Note that even though we assume the players to communicate everything they know, the flow of information in a Petri game is far from trivial. At any point, the players of the Petri game may have a different level of knowledge about the global state of the game, and the level of informedness changes dynamically as a result of the synchronizations chosen by the players.

The system players and the environment players move on separate places in the net, the places belonging to the system players are shown in gray. In the example, our goal is to find a strategy for the system players that avoids a false alarm, i.e., a marking where the environment token is still on and at least one system token is on one of the places at the bottom, i.e., , , etc., and a false report, i.e., a marking where the environment token is on place and some system token is on or or a marking where the environment token is on and some system token is on or . To identify such undesirable markings we introduce a distinguished place . Fig. 1 shows (dashed) transitions towards firing at two instances of false reports, when tokens are on both and or on both and . Similar transitions for other erroneous situations are omitted here to aid visibility.

Suppose that, in our Petri game, the burglar breaks into location by taking the left transition. Once the system token in has recorded this via transition , it has two possibilities: either synchronize with the system token in by taking transition , or skip the communication and go straight to via transition . Intuitively, only the choice to synchronize is a good move, because the system token in has no other way of hearing about the alarm. The only remaining move for the system token in would be to move “spontaneously” via transition to , at which point it would need to move to , because the combination of BB and EA would constitute a false alarm. However, the token in has no way of distinguishing this situation from one where the environment token is still on ; in this situation, the move to would also reach a false alarm.

Our definition of strategies is based on the unfolding of the net, which is shown for our example in Fig. 2. By eliminating all joins in the net, net unfoldings [20, 7, 9] separate places that are reached via multiple causal histories into separate copies. In the example, place has been unfolded into four separate copies, corresponding to the four different ways to reach , via the transition arcs through . Each copy represents different knowledge: in , only knows that there has been a burglary at location ; in , knows nothing; in , knows that knows that there has been a burglary at position ; in , knows that there has been a burglary at location . (Symmetric statements hold for and the transition arcs .) In the unfolding, it becomes clear that taking transition is a bad move, because reaching the bad marking containing and either or has now become unavoidable. A strategy is a subprocess of the unfolding that preserves the local nondeterminism of the environment token. Fig. 2 shows a winning strategy for the system players: by omitting the dashed arrows, they can make the bad place unreachable and therefore win the game.

We show that for a single environment token and an arbitrary (but bounded) number of system tokens, deciding the existence of a safety strategy for the system players is EXPTIME-complete. This means that as long as there is a single source of information, such as the input of an algorithm or the sender in a communication protocol, solving Petri games is no more difficult than solving standard combinatorial games under complete information [26]. The case of Petri games with two or more environment tokens, i.e., situations with two or more independent information sources, remains open.

The remainder of the paper is structured as follows. In Section 3 we introduce the notion of Petri games and define strategies based on net unfoldings. In Section 4 we show that for concurrency preserving games every strategy can be distributed over local controllers. In Section 5 we introduce the new notion of mcuts on net unfoldings. In Section 6 we show that the problem of deciding the winner of a Petri game is EXPTIME-complete. Related work and conclusions are presented in Sections 7 and 8. Due to space limitations, proofs have been moved into the full version of this paper.

## 2 Petri nets

We recall concepts from Petri net theory [24, 5, 20, 7, 8, 19, 15, 9]. A place/transition (P/T) Petri net or simply net consists of possibly infinite, disjoint sets of places and of transitions, a flow relation , which is a multiset over , and an initial marking . In general, a marking of is a finite multiset over . It represents a global state of . By convention, a net named has the components , and analogously for nets with decorated names like .

The elements of are called nodes of , thereby referring to the bipartite graphic representation of nets, where places are drawn as circles and transitions as boxes. The flow relation is represented by directed arrows between places and transitions. An arrow from a place to a transition is decorated by a multiplicity if , and analogously, an arrow from a transition to a place is decorated by a multiplicity if . We use a double arrow arc between a place and a transition if there are arcs in both directions. A marking is represented by placing tokens in every place .

is finite if it has only finitely many nodes, and infinite otherwise. For nodes we write if . The precondition of is the multiset over nodes defined by . The postcondition of is the multiset over nodes defined by . When stressing the dependency on the net , we write and instead of and . As in [7] we require finite synchronization [5] and non-empty pre- and postconditions: and are finite, non-empty multisets for all transitions .

A transition is enabled at a marking if the multiset inclusion holds. Executing or firing such a transition at yields the successor marking defined by . We denote this by . The set of reachable markings of a net is denoted by and defined by . A net is -bounded for a given if holds for all and all . It is bounded if it is -bounded for some given and safe if it is 1-bounded.

denotes the transitive closure and the reflexive, transitive closure of . Nodes and are in conflict, abbreviated by , if there exists a place , different from and , from which one can reach and via , exiting by different arcs. A node is in self-conflict if .

We use the notations and for the sets of places without incoming or outgoing transitions, respectively. For a multiset over let result from by changing its initial marking to . For a set of nodes we define the restriction of to as the net .

Consider two nets and . Then is an initial subnet or simply subnet of , denoted by , if , , , and . A homomorphism from to is a mapping with and , and with and . If additionally , then is called an initial homomorphism. An (initial) isomorphism is a bijective (initial) homomorphism.

Occurrence nets and unfoldings. To represent the occurrences of transitions with both their causal dependency and conflicts (nondeterministic choices), we consider occurrence nets, branching processes, and unfoldings of Petri nets as in [20, 7, 15, 9]. We follow the axiomatic presentation in [7], taking [19] into account for dealing with P/T Petri nets.

An occurrence net is a Petri net , where and are sets, , the inverse flow relation is well-founded, no transition is in self-conflict, and . Note that an occurrence net is a safe net. Two nodes of an occurrence net are causally related if or . They are concurrent if they are neither causally related nor in conflict. If then is called a causal predecessor of , abbreviated . We write if or . The causal past of a node is the set .

A branching process of a net is a pair , where is an occurrence net and is a “labeling”, i.e., a homomorphism from to that is injective on transitions with the same precondition: implies . If is initial, is called an initial branching process. The unfolding of a net is an initial branching process that is complete in the sense that every transition of the net is recorded in the unfolding: : if is a set of concurrent places and , then there exists a transition such that and .

Let and be two branching processes of . A homomorphism from to is a homomorphism from to with . It is called initial if is initial; it is an isomorphism if is an isomorphism. and are isomorphic if there exists an initial isomorphism from to . approximates if there exists an initial injective homomorphism from to . is a subprocess of if approximates with the identity on as the homomorphism. Thus and . If approximates then is isomorphic to a subprocess of .

In [7] is shown that the unfolding of a net is unique up to isomorphism and that every initial branching process of approximates . Thus up to isomorphism we can assume that is a subprocess of .

Cuts and sequential composition. A cut of an occurrence net is a maximal subset of the places that are pairwise concurrent. For a cut let and . A cut splits into the two nets and ; it also splits a branching process into two branching processes and , where and and and .

Two branching processes and of a given P/T Petri net are compatible if . Given two compatible branching processes and , we can up to isomorphisms of and of assume that and construct a unique branching process with and , and and , for the cut . This branching process is the sequential composition of and , denoted by . If is an initial branching process, then so is .

Causal nets and concurrent runs. Executions of Petri nets are represented by causal nets and concurrent runs as in [20, 5]. A causal net is an occurrence net , where . Thus in a causal net there are no (self-) conflicts. A (concurrent) run or process of is a special case of a branching process , where is a causal net. If is initial, is called an initial run. Note that every initial run of approximates the unfolding of . Thus up to isomorphism we can assume the an initial run of is a subprocess of .

The marking reached by a finite initial run of is denoted by and defined as the multiset . We remark that the set of reachable markings of can be obtained via the runs as follows: .

## 3 Petri Games

We wish to model games where the players proceed independently of each other, without information of each others state, unless they explicitly communicate. To this end, we introduce Petri games, defined as place/transition (P/T) Petri nets, where the set of places is partitioned into a subset belonging to the system players and a subset belonging to the environment. Additionally, the Petri game identifies a set of bad places (from the point of view of the system), which indicate a victory for the environment. Formally, a Petri game is a structure , where the (underlying) Petri net of the game is with places . Players are modeled by the tokens of . Throughout this paper we stipulate that there is only one environment player.

A global strategy is obtained from the unfolding by deleting some of the branches that are under control of the system players. We call this a “global” strategy because it looks at all players simultaneously. Note that nevertheless a strategy describes for each place which transitions the player in that place can take. Formally, this is expressed by the net-theoretic notion of subprocess.

An unfolded (global) strategy for the system players in is a subprocess of the unfolding of subject to the following conditions for all :

1. if then is deterministic at ,

2. if then , i.e., at an environment place the strategy does not restrict any local transitions.

Here denotes the system places and the environment places in . A strategy is deterministic at a place if for all , the set of reachable markings in :

 p∈M⇒∃≤1t∈Tσ:p∈pre(t)⊆M.

Due to the unfolding, a decision taken by in a place depends on the causal past of , which may be arbitrarily large. The adjective “global” indicates that looks at all players simultaneously. Local controllers are discussed in Section 4.

###### Example 3.3

Fig. 4 shows also a global strategy for the system players of the Petri game in Fig. 4.

A (concurrent) play of a Petri game is an initial concurrent run of the underlying net . If contains a place of , the environment wins . Otherwise, the system players win . Note that up to isomorphism we can assume that is a subprocess of the unfolding . A play conforms to a strategy  if is a subprocess of . A strategy for the system players is winning if the system players win every play that conforms to .

Since the winning condition of a game is a safety objective, the system players can satisfy it by doing nothing. To avoid such trivial solutions, we look for strategies that are deadlock avoiding in the sense that , i.e., if the unfolding can execute a transition the strategy can as well, thus avoiding unnecessary deadlocks. A marking where there is no enabled transition in the unfolding either is not a deadlock. Then we say that the game has terminated.

A (global) strategy for the system players in is a pair consisting of a safe net and an initial homomorphism from to that is injective on transitions with the same preset, i.e., implies , subject to the conditions (S1) and (S2) above. A global strategy may have cycles and thus be finite, i.e., have a finite set .

## 4 Distribution

We show that for Petri games with a concurrency preserving underlying net, every global strategy is distributable over local controllers. A net is concurrency preserving if every transition satisfies . The parallel composition of two nets , , with is defined as the Petri net obtained by taking the componentwise union. The two nets synchronize on each common transition as in the process algebra CSP [14, 21].

Let be a concurrency preserving, safe net with the places partitioned into system and environment places . A slice of describes the course of one token in . Formally, it is a net , where or , , , are minimal subsets satisfying

• and and ,

• .

The net is called reachable if every place and transition of is reachable from its initial marking.

###### Lemma 4.1 (Parallel Composition of Slices)

Every safe reachable net which is concurrency preserving is the parallel composition of slices: where is a family of slices of such that is a partition of .

A local controller specifies the moves of a single player in a Petri game. It is a pair consisting of a safe net with one token, i.e., and , and a weak homomorphism from to , the underlying net of the Petri game. A local controller is finite if is a finite set. It may have nondeterministic choices of transitions that are resolved (later) by synchronization with other controllers working in parallel. Unfolding yields a branching process , where is an initial homomorphism from to . Then is an unfolded local controller.

A (n unfolded) strategy is distributable if can be represented as the parallel composition of (unfolded) local controllers for the environment and the system players in the sense that the reachable part of the parallel composition is isomorphic to . Using Lemma 4.1 we show:

###### Lemma 4.2 (Distribution)

Every unfolded global strategy for a concurrency-preserving Petri game is distributable.

###### Example 4.3

The global strategy of Fig. 4 can be distributed into the local controllers of Fig. 5.

###### Theorem 4.4

If the system players in a bounded and concurrency preserving Petri game have a winning strategy, then they have a finite distributable winning strategy.

## 5 Cuts

In an unfolded strategy , a decision taken by in a place depends on the causal past of , which may be arbitrarily large. Similar to model checking approaches based on net unfoldings [8], we use cuts (maximal subset of pairwise concurrent places) as small summaries of the causal past. The standard notion of cuts is, however, problematic for games with multiple players, because it collects places without regard for the (possibly different) knowledge of the individual players about the causal past. To solve this problem, we introduce a new kind of cut, called mcut, which guarantees that the system players can be considered to be perfectly informed about the environment decisions.

Throughout this section, we consider a Petri game with underlying net , unfolding , and an unfolded strategy , so and . Since in the nondeterminism of has been restricted, we distinguish for a node the postconditions and taken in the nets and , respectively. Note that . For preconditions we have . Thus, while the postconditions of nodes may be different in and , their preconditions are identical.

The formal definition is as follows: For a -cut and a place we define if and if Note that . By type-1(C) we denote the set of all places in that have type 1, and analogously for type-2(C). Then we define: For an example, see Fig. 6.

###### Lemma 5.1 (Existence of mcuts)

For every environment place , is well-defined.

An ecut results from an mcut by firing a single environment transition. Formally, given an environment place and a transition with environment participation let be the cut obtained by firing at , formally . For an example, see Fig. 6.

## 6 Deciding Petri Games

We now reduce Petri games to games over finite graphs, which can subsequently be solved by a standard fixed point construction. Unlike the Petri game, the finite-graph game has only two players, Player 0 and Player 1, which both act on complete information. We construct a finite-graph game that is equivalent to the Petri game in the sense that the system players have a deadlock-avoiding and winning strategy in the Petri game iff Player 0 has a winning strategy in the finite-graph game. The key idea is that Player 1, representing the environment, is only allowed to make a decision at mcuts, which guarantees that the system players learn about the decision before they have to make their next choice. In this way, the system players can be considered to be perfectly informed.

A finite-graph game consists of a finite set of states, partitioned into Player 0’s states and Player 1’s states , a set of initial states , an edge relation , and disjoint sets of winning states for Player 0 and Player 1, respectively. A play is a possibly infinite sequence of states, constructed by letting Player 0 choose the next state from the -successors whenever the play is in and letting Player 1 choose otherwise. Player 0 wins if the play reaches or forever avoids visiting .

A strategy for Player 0 is a function that maps a prefix of a play ending in a state owned by Player 0, i.e., a sequence of states that ends in a state, to some successor state according to . A play conforms to a strategy , if all successors of states in the play are chosen according to . A strategy is winning for Player 0 if there is an initial state such that all plays that start in and conform to are won by Player 0.