Petri Net Reachability Graphs: Decidability Status of First Order Properties

We investigate the decidability and complexity status of model-checking problems on unlabelled reachability graphs of Petri nets by considering first-order and modal languages without labels on transitions or atomic propositions on markings. We consider several parameters to separate decidable problems from undecidable ones. Not only are we able to provide precise borders and a systematic analysis, but we also demonstrate the robustness of our proof techniques.


Introduction
Decision problems for Petri nets.Petri nets are among the oldest families of generators of infinite state systems, and much effort has been dedicated to their algorithmic analysis.For Petri nets, the reachability problem is hard but decidable [35].Further important problems that are specific to Petri nets and that were shown decidable are boundedness [29,38], deadlock-freeness and liveness [20] (by reduction to reachability), persistence [18], and semilinearity [22].Hack's thesis [20] provides a comprehensive overview of problems equivalent to Petri net reachability.On the negative side, language equality is undecidable for labelled Petri nets [21,1], but it can be decided for injectively labelled as well as for labelled and deterministic Petri nets [37] (by a reduction to reachability).Another undecidability result for Petri nets, obtained by Rabin [4] and Hack [21], is that equality of reachability sets of two Petri nets with identical places is undecidable.As our main contribution, we link this result to first-order logic expressing properties of general Petri net reachability graphs.
(2) To determine the cause of undecidability, we investigate logical fragments.At the same time, we strive for maximally expressive decidable fragments.With these two goals, our study on graph-theoretical properties is quite systematic.(3) For decidable problems, we assess the computational complexity -either relative to standard complexity classes such as PSpace or ExpSpace or by establishing a reduction from the reachability problem for Petri nets (when decision procedures rely on solving instances of this problem).Our main findings are as follows (refined statements can be found in the body of the paper, see also Table 1 in Section 5): ⋆ Model-checking (Reach(N ), − →) [resp.(Reach(N ), * − →), (Reach(N ), + − →)] is undecidable for the corresponding first-order language with a single binary predicate symbol.⋆ Undecidability is also shown for the positive fragment of FO(− →), for the forward fragment of FO(− →), and for FO(− →) augmented with * − →.The latter result even holds if the reachability sets are effectively semilinear.⋆ Combining procedures for coverability and reachability in Petri nets, we obtain some positive results.We prove that model-checking the existential fragment of FO(− →) is decidable, but as hard as the reachability problem for Petri nets.Moreover, the model checking problem is decidable for FO(− →, * − →, =) under the assumption that the relations − → and * − → are semilinear (consequence of [6]).We have not found any decision result between these two extremes.⋆ Concerning the modal language ML( , −1 ), the global model-checking problem on (Reach(N ), − →) is undecidable but it becomes decidable when restricted to ML( ) (even if extended with Presburger-definable predicates on markings); the latter problem is also as hard as the reachability problem for Petri nets.One may regret that our main results turn towards undecidability but this was not clear at all when we began our study.On the positive side, we were able to identify non-trivial fragments for which the decision problems can be of high computational complexity.Our results shed some new light on the verification of structural properties on unlabelled net reachability graphs.
Structure of the paper.The remaining sections are organized as follows.Section 2 brings the background of the study.Section 3 presents results that focus on the reachability graph without the reachability predicate.Section 4 presents those involving the reachability predicate.

Preliminaries
We recall basics on Petri nets and semilinear sets and we give the standard definitions and fundamental results used in the paper.We first introduce the notations needed when considering Petri net reachability graphs as models for first-order sentences.Then, we define first-order logic and modal logic interpreted on graphs induced by Petri nets.Finally, we present positive decidability results about model-checking problems.
2.1.Petri nets.A Petri net is a bi-partite graph N = (P, T, F, M 0 ), where P and T are finite disjoint sets of places and transitions, and F : (P × T ) ∪ (T × P ) → N is a set of directed edges with non-negative integer weights.A marking of N is a function M : P → N. M 0 is the initial marking of N .A transition t ∈ T is enabled at a marking M , written M [t , if M (p) ≥ F (p, t) for all places p ∈ P .If t is enabled at M then it can be fired.This leads to the marking M ′ defined by M ′ (p) = M (p) + F (t, p)−F (p, t) for all p ∈ P .The firing relation is denoted by M [t M ′ .The definitions are extended to transition sequences s ∈ T * in the expected way.A marking M ′ is reachable from a marking M if M [s M ′ for some s ∈ T * .A transition t is in self-loop with a place p iff F (p, t) = F (t, p) > 0. A transition is neutral if it has null effect on all places.The reachability set Reach(N ) of N is the set of all markings that are reachable from the initial marking.
A stronger version of Theorem 2.2 has been established in [28] where it was shown that undecidability still holds when N and N ′ have five places and one of these nets is fixed.
A Petri net N = (P, T, F, M 0 ) induces several standard structures on which first-order logics may be interpreted.The plain unlabelled reachability graph of N is the structure PURG(N ) = (D, − →) where D = Reach(N ) and − → is the binary relation on D defined by M − → M ′ if M [t M ′ for some t ∈ T .Note that M 0 ∈ D but no predicate is given to identify this specific marking.The unlabelled reachability graph of N is the structure URG for some transition t ∈ T .Note that reachability of markings is not taken into account in UG(N ).In the sequel, by default card(P ) = n and we identify N P and N n .We also call 1-loop an edge M − → M ′ with M = M ′ .2.2.Petri nets and semilinear sets.We rely on results about the semilinear subsets of N n that represent possible markings of a Petri net with n places.Recall that (N n , +) is a commutative monoid where the product operation is the componentwise addition of n-vectors (+) and the neutral element is the null n-vector.
A subset E ⊆ N n is called linear if it can be expressed as x + {y 1 , . . ., y m } * for vectors x ∈ N n and y 1 , . . ., y m ∈ N n .The Kleene iteration {y 1 , . . ., y m } * is a shorthand notation for k 1 y 1 + . . .+ k m y m for some k 1 , . . ., k m ∈ N. A subset E ⊆ N n is semilinear if it is a finite union of linear subsets.Owing to the commutativity of the product operation +, semilinear subsets of N n coincide with the regular subsets of N n .Hence, they are generated by finite automata over N n .Indeed, one can always choose finite automata whose transitions are labelled with generators, i.e., with n-vectors with a single non-null entry equal to 1.The semilinear subsets of N n form an effective Boolean algebra [16], hence providing decision procedures for emptiness.In [17], Ginsburg and Spanier gave an effective correspondence between semilinear subsets and Presburger subsets, i.e., subsets of N n definable in Presburger arithmetic.Presburger arithmetic can be decided in triple exponential time [8].
Proposition 2.3.Given a Petri net N = (P, T, F, M 0 ) and a semilinear subset of markings E ⊆ N |P | , one can decide whether (some marking in) E can be reached from M 0 .
Hack reduced this semilinear reachability problem to the reachability problem in Petri nets [21,Lemma 4.3].The proposition now follows with the decidability of reachability in Theorem 2.1.The statement shows in particular that for any marking M ∈ N |P | , one can decide whether a marking greater than or equal to M is reachable.
We recalled in the introduction that it is decidable whether the reachability set of a Petri net system is semilinear.Note that semilinearity of the reachability set Reach(N ) does not entail semilinearity of the reachability relation Here are some classes of Petri nets and counter systems for which the reachability relation * − → is effectively semilinear (apart from bounded Petri nets): ⋆ Cyclic Petri nets, see e.g.[2,9,32].⋆ Communication-free Petri nets [12].⋆ Vector addition systems with states of dimension 2 [25,33].⋆ Single-path Petri nets [26].⋆ Petri nets with regular languages [41].⋆ Flat affine counter systems with the finite monoid property [7,14].⋆ Flat relational counter systems [11,10].⋆ Reversal-bounded counter systems [27].Some of these results require complex machinery but they are essential to use the decision procedures based on effective semilinearity.

2.3.
First-order languages.To specify properties of structures URG(N ), PURG(N ) and UG(N ) obtained from a Petri net N , we introduce a first-order logic FO with atomic predicates x − → y, x * − → y, x + − → y and init(x).Formulae in FO are defined by Given a set P of predicate symbols from the above signature, we denote the restriction of FO to the predicates in P by FO(P).By default, FO refers to the full language.Formulae are interpreted either on PURG(N ), URG(N ) or UG(N ).Observe that FO on UG(N ) enables, using init and reachability predicates, to relativize formulae to URG(N ), but restricted logical languages motivate the existence of both structures.It is worth noting that by slight abuse, we sometimes use the same notation for a predicate symbol and its fixed interpretation.Note that, as regards interpretation, * It is worth noting that FO can only describe graph-theoretical properties of the structures U , apart from equality tests.The binary relations do not use transitions of nets as labels and no atomic propositions give reference to markings.As a consequence, quantitative properties about markings cannot be expressed in FO, at least in the obvious way, and constraints about the firing of specific transitions cannot be expressed either.Note that FO is not minimal when it comes to expressiveness.The redundancies, however, help us design interesting logical fragments.In the sequel, we consider several model-checking problems.The model-checking problem MC URG (FO) is stated as follows: input:: a Petri net N = (P, T, F, M 0 ) and a sentence ϕ ∈ FO question:: URG(N ) |= ϕ?
The logics FO(P) (atomic formulae restricted to predicates in P) induce restricted variants of the two model checking problems that we denote by MC URG (FO(P)) and MC UG (FO(P)), respectively.Formulae in FO can express standard structural properties, for instance deadlock-freeness with ∀x ∃y x − → y, existence of a 1-loop with ∃x x − → x, or cyclicity with ∀x∀y x * − → y ⇒ y * − → x.Automatic structures form a large class of structures having a decidable model checking problem for FO.These structures have presentations in which k-ary relations are defined by synchronous automata (see [6] for more details).
Theorem 2.4.[6] Let S be an automatic structure, then MC S (FO) is decidable.
From [16], semilinear sets and semilinear relations are automatic.In particular, this means that (N n , − →, =) is automatic.Propositions 2.5, 2.6 and 2.7 are consequences of Theorem 2.4; they are provided below to present more explicitly what is the current state of knowledge.Proposition 2.5.MC UG (FO(− →, =)) is decidable.
Note that given ϕ in FO(− →, =), one can effectively build a Presburger formula that characterizes exactly the valuations satisfying ϕ in UG(N ).Decidability is preserved with Presburger-definable properties on markings and with labelled transition relations [t .However, having N n as a domain does not always guarantee decidability, see the undecidability result in [40, Theorem 2] about a structure with domain N n but equipped with successor relations for each dimension and with reachability predicates constrained by regular languages.Likewise, subproblems of MC URG (FO) may require additional assumptions to achieve decidability, as the semilinearity assumption made in the statement below.The proposition also follows from Theorem 2.4.Proposition 2.6.Let C be a class of Petri nets for which the restriction on reachable markings of the reachability relation x * − → y is effectively semilinear.Then, MC URG (FO) restricted to C is decidable.
Proof.Let N = (P, T, F, M 0 ) be a Petri net in C with card(P ) = n.We represent its markings by vectors M ∈ N n .By assumption, Reach(N ) and the set To evaluate predicate − →, we resort to ϕ ′ .With ϕ, we relativize the quantifiers to taking only positions in Reach(N ) into account.
Again, decidability is preserved with Presburger-definable properties on markings and with labelled transition relations of the form t − →.To give an example application of this result, MC URG (FO(− →, =)) restricted to cyclic Petri nets is decidable.This follows from Proposition 2.7 combined with the fact that cyclic Petri nets have semilinear reachability sets [9].The restriction to language FO(− →, =) is essential for the decidability in Proposition 2.7.As we shall see in Proposition 4.5, the related model checking problem MC URG (FO(− →, * − →)) is undecidable -even under the assumption of semilinearity for the reachability sets.

2.4.
Standard first-order fragments: modal languages.By moving along edges, modal languages provide a local view to (potentially labelled) graph structures.Note the contrast to first-order logic in which one quantifies over any element of the structure.Applications of modal languages include modelling temporal and epistemic reasoning, and they are central for designing logical specification languages.In this paper, we consider simple modal languages understood as distinguished fragments of first-order logic.Moreover, the modal language ML defined below has no propositional variable (like Hennessy-Milner modal logic [23] but unlike standard modal logic K [5]) and no label on modal operators (unlike in modal languages dedicated to describing labelled transition systems).This allows us to interpret modal formulae on directed graphs of the form (Reach(N ), − →).However, in some places, we shall indicate when decidability or complexity results can be extended to richer versions of ML.The modal formulae in ML are defined by the grammar This language is not only poor compared to first-order logic, but also little expressive compared to other modal dialects.Yet, it is sometimes sufficiently expressive to obtain first undecidability results for model checking Petri net structures.Given a modal formula ϕ, its modal degree is the greatest number of nested occurrences of modal operators in ϕ.We write ML( ) to denote the restriction of ML to the modal operators and ♦.We interpret modal formulae on directed graphs of the form (D, − →) for some Petri net N = (P, T, F, M 0 ) with URG(N ) = (D, init, − →, * − →, + − →, =).We provide the definition of the satisfaction relation |= relatively to an arbitrary directed graph M = (W, R) (and w ∈ W ). The clauses for Boolean connectives and logical constants are standard and we omit them.For the modal operators, we set As usual, and ♦ as well as −1 and ♦ −1 are dual operators that can be defined one from another as soon as negation is part of the language.
The model-checking problem MC URG (ML) is the following: input:: a Petri net N = (P, T, F, M 0 ) and a modal formula ϕ ∈ ML. question:: Let MC URG (ML( )) denote MC URG (ML) restricted to ML( ).Proposition 2.8 proves this model checking problem decidable.The procedure exploits the fact that a modal formula of modal degree d can only induce constraints on nodes at distance at most d from the initial marking, a standard argument, see e.g.[5].
Let ϕ be a modal formula in ML( ) with modal degree d (d is the greatest number of nested occurrences of modal operators in ϕ).We consider the directed graph M = (W, R) so that Observe that M is finite and the cardinal of W is at most exponential in the size of N and d.One can show that M, M 0 |= ϕ iff (D, − →), M 0 |= ϕ.Hence, MC URG (ML( )) is decidable, because the model-checking problem for ML over finite structures is decidable (in polynomial time).The PSpace upper bound can be obtained with an algorithm similar to the one that shows CTL model-checking over 1-safe Petri nets to be in PSpace, see e.g.[13,Section 4.2].Our problem is actually simpler since we can restrict ourselves to the temporal operators AX and EX corresponding to and ♦, respectively.We briefly describe below the nondeterministic algorithm M C((P, T, F, M 0 ), ϕ) that returns true whenever (D, − →), M 0 |= ϕ.We proceed by a case analysis.ϕ = ⊤ return true; ϕ = ¬ϕ ′ : if M C((P, T, F, M 0 ), ϕ ′ ) then return false else return true; false then return false else return true.Note that the depth of recursive calls for M C((P, T, F, M 0 ), ϕ) is bounded by the modal degree of ϕ and each call requires only polynomial space in the size of (P, T, F, M 0 ) and ϕ.Hence, M C((P, T, F, M 0 ), ϕ) runs in nondeterministic polynomial space.By Savitch Theorem, we get the bound PSpace.
To establish PSpace-hardness, we give a reduction from QBF.Let alternating strictly ∃ and ∀, and ψ is a quantifier-free propositional formula built over the propositional variables in {p 1 , . . ., p 2n }.We consider a modal formula ϕ of the form (♦ ) n ψ ′ where ψ ′ is obtained from ψ by replacing each propositional variable p i by ♦ i ⊥.Construct a Petri net N = (P, T, F, M 0 ) as follows.The set of places P contains a subset {p 1 , . . ., p 2n }, in bijection with the atomic propositions and initially empty, plus auxiliary places.From M 0 , N executes first a sequence of 2n independent choices (t ) where t ′ i puts i tokens in place p i to represent the truth of the corresponding atomic proposition while t ′′ i puts no tokens in p i to indicate the proposition does not hold.After this sequence of binary choices, N executes a non-deterministic choice (x where x i removes one token from p i and puts one token in a place p ′ i which was initially empty.Each control place p ′ i is set in self-loop with a transition t i that removes at each firing one token from p i .
Existential quantifications are replaced by ♦, and universal ones by .A path relative to a formula (♦ ) n then ends up in a configuration where truth values have been chosen for all variables.Note that the formula needs to be true for one continuation at each ♦ position and true for each continuation at positions.The last part of the formula needs to check the truth values of individual variables.For each p i , we have a formula ♦ i ⊥ that is true only when there is precisely a path of length i, which corresponds to our encoding of truth values.The selection of each individual variable (and only one) is performed by the transition ( For simple models (like finite structures), adding −1 to ML( ), often does not change the decidability status or the computational complexity of model checking, see e.g.[5].When it comes to Petri net reachability graphs PURG(N ), adding the backward operator −1 preserves decidability but at the cost of performing reachability checks.
where T −1 is a set of formal inverses of the transitions in T , i.e., F (p, t −1 ) = F (t, p) and F (t −1 , p) = F (p, t) for all t ∈ T .To model check URG(N ) against ϕ, the idea is to consider a depth d unrolling of URG(N ).However, when following inverse transitions M ′ [t −1 M , reachability checks are needed to guarantee the target marking M belongs to the domain D of structure URG(N ).These checks are effective by Theorem 2.1 quoted from [35,30,31].More formally, we consider the directed graph Checking M 0 [s M is easy whereas M ∈ D requires a reachability check.Observe that M ′ is finite and effectively constructible.The cardinal of ) is decidable, because model-checking ML over finite structures is a decidable problem that takes polynomial time.
The best known decision procedures for Petri net reachability are non primitive recursive, which provides the worst possible and hopefully not tight upper bound to the complexity of the model-checking problem MC URG (ML( , −1 )).Unfortunately, it might well be the case that this upper complexity bound is tight, for we shall (in turn) reduce Petri net reachability to the above model-checking problem in Section 3.4.
We introduce another decision problem about ML that is closely related to first-order model-checking over reachability graphs.The validity problem VAL URG (ML), also known as global model-checking, is stated as follows: As observed earlier, formulae from ML( , −1 ) can be viewed as first-order formulae in FO(− →).Therefore, using modal languages in specifications is a way to consider fragments of FO(− →).Indeed, given a modal formula ϕ in ML( , −1 ), one can compute in linear time a first-order formula ϕ ′ with only two individual variables (see e.g.[5]) that satisfies: for every Petri net N we have PURG(N ) |= ϕ ′ iff PURG(N ), M |= ϕ for every marking M in Reach(N ).Hence, the validity problem VAL URG (ML) appears as a natural counterpart to the model-checking problem for FO over unlabelled reachability graphs of Petri nets.We will see in the next section that both problems are undecidable.
We conclude the section by introducing an extension of ML that admits quantifier-free formulae from Presburger arithmetic as atomic propositions.The idea is to pose arithmetical constraints on the numbers of tokens in places, and thus to increase the expressiveness of ML.We call this logic PAML and it will be mainly used in decidability results in Section 3.3.The domain of the structure for PAML needs to be of the form N P .More precisely, with terms t ::= a × p | t + t where p is a place and a ∈ Z we define PAML from ML by adding atomic formulae ψ defined by Here, ⊤ is the truth constant, c ∈ N \ {0, 1}, k ∈ Z and k ′ ∈ N. The definition of (Reach(N ), M ) |= ψ depends on the definition of satisfaction of ψ in Presburger arithmetic by a tuple M .The details are as expected and we omit them here.It can be shown that MC URG (PAML( , −1 )) is decidable.The proof is similar to the proof of Proposition 2.9.

Structural Properties of Unlabelled Net Reachability Graphs
We study the decidability status of model checking unlabelled reachability graphs of Petri nets against the first-order and modal logics defined in the previous section.Recall that the logics are designed to expressing purely graph-theoretical properties of reachability graphs.

3.1.
A proof schema for undecidability of FO(− →).To establish undecidability of MC URG (FO(− →)), model checking reachability graphs against first-order specifications, we provide a reduction of the equality problem for reachability sets.For two Petri nets N 1 and N 2 with identical sets of places, Hack proved it to be undecidable whether the sets of reachable markings Reach(N 1 ) and Reach(N 2 ) coincide (Theorem 2.2 recalls this result from [21]).To encode the equality problem into a first-order model checking problem, we join N 1 and N 2 in a third Petri net N .The construction ensures that equality of the reachability sets can be checked with a first-order query: Reach(N 1 ) = Reach(N 2 ) if and only if PURG(N ) |= ϕ.Interestingly, ϕ is a fixed formula and thus independent of the inputs N 1 and N 2 .Before we turn to the technicalities, we sketch the idea of the construction and comment on why it yields so much expressiveness.With an initial guess, N decides to simulate either N 1 or N 2 .At any time, N may stop the simulation.Then N either starts behaving in different ways according to the initial choice between N 1 and N 2 .Alternatively, N may forget this choice and enter a deadlock marking M that reflects the last marking of N 1 or N 2 in the simulation.
The reachability sets of N 1 and N 2 are equal if and only if every simulation result M can be obtained from both, N 1 and N 2 .But inspecting M in isolation does not reveal whether it stemmed from N 1 or N 2 .The idea is in the different behaviours that recall the initial guess when the simulation ends.They yield a neighbourhood of M in the reachability graph of N that reveals the origin of the marking.Indeed, with finite experiments we can check whether M is found in the simulation of N 1 or N 2 .Equality of the reachability sets is then checked by a formula ϕ which requires that, for any simulation result M , both experiments witnessing for N 1 and N 2 succeed.The experiments consist of one backward transition and some forward transitions.Backward transitions reconstruct the initial choice, and forward transitions distinguish the nets N 1 and N 2 .
The strength of this construction stems from the combination of two ideas.A Petri net can (i) store choices over arbitrarily long histories and (ii) reveal this propagated information in local structures.These structures can be characterised by finite back and forth experiments that are expressed in terms of first-order formulae.Construction.The two nets N 1 and N 2 to be compared for equality of reachability sets share all places.The constructed net, N , has these places together with an initialization place p, two control places p 1 and p 2 , and additional places p ′ 1 , p ′′ 1 , and p ′ 2 that we will elaborate on below.The initialization place is the only place that is initially marked, by a single token.
As transitions, N has the disjoint union of the transitions of N 1 and N 2 , plus additional transitions that we introduce now together with an explanation of their intended behaviour.The original transitions are put in self-loop with the respective control places.Furthermore, we have two concurrent transitions t 1 c , t 2 c that consume the initial token and mark either p 1 and all places marked in the initial configuration of N 1 or p 2 and all places marked in the initial configuration of N 2 .Firing t 1 c starts the simulation of N 1 , and similar for t 2 c .Each subnet N 1 and N 2 may be stopped at any time by firing transitions t 1 end and t 2 end that move the token from the control place p 1 or p 2 to the place p ′ 1 or p ′ 2 , respectively.As a result, the token count on the places of N 1 and N 2 is not changed any more.
When the transitions t 1 end and t 2 end have been fired, N behaves as indicated in Figure 3.1 below M 1 and M 2 , respectively.At a marking M 1 , place p ′ 1 enables a transition t 1 ℓ which puts a token on p ′′ 1 , depicted by M in the figure.The place enables a transition t sl in self-loop.Furthermore, two transitions t 1 dl and t 2 dl (from M 1 to M ℓ and from M 2 to M r ) empty the places p ′ 1 and p ′ 2 .The markings reached by these transitions are designed to be deadlocks.Moreover, by construction of N , deadlock markings can only be reached this way (as M ℓ or M r or both).Since, firing t 1 dl or t 2 dl lets N forget the index 1 or 2 of the net that was simulated, we have the following relationship.Whenever a marking M is reached both in N 1 and N 2 , the corresponding markings in N lead to A formula expressing equality of the reachability sets of N 1 and N 2 (without recycling variables) is defined hereafter: indicates that x has a successor that has a 1-loop.
Proof.For the implication from left to right, consider a deadlock M .Marking M is reachable only via t 1 dl or t 2 dl , say M 1 [t 1 dl M .Then marking M 1 satisfies ϕ l and stems from a marking The hypothesis on equal reachability sets yields a marking M ′ 2 of N 2 that leads by transition t 2 end to a marking M 2 satisfying ¬ϕ l as required.In turn, if ϕ holds we establish two inclusions.To show Reach(N 1 ) ⊆ Reach(N 2 ), consider marking M ′ 1 reachable via sequence s 1 in N 1 .In N , the marking can be prolonged to a deadlock M with 2 coincide up to the token on the control place.Hence, M ′ 1 ∈ Reach(N 2 ) as required.
By recycling variables in ϕ above, we get a sharp result that marks the undecidability border of model checking against FO(− →) by two variables.Model checking FO(− →) restricted to one variable is decidable.Proof.It is sufficient to observe that formula ϕ below Recycling of variables is explained e.g. in [15].
Moreover, combined with the fact that model checking first order logic for automatic structures is decidable, Theorem 3.3 leads to the following impossibility result.

Corollary 3.4.
There is no algorithm to construct an automatic graph isomorphic to the unlabelled reachability graph of a Petri net.
Note that this negative result cannot follow directly from complexity-theoretic considerations.Indeed, even if the unlabelled reachability graph of a Petri net could be represented as an automatic graph, this automatic graph could not be used to decide on reachability of markings unless this representation were in effective bijection with N n (where n is the number of places).
Restricted to a single variable, model checking FO(− →) becomes decidable.
(1) can be checked by solving one instance of the covering problem for each neutral transition of the net whereas (3) can be checked by solving a single instance of the reachability problem.Indeed, let T be the subset of transitions of the net that leave markings unchanged (neutral transitions).
Then the set of markings specified hereafter is effectively semilinear: [21,Lemma 4.3] this reduces to an instance of the reachability problem.
It is possible to play further with parameters.For instance, our undecidability proof uses several reachability graphs with constant formulae.It is open whether there is a fixed Petri net reachability graph for which the model-checking problem for FO(− →) is undecidable.
3.2.Robustness of the proof schema.Based on the previous proof schema, this section presents undecidability results for subproblems of MC URG (FO(− →)).More specifically, we consider the positive fragment, the forward fragment, the restriction when the direction of edges is omitted, and ML( , −1 ).For all these fragments, we establish undecidability of model checking.
Expressing properties about PURG(N ) in FO(λ) amounts to getting rid of the direction of edges of this graph.Despite this weakening, undecidability is still present for general Petri nets.To instantiate the above argumentation, we have to identify deadlock markings and analyse their environment.In FO(λ), we augment markings encountered during the simulation by 3cycles.Then, the absence of 3-cycles and an environment without such cycles characterises deadlock markings.Proposition 3.6.MC URG (FO(λ)) is undecidable.
Proof.We take advantage of the fact that FO(λ) can express that a node x belongs to an undirected cycle of length three.A possible formula is: Now consider two Petri nets N 1 and N 2 with identical sets of places.For 1 ≤ i ≤ 3, add to each net new places p i and transitions t i such that p 1 contains initially one token, while p 2 and p 3 are empty.Transition t i takes one token from p i and puts one token in p i+1 mod 3 .The resulting Petri nets have identical reachability sets if and only if N 1 and N 2 have identical reachability sets.Therefore, equality of reachability sets is undecidable for nets in which every reachable marking belongs to some cycle of length three.Assuming that N 1 and N 2 have this property, let N be the net constructed from N 1 and N 2 as in the proof of Proposition 3.3 (see also Figure 3.1).We can assume without loss of generality that every transition of N 1 and N 2 changes the current marking (the other transitions do not affect the reachability sets and can be removed).As a consequence, the reachability graphs of the augmented nets N 1 and N 2 have no 1-loops, which is required for the effectiveness of 3cycle(x).The deadlock markings of N are then exactly the markings that have no cycle of length one or three and that are surrounded by nodes without cycles of length three: Equality of the reachability sets of N 1 and N 2 is then expressed by the formula ϕ below where ϕ l (z) def = ∃y λ(z, y) ∧ λ(y, y).We have Reach(N 1 ) = Reach(N 2 ) iff N |= ϕ.By Theorem 2.2, MC URG (FO(λ)) is undecidable.
Proof.Consider two Petri nets N 1 and N 2 with identical sets of places.We rely on the construction of N in Section 3.1, but give a modal formula ϕ (independent of N 1 and N 2 ) that yields the following equivalence: N 1 and N 2 have the same reachability set iff PURG(N ), M |= ϕ for every marking M in Reach(N ).For all deadlocks, there is one predecessor (from N 1 ) that is able to do two more steps and another predecessor (from N 2 ) that is not: Formula ϕ is semantically equivalent to the first-order formula ϕ f o defined below: This undecidability result is tight.In Section 3.3.2,we establish decidability of an extended variant of VAL URG (ML( )) where the backward modality −1 is excluded.Moreover, by translating formulae in ML( , −1 ) to FO(− →) restricted to two individual variables, we get another evidence that MC URG (FO(− →)) restricted to two individual variables is undecidable.

FO(− →)
restricted to positive or forward formulae.Although VAL URG (ML( , −1 )) and MC URG (FO(− →)) are undecidable in general, we have identified decidable fragments of modal logic in Section 2. 4. By analogy, one may expect to find decidability of related fragments of first-order logic.We prove here that this is not the case.We consider forward FO(− →) and positive FO(− →) and show that their model checking problems are undecidable.In a positive formula, atomic propositions occur only under the scope of an even number of negations.Let FO + (P) denote the set of positive first order formulae over predicates in P. Proposition 3.8.MC URG (FO + (− →)) is undecidable.
Proof.We rely on the previously introduced proof schema.Let N 1 and N 2 be two Petri nets and N their combination sketched in Figure 3.1.We propose a positive formula ϕ so that inclusion Reach(N 2 ) ⊆ Reach(N 1 ) holds if and only if PURG(N ) |= ϕ: The formula considers an arbitrary marking M .If M is no deadlock, nothing is required by ϕ.If M is a deadlock, then ϕ asks for vertices M 1 and M so that M 1 is a common direct ancestor of M and M and moreover M has a 1-loop.
By construction of N , formula ϕ is satisfied if and only if every deadlock marking M reachable in N (in particular, a simulation of N 2 ) can be reached in N 1 .This means Reach(N 2 ) ⊆ Reach(N 1 ).

− →)).
A forward formula is a formula in which every occurrence x − → y is in the scope of a quantifier sequence of the form Q 1 x . . .Q 2 y where x is bound before y.Let FO f (P) denote the set of forward formulae over predicates in P. Proposition 3.9.MC URG (FO f (− →)) is undecidable.
Proof.We again reduce the equality problem for reachability sets of two Petri nets N 1 and N 2 .Let N be the net presented in Figure 3.1.We propose a forward formula ϕ so that Reach(N 2 ) = Reach(N 1 ) if and only if PURG(N ) |= ϕ: Forward formulae make it harder to quantify over deadlock markings M .Before presenting how formula ϕ enables the reduction, a short comment on quantification: this formula intends to quantify over z, but the forward constraint imposes first to quantify over z 2 , then on z 1 , and only afterwards on z.This is not a problem since, once z 2 is fixed, variable z 1 may be fixed, and then z may be chosen.The idea of ϕ is to capture the situation in Figure 3.1, potentially with the roles of M 1 and M 2 swapped.In detail, the formula considers an arbitrary marking M 2 , a corresponding marking M 1 (if it exists), and an arbitrary marking M .If M 2 and M are not connected, then ϕ requires nothing.If M 2 and M are connected and M is no deadlock, there are also no requirements.Otherwise M 2 and M are connected and M is a deadlock.In this case, there must be a marking M (valuation for y ℓ ) so that formula ψ is true for (M 1 , M 2 , M, M ).The formula ψ checks that deadlock M is reachable in both N 1 and N 2 , see Figure 3 While forward formulae can well identify the deadlock markings used in the proof schema, the difficulty is in the description of the local environment witnessing the simulation results.

3.3.
Taming undecidability with fragments.In this section, we present the restrictions of FO(− →) that we found to have decidable model checking or validity problems.

Existential fragment.
Our undecidability results follow a common principle, namely identifying a local pattern in the reachability graph that characterizes an undecidable property.The pattern may depend on the specification language.Below, we state a result that, at first glance, might seem to contradict the previous findings: decidability of MC URG (FO(− →)) restricted to the existential fragment.This decidability, however, simply implies that universal quantification is needed to characterize undecidable properties by local patterns.We write ∃FO for the fragment of FO consisting of those formulae that use only existential quantification when written in prenex normal form.(1) Given a Presburger formula ϕ( x 1 , . . ., x α ) with n × α free variables such that each x i is a sequence of n distinct variables interpreted as a marking of N , one can decide whether ϕ(M 1 , . . ., M α ) holds true for some (not necessarily distinct) markings M 1 , . . ., M α in Reach(N ).Proposition 2.3 corresponds to the case α = 1.(2) One can effectively construct a quantifier-free Presburger formula ϕ − → ( x 1 , x 2 ) so that for all markings Before we turn to the proofs of ( 1) and ( 2), we explain how these results yield decidability of MC URG (∃FO(− →, =)).Consider ψ = ∃ x 1 , . . ., x α ψ ′ where ψ ′ is a quantifier-free formula with atomic propositions of the form x i − → x j and x i = x j .With (2), one constructs a quantifier-free Presburger formula ϕ( x 1 , . . ., x α ) so that for all markings M 1 , . . ., M α in Reach(N ), formula ϕ(M 1 , . . ., M α ) holds true iff PURG(N ), v |= ψ ′ where v( , it is decidable whether ϕ(M 1 , . . ., M α ) holds for some markings M 1 , . . ., M α ∈ Reach(N ).This is equivalent to URG(N ) |= ψ.
It remains to prove ( 1) and ( 2).The formula ϕ − → ( x 1 , x 2 ) for statement (2) encodes the definition of enabledness and firing for transitions, For statement (1), we adapt the proof of Proposition 2.3.We construct a Petri net N ′ that simulates α copies of N .Technically, N ′ is defined as the disjoint union of α instances of N .The initial marking of N ′ is α times M 0 .For all markings M 1 , . . ., M α we now have the following equivalence: the markings are reachable in N and satisfy ϕ(M 1 , . . ., M α ) iff (M 1 , . . ., M α ) is a possible simulation result in N ′ and ϕ(M 1 , . . ., M α ) holds.An application of Proposition 2.3 on N ′ and ϕ yields the desired decidability result.
Again, decidability is preserved with Presburger-definable properties on markings and with labelled transition relations of the form

ML(
) with arithmetical constraints.Section 3.2.2proves that VAL URG (ML( , −1 )) is undecidable.To our surprise, and in contrast to the negative result on model checking the forward fragment of FO, this undecidability depends on the backward modality.The following Proposition 3.12 shows decidability of the validity problem for ML( ), even in the presence of arithmetical constraints at the atomic level.
Proof.Let N be a Petri net, and ϕ a formula in PAML( ).According to Lemma 3.13 stated hereafter, the set of markings satisfying ¬ϕ is effectively semilinear.Let X ¬ϕ be this set.Proving validity of ϕ amounts to checking that no element of X ¬ϕ is reachable in N .This is decidable from Proposition 2.3.Lemma 3.13.Given a Petri net N with n places and a formula ϕ in PAML( ), the set of markings in N n satisfying ϕ in UG(N ) is effectively semilinear.
Proof.We proceed by induction on the structure of ϕ, using the fact that semilinear sets are (effectively) closed under Boolean operations and the fact that, if X is semilinear, then pre(X) = {M ∈ N n : ∃ M ′ ∈ X, M − → M ′ } is effectively semilinear too.The latter set pre(X) contains all markings with a successor marking in X.
Each atomic formula is a quantifier-free Presburger formula, and as such, defines a semilinear set.Throughout the induction on the structure of ϕ, formulae with outermost Boolean connectives are treated in the obvious way by applying Boolean operations on semilinear sets.Eventually one has to prove that ψ defines a semilinear set whenever ψ does.Using the induction hypothesis, let X ψ be the semilinear set of markings satisfying ψ.The set satisfying ψ is then equal to N n \ pre(N n \ X ψ ), which is effectively semilinear.This concludes the induction, and the proof.This decidability result can be extended by allowing labels on edges (transitions).
3.4.On the hardness of decidable problems.Some of our decision procedures call subroutines for checking reachability in Petri nets, even though the reachability problem is not known to be primitive recursive.We provide here some complexity-theoretic justification for these costly invocations: we reduce the reachability problem for Petri nets to the decidable problems MC URG (ML( , −1 )) and MC URG (∃FO(− →)).Besides reachability, we proposed decision procedures that exploit the effective semilinearity of reachability sets or relations (see e.g.Proposition 2.7).The next proposition shows that, already for bounded Petri nets, MC URG (FO(− →)) is of high complexity.
Proof.We perform a reduction from the finite containment problem for Petri nets, known to have nonprimitive recursive complexity [36].Let N 1 and N 2 be two bounded Petri nets with identical sets of places, and construct N as in Section 3.1.This net is bounded.The formula ϕ in FO(− →) that checks inclusion is derived from the formula in Section 3.1: Indeed, a deadlock is either reachable from N 2 or from N 1 .But to satisfy the formula, if the deadlock is reachable from N 1 it also has to be reachable from N 2 .Note that the formula ϕ is again independent of N 1 and N 2 .
We have seen that VAL URG (ML( ) is decidable by reduction to the reachability problem for Petri nets (see Proposition 3.12).Below, we state that there is a reduction in the reverse direction, from non-reachability to VAL URG (ML( ).Proposition 3.15.There is a logarithmic-space reduction from the non-reachability problem for Petri nets to VAL URG (ML( )).
Proof.Without any loss of generality, we can assume that the non-reachability problem is restricted to the target marking 0 (no place has any token).Consider the Petri net N = (P, T, F, M 0 ) where we assume w.l.o.g. that every transition has a place in its preset.We build a variant Petri net N ′ from N by adding a new transition t p for every place p ∈ P .The new transitions are put in self-loop with their places, F ′ (p, t p ) = 1 = F ′ (t p , p) and F ′ (p ′ , t p ) = 0 = F ′ (t p , p ′ ) for all p ′ ∈ P with p ′ = p.Intuitively, t p witness for the presence of tokens on p by the existence of at least one transition from M in the reachability graph.As a result, 0 ∈ Reach(N ) iff for every marking M ∈ Reach(N ′ ), some transition can be fired: (D, − →), M |= ♦⊤.Note that our reduction uses a constant formula.Proposition 3.16.There is a logarithmic-space reduction from the reachability problem for Petri nets to MC URG (ML( , −1 )).
Proof.We reduce reachability of marking M 2 from marking M 1 in a Petri net N to an instance of MC URG (ML( , −1 )) for a larger net N .The idea is to introduce a marking M w (see Figure 3.2) such that the existence of a path to M w of length greater than 1 is a witness for the existence of some path from M 1 to M 2 in PURG(N ).To reach M w by an ML formula, we place it close to the new initial marking.We sketch the argumentation.The initial marking M 0 of N contains a single marked place p i for which two transitions t try and t 0 compete.Transition t try moves the unique token from p i to another place p w and thus produces the marking M w where no other place is marked.Transition t 0 loads M 1 in the places of N and moves the control token from p i to another control place p c set in self-loop with all transitions of N .This starts the simulation of N from M 1 .The simulation may get stuck or proceed forever, or it may be interrupted whenever it reaches a marking of N greater than or equal to M 2 .Then, transition t stop consumes M 2 from the places of N and moves the control token from p c to a place p w ′ .The control token is finally moved from p w ′ to p w by firing t win .M w is reached, after firing t stop t win , iff M 2 is reached.Therefore M 2 is reachable from M 1 iff M w is reachable from M 1 (its restriction to the places of N is M 1 ).This is equivalent to stating that M w has a predecessor different from M 0 .The shape of the reachability graph allows us to formulate the latter as a local property in ML( , −1 ): Without loss of generality, we can assume that M 1 is no deadlock and M 2 = M 1 .Formula ϕ requires that M 0 has a deadlock successor which has an incoming path of length two.That the successor is a deadlock means it is not M 1 but M w obtained by firing t try .The path from M 0 to M w is of length one and M 0 has no predecessor.So the path of length two to M w is not via t try but stems from t win .This means M w is reachable from M 1 , which means M 2 is reachable from M 1 in N .
The proof of Proposition 3.16 can be adapted to ∃FO(− →) for which we also have shown decidability of model-checking by reduction to the reachability problem for Petri nets.Proposition 3.17.There is a logarithmic-space reduction from the reachability problem for Petri nets to MC URG (∃FO(− →)) restricted to a single variable.
whereas the formula sl(y), requiring that one can always come back to y, is false at such markings since the transitions t 1 end and t 2 end cannot be undone.Furthermore, neither dl nor sl is satisfied by the markings M 1 or M 2 .Hence, formulae ϕ lef t (z) and ϕ right (z) are not satisfied by any marking z reached in the course of simulating N 1 or N 2 : any such marking has at least one successor of the type M 1 or M 2 , thus invalidating the subformulae ∀y z + − → y ⇒ (sl(y) ∨ dl(y)) and ∀y z + − → y ⇒ dl(y).Now, it is straightforward to verify the following facts: ⋆ dl(z) is satisfied precisely at markings M r and M ℓ ; ⋆ sl(y) is satisfied precisely at marking M ; ⋆ ϕ lef t and ϕ right are satisfied respectively at markings M 1 and M 2 .The formula ϕ may be written ∀z ϕ ′ (z) with ϕ ′ (z) of the form dl(z) ⇒ ψ(z).Formula ϕ ′ (z) is true whenever z evaluates to a non-deadlock marking.Otherwise, when z is a deadlock, validity of ψ requires that it has two distinct predecessors z 1 and z 2 of the types M 1 and M 2 , entailing the equality of the reachability sets of N 1 and N 2 .Conversely, if both reachability sets are equal, then all markings of N 1 and N 2 are connected as described in Figure 3.1, entailing the validity of ϕ in N .We define the following formulae: Thus in Figure 4.1, the markings M r and M ℓ satisfy dl, and the markings M 1 and M 2 satisfy predl, but no other marking satisfies these predicates.
The formula ϕ is defined as follows: Observe that ¬z

4.2.
When semilinearity enters into the play.We saw that MC URG (FO(− →, =)) restricted to Petri nets with effectively semilinear reachability sets is decidable, using a translation into Presburger arithmetic (see Proposition 2.7).This section is devoted to discovering what happens when the relation * − → is added.We establish that MC URG (FO(− →, * − →)) restricted to Petri nets with semilinear reachability sets is undecidable, by a reduction from MC URG (FO(− →)).Given a Petri net N and a sentence ϕ ∈ FO(− →), we reduce the truth of ϕ in PURG(N ) to the truth of a formula ϕ in PURG(N ) where N is an augmented Petri net with a semilinear reachability set.The Petri net N is defined from N by adding the new places p 0 , p 1 and p 2 ; each transition from N is in self-loop with p 1 .Moreover, we add a new set of transitions in self-loop with p 2 , each of which adds tokens to or removes tokens from a corresponding (original) place of N (thus modifying its contents arbitrarily).These transitions form a subnet denoted by Br.Three other transitions are added; see Figure 4.2 for a schematic representation of N (the initial marking M ′ 0 of N restricted to places in N is M 0 , while M ′ 0 (p 0 ) = M ′ 0 (p 1 ) = 1 and M ′ 0 (p 2 ) = 0).Our intention is to force Reach(N ) to be semilinear while staying able to identify a subset from Reach(N ) in bijection with Reach(N ); this is a way to drown Reach(N ) into Reach(N ).Indeed, Reach(N ) contains all markings such that the sum of p 1 and p 2 is 1 and p 0 is at most 1.Nevertheless, if the transition t is fired first, then the subsequently reachable markings are exactly those of N (except that p 1 contains one token); PURG(N ) embeds isomorphically into PURG(N ).Until t is fired, one may always come back to M ′ 0 , using the brownian subnet Br, but this is impossible afterwards.interpreted as the initial marking M ′ 0 , and x 1 is interpreted as a successor of x 0 from which x 0 cannot be reached again.This may only happen by firing t from M ′ 0 .Now the relativization of every other variable to x 1 in ϕ ensures that PURG(N ) |= ϕ iff PURG(N ) |= ϕ.To remove init, we construct a Petri net N ′ very similar to N .N ′ has an extra place p ′ 0 , initially marked with one token, and a new transition that consumes this token and produces two tokens in p 0 and p 1 , which were initially empty.By construction, the initial marking of N ′ is the sole marking in PURG(N ′ ) with no incoming edge and one outgoing edge.With this modified net, we use the modified formula ϕ ′ as follows:   For each place p i in N , there is a transition t i in self-loop with it.First, let N ′ = (P ′ , T ′ , F ′ , M ′ 0 ) be the Petri net defined with P ′ = P ∪ {p ℓ }, T ′ = T ∪ {t i | p i ∈ P ′ }, for all (p, t) in P × T , F ′ (p, t) = F (p, t) and F ′ (t, p) = F (t, p), for all p i ∈ P ′ , F (p i , t i ) = F (t i , p i ) = 1, for all t ∈ T, F (t, p ℓ ) = F (p ℓ , t) = 1, for all p ∈ P , M ′ 0 (p) = M 0 (p), and M ′ 0 (p ℓ ) = 1.Restricted to places in P (all places but p ℓ ), the reachable markings of N ′ coincide with those of N .By construction, p ℓ contains always a single token.In URG(N ′ ), every marking has a 1-loop.Similarly, every marking of N ′ in which some place is positive possesses a 1-loop in the graph U G(N ′ ).The tuple (0, 0, . . ., 0), on the other hand, enables no transition (the empty place p ℓ inhibits every transition).Now, we construct N from N ′ .N has the same places and transitions as N ′ , plus an extra place p 0 and two extra transitions t e and t 0 .Transition t e removes tokens from p 0 , one at a time.Transition t 0 consumes one token from p 0 and produces M ′ 0 in the places of N ′ .The initial marking M 0 of N has a single token in place p 0 .
We claim the following: ⋆ The reachable graph of N is identical to the reachable graph of N , up to the first transition and up to the 1-loops which have no influence on formulas in FO( *

− →). ⋆
This formula contains a subformula (¬ x − → x) that expresses the absence of a 1-loop, thus ϕ init (x) may only be satisfied in markings with all places p ∈ P ′ empty.But (¬ x − → x) may be satisfied in a marking x with an arbitrary number of tokens in p 0 .Now consider markings with all places in P ′ empty, and an arbitrary number of tokens in p 0 .Three cases must be considered.First, suppose that p 0 contains a single token (i.e., x is interpreted by M 0 ), then (∃ y∀ z x − → y ∧ ¬(y − → z)) is satisfied: x has a successor y (reached by firing t e ) which is a deadlock.Second, if p 0 is empty, then the marking x has no successor at all.If p 0 contains at least two tokens, then no successor of x is a deadlock: every marking reached by t 0 has a 1-loop and t e can be executed at least twice.Putting everything together, the only tuple in N n satisfying ϕ init (x), is the marking M 0 = (1, 0, . . ., 0), establishing the second claim.Proposition 4.6 holds even when the reachability set of the net is effectively semilinear.Proof.We pile up (adaptations of) the proofs of Propositions 4.3, 4.5, and 4.6.
Given arbitrary two nets N 1 and N 2 without neutral transitions , let N 3 denote the net N constructed from N 1 and N 2 like in the proof of Proposition 4.3, and let M 3 denote the initial marking of this net.By the proof of Proposition 4.3, Reach(N 1 ) = Reach(N 2 ) if and only if PURG(N 3 ) |= ϕ, where: then, in UG(N 5 ), ψ init (x) holds exclusively for x interpreted by M 4 + {p ℓ }.The subgraph of UG(N 5 ) reachable from the marking M 4 + {p ℓ } is isomorphic to PURG (N 4 ).Therefore, in UG(N 5 ), ψ init (x) ∧ x − → y ∧ ¬(y * − → x) holds for x, y if and only if x is interpreted by M 4 + {p ℓ } and y is interpreted by M 3 + {p 1 } + {p ℓ }.The subgraph of UG(N 5 ) reachable from the marking M 3 + {p 1 } + {p ℓ } is isomorphic to PURG (N 3 ).Therefore, PURG (N 3 ) |= ϕ if and only if UG(N 5 ) |= ϕ where ϕ is the formula: where f (•) is homomorphic for Boolean connectives and f (∀x ψ)  In this section we have examined several first-order sublanguages involving the reachability predicate.We obtained undecidability results, even when the reachable markings form a semilinear set, and even when the global structure UG(N ) is considered instead of URG(N ).

Concluding Remarks
We investigated mainly the model-checking problem over unlabelled reachability graphs of Petri nets with the first-order language FO(− →) (no label on transitions, no property on markings).The robustness of our main undecidability proof has been tested against standard fragments of FO(− →) (for instance the two-variable fragment), modal fragments from ML( , −1 ) and against the additional assumption that reachability sets are effectively semilinear.Table 1 provides a summary of the main results (observe that whenever the reachability relation * − → is effectively semilinear, each problem is decidable).Results in bold are proved in the paper, whereas unbold ones are their consequences; furthermore each undecidability result holds for a fixed formula.
We have investigated several types of borderlines to distinguish decidable problems from undecidable ones.For instance, MC URG (FO(− →)) restricted to the two-variable fragment is undecidable whereas MC URG (FO(− →)) restricted to the existential fragment is decidable (even though this problem is at least as hard as the reachability problem for Petri nets).Similarly, on the modal side, MC URG (ML( , −1 )) is decidable (again as hard as the reachability problem for Petri nets) whereas VAL URG (ML( , −1 )) is undecidable.Despite the numerous results we obtained, we can identify the following rules of thumb.
(1) Undecidability of MC URG (FO(− →)) is robust for numerous fragments of FO(− →) including both universal and existential quantifications (a single alternation is enough).(2) Decidability results with simple restrictions such as considering bounded Petri nets or ∃FO(− →) lead to computationally difficult problems, some of them being non primitive recursive or as hard as the reachability problem for Petri nets (see Section 3.4).(3) The above points are still relevant for modal languages.
Let us conclude the paper by mentionning possible continuations of this work.A first direction would be to investigate the model checking of fragments of second-order languages with respect to Petri net unlabelled reachability graphs.Knowing that MC URG (FO(− →)) is already undecidable, this makes sense only if one disallows first-order quantification, while keeping of course second-order quantification.A possible primitive atomic formula could be for instance: X =⇒ Y def ⇔ for all x ∈ X, there is y ∈ Y such that x − → y and for all y ∈ Y , there is x ∈ X such that x − → y.With this definition, it is easily shown that MC URG (MSO(⇒)) is undecidable, but many other fragments of MSO are worth investigating and comparing with the fragments considered in the paper.
A second direction for extending this work would be to consider the geometrical properties of the set of markings reachable from a given marking, taken as a subset of N n .It is for instance trivial to determine whether there is at least one marking reachable from the initial marking and different from it.It is slightly more difficult to prove that there is at least one non-reachable marking.
A third direction, diverging significantly from our approach, would be to investigate decidability questions about infinite unfoldings of nets instead of net reachability graphs.Unfolding Petri nets produces local event structures that induce in turn local trace languages [24].Safe Petri nets, as opposed to unbounded Petri nets, may in particular be modelled with regular trace event structures [34].The decidability of FO over regular trace event structures has been shown in [34], as well as the decidability of MTL, a fragment of MSO where quantification is restricted to conflict-free sets of events.The proofs of these results rely strongly on regularity and do not extend easily to local event structures representing general Petri nets.
(N ) = (D, init, − →, * − →, + − →, =) where init = {M 0 }, and relations * − → and + − → are the iterative and strictly iterative closures of − →, respectively.The unlabelled transition graph of N is the structure UG(N ) = (N P , init, − →, * − →, and FO(init, − →, + − →, * − →, =) are equally expressive.FO indicates that one can quantify over markings.Note that predicates + − → or * − → exceed the expressiveness of usual first-order logics on graphs.We omit the standard definition of the satisfaction relation U , v |= ϕ with U a structure (PURG(N ), URG(N ) or UG(N )) and v a valuation of the free variables in ϕ.For example, ∀x ϕ holds true whenever the formula ϕ holds true for all elements (markings) of the considered structure.Sentences are closed formulae, i.e., without free variables.If U |= ϕ then U is called a model of ϕ.
ℓ : new place in self-loop with each transition of N .

Figure 4 .
3 presents some key elements for the construction of N .
There is a formula ϕ init (x) ∈ FO(− →, * − →) which is satisfied in UG(N ) only at M 0 .Assuming these claims, validity of a formula in FO( * − →) with respect to URG(N ) may be reduced to the validity of a formula of FO(− →, * − →) with respect to UG(N ), using a similar technique as in the proof of Corollary 4.4.For this purpose, we should relativize the given formula in FO( * − →) to the vertices of UG(N ) that may be reached from the marking M 0 ′ defined by M 0 [t 0 M 0 ′ .This can actually be done in FO(− →, * − →), because M 0 ′ is the sole marking of N that satisfies the formula ∃y ϕ init (y) ∧ y − → x ∧ x − → x.Therefore, to complete the proof of the proposition, it suffices to establish the two claims made above.Now, the first claim derives immediately from the construction of N .The second claim may be established by setting:
be the extended reachability graph obtained from PURG(N 3 ) by adding a 1-loop in every marking.Then clearly, PURG(N 3 ) |= ϕ if and only if PURG (N 3 ) |= ϕ.By Hack's result, PURG (N 3 ) |= ϕ is undecidable from the input {N 1 , N 2 }.Now put N = N 3 in the net shown in Figure 4.2.Denote the resulting net N by N 4 , and let M 4 be its initial marking.By construction, N 4 has a semilinear reachability set.Moreover, if we put: θ(x, y)def = init(x) ∧ x − → y ∧ ¬(y * − → x), then, in PURG(N 4), this statement holds exclusively for x interpreted by M 4 and y interpreted by M 3 + {p 1 }.Let PURG (N 4 ) be the extended reachability graph obtained from PURG(N 4 ) by adding a 1-loop in every marking.Then clearly, in PURG (N 4 ), θ(x, y) holds exclusively for x interpreted by M 4 and y interpreted by M 3 + {p 1 }.Finally put N = N 4 in the net shown in Figure4.3.Denote the resulting net N by N 5 , and let M 5 be its initial marking.Thus, N 5 has a semilinear reachability set.As was shown in the proof of Proposition 4.6, if we put:ϕ init (x) def = (¬ x − → x) ∧ (∃ y∀ z x − → y ∧ ¬(y − → z)),then, in UG(N 5 ), ϕ init (x) holds exclusively for x interpreted by M 5 .Therefore, if we put:
[39]emilinear sets are closed under projection (quantifier elimination in Presburger arithmetic), ∆ 2 is effectively semilinear.Now {(M, M ′ ) | M ∈ Reach(N ) and ′ } is equal to ∆∪∆ 2 .Hence this set is effectively semilinear.Therefore, through the effective correspondence between semilinear sets and sets definable in Presburger arithmetic, any sentence ϕ of FO translates to a sentence ϕ ′ of Presburger arithmetic logic such that URG(N ) |= ϕ if and only if ϕ ′ is true.The proposition follows from the decidability of Presburger arithmetic[39].Let C be a class of Petri nets N for which Reach(N ) is effectively semilinear.Then, MC URG (FO(− →, =)) restricted to C is decidable.Proof.Consider a Petri net N = (P, T, F, M 0 ) in C. Assume the Presburger formula ϕ(x 1 , . . ., x n ) characterizes Reach(N ) where |P | = n.There is a second Presburger formula ϕ ′ (x 1 , . . . ,x n , x ′ 1 , . . ., x ′ n ) that characterizes the binary relation − → in UG(N ).Given a sentence ψ in FO(− →, =), one can build a sentence f (ψ) in Presburger arithmetic such that URG(N ) |= ψ iff f (ψ) is satisfiable in Presburger arithmetic.The map f (•) is homomorphic for Boolean connectives.Furthermore,