Applying Floyd's Inductive Assertions Method for Verification of Generalized Net Models Without Temporal Components

Generalized Nets are extensions of Petri Nets. They are a suitable tool for describing real sequential and parallel processes in different areas. The implementation of correct Generalized Net models is a task of great importance for the creation of a number of applications such as transportation management, e-business, medical systems, telephone networks, etc. The cost of an error in the models of some of these applications can be very high, so the implementation of models of such applications has to use formal approaches to prove that the developed models are correct. A foundation stone of software verification which is suitable for verification of Generalized Net models with transitions without a temporal component is Floyd's inductive assertion method. This article presents a modification of Floyd's inductive assertion method for verification of flowcharts which allows Generalized Nets without a temporal component to be verified. Using an illustrative example, we show that the offered adaptation is appropriate for the purpose of training university students in Informatics and Computer Sciences in formal methods of verification.

Keywords: Floyd's inductive assertions method; generalized nets; verification; formal methods; education


I. INTRODUCTION
Generalized Nets (GNs) [1,2] are a means of modeling sequential and parallel processes in a variety of areas, including medicine, industry, transport, software protection, etc. They were introduced in 1982 by Krassimir Atanassov as a further extension of the standard Petri Nets (PNs) and their modifications and extensions. GNs are defined in a way that is fundamentally different from the ways of defining Regular PNs, E-nets, Time PNs, Colored PNs, Self-modifying PNs, Stochastic PNs, Predicate-transition nets and other PNs. In the 1980s, it was proved that the functioning and the results of the work of each of these types of nets can be described by a GN. Moreover, it was proved that for each of the classes of standard or extended PNs there exists a GN that is universal for this class, i.e., it represents the functioning and the results of the work of every net of the respective class. In the following years, similar results were published for Super nets, Numerical PNs, Fuzzy PNs and other PNs.
In parallel with the scientific research on GNs, a great number of GN models have been developed which simulate real-life processes. Designing such GN models is useful, as studying their characteristics allows the developers of the real-life system to focus on its most important elements (from the point of view of performance quality) and to eliminate unnecessary details when realizing the system. After a GN model presenting the behavior of a real-life system has been developed, research should be conducted to establish how adequate the developed model is, evaluated against the criteria for the respective real-life system.
Checking the model adequacy is done in two steps: model verification (whether the model meets the requirements) and model validation (whether the requirements posed to the model are adequate to the real-life system). For some models, such a check is obligatory. This article presents a method of formal verification of GNs without temporal components. The method is a modification of Floyd's inductive assertion method for verification of flowcharts.
The rest of the paper is organized as follows. Part II presents the definitions of a GN, of its main component, the transition, and of the GN loop. Part III is dedicated to an adaptation of Floyd's method for verification of flowcharts to the verification of GNs with transitions without temporal components; as a result, methods for proving the partial correctness and the termination of such GNs are proposed. In Part IV, these methods are illustrated by a simple example. Applying Floyd's method to the verification of practically applicable GN models is the subject of another paper, due to volume constraints. Part V provides comments on applying the presented method to GN verification and ideas for further research in the field.

II. GENERALIZED NETS
GNs are defined [1,2] in a way that is fundamentally different from the ways of defining the other types of PNs.
Definition 1 (Transition). Every transition is described by a seven-tuple, whose components include:
t1, the current time-moment of the transition's firing;
t2, the current value of the duration of its active state;
r, the transition's condition, determining which tokens will transfer from the transition's input places to its output places. The parameter r has the form of an Index Matrix (IM) [1,11] whose rows are indexed by the input places and whose columns are indexed by the output places; the element r_{i,j} is the predicate which gives the condition for transfer from the i-th input place to the j-th output place. When r_{i,j} has truth-value "true", a token from the i-th input place can be transferred to the j-th output place; otherwise, this is impossible;
M, an IM with the same rows and columns, whose elements are the capacities of the transition's arcs;
□, called the transition type. It is an object having a form similar to a Boolean expression. It may contain as variables the symbols that serve as labels of the transition's input places, combined with the Boolean connectives ∧ and ∨, and it determines the following conditions: a conjunction of input-place labels requires every one of those places to contain at least one token; a disjunction of input-place labels requires at least one token to be present in at least one of those places; in both cases the places involved form a subset of the set L′ of the transition's input places. When the value of the type □ (calculated as a Boolean expression) is "true", the transition can become active; otherwise it cannot.
www.ijacsa.thesai.org
Definition 2 (Generalized Net) [1,2]. A GN is an ordered four-tuple of components. Among its components are:
X, a function which assigns initial characteristics to each token when it enters an input place of the net;
Φ, the characteristic function, which assigns new characteristics to each token when it transfers from an input to an output place of a given transition;
b, a function giving the maximum number of characteristics a given token can receive, i.e., b : K → N.
It can be concluded that there are similarities between PNs and GNs, but also differences. The GN transitions have a more complex structure than the PN ones: a GN transition contains an index matrix of predicates that determine whether a token from the i-th input place can go to the j-th output place; an index matrix of natural numbers that determine the capacities of the arc between the i-th input and the j-th output place; and a special condition that determines whether the transition can be activated. The GN definition is also more complex than that of a PN. The GN tokens enter the net with initial characteristics determined by the characteristic function X. Upon entering a new place, the GN tokens obtain new characteristics, defined by the characteristic function Φ. In contrast to the Colored PNs and the Predicate-Transition Nets, the GN tokens can keep all their characteristics, and these can be used for evaluating the truth-values of the transition condition predicates [1,2].

Definition 3 (GN loop).
A sequence of places of a GN which a given token can go through sequentially and by which it can return to the starting place is called a GN loop.

III. VERIFICATION OF GNS, BASED ON FLOYD'S METHOD OF VERIFICATION OF A FLOWCHART
The method presented here can be used for verification of GN models without temporal components (i.e., without the components θ1, θ2, θK, T, t° and t* of Definition 2); respectively, the GN transitions do not contain the temporal components t1 and t2. Under this restriction, the index matrices of predicates and the characteristic functions allow each component of such a GN to be given a corresponding segment of a flowchart. The GNs which will be verified by a technique following Floyd's method for verification of flowcharts [12] consist of the components given in Fig. 2. In order to increase readability, we use the notation of Floyd's method for verification of flowcharts.
Three types of characteristics of the GN (grouped as three vectors) are distinguished: the input characteristics x̄ = (x1, ..., xn) that a token receives when entering the net, the characteristics ȳ that change while the token moves through the net, and the output characteristics z̄ that the token has when it reaches an output place. The components of such a GN (Fig. 2) are the following.

Start
A token enters an input place with characteristic (x̄, ȳ) ← (x̄, f(x̄)), where f is a total function; f is defined according to the definition of the function X.

Assignment
A token enters a place S with characteristic ȳ, which changes to h(x̄, ȳ), i.e., the simultaneous assignment ȳ ← h(x̄, ȳ) is executed in place S; h is defined according to the definition of the function Φ.

Transition
The matrix r of the transition Z1 sets the conditions for the transition. Note that the transition Z1 does not depend on time.

Halt
The token that enters an output place sets the value of z̄, i.e., it realizes the assignment z̄ ← g(x̄, ȳ); g is defined according to the definition of the function Φ. As in the case of flowcharts, the verification of a GN without temporal components depends on the following predicates:
An input predicate, which will be denoted by φ(x̄). It is a total predicate over D_x̄ which describes those elements (data) that may be used as values of the initial characteristics x1, ..., xn of the GN tokens.
An output predicate, which will be denoted by ψ(x̄, z̄).

A. Partial Correctness of a GN
A technique for proving that a GN of the type described above is partially correct with respect to an input predicate φ(x̄) and an output predicate ψ(x̄, z̄) will be presented. It is similar to the one for flowcharts [12].
Let us execute the following three steps.
Step 1 (Cutpoints). Each GN loop is cut at a cutpoint (see cutpoints S1 and S2 in Fig. 5). Start and halt cutpoints are added to this set of cutpoints (see Fig. 3). Only paths which start and end at cutpoints and which have no intermediate cutpoints are considered. For each path α from cutpoint i to cutpoint j there is a predicate R_α(x̄, ȳ) and a function r_α(x̄, ȳ). (For a transition component, as in Fig. 3, t(x̄, ȳ) denotes the condition for transfer from place P1 to place P2.)
Fig. 4 presents an example of constructing R_α(x̄, ȳ) and r_α(x̄, ȳ) for a path α, where the condition for transfer from the input place P1 to the output place P2 is t1(x̄, ȳ), and the condition for transfer from the input place P2 to the output place P3 is t2(x̄, ȳ).

Fig. 4. Constructing the R_α and r_α functions for the path α.
Step 2 (Inductive assertions). With each cutpoint i of the GN, a predicate p_i(x̄, ȳ) is associated. This predicate is called an inductive assertion. It characterizes the relation between the values of the characteristics x̄ and ȳ of the tokens at this point, i.e., p_i(x̄, ȳ) has the property that, whenever the execution reaches point i, it is true for the current values of x̄ and ȳ.
Step 3 (Verification conditions). The final step is to construct the verification conditions for each path α of the GN (for paths starting at the start cutpoint, for paths between two cutpoints, and for paths ending at the halt cutpoint) and to prove that all these conditions are true.
If the constructed verification conditions for all paths that cover the GN are satisfied, the GN is partially correct with respect to φ(x̄) and ψ(x̄, z̄). Summarizing, the technique consists of the following steps: the loops of the GN are cut; an appropriate set of inductive assertions is found; the verification conditions are constructed and proved. If all the verification conditions are true, then the GN P is partially correct with respect to φ(x̄) and ψ(x̄, z̄).
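The backward-substitution rules of Fig. 3 and the verification conditions of Step 3, restated here as an added illustration in the notation of this section. The form is the one Floyd's method takes for flowcharts in Manna [12], applied to the four components of Fig. 2; it is not a reproduction of the paper's own displayed formulas, and the correspondence to the paper's equation numbering is not claimed.

```latex
% Backward substitution along a path \alpha: at its end (cut j) put R := T and r := \bar y
% (or r := \bar z when the path ends at the halt cutpoint), then walk back to cut i.
\begin{align*}
\text{Start, } \bar y \leftarrow f(\bar x):\quad
  & R_{\mathrm{new}}(\bar x) = R_{\mathrm{old}}(\bar x, f(\bar x)), &
  r_{\mathrm{new}}(\bar x) &= r_{\mathrm{old}}(\bar x, f(\bar x)) \\
\text{Assignment, } \bar y \leftarrow h(\bar x,\bar y):\quad
  & R_{\mathrm{new}}(\bar x,\bar y) = R_{\mathrm{old}}(\bar x, h(\bar x,\bar y)), &
  r_{\mathrm{new}}(\bar x,\bar y) &= r_{\mathrm{old}}(\bar x, h(\bar x,\bar y)) \\
\text{Transition with condition } t(\bar x,\bar y):\quad
  & R_{\mathrm{new}}(\bar x,\bar y) = t(\bar x,\bar y) \wedge R_{\mathrm{old}}(\bar x,\bar y), &
  r_{\mathrm{new}}(\bar x,\bar y) &= r_{\mathrm{old}}(\bar x,\bar y) \\
\text{Halt, } \bar z \leftarrow g(\bar x,\bar y):\quad
  & R_{\mathrm{new}}(\bar x,\bar y) = R_{\mathrm{old}}(\bar x, g(\bar x,\bar y)), &
  r_{\mathrm{new}}(\bar x,\bar y) &= r_{\mathrm{old}}(\bar x, g(\bar x,\bar y))
\end{align*}

% Verification conditions, one per path \alpha without intermediate cutpoints:
\begin{align*}
&\forall \bar x\,\big[\varphi(\bar x) \wedge R_\alpha(\bar x) \supset p_j(\bar x, r_\alpha(\bar x))\big]
  && \text{for } \alpha \text{ from the start cutpoint to cutpoint } j, \\
&\forall \bar x\,\forall \bar y\,\big[p_i(\bar x,\bar y) \wedge R_\alpha(\bar x,\bar y) \supset p_j(\bar x, r_\alpha(\bar x,\bar y))\big]
  && \text{for } \alpha \text{ from cutpoint } i \text{ to cutpoint } j, \\
&\forall \bar x\,\forall \bar y\,\big[p_i(\bar x,\bar y) \wedge R_\alpha(\bar x,\bar y) \supset \psi(\bar x, r_\alpha(\bar x,\bar y))\big]
  && \text{for } \alpha \text{ from cutpoint } i \text{ to the halt cutpoint.}
\end{align*}
```

In the first and third conditions the start and halt rules have already been folded into R_α and r_α by the substitution, which is why φ appears only with x̄ and ψ receives the value z̄ = g(x̄, ȳ) through r_α.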

B. Termination of a GN
The following is a description of a method for proving the termination of a GN without temporal components with respect to an input predicate φ(x̄). The method was proposed by Floyd for flowcharts [12]. Well-founded sets are used [12].
Note that the paths in steps 1 and 3 do not contain intermediate cutpoints.
Let us perform the following three steps.
Step 1 (Good assertions). Select a set of cutpoints that cut the loops of the GN. Associate an assertion q_i(x̄, ȳ) with every cutpoint i which is a good assertion [12], i.e.: for each path α from the start cutpoint to a cutpoint j, condition (4) is satisfied; for each path α from a cutpoint i to a cutpoint j, condition (5) is satisfied.
Step 2 (Well-founded set). Choose a well-founded set (W, ≺) and with every cutpoint i of the GN associate a partial function u_i(x̄, ȳ), u_i : D_x̄ × D_ȳ → W, which is a good function [12], i.e., for every cutpoint i, condition (6) is satisfied.
Step 3 (Termination conditions). Show that the termination conditions hold, i.e., that for every path α from a cutpoint i to a cutpoint j which is part of some GN loop, condition (7) is satisfied. This means that each time a path which is part of a loop is executed, the values of the functions u_i associated with the cutpoints strictly decrease. As (W, ≺) is a well-founded set, i.e., there are no infinite decreasing sequences of elements of W, the number of path executions is finite. This leads to the following theorem.
Theorem 2. Let the following steps be applied to a given GN of the type described above and an input predicate φ(x̄):
the loops are cut and "good" (satisfying (4) and (5)) inductive assertions are found;
a well-founded set is selected and "good" (satisfying (6)) partial functions are found;
the termination conditions (7) are checked.
If all the termination conditions are true, then the GN terminates over φ(x̄).
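Conditions (4)-(7) of Theorem 2, restated as an added illustration in the form they take for flowcharts in Manna [12], written with the symbols of this section. That the paper's numbering follows this order (good assertions, good function, termination condition) is inferred from the text of Steps 1-3 above, not copied from the paper's own display.

```latex
\begin{align*}
(4)\quad & \forall \bar x\,\big[\varphi(\bar x) \wedge R_\alpha(\bar x) \supset q_j(\bar x, r_\alpha(\bar x))\big]
  && \text{for every path } \alpha \text{ from the start cutpoint to cutpoint } j, \\
(5)\quad & \forall \bar x\,\forall \bar y\,\big[q_i(\bar x,\bar y) \wedge R_\alpha(\bar x,\bar y) \supset q_j(\bar x, r_\alpha(\bar x,\bar y))\big]
  && \text{for every path } \alpha \text{ from cutpoint } i \text{ to cutpoint } j, \\
(6)\quad & \forall \bar x\,\forall \bar y\,\big[q_i(\bar x,\bar y) \supset u_i(\bar x,\bar y) \in W\big]
  && \text{for every cutpoint } i \text{ (} u_i \text{ is defined and lies in } W \text{ whenever } q_i \text{ holds)}, \\
(7)\quad & \forall \bar x\,\forall \bar y\,\big[q_i(\bar x,\bar y) \wedge R_\alpha(\bar x,\bar y) \supset u_j(\bar x, r_\alpha(\bar x,\bar y)) \prec u_i(\bar x,\bar y)\big]
  && \text{for every path } \alpha \text{ from cutpoint } i \text{ to cutpoint } j \text{ that lies on a loop.}
\end{align*}
```

Conditions (4) and (5) have the same shape as the verification conditions for partial correctness without the output predicate, so inductive assertions already proved in Section III.A can be reused as the q_i; only (6) and (7) are new work.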

IV. ILLUSTRATIVE EXAMPLE
The generalized net in Fig. 5 implements the model of a sequential program for raising a number to a power: the vector ȳ = (y1, y2, y3) of the characteristic of the token changes in places L1 and L2, and when the token enters an output place it receives the characteristic z = y3.
The GN has one transition Z1, with predicate matrix r1. We perform GN verification by the method described above with respect to the input predicate φ(x̄) and the output predicate ψ(x̄, z̄).

A. Partial Correctness
Let us cut the two loops of the GN at points S1 and S2 (see Fig. 5), and attach to cutpoint S1 and cutpoint S2 the corresponding inductive assertions. Since all conditions of the three steps are true, the GN terminates for every natural number x2 ≥ 0.
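The following is an added example in Python, not code from the paper: it implements the backward substitution of Section III.A over a path of components and then checks the verification conditions (Theorem 1) and the termination conditions (Theorem 2) for a program of the kind Fig. 5 models. The paper states only that y1 holds the base, y2 the exponent and y3 the result, so the program text (square-and-multiply exponentiation z = x1^x2), the placement of the cutpoints S1 and S2, the inductive assertions and the functions u_i into (N, <) are this example's assumptions. The check is bounded, i.e., it enumerates a small finite domain; a proof quantifies over all natural numbers instead, but the enumeration shows the conditions concretely and finds a counterexample immediately if an assertion or u_i is chosen wrongly.

```python
"""Added example (not the paper's code): backward substitution of R_alpha / r_alpha
along a path (the rules of Fig. 3, after Manna [12]) and a bounded check of the
verification and termination conditions for a square-and-multiply program computing
z = x1 ** x2.  Program text, cutpoints S1/S2, assertions and u_i are assumptions."""
from itertools import product

# A path from cutpoint i to cutpoint j is a list of components in traversal order:
#   ("test", t)    traverse only if t(x, y) holds (a predicate r_ij of the matrix r)
#   ("assign", h)  y <- h(x, y); start y <- f(x) and halt z <- g(x, y) look the same
def backward_substitute(path):
    """Return (R, r): R(x, y) is the traversal condition, r(x, y) the value of y at
    the end of the path.  Start at cut j with R = T, r = y; walking backwards, a test
    conjoins its predicate to R and an assignment substitutes h(x, y) for y in both."""
    R = lambda x, y: True
    r = lambda x, y: y
    for kind, fn in reversed(path):
        if kind == "test":
            R = (lambda R_old, t: lambda x, y: bool(t(x, y)) and R_old(x, y))(R, fn)
        elif kind == "assign":
            R = (lambda R_old, h: lambda x, y: R_old(x, h(x, y)))(R, fn)
            r = (lambda r_old, h: lambda x, y: r_old(x, h(x, y)))(r, fn)
        else:
            raise ValueError("unknown component kind: %r" % kind)
    return R, r

# Assumed program, x = (x1, x2), y = (y1, y2, y3), z = y3 at the halt place:
#   START: y <- (x1, x2, 1)
#   S1:    if y2 = 0 then HALT with z <- y3; if y2 is odd then y3 <- y3 * y1
#   S2:    (y1, y2) <- (y1 * y1, y2 div 2); go to S1   (odd / even: two loops)
PATHS = {
    ("start", "S1"):      [("assign", lambda x, y: (x[0], x[1], 1))],
    ("S1", "halt"):       [("test", lambda x, y: y[1] == 0),
                           ("assign", lambda x, y: y[2])],
    ("S1", "S2", "odd"):  [("test", lambda x, y: y[1] != 0 and y[1] % 2 == 1),
                           ("assign", lambda x, y: (y[0], y[1], y[2] * y[0]))],
    ("S1", "S2", "even"): [("test", lambda x, y: y[1] != 0 and y[1] % 2 == 0)],
    ("S2", "S1"):         [("assign", lambda x, y: (y[0] * y[0], y[1] // 2, y[2]))],
}
PHI = lambda x: x[1] >= 0             # input predicate phi(x): x2 is a natural number
PSI = lambda x, z: z == x[0] ** x[1]  # output predicate psi(x, z): z = x1 ^ x2

# Inductive assertions p_i; phi sits at the start cut, psi at the halt cut (y holds z).
ASSERT = {
    "start": lambda x, y: PHI(x),
    "halt":  lambda x, y: PSI(x, y),
    "S1": lambda x, y: x[1] >= 0 and y[1] >= 0 and y[2] * y[0] ** y[1] == x[0] ** x[1],
    "S2": lambda x, y: x[1] >= 0 and y[1] >= 1
                       and y[2] * y[0] ** (y[1] - y[1] % 2) == x[0] ** x[1],
}
# Finite domain for the bounded check (a proof quantifies over all naturals instead).
DOMAIN_X = list(product(range(4), range(4)))
DOMAIN_Y = list(product(range(10), range(4), range(28)))

def check_verification_conditions():
    """Theorem 1, bounded: on every path i -> j, p_i(x, y) and R(x, y) must imply
    p_j(x, r(x, y)).  Returns the counterexamples found (empty list = all hold)."""
    bad = []
    for key, path in PATHS.items():
        i, j = key[0], key[1]
        R, r = backward_substitute(path)
        for x, y in product(DOMAIN_X, DOMAIN_Y):
            if ASSERT[i](x, y) and R(x, y) and not ASSERT[j](x, r(x, y)):
                bad.append((key, x, y))
    return bad

# Good functions into (N, <); the p_i double as the good assertions q_i of (4)-(5).
U = {"S1": lambda x, y: 2 * y[1] + 1, "S2": lambda x, y: 2 * y[1]}

def check_termination_conditions():
    """Theorem 2, bounded: (6) u_i is in N whenever q_i holds, (7) on every path
    inside a loop u_j(x, r(x, y)) < u_i(x, y).  Returns the counterexamples found."""
    bad = []
    for key, path in PATHS.items():
        i, j = key[0], key[1]
        if i not in U or j not in U:      # only paths that are part of a loop
            continue
        R, r = backward_substitute(path)
        for x, y in product(DOMAIN_X, DOMAIN_Y):
            if not ASSERT[i](x, y):
                continue
            if U[i](x, y) < 0:
                bad.append(("u not in W", i, x, y))
            if R(x, y) and not U[j](x, r(x, y)) < U[i](x, y):
                bad.append(("no decrease", key, x, y))
    return bad

def run(x1, x2):
    """Execute the program, re-checking p_S1 / p_S2 each time a cutpoint is reached."""
    x, y = (x1, x2), (x1, x2, 1)
    assert ASSERT["S1"](x, y)
    while y[1] != 0:
        if y[1] % 2 == 1:
            y = (y[0], y[1], y[2] * y[0])
        assert ASSERT["S2"](x, y)
        y = (y[0] * y[0], y[1] // 2, y[2])
        assert ASSERT["S1"](x, y)
    return y[2]
```

The choice u_S1 = 2·y2 + 1 and u_S2 = 2·y2 is what makes condition (7) hold on the path from S2 back to S1 even when y2 = 1 there (2 decreases to 1); a naive u_i = y2 at both cutpoints would fail on the even path S1 to S2, where y2 does not change, and the check function reports exactly that pair as a "no decrease" counterexample if U is edited that way.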

V. APPLICATIONS AND IDEAS FOR FURTHER RESEARCH
The necessity for developing methods and environments for formal verification of GN models is triggered by the implementation of real-life methods of software protection by using GNs [13]. Using Floyd's inductive assertion method for verification of flowcharts, adapted for GNs, GN models which realize sequential processes, and sequential programs in particular [14], can be verified. It can also be applied to the verification of GNs which model parallel processes; to this end, the transition's type component □ is used.
Following our belief that training in applying formal methods for developing correct software is the most efficient way of introducing these methods into the software industry, we intend to introduce the method described above in teaching students of the specialty Informatics and Computer Sciences at Sofia University. In order to achieve this, we will develop and add tools for its application to the educational framework presented in [15]. The ideas presented in [16,17,18] are implemented in that educational framework. The resulting educational framework may be applied not only in teaching programming and data structures [19,20], but also in creating GN models of applications such as classical transaction processing systems [21], mobile information applications for public access [22,23], business process models [24,25], software service models [26,27], data models [28], etc. Thus, students will be stimulated to search for out-of-the-box solutions to the tasks given in the programming courses [29] and in the courses in discrete mathematics (discrete structures) [30]. Furthermore, we are considering designing and improving an educational framework with tools for verification of GN models with temporal components.

VI. RELATED WORK
The field of formal verification of GN models has not been studied until now. The work most closely related to the one presented here is the book by Zohar Manna [12]. This book is an introduction to the mathematical theory of computation and is considered the main reference book in this area at many universities around the world, including Sofia University. Chapter 3 of [12] explores the verification of computer programs. Sections 3-1 and 3-2 of this chapter contain the definitions related to the verification of programs presented as flowcharts, and Floyd's inductive assertions method for program verification. Since the methodology for developing Generalized Net models is difficult enough as such, in order to enhance the understanding of the adaptation of Floyd's inductive assertions method to the formal verification of GN models without temporal components presented here, we opted to use as far as possible the notation and theorems formulated in [12].

VII. CONCLUSION
The paper presents the authors' first attempt to achieve formal verification of GN models. Our research has been restricted to the verification of GN models without temporal components. Since the proposed verification approach belongs to the family of formal verification methods, it bears all of their limitations as well: significant effort is required to construct the input/output specification and to prove the conditions for partial correctness and for termination of the execution, and these procedures have to be carried out by highly qualified experts in formal modelling, who are rare. Using automated tools for formal theorem proving would reduce these difficulties. The active and impactful research on the development of such tools has motivated us to continue the work in this direction by developing methods for formal verification of GN models with temporal components, as well as for verification of the GN models of the applications proposed in Part V.


The predicate R_α(x̄, ȳ) indicates the condition for the path α to be traversed, and the vector function r_α(x̄, ȳ) describes the transformation of the values of ȳ effected by traversing the path. These can be derived by means of the backward-substitution technique [12]. First, the values of R and r at the end of the path (cut j) are set to true (we denote true by T) and ȳ, respectively. Then, at each step, the old R and r are used to construct the new R and r, moving backwards toward cutpoint i. The rules for the new values for the different types of components are shown in Fig. 3. The resulting R and r at cut i are the desired R_α(x̄, ȳ) and r_α(x̄, ȳ).

Fig. 3. Rules for constructing the new predicate R(x̄, ȳ) and the new function r(x̄, ȳ) for the different types of components.
The assertion p_i(x̄, ȳ) must be true for the current values of x̄ and ȳ each time point i is reached. The input predicate φ(x̄) is attached to the start cutpoint, and the output predicate ψ(x̄, z̄) is attached to the halt cutpoint.

xz:
This leads to the follow theorem.Theorem 1.The following steps are applied to a given GN P without temporal components, an input predicate () x  and an output predicate ( , ) xz  Тhe loops of the GN are cut.
A start component, a halt component, two assignment components and nine transition components are shown in the figure (Fig. 5). The execution of the GN begins when the token enters an input place, where y1 is the current value of the base, y2 the current value of the exponent and y3 the current value of the exponential result.
The remaining components of the four-tuple of Definition 2 (T, t°, t*, X, Φ, b, and the temporal and token components listed here) are:
θ1, a function giving the next time-moment when a given transition Z can be activated, i.e., θ1(t) = t′, where pr3 Z = t, t′ ∈ [T, T + t*] and t ≤ t′. The value of this function is calculated at the moment when the transition terminates its functioning;
θ2, a function giving the duration of the active state of a given transition Z, i.e., θ2(t) = t′, where pr4 Z = t ∈ [T, T + t*] and t′ ≥ 0. The value of this function is calculated at the moment when the transition starts functioning;
K, the set of the GN's tokens;
π_K, a function giving the priorities of the tokens, i.e., π_K : K → N;
θ_K, a function giving the time-moment when a given token α can enter the net, i.e., θ_K(α) = t, where α ∈ K and t ∈ [T, T + t*];
T, the time-moment when the GN starts functioning. This moment is determined with respect to a fixed (global) time-scale;
t°, an elementary time-step, related to the fixed (global) time-scale;
t*, the duration of the GN functioning.