Abstract
Mobile cyberphysical systems (CPSs) are very hard to verify, because of asynchronous communication and the arbitrary number of components. Verification via model checking typically becomes impracticable due to the state space explosion caused by the system parameters and concurrency. In this paper, we propose a formal approach to verify the safety properties of parameterized protocols in mobile CPS. By using counter abstraction, the protocol is modeled as a Petri net. Then, a novel algorithm, which uses IC3 (the stateoftheart model checking algorithm) as the backend engine, is presented to verify the Petri net model. The experimental results show that our new approach can greatly scale the verification capabilities compared favorably against several recently published approaches. In addition to solving the instances fast, our method is significant for its lower memory consumption.
1. Introduction
A cyberphysical system (CPS) [1] is an integration of computation and physical components. The improvement of contemporary mobile devices, such as smartphones and wearable electronics, enables the formation of mobile CPSs [2, 3]. A mobile CPS could be considered as a subcategory of CPSs with inherent mobile features [4, 5]. Different from traditional CPSs, mobile CPSs could be built on mobile devices that travel with their owners. For example, mobile social networking [6, 7] helps people communicate with each other on their daily commute to and from work, traveling along the same rotes at about the same time. Due to distributed interactions of cyber word, physical word, and human behaviors, the mobile CPS becomes more complex. Asynchronous communication and the arbitrary number of components make the mobile CPS appear similar to a parameterized system. It is difficult to guarantee the parameterized system’s correctness for any natural number [8, 9].
Due to the tight market windows and safetycritical nature of their applications, it has become an urgent need to design errorfree mobile CPSs and thus a significant amount of time is spent on ensuring the correctness of mobile CPS designs. The verification of the CPS designs becomes an important issue [10]. Formal methods, replacing the traditional testing methods for large mobile CPSs, have been successfully used for verifying software, hardware, and physical systems in the past decades [11]. Model checking [12, 13] is an automatic formal approach to verify if the specification satisfies the properties and has been used in finite and infinite state system verification successfully.
Abstraction [14, 15] is a good way to reduce the state space. By abstraction, each agent of the mobile CPS can be modeled as a finite state automaton in which local transitions model one of the following: an internal action, a broadcast, or a reception of a message. A mobile CPS is defined as the composition of a finite but arbitrary number of copies of the automaton running in parallel. A mobile CPS which combined with an arbitrary number of components is a parameterized system, which is a wide class infinite system, including cache coherence protocols and mutual exclusion protocols.
Parameterized systems arise naturally in the modeling of mutual exclusion algorithms, distributed protocols, or cache coherence protocols. Parameterized verification [8] is aimed at verifying families of transition systems for all values of the parameter. Counter abstraction [14] is natural to model parameterized systems into Petri nets and their extensions. Petri net is a powerful mathematical tool and has been used widely for modeling and verifying CPSs [10, 16, 17].
In this paper, we propose a formal approach to verify the safety properties of parameterized protocols in mobile CPSs. By using counter abstraction, the protocols of mobile CPSs are described as Petri nets, and then the stateoftheart model checker is used to check the safety properties.
The significant contributions of this paper are as follows:(i)We propose a new method based on the SATbased model checking algorithm to verify the parameterized protocols of mobile CPSs. By using counter abstraction, we describe the parameterized protocol as a Petri net and then translate it into a finite state machine (FSM), so that IC3 [18, 19], the stateoftheart finite state model checking algorithm, can be used as the backend engine.(ii)A smart encoding technique is introduced to make the verification efficient. A bounded Petri net is transformed into a FSM and described as a general format for most model checkers.(iii)To improve the scalability of parameterized protocols verification, an incremental algorithm is proposed to make IC3 perform more efficiently.
The rest of this paper is organized as follows. In Section 2, we review the related work. Section 3 presents necessary preliminaries used in this paper. In Section 4, we propose our new method based on the model checking algorithm and give more details of the implementation and optimization. Section 5 shows the experimental evaluation on parameterized protocols. Section 6 concludes this paper and discusses future works.
2. Related Works
As a successful application in traditional hardware and software verification, model checking has been frequently used in CPS verification, especially for safetycritical CPSs. Akella and McMillin [20] encoded the physical system into an eventbased discretized system and modeled the associated CPS by Security Process Algebra. The model checker, CoPS, was used to check the confidentiality properties. A statistical model checker has been recently utilized to analyze some aspects of CPSs [21]. However, this method also suffers from the classical model checking problems, such as the state space explosion and the lack of ability to reason about mathematical relations. Bae et al. [22] combined model checking and Multirate PALS (physically asynchronous, logically synchronous) methodology for the first time to verify an airplane turning control system. More cases should be studied for the verification of distributed cyberphysical systems using Multirate PALS.
Petri nets are wellknown tools for modeling and verification of distributed systems and CPSs. Xu and Deng [16] proposed a Petri netsbased method for architectural modeling of mobile agent systems. Chen et al. [17] investigated the use of Petri nets for modeling coordinated cyberphysical attacks on the smart grid. A novel hierarchical method was proposed to construct large Petri nets from a number of smaller Petri nets that can be created separately by different domain experts. Vita [23, 24], which is a novel mobile cyberphysical system for crowdsensing applications, introduced Petri nets to design a high level service state synchronization mechanism to address the possible unavailable situations of mobile devices in mobile CPSs. In order to define the functionality of traveler information systems (TIS) and integrate new functions and technologies based on cloud computing and mobile communications, Nemtanu et al. [25] presented a Petri netsbased model of this system. Zhang et al. [26] proposed a mechanism to model fault tolerated mobile agents by using colored Petri nets.
There is a large amount of related works on automating the parameterized verification problem [27–29]. The theorem prover PVS, for example, has been successfully applied to verify Small Aircraft Transportation System (SATS) [30]. By using the Model Checker Modulo Theories, Johnson and Mitra presented a model checking method for SATS [31]. Guo et al. [32, 33] proposed a new method to reduce the state space of parameterized systems by twodimensional abstraction (TDA). Asynchronous composition was the key part of TDA but suffered from higher memory consumption.
3. Preliminaries
Petri nets have been popular models for various types of asynchronous or concurrent processes. A Petri net is a directed graph consisting of places (drawn as circles), transitions (typically boxes), and directed arcs. Input places point to a transition, and a transition points to output places. A number of tokens move around the net from place to place, and the distribution of tokens among the places (called the marking) represents the dynamic state of the entire modeled system. The formal definition of Petri nets is as follows.
Definition 1 (Petri net). A Petri net (PN) is a triple , where is a finite set of places, is a finite set of transitions disjoint from , and is flow relations for the set of arcs.
The configuration of is , which can be seen as the multisets of places. The semantics of is given by . A marking is a function , which describes the number of tokens in place . In the sequel, if places are ordered by , we often identify and the vector .
Example 2. As shown in Figure 1, a simple example contains all components of a Petri net. There are two places and three transitions. Arcs have capacity 1 by default; if other than 1, the capacity is marked on the arc. Places have infinite capacity, and transitions have no capacity and cannot store tokens at all. The current marking is . If is fired, the next marking will be . If is fired, the next marking will be . The transition cannot be fired now.
In particular, it has been shown that certain communication procedures, which are common when programming distributed systems, can easily be modeled by plain Petri nets, but other communication procedures such as broadcast are not easily captured by plain Petri nets. For that reason, we address two extensions of the model in this paper, following the definition in [34].(i)Petri nets with transfer arcs, in which a transition can also consume all tokens present in one place and move them to another(ii)Petri nets with reset arcs, in which a transition can delete all tokens present in one place
This significance of these extensions in terms of modeling power has been demonstrated, for instance, in the modeling and verification of parameterized protocols in [35].
A common way to model a parameterized system by a Petri net is to apply the idea of the counter abstraction [8]. This principle consists of mapping each single process to a token and representing each state of each type of process by a place. In this case, the presence of a token in a given place indicates that, in the current global state of the system, there is a process that corresponds to in its local states. The transition of the Petri net then consumes and produces tokens to move the associated process from one state to another. This formalization has the drawback of abstracting away the actual identities of the processes. Still, some interesting properties, for instance, safety properties, can be verified at this level of abstraction.
In this paper, we focus on the safety property, which is equal to the coverability of wellstructured transition systems (WSTSs) when expressing the safety property as the upwardclosed set. Petri nets are WSTSs (with respect to ≤) [36]. We present the related notions of WSTSs and then define the PN safety problem.
Definition 3 (wellquasiordering). A wellquasiordering (wqo) is a reflexive and transitive binary relation over set , and for every infinite sequence of elements from , there exists such that . For , the upwardclosure of is the set . A set is said to be upwardclosed (or simply upwardclosed if is clear from the context) if = .
In Figure 1, the safety property is defined whether the tokens number of place is greater than or equal to 2; then we can use the upwardclosed set to express the property.
Definition 4 (wellstructured transition systems). A wellstructured transition system (WSTS) is a transition system equipped with a wqo on its states that satisfies the monotonicity property. A WSTS is a triple such that (1) is the (possibly infinite) state space,(2) is transition relation,(3) is a wqo over ,(4)for all , if and , there exists such that and .
The covering relation ≤ between Petri net markings is a wqo. A and the initial marking give rise to a WSTS , where is the set of markings and corresponding with is the initial states. The transition relation is defined as follows: there is an edge if and only if there is some transition such that when transition was fired, the marking yields a new marking . The coverability problem for PN is defined as the coverability problem on this WSTS.
Definition 5 (PN safety problem). Given a Petri net and the initial marking , we get a WSTS . Then given an upwardclosed set , does there exist a sequence such that and ? We write safe if the answer is “no.”
Example 6. As shown in Figure 1, if the initial marking is , and the safety property is described by the upwardclosed set , there exists a sequence , which means the Petri net is not safe.
4. Incremental Bounded Model Checking Algorithm
This section describes how to bound a Petri net to an equivalent FSM and then verifies the safety properties by using SATbased model checkers. An incremental method is proposed, which benefits more from the modern SAT solver by assumption.
4.1. Cut Off the Petri Net to FSM
In general, Petri nets are infinite state systems, as the number of tokens can be assigned with arbitrary . In order to use the finite state model checking algorithms, we cut off the Petri net to FSM by a given boundary . As the counter abstraction is used to model the parameterized systems, the boundary can be defined as the current process number.
Definition 7 (finite state machine). A finite state machine is a quadruple , where is a finite set of states, is the transition relations, is the initial states, and In is a finite set of inputs.
To cut off the Petri net to FSM, we represent Petri nets as follows. Let be the set of places. A marking is represented as the tuple of natural numbers . A transition is represented as a pair , where is the guards and is the effects. Formally, , which represents the enabling condition, and , which represents the yield marking .
The Petri net is a concurrent model, in which just one transition can be fired at one time. In the equivalent FSM, we introduce extra inputs to simulate and select one transition to be fired randomly.
Definition 8 (bounded Petri net, bounded upwardclosed set). Given a Petri net and a boundary , a bounded Petri net is a FSM, where is the subset for all markings, so that, for a marking , for all ; is the subset of , so that, for , the guard can be fired under the boundary ; is the bounded initial marking ; In is the set of extra inputs for selecting which rule to be fired. Given an upwardclosed set , is the bounded upwardclosed set, which cuts off the infinite to finite by the boundary .
is the total token’s boundary, so the summary of each place’s token number should be less than or equal to . Here an adder is used to count the total tokens, which will be discussed in Section 4.3.
The bad states are presented with an upwardclosed set in Petri nets. We bound with the boundary , by cutting off the upwardclosed set with . For instance, for an upwardclosed set , and the boundary 10, the bounded upwardclosed set is .
Here, we introduce a function to map the Petri net PN or upwardclosed set to bounded Petri net or bounded upwardclosed set. That is to say, = cutoff, and = cutoff.
4.2. SATBased Model Checking Algorithms for Petri Nets
The Boolean Satisfiability (SAT) problem is a wellknown NPcomplete constraint satisfaction problem. With the introduction of bounded model checking (BMC) [37], it becomes clear that SAT solvers can be used for model checking [12]. There has been significant progress on SATbased model checking techniques in the past two decades, including BMC, interpolation [38], and IC3.
IC3, known also as property directed reachability (PDR), is a recently proposed SATbased model checking technique for the analysis of sequential circuits. IC3 maintains a list of trace: . The first element is special; it is simply identified with the initial states. For , is a set of clauses that represents an overapproximation of the states reachable from the initial states in steps or less. Together with the trace, the IC3 algorithm consists of a set of proofobligations, which consists of a frame number and a cube . By manipulating the trace and the set of proofobligations, IC3 gets new facts and adds them into the trace until it either (1) produced an inductive invariant proving the property or (2) added a proofobligation at frame 0 with a cube that intersects the initial states, which is a counterexample. Without unrolling the model, IC3 performs better than most SATbased model checking algorithms, especially in memory consumption.
Given a Petri net model PN, the safety property , and the boundary , is expressed as an upwardclosed set, and is the current process number of the parameterized system to be verified. By Definition 8, we create the bounded Petri net model and bounded upwardclosed set by the function . is a FSM and can be translated into propositional logic directly. represents the safety property for . An SATbased model checker is used to check the property. There are multiple choices of model checkers. Here the stateoftheart model checker IC3 was used as the backend engine, because of its lower memory consumption. If the model checker returns UNSAT, it means PN is safe for the current boundary ; otherwise, a counterexample will be found.
We note this method as bounded model checking algorithm. Because of the use of finite state model checking algorithms, the bounded model checking algorithm will terminate when we find a counterexample or prove the safety.
For parameterized verification problem, we want to verify the system on an arbitrary parameter. If the maximum process number is , we need times single runs for . For each single run, the FSM is encoded into a new propositional formula to use an SAT solver, separately.
Fortunately, the modern SAT solver supports the incremental mechanism, so that the new SAT problem can be solved based on the previous solve result. The backend SAT engine used in this paper is MINISAT [39], which supports the incremental mechanism by assumption. There is a vector to store the assumption variables which will be assigned to True. Hence, we introduce some extra variables, named active literals, to control the boundary of the bounded Petri net model.
Definition 9 (Incbounded Petri net, Incbounded upwardclosed set). Given a Petri net , a boundary , and a maximum boundary , an Incbounded Petri net is a mbounded Petri net equipped with the active literals vector for controlling the boundary incrementally. An Incbounded upwardclosed set is a bounded upwardcloset set equipped with .
If , the current boundary is . If is popped out, the boundary increases to . If , the boundary reaches the maximum boundary . A new function inccutoff(,n,m) is introduced to map the Petri net PN or upwardclosed set to Incbounded Petri net or Incbounded upwardclosed set. We write that = inccutoff, and = inccutoff.
Algorithm 1 shows our new algorithm to verify the bounded Petri net from boundary to incrementally. The inputs are a Petri net model PN, safety property , a base boundary , and a maximum boundary . is expressed as an upwardclosed set. The algorithm returns unsafe if it finds a counterexample; otherwise, it returns safe and proves the system is safe from parameters to .

Lines 1–5. Generate the active literals and push them into the assumption vector . Then, set the current boundary as .
Lines 67. Create the incremental bounded Petri net model by using the assumption vector .
Lines 8–19. The whileloop is the main routine to verify the model incrementally. If the condition is satisfied at line 10, the model checker finds a counterexample and returns unsafe. If the model bounded by is safe, then the algorithm increases the boundary at lines 15 and 16 and calls the SATbased model checker again to solve the new model with higher boundary. When vector is empty, the algorithm proves that the input PN is safe from boundaries to .
Algorithm 1 reuses the context from the previous solving results. The main routine in Algorithm 1 is based on an SATbased model checker. Hence, the algorithm terminates when it finds a counterexample at line 12 or proves safety at line 19.
4.3. Implementation and Optimization
In this section, we introduce key points which make a great contribution in improving the performance.
The Petri Net Format. The input Petri net is encoded in the MIST format (https://github.com/pierreganty/mist/). Each place is mapped to a variable, and each transition corresponds to a rule. For each rule, there are guards and effects, as described in Definition 8. The guards are the conditions under which this rule can be fired, and the effects describe how tokens transfer from places. The target is the safety property to be verified, which is expressed as an upwardclosed set.
The FSM Format. AIGER (http://fmv.jku.at/aiger/) is a format, library, and set of utilities for AndInverter Graphs (AIGs). The hardware model checking competition (HWMCC) uses AIGER as input format, and most modern model checkers support AIGER as the input model. AIGER is a good way to describe FSM and can be translated into a propositional logic for an SAT solver. The bounded Petri net is encoded as an AIGER model, where each place corresponds to state variables in Boolean value. Extra input variables are introduced to select which rule to be fired and then update the state variables to set up the transition relations equally.
Encoding: Binary versus Unary. Encoding is important for SAT solvers. In this paper, both binary and unary encodings were used to encode the places in the Petri net model. As shown in Table 1, binary and unary encodings are used to encode the natural numbers. Onehot encoding is one possible unary encoding, where just one bit is “1” and the others are all “0.” The binary encoding needs bits, and the unary encoding needs bits to encode the natural number 0~N.
Full Adder. A full adder is designed to count the total token numbers to bound the Petri net. As binary and unary encodings are used to represent the token numbers for each place, we present how to design an bit binary and unary full adder, respectively.
A bit binary full adder is just combing single bit binary adders together. The bit binary adder can be described using the following logics. The logics AND, OR, and XOR are represented as , , and , respectively.
There are many different ways to design unary adder, but a simple bit unary adder is presented as follow:
Structural Information. When using unary encoding to represent the token’s number of places, it is important to give this structural information to the SAT solver. Hence, we add some extra logics as a constraint to the AIGER circuits. Figure 2 shows the logics to check if the bit vector is encoded in onehot. The total number of gates is .
5. Experimental Evaluation
We have implemented the incremental bounded model checking algorithm in a tool named PNPV. PNPV is implemented with C++ and uses MINISAT as the backend SAT solver. All input instances are encoded in the MIST format.
To measure PNPV’s performance, we compare with TDA [32], which was used to verify parameterized cache coherence protocols. We also compare with the MIST toolkit (https://github.com/pierreganty/mist) with the classical backward [40] and EEC [41] algorithm for WSTS coverability on Petri nets instances.
All experiments are performed on a machine, with Intel 2.60 GHz CPU and 16 GB main memory, running CentOS 6.5 in 64bit. The running time is limited to 600 seconds and memory to 2 GB.
5.1. Benchmarks
Memory coherence is very important for both the multicore processors and mobile CPSs. We verify several classical parameterized cache coherence protocols as described in [35]. We collected 12 Petri nets from the MIST repository, where six bounded Petri nets are all safe and six plain Petri nets are all unsafe. Some of those Petri nets are used to model the communication protocols in mobile CPSs.
5.2. Evaluation
As shown in Table 2, the unary encoding performs about 4~19 times better than binary. By using unary encoding, we can solve 160 processes for Illinois and Firefly protocols, but just 22 and 18 when using binary. For Berkeley, PNPV solves 146 and 18 processes by unary and binary, respectively. German protocol is an industrylike cache coherence protocol, for which 97 and 5 processes are solved by using unary and binary encoding, respectively. The CSMbroad and Dragon protocols both have about 90 processes solved by using the unary encoding but just 9 and 24 processes by using the binary encoding, respectively. The unary encoding is more competitive than binary on all protocols. We identify two reasons for unary’s better performance.
The first reason is the difference in expressing the transition in FSM. Though there are more variables used to encode the places, the transition relations can be generated by shifting the variables. The logics for transitions are simpler than binary, and the SAT problem is easy to solve.
The second reason is the use of the IC3 algorithm. IC3 is an incremental inductive algorithm, which builds the overapproximation from the last SAT results incrementally. The unary encoding is more efficient for learning clauses.
Figure 3 shows a comparison of the bounded model checking algorithm with the incremental bounded model checking algorithm on five parameterized protocols. The incremental bounded model checking algorithm is competitive on all instances, especially for Firefly, Illinois, and Berkeley. The main reason is that the Bbounded algorithm cannot reuse the previous result to prove the current verification problem. Algorithm 1 gives us a good solution with little expenses when adding active literals for the generated FSM.
TDA [32, 33] uses abstract and abstract to reduce the state space of parameterized systems and speed up the verification performance. Asynchronous composition is the key part of TDA, but it suffers from higher memory consumption. As shown in Table 3, PNPV performs better than TDA on all parameterized protocols. For Berkeley and Dragon protocols, TDA solves 14 processes, but PNPV solves 146 and 90 processes, respectively. PNPV handles 160 processes for Firefly and Illinois, but just 22 processes are solved by TDA. Table 3 shows that TDA suffers from high memory consumption, as most instances hit the memory limit before hitting the time limit. PNPV is also competitive with respect to speed when comparing with TDA, especially for large process numbers. As the results are all zero when the process number , we present the data from .
MIST is a tool to check safety properties against Petri netlike models. To compare with PNPV, we select the classical backward and EEC algorithms to run 12 Petri net benchmarks. Six out of 12 instances are bounded Petri nets. The total token numbers of the bounded Petri nets are limited. All of the six bounded Petri nets are safe. To test PNPV’s ability of bug finding, six unsafe instances were collected from the MIST toolkit to evaluate the performance.
As shown in Table 4, PNPV performs better than both backward and EEC algorithms for all unsafe instances. Both in time and memory usage, PNPV is competitive. For six bounded Petri nets, PNPV wins on four out of six instances.
6. Conclusion and Future Works
We introduced an incremental bounded model checking algorithm to verify the safety properties of parameterized protocols in mobile CPS. By using counter abstraction, the protocol is modeled as a Petri net. Then the stateoftheart SATbased model checking algorithm is used to verify the safety properties. The algorithm can be used to verify parameterized systems, including cache coherence protocols, mutual exclusion communication protocols, and common concurrency primitives in mobile CPSs. The results show that our new approach can greatly scale the verification capabilities compared favorably against several recently published approaches. Due to using IC3 as the backend model checking algorithm, our method is significant for its lower memory consumption.
There are two directions to extend the current work in the future. The first one is to study the property to be verified. Liveness would be an interesting direction, as the liveness property can be converted into safety. Security problems and run time verification would also be a good direction in the future. The second one is to model more complex systems. The ideas we have presented are naturally applicable to other concurrency systems modeled by Petri net or its extension. It is natural to shift SAT solver to SMT solver, and it would be a good way to improve the scalability.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
Acknowledgments
The authors would like to acknowledge that this work was supported by the National Natural Science Foundation of China (Grant no. 61133007). The authors thank Carl Kwan for helpful and detailed comments and suggestions.