A Generic Framework for Reasoning about Dynamic Networks of Infinite-State Processes

. We propose a framework for reasoning about unbounded dynamic networks of inﬁnite-state processes. We propose Constrained Petri Nets ( CPN ) as generic models for these networks. They can be seen as Petri nets where tokens (representing occurrences of processes) are colored by values over some potentially inﬁnite data domain such as integers, reals, etc. Furthermore, we deﬁne a logic, called CML (colored markings logic), for the description of CPN con-ﬁgurations. CML is a ﬁrst-order logic over tokens allowing to reason about their locations and their colors. Both CPN s and CML are parametrized by a color logic allowing to express constraints on the colors (data) associated with tokens. We investigate the decidability of the satisﬁability problem of CML and its applications in the veriﬁcation of CPN s. We identify a fragment of CML for which the satisﬁability problem is decidable (whenever it is the case for the underlying color logic), and which is closed under the computations of post and pre images for CPN s. These results can be used for several kinds of analysis such as invariance checking, pre-post condition reasoning, and bounded reachability analysis.


Introduction
The verification of software systems requires in general the consideration of infinitestate models.The sources of infinity in software models are multiple.One of them is the manipulation of variables and data structures ranging over infinite domains (such as integers, reals, arrays, etc).Another source of infinity is the fact that the number of processes running in parallel in the system can be either a parameter (fixed but arbitrarily large), or it can be dynamically changing due to process creation.While the verification of parameterized systems requires reasoning uniformly about the infinite family of (static) networks corresponding to any possible number of processes, the verification of dynamic systems requires reasoning about the infinite number of all possible dynamically changing network configurations.
There are many works and several approaches on the verification of infinite-state systems taking into account either the aspects related to infinite data domains, or the aspects related to unbounded network structures due to parametrization or dynamic creation of processes.Concerning systems with data manipulation, a lot of work has been devoted to the verification of, for instance, finite-structure systems with unbounded counters, clocks, stacks, queues, etc. (see, e.g., [AvJT96, BEM97, WB98, Boi99, AAB00, FS01, FL02]).On the other hand, a lot of work has been done for the verification of parameterized and dynamic networks of Boolean (or finite-data domain) processes, proposing either exact modelchecking and reachability analysis techniques for specific classes of systems (such as broadcast protocols, multithreaded programs, etc) [EN98, EFM99, DRB02, BT05, BMOT05], or generic algorithmic techniques (which can be approximate, or not guaranteed to terminate) such as network invariants-based approaches [WL89,CGJ97], and (abstract) regular model checking [BJNT00, Bou01, AJNS04, BHV04].However, only few works consider both infinite data manipulation and parametric/dynamic network structures (see the paragraph on related work).
In this paper, we propose a generic framework for reasoning about parameterized and dynamic networks of concurrent processes which can manipulate (local and global) variables over infinite data domains.Our framework is parameterized by a data domain and a firstorder theory on it (e.g., Presburger arithmetics on natural numbers).It consists of (1) expressive models allowing to cover a wide class of systems, and (2) a logic allowing to specify and to reason about the configurations of these models.
The models we propose are called Constrained Petri Nets (CPN for short).They are based on (place/transition) Petri nets where tokens are colored by data values.Intuitively, tokens represent different occurrences of processes, and places are associated with control locations and contain tokens corresponding to processes which are at a same control location.Since processes can manipulate local variables, each token (process occurrence) has several colors corresponding to the values of these variables.Then, configurations of our models are markings where each place contains a set of colored tokens, and transitions modify the markings as usual by removing tokens from some places and creating new ones in some other places.Transitions are guarded by constraints on the colors of tokens before and after firing the transition.We show that CPNs allow to model various aspects such as unbounded dynamic creation of processes, manipulation of local and global variables over unbounded domains such as integers, synchronization, communication through shared variables, locks, etc.
The logic we propose for specifying configurations of CPNs is called Colored Markings Logic (CML for short).It is a first order logic over tokens and their colors.It allows to reason about the presence of tokens in places, and also about the relations between the colors of these tokens.The logic CML is parameterized by a first order logic over the color domain allowing to express constraints on tokens.
We investigate the decidability of the satisfiability problem of CML and its applications in verification of CPNs.While the logic is decidable for finite color domains (such as booleans), we show that, unfortunately, the satisfiability problem of this logic becomes undecidable as soon as we consider the color domain to be the set of natural numbers with the usual ordering relation (and without any arithmetical operations).We prove that this undecidability result holds already for the fragment ∀ * ∃ * of the logic (in the alternation hierarchy of the quantifiers over token variables) with this color domain.
On the other hand, we prove that the satisfiability problem is decidable for the fragment ∃ * ∀ * of CML whenever the underlying color logic has a decidable satisfiability problem, e.g., Presburger arithmetics, the first-order logic of addition and multiplication over reals, etc.Moreover, we prove that the fragment ∃ * ∀ * of CML is effectively closed under post and pre image computations (i.e., computation of immediate successors and immediate predecessors) for CPNs where all transition guards are also in ∃ * ∀ * .We show also that the same closure results hold when we consider the fragment ∃ * instead of ∃ * ∀ * .
These generic decidability and closure results can be applied in the verification of CPN models following different approaches such as pre-post condition (Hoare triples based) reasoning, bounded reachability analysis, and inductive invariant checking.More precisely, we derive from our results mentioned above that (1) checking whether starting from a ∃ * ∀ * pre-condition, a ∀ * ∃ * condition holds after the execution of a transition is decidable, that (2) the bounded reachability problem between two ∃ * ∀ * definable sets is decidable, and that (3) checking whether a formula defines an inductive invariant is decidable for Boolean combinations of ∃ * formulas.
These results can be used to deal with non trivial examples of systems.Indeed, in many cases, program invariants and the assertions needed to establish them fall in the considered fragments of our logic.We illustrate this by carrying out in our framework the verification of several parameterized systems (including the examples usually considered in the literature such as the Bakery mutual exclusion protocol [Lam74]).In particular, we provide an inductive proof of correctness for the parametric version of the Reader-Writer lock system introduced in [FFQ02].Flanagan et al. give a proof of this case study for the case of one reader and one writer.We consider here an arbitrarily large number of reader and writer processes and carry out (for the first time, to our knowledge) its verification by inductive invariant checking.We provide experimental results obtained for these examples using a prototype tool we have implemented based on our decision and verification procedures.

Related work:
The use of unbounded Petri nets as models for parameterized networks of processes has been proposed in many existing works such as [GS92, EN98, DRB02].However, these works consider networks of finite-state processes and do not address the issue of manipulating infinite data domains.The extension of this idea to networks of infinite-state processes has been addressed only in very few works [AJ98,Del01,BD02,AD06].In [AJ98], Abdulla and Jonsson consider the case of networks of 1-clock timed systems and show, using the theory of well-structured systems and well quasi orderings [AvJT96,FS01], that the verification problem for a class of safety properties is decidable.Their approach has been extended in [Del01,BD02] to a particular class of multiset rewrite systems with constraints (see also [AD06] for recent developments of this approach).Our modeling framework is actually inspired by these works.However, while they address the issue of deciding the verification problem of safety properties (by reduction to the coverability problem) for specific classes of systems, we consider in our work a general framework, allowing to deal in a generic way with various classes of systems, where the user can express assertions about the configurations of the system, and check automatically that they hold (using post-pre reasoning and inductive invariant checking) or that they do not hold (using bounded reachability analysis).Our framework allows to reason automatically about systems which are beyond the scope of the techniques proposed in [AJ98, Del01, BD02, AD06] such as, for instance, the parameterized Reader-Writer lock system presented in this paper.
In parallel to our work, Abdulla et al. developed in [ADHR07, AHDR08] abstract backward reachability analysis for a restricted class of constrained multiset rewrite systems.Basically, they consider constraints which are boolean combinations of universally quantified formulas, where data constraints are in the particular class of existentially quantified gap-order constraints.The abstraction they consider consists in taking after each pre-image computation the upward closure of the obtained set.This helps termination of the iterative computation and yields an upper-approximation of the backward reachability set.However, the used abstract analysis can be too imprecise for some systems.Our approach allows in contrast to carry out pre-post reasoning, invariance checking, as well as bounded analysis, for a larger class of systems.Techniques like those used in [ADHR07, AHDR08] could be integrated into our framework in the future in order to discover (local) invariants automatically.
In a series of papers, Pnueli et al. developed an approach for the verification of parameterized systems combining abstraction and proof techniques (see, e.g., [APR + 01]).This is probably one of the most advanced existing approaches allowing to deal with unbounded networks of infinite-state processes.We propose here a different framework for reasoning about these systems.In [APR + 01], the authors consider a logic on (parametric-bound) arrays of integers, and they identify a fragment of this logic for which the satisfiability problem is decidable.In this fragment, they restrict the shape of the formula (quantification over indices) to formulas in the fragment ∃ * ∀ * similarly to what we do, and also the class of used arithmetical constraints on indices and on the associated values.In a recent work by Bradley et al. [BMS06b], the satisfiability problem of the logic of unbounded arrays with any kind of elements values is investigated and the authors provide a new decidable fragment, which is incomparable to the one defined in [APR + 01], but again which imposes similar restrictions on the quantifiers alternation in the formulas, and on the kind of constraints on indices that can be used.In contrast with these works, we consider a logic on multisets of elements with any kind of associated data values, provided that the used theory on the data domain is decidable.For instance, we can use in our logic general Presburger constraints whereas [APR + 01] allows limited classes of constraints.On the other hand, we cannot specify faithfully unbounded arrays in our decidable fragment because formulas of the form ∀ * ∃ * are needed to express that every non extremal element has a successor/predecessor.Nevertheless, for the verification of safety properties and invariant checking, expressing this fact is not necessary, and therefore, it is possible to handle (model and verify) in our framework all usual examples of parameterized systems (such as mutual exclusion protocols) considered in the works cited above.
Let us finally mention that there are recent works on logics (first-order logics, or temporal logics) over finite/infinite structures (words or trees) over infinite alphabets (which can be considered as abstract infinite data domains) [BMS + 06a, BDM + 06, DL06].The obtained positive results so far concern logics with very limited data domain (basically infinite sets with only equality, or sometimes with an ordering relation), and are based on reduction to complex problems such as reachability in Petri nets.

Colored Markings Logic
2.1.Preliminaries.Consider an enumerable set of tokens and let us identify this set with the set of natural numbers N. Intuitively, tokens represent occurrences of (parallel) processes.We assume that tokens may have colors corresponding for instance to data values attached to the corresponding processes.We consider that each token has N colors, for some fixed natural number N > 0. Let C be a (potentially infinite) token color domain.
Examples of color domains are the set of natural numbers N and the set of real numbers R. Also, we consider that tokens can be located at places.Let P be a finite set of such places.Intuitively, places represent control locations of processes.A N -dim colored marking is a mapping M ∈ [N → (P ∪ {⊥}) × C N ] which associates with each token its place (if it is defined, or ⊥ otherwise) and the values of its colors.
Let M be a N -dim colored marking, let t ∈ N be a token, and let M (t) = (p, c 1 , . . ., c N ) ∈ (P ∪ {⊥}) × C N .Then, we consider that place M (t) denotes the element p, that color M (t) denotes the vector (c 1 , . . ., c N ), and that for every k ∈ {1, . . ., N }, color M,k (t) denotes the element c k .We omit the subscript M when it is clear from the context.

Colored Markings Logic (CML).
The logic CML is parameterized by a (first-order) logic on the considered token color domain C, FO(C, Ω, Ξ), i.e., by the set of operations Ω and the set of basic predicates (relations) Ξ allowed on C. In the sequel, we omit all or some of the parameters of CML when their specification is not necessary.
Let T be a set of token variables ranging over N (set of tokens) and let C be a set of color variables ranging over C, and assume that T ∩ C = ∅.Then, the set of terms of CML(C N , Ω, Ξ) (called token color terms) is given by the grammar: where z ∈ C, k ∈ {1, . . ., N }, x ∈ T , and o ∈ Ω. Intuitively, the term δ k (x) represents the kth color (data value) attached to the token associated with the token variable x.We denote by ≡ the syntactic equality relation on terms.
The notions of free/bound occurrences of variables in formulas and the notions of closed/open formulas are defined as usual in first-order logics.Given a formula ϕ, the set of free variables in ϕ is denoted FV (ϕ).In the sequel, we assume w.l.o.g. that in every formula, each variable is quantified at most once.
We define a satisfaction relation between colored markings and CML formulas.For that, we need first to define the semantics of CML terms.Given valuations θ ∈ [T → N], ν ∈ [C → C], and a colored marking M , we define a mapping • M,θ,ν which associates with each color term a value in C: Then, we define inductively the satisfaction relation |= θ,ν between colored markings M and CML formulas as follows: For every formula ϕ, we define [[ϕ]] θ,ν to be the set of colored markings M such that M |= θ,ν ϕ.A formula ϕ is satisfiable iff there exist valuations θ and ν s.

Prenex normal form:
A formula is in prenex normal form (PNF) if it is of the form where (1) Q 1 , . . ., Q m are (existential or universal) quantifiers, (2) y 1 , . . ., y m are variables in T ∪ C, and ϕ is a quantifier-free formula.It can be proved that for every formula ϕ in CML, there exists an equivalent formula ϕ ′ in prenex normal form.

Quantifier alternation hierarchy:
We consider two families {Σ n } n≥0 and {Π n } n≥0 of fragments of CML defined according to the alternation depth of existential and universal quantifiers in their PNF: • Let Σ 0 = Π 0 be the set of formulas in PNF where all quantified variables are in C, • For n ≥ 0, let Σ n+1 (resp.Π n+1 ) be the set of formulas Qy 1 . . .y m .ϕ in PNF where y 1 , . . ., y m ∈ T ∪ C, Q is the existential (resp.universal) quantifier ∃ (resp.∀), and ϕ is a formula in Π n (resp.Σ n ).It is easy to see that, for every n ≥ 0, Σ n and Π n are closed under conjunction and disjunction, and that the negation of a Σ n formula is a Π n formula and vice versa.For every n ≥ 0, let B(Σ n ) denote the set of all boolean combinations of Σ n formulas.Clearly, B(Σ n ) subsumes both Σ n and Π n , and is included in both Σ n+1 and Π n+1 .

Special form:
The set of formulas in special form is given by the grammar: where x, y ∈ T , z ∈ C, p ∈ P ∪ {⊥}, r ∈ Ξ, and t 1 , . . ., t n are token color terms.So, formulas in special form do not contain atoms of the form p(x).
It is not difficult to see that for every closed formula ϕ in CML, there exists an equivalent formula ϕ ′ in special form.The transformation is based on the following fact: since variables are assumed to be quantified at most once in formulas, each formula ∃x.φ can be replaced by p∈P∪{⊥} ∃x ∈ p. φ x,p where φ x,p is obtained by substituting in φ each occurrence of p(x) by true, and each occurrence of q(x), with p = q, by false.

Examples of properties expressible in CML:
The fact that "the place p is empty" is expressed by the Π 1 formula ∀x.¬p(x).The fact that "p contains precisely one token" is expressed by the B(Σ 1 ) formula: (∃x ∈ p. true) ∧ (∀y, z ∈ p. y = z).The Π 1 formula ∀x, y ∈ p. x = y expresses the fact that p has one or zero token.
The properties above do not depend on the colors of the token.The following examples show that the number of tokens in a place is also determined by properties of colors attached to tokens.Let consider now the logic CML(N, {0}, {≤}).Then, the fact that "p contains an infinite number of tokens" is implied by the Π 2 formula: Conversely, the fact that "p has a finite number of tokens" is implied by the Σ 2 formula:

Satisfiability Problem: Undecidability
We show hereafter that the satisfiability problem of the logic CML is undecidable as soon as we consider formulas in Π 2 , and this holds even for simple theories on colors.
Proof.The proof is done by reduction of the halting problem of Turing machines.The idea is to encode a computation of a machine, seen as a sequence of tape configurations, using tokens with integer colors.Each token represents a cell in the tape of the machine at some computation step.Therefore, the token has two integer colors: its position in the tape, and the position of its configuration in the computation (the computation step).The place of a token identifies uniquely the letter stored in the associated cell, the control state of the machine in the computation step of the cell, and the position of the head.Then, it is possible to express using formulas in Π 2 that two consecutive configurations correspond indeed to a valid transition of the machine.Intuitively, this is possible because Π 2 formulas allow to relate each cell at some configuration to the corresponding cell at the next configuration.
Let us fix the notations used for Turing machine.A Turing machine is defined by M = (Q, Γ, B, q 0 , q f , ∆) where Q is its finite set of states, Γ is the finite tape alphabet containing the default blank symbol B, q 0 , q f ∈ Q are the initial resp.the final state, and ∆, called the transition relation, is a subset of A configuration of the machine is given by a triplet (q, T , i) where q ∈ Q, T ∈ [N → Γ] is the tape of cells identified by their position j ∈ N and storing a letter T (j) ∈ Γ, and i is the position of the head on the tape.
A transition (q, X, q ′ , Y, d) ∈ ∆ defines a relation between two configurations (q, T , i) and (q ′ , T ′ , i ′ ) iff either i ′ = i + 1 and d = R or i ′ = i − 1 and d = L, the machine reads X at position i, i.e.T (i) = X, and writes Y at the same position, i.e.T ′ (i) = Y , and in any other position k different from i, the tapes T and T ′ are equal, i.e. ∀k.
The initial configuration of the machine is (q 0 , T 0 , 0) where T 0 is the tape with all cells containing the blank symbol B.
Without loss of generality, we suppose that (a) the machine has no deadlocks, (b) the head never goes left when it is at position 0, and (c) when the final state is reached the machine loops in this state.
We proceed now to the encoding of a computation that reaches the final state using a Π 2 formula of CML(N 2 , {0}, {≤}).
Instead of generic names δ 1 and δ 2 for color functions we use more intuitive names step and cell respectively.A token x with step(x) = j and cell(x) = i represents the i th cell of the j th configuration in a computation.
We define the set of places P = Γ×{Head , Nohead }×Q and, for convenience, we denote members of P by strings, e.g., A Head q with A ∈ Γ and q ∈ Q.A token x in a place named A Head q encodes a cell labeled by the letter A in a configuration where the head is at the position cell(x) and the current state is q.Since in a given configuration the head and the control state have a unique occurence, our encoding includes the property that, among all tokens that have the same step color, there is only one token in a place containing Head in its name.
First, we encode the properties of tapes.For this, we introduce the shorthand notation Head(x), parametrized by a token variable x, expressing that the token represented by x encodes a cell that carries the head, i.e, the name of its place has Head as substring.
The following Π 2 formula Tapes expresses that, for any tape j in an infinite computation, any cell i is represented by a unique token x (conditions (3.1) and (3.2)), and there is exactly one token z which represents the position of the head (conditions (3.3) and (3.4)).
Second, we encode the initial configuration using the following B(Σ 1 ) formula: Third, we encode the termination condition saying that, at some step, the computation reaches the final state: Finally, we encode each transition, i.e., the condition defining when two successive configurations correspond to a valid transition in the machine.For this, we have to fix the token storing the head in the current configuration (x), the tokens at the left (x l ) and at the right (x r ) of the head in the current configuration, and the tokens in the next configuration having the same position than x, x l , and x r (x ′ , x ′ l , resp.x ′ r ).When this identification is done (see the left part of the implication), we have to decompose the global transition over all transitions δ ∈ ∆: where Trans δ relates its parameters accordingly to transition δ.For example, if the transition δ is of the form (q, X, q ′ , Y, L) (the case of head moving at right is symmetrical), then we obtain the following Π 1 formula: where the shorthand notation Same(y, y ′ ) stands for A∈Γ,p∈Q and expresses that the two tokens y and y ′ carry the same letter.Then, the Trans formula is in B(Σ 1 ).The conjunction Tapes ∧ Init ∧ Trans ∧ Acceptance is a Π 2 formula which is satisfiable iff there is an accepting run.This reduction shows the undecidability of satisfiability for Π 2 fragment of CML(N 2 , {0}, {≤}).

Satisfiability problem: A Generic Decidability Result
We prove in this section that the satisfiability problem for formulas in the fragment Σ 2 of CML is decidable whenever this problem is decidable for the underlying color logic.
Proof.The idea of the proof is to reduce the satisfiability problem of Σ 2 formulas to the satisfiability problem of Σ 0 formulas.We proceed as follows: we prove first that the fragment Σ 2 has the small model property, i.e., every satisfiable formula ϕ in Σ 2 has a model of a bounded size (where the size is the number of tokens in each place).This bound corresponds actually to the number of existentially quantified token variables in the formula.Notice that this fact does not lead directly to an enumerative decision procedure for the satisfiability problem since the number of models of a bounded size is infinite in general (due to infinite color domains).Then we use the fact that over a finite model, the universal quantifications in ϕ can be transformed into finite conjunctions in order to build a formula ϕ in Σ 1 which is satisfiable if and only if the original formula ϕ is satisfiable.Actually, ϕ defines precisely the upward-closure of the set of markings defined by ϕ (w.r.t. the inclusion ordering between sets of colored markings, extended to vectors of places).Finally we show that the Σ 1 formula ϕ is satisfiable if and only if the Σ 0 formula obtained by transforming existential quantification over tokens into existential quantification over colors is decidable.
We define the size of a marking M to be the number of tokens x for which place M (x) = ⊥.A marking M ′ is said to be a sub-marking of a marking M if all tokens in M ′ for which place M (x) = ⊥ are mapped identically by M and M ′ .We also define the upward closure of a set of markings M to be the set of all the markings that have a sub-marking in M.
First, we show the following lemma: Given any universally quantified formula it is always the case that if it is satisfied by a marking then it is also satisfied by all its sub-markings (w.r.t inclusion ordering).In particular, we define M ′ to be the sub-marking of M that agrees only on tokens in − → t .Then, we have M ′ |= θ,ν ∀ − → y .φ, and therefore M ′ |= ∃ − → x .∃ − → z .∀ − → y .φ. Therefore, for the fragment Σ 2 , every satisfiable formula ϕ = ∃ − → x .∃ − → z .∀ − → y .φ has a model of size less or equal than | − → x |.However this fact does not imply the decidability of the satisfiability problem since the color domain is infinite.Point (2): We show that for any formula ϕ in Σ 2 it exists a formula ϕ such that any model M of ϕ has a sub-marking M ′ which is a model of ϕ, i.e., the upper closure of the set of models of ϕ is given by the set of models of ϕ.
Let Θ be the set of all (partial or total) mappings σ from elements of − → y to elements of − → x .Then, we have that any model M of ϕ is also a model of ∃ − → x .∃ − → z .ϕ (1) where This means that there exists a vector of tokens − → t ⊂ N, a vector of colors − → c ⊂ C, and two mappings θ : . Consider now M ′ to be the sub-marking of M that agrees only on tokens in − → t .Then, M |= θ,ν ϕ (1) implies that: By definition of ϕ, any of its minimal models is also a model of ϕ, and any of the models of ϕ has a sub-model that is a model of ϕ.
A direct consequence of the lemma above is that it is possible to reduce the satisfiability problem from Σ 2 to Σ 1 .To prove the main theorem, we have to show that the satisfiability problem of Σ 1 can be reduced to one of Σ 0 .Let us consider a Σ 1 formula ϕ = ∃ − → x .φ with φ in Σ 0 .
We do the following transformations: (1) we eliminate token equality by enumerating all the possible equivalence classes for equality between the finite number of variables in − → x , then (2) we eliminate formulas of the form p(x) by enumerating all the possible mappings from a token variable x to places in P, and (3) we replace terms of the form δ k (x) by fresh color variables.Let us describe more formally these three transformations.
Step 1: Let B( − → x ) be the set of all possible equivalence classes (w.r.t. the equality relation) over elements of − → x : an element e in B( − → x ) is a mapping from − → x to a vector of variables − → x (e) ⊆ − → x that contains only one variable for each equivalence class.
We define φ e to be φ[ − → x (e) / − → x ] where, after the substitution, each atomic formula that is a token equality is replaced by "true" if it is a trivial equality x = x and by "false" otherwise.Clearly ϕ is equivalent to Step 2: Similarly, we eliminate from φ e the occurrences of formulas p(x).For a mapping σ ∈ [ − → x (e) → P] and a variable x, σ(x)(x) is a formula saying that the variable x is in the place σ(x).We use the notation σ( − → x )( − → x ) instead of i σ(x i )(x i ).Again, for each value of σ and e we define φ e,σ to be φ e where each atomic sub-formula p(x) is replaced by "true" if σ(x) = p and by "false" otherwise.
Then, we obtain an equivalent formula ϕ =,p : where sub-formulas φ e,σ do not contain any atoms of the form x i ).Still, ϕ e,σ is not a Σ 0 formula, because it contains terms of the form δ k (x).
Step 3: For each coloring symbol δ k and each token variable x ∈ − → x (e) , we define a color variable s k,x .Let − → s (e) be a vector containing all such color variables for each variable in − → x (e) .Then the formula ϕ =,p is satisfiable iff the following Σ 0 formula is satisfiable: Therefore, the satisfiability problem of Σ 2 can be reduced to satisfiability problem of Σ 0 , which is decidable by hypothesis.
Complexity: From the last part of the proof, it follows that the satisfiability problem of a Σ 1 formula can be reduced in NP time to the satisfiability problem of a formula in the color logic FO(C, Ω, Ξ).Indeed, in Step 1 an equivalence relation between the existentially quantified variables − → x is guessed and in Step 2 a place in P for the representative of each equivalence class is guessed, and given these guesses, a Σ 0 formula of linear size (w.r.t. the size of the original Σ 1 ) is built.
From the first part of the proof, it follows that the reduction from the satisfiability problem of a Σ 2 formula to the satisfiability of a Σ 1 formula is in general exponential.More precisely, if Therefore, the reduction of a Σ 2 formula to an equi-satisfiable formula in Σ 0 is in NEXPTIME.
If the number of universally quantified variables (i.e., | − → y |) is fixed, the reduction to an equi-satisfiable Σ 1 formula ϕ becomes polynomial in the number of existentially quantified variables (i.e., | − → x |).Then, in this case, the complexity of the reduction from Σ 2 formulas to equi-satisfiable Σ 0 formulas is in NP.

Constrained Petri Nets
We introduce hereafter models for networks of processes based on multiset rewriting systems with data.
Configurations of CPNs are colored markings.Intuitively, the application of a constrained transition to a colored marking M (leading to a colored marking M ′ ) consists in (1) deleting tokens represented by the variables x i from the corresponding places p i , and in (2) creating tokens represented by variables y j in the places q j , provided that the formula ϕ is satisfied.The formula ϕ expresses constraints on the tokens in the marking M (especially on the tokens which are deleted) as well as constraints on the colors of created tokens (relating these colors with those of the tokens in M ).
Given a colored marking M let post S (M ) = {M ′ : M → S M ′ } be the set of all immediate successors of M , and let pre S (M ) = {M ′ : M ′ → S M } be the set of all immediate predecessors of M .These definitions can be generalized straightforwardly to sets of markings.Given a set of colored markings M, let pre S (M) = pre S (M), where ( • ) denotes complementation (w.r.t. the set of all colored markings).
Given a fragment Θ of CML, we denote by CPN[Θ] the class of CPN where all transition guards are formulas in the fragment Θ.Due to the (un)decidability results of sections 3 and 4, we focus in the sequel on the classes CPN[Σ 2 ] and CPN[Σ 1 ].

Modeling Power of CPN
We show in this section how constrained Petri nets can be used to model (unbounded) dynamic networks of parallel processes.We assume that each process is defined by an extended automaton, i.e., a finite-control state machine supplied with variables and data structures ranging over potentially infinite domains (such as integer variables, reals, etc).Processes running in parallel can communicate and synchronize using various kinds of mechanisms (rendez-vous, shared variables, locks, etc).Moreover, they can dynamically spawn new (copies of) processes in the network.
More precisely, let Q be the finite set of control locations of the extended automata, and let − → l = (l 1 , . . ., l N ) and − → g = (g 1 , . . ., g G ) be the sets of local respectively global variables manipulated by these automata.Transitions between control locations are labeled by actions which combine (1) tests over the values of local/global variables, (2) assignments of local/global variables, (3) creation of a new process in a control location, (4) synchronization (e.g., CCS-like rendez-vous, locks, priorities, etc.).Tests over variables are first-order assertions based on a set of predicates Ξ. Variables are assigned with expressions built from local and global variables using a set of operations Ω.
Example 6.1.Reader-writer is a classical synchronization scheme used in operating systems or other large scale systems.It allows processes to work (read and write) on shared data.Reader processes may read data in parallel but they are exclusive with writers.Writer processes can only work in exclusive mode with other processes.A reader-writer lock is used to implement such kind of synchronization for any number of readers and writers.For this, readers have to acquire the lock in read mode and writers in write mode.
Let us consider the program proposed in [FFQ02] and using the reader-writer lock given in Table 6.1.It consists of several Reader and Writer processes.The code of each process is given in Table 6.1.(To keep the example readable, we omit the processes spawning the readers and writers.)The program uses a global reader-writer lock variable l and a global variable x representing the shared data.Each Reader process has a local variable y.Then, the extended automata model for the program in Table 6.1 is obtained by associating a control location to each line of the program and by labeling transitions between control locations with the statements of the program.The extended automata model is provided on Figure 6.1.
We show hereafter how to build a CPN model for a network of extended automata described above.The logic of markings used by the CPN model is defined by CML(C N , Ω, Ξ) where N ≥ 1 is the (maximal) number of local variables of each process.To each control location in Q and to each global variable in − → g is associated a unique place in P.Then, each running process is represented by a token, and in every marking, the place associated with the control location q ∈ Q contains precisely the tokens representing processes which are at the control location q.The value of a local variable l i of a process represented by token t is given by δ i (t).For global variables which are scalar, the place associated in P (for convenience, we use the same name for the place and the global variable) contains a single token whose first color stores the current value of the global variable.Global variables representing parametric-size collections may also be modeled by a place storing for each element of the collection a token whose first color gives the value of the element.However, we cannot express in the decidable fragment Σ 2 of CML the fact that a multiset indeed encodes an array of elements indexed by integers in some given interval.The reason is that, while we can express in Π 1 the fact that each token has a unique color in the interval, we need to use Π 2 formulas to say that for each color in the interval there exists a token with that color.Nevertheless, for the verification of safety properties and for checking invariants, it is not necessary to require the latter property.
In the modeling above, we consider that the execution of the process action is atomic.When tests and assignments are not atomic, we must transform each of them into a sequence of atomic operations: read first the global variables and assign their to local variables, compute locally the new values to be assigned/tested, and finally, assign/test these values.
Process creation: An action spawning a new process q spawn(q 0 ) −−−−−−→ q ′ is modeled using a transition which creates a new token in the initial control location q 0 of the new process: q ֒→ q ′ , q 0 : ϕ id (1) ∧ ϕ 0 where ϕ 0 is N i=1 δ i (y 2 ) = null with null the general initial value for local variables.Moreover, it is possible to associate with each newly created process an identity classically defined by a positive integer number.For that, let us consider that the first color δ 1 gives the identity of the process represented by the token.To ensure that different processes have different identities, we express in the guard of every transition which creates a process the fact that the identity of this process does not exist already among tokens in places corresponding to control locations.This can easily be done using a universally quantified (Π 1 ) formula.Therefore, a spawn action q spawn(q 0 ) −−−−−−→ q ′ is modeled by: q ֒→ q ′ , q 0 : ϕ id (1) ∧ ϕ ′ 0 where The modeling of other actions (such as local/global variables assignment/test) can be modified accordingly in order to propagate the process identity through the transition.Notice that process identities are different from token values.Indeed, in some cases (e.g., for modeling value passing as described further in this section), we may use different tokens (at some special places representing buffers for instance) having the same identity δ 1 .
Synchronization using locks: Locks can be simply modeled using global variables storing the identity of the owner process, or a special value (e.g.−1) if it is free.A process who acquires the lock must check if it is free, and then write his identity: q, lock ֒→ q ′ , lock : To release the lock, a process assigns −1 to the lock, which can be modeled in a similar way.Other kinds of locks, such as reader-writer locks, can also be modeled in our framework as we show in the following example.
Example 6.2.Let us consider the extended automaton using the reader-writer lock given on Figure 6.1.For each of its states we introduce a place (e.g., place r3 for state r3).For the scalar global variable x, we create a place x containing a single token.The global variable representing the reader-writer lock is modeled following the classical implementation [Ari05] which uses two variables: • a global integer w to store the identifier of the process holding the lock in write mode or −1 if no such process exists (process identifiers are supposed to be positive integers), and • a global set of integers r to represent the processes holding the lock in read mode.Acquire (acq read, acq write) and release ( rel read , rel write ) operations are accessing variables w and r atomically.Then, we introduce a place w (containing a single token) for the scalar global variable w.For the global set variable r we introduce a place which contains a token for each Reader process owning the lock.By consequence, we need two colors for each token in the system: δ 1 to store the identity of processes and δ 2 to store the local variable y for tokens representing Reader processes and the value of global variables w and x for tokens in places w resp.x.
Value passing, return values: Processes may pass/wait for values to/from other processes with specific identities.They can use for that shared arrays of data indexed by process identities.Such an array A can be modeled in our framework using a special place containing for each process a token.Initially, this place is empty, and whenever a new process is created, a token with the same identity is added to this place.Then, to model that a process reads/writes on A[k], we use a transition which takes from the place associated with A the token with color δ 1 equal to i, reads/modifies the value attached with this token, and puts the token again in the same place.For instance, an assignment action by some process is modeled by the transition: Rendez-vous synchronization: Synchronization between a finite number of processes can be modeled as in Petri nets.CPNs allow in addition to put constraints on the colors (data) of the involved processes.
Priorities: Various notion of priorities, such as priorities between different classes of processes (defined by properties of their colors), or priorities between different actions, can be modeled in CPNs.This can be done by imposing in transition guards that transitions (performed by processes or corresponding to actions) of higher priority are not enabled.These constraints can be expressed using Π 1 formulas.In particular, checking that a place p is empty can be expressed by ∀x.¬p(x).(Which shows that, as soon as universally quantified formulas are allowed in guards, our models are as powerful as Turing machines, even for color logics over finite domains.)

Computing Post and Pre Images
We address in this section the problem of characterizing in CML the immediate successors/predecessors of CML definable sets of colored markings.Proof.Let ϕ be a closed formula, and let τ be a transition − → p ֒→ − → q : ψ of the system S. W.l.o.g., we suppose that ϕ and ψ are in special form (see definition in Section 2.3.3).Moreover, we suppose that variables in − → x and − → y introduced by τ have fresh names, i.e., different from those of variables quantified in ϕ and ψ.We define hereafter the formulas ϕ post = post S ([[ϕ]]) and ϕ pre = pre S ([[ϕ]]) for this single transition.The generalization to the set of all transitions is straightforward.
The construction of the formulas ϕ post and ϕ pre is not trivial because our logic does not allow to use quantification over places and color mappings in [N → C].Intuitively, the idea is to express first the effect of deleting/adding tokens, and then composing these operations to compute the effect of a transition.
Let us introduce two transformations ⊖ and ⊕ corresponding to deletion and creation of tokens.These operations are inductively defined on the structure of special form formulas in Tables 3 and 4.
The operation ⊖ is parameterized by a vector − → z of token variables to be deleted, a mapping loc associating with token variables in − → z the places from which they will be deleted, and a mapping col associating with each token variable in − → z and eack k ∈ {1, . . ., N } a fresh color variable in C. Intuitively, ⊖ projects a formula on all variables in − → z .Rule ⊖ 2 substitutes in a color formula r( − → t ) all occurences of colored tokens in − → z by fresh color variables given by the mapping col.A formula x = y is unchanged by the application of ⊖ if the token variables x and y are not in − → z ; otherwise, rule ⊖ 3 replaces x = y by "true" if it is trivially true (i.e., we have the same variable in both sides of the Table 3: Definition of the ⊖ operator. Table 4: Definition of the ⊕ operator.equality) or by "false" if x (or y) is in − → z .Indeed, each token variable in − → z represents (by the semantics of CPN) a different token, and since this token is deleted by the transition rule, it cannot appear in the reached configuration.Rules ⊖ 4 and ⊖ 5 are straightforward.Finally, rule ⊖ 6 does a case splitting according to the fact whether a deleted token is precisely the one referenced by the existential token quantification or not.
The operation ⊕ is parameterized by a vector − → z of token variables to be added and a mapping loc associating with each variable in − → z the place in which it will be added.Intuitively, ⊕ transforms a formula taking into account that the tokens added by the transition were not present in the previous configuration (and therefore not constrained by the original formula describing the configuration before the transition).Then, the application of ⊕ has no effect on color formulas r( − → t ) (rule ⊕ 2 ).When equality of tokens is tested, rule ⊕ 3 takes into account that all added tokens are distinct and different from the existing tokens.For token quantification, rule ⊕ 6 says that quantified tokens of the previous configuration cannot be equal to the added tokens.
Therefore, we define ϕ post τ to be the formula: In the formula above, we first delete the tokens corresponding to − → x from the current configuration ϕ intersected with the guard of the rule ψ.Then, we add tokens corresponding to − → y .Finally, we close the formula by quantifying existentially (1) the color variables − → c corresponding to colors of deleted tokens − → x and (2) the token variables − → y corresponding to the added tokens.Similarly, we define ϕ pre τ to be the formula: In the formula above, we first add to the current configuration the tokens represented by the left hand side of the rule − → x in order to obtain a configuration on which the guard ψ can be applied.Then, we remove the tokens added by the rule using token variables − → y .Finally, we close the formula by quantifying existentially (1) the color variables − → c corresponding to colors of removed tokens − → y and (2) the token variables − → x corresponding to the added tokens.It is easy to see that if ϕ and ψ are in the Σ n fragment, for any n ≥ 1, then both of the formulas ϕ post τ and ϕ pre τ are also in the same fragment Σ n .
Complexity: Let ϕ be a Σ 2 formula, and let τ = − → p ֒→ − → q : ψ be a transition of a system S ∈ CPN[Σ 2 ].Then the sizes of formulas post τ (ϕ) and pre τ (ϕ) are in general exponential in the number of quantifiers in ϕ ∧ ψ.More precisely, the size of the post times greater than the size of the formula ϕ ∧ ψ, where n is the number of quantifiers in ϕ ∧ ψ.This exponential blow-up is due to the rule ⊖ 6 in Table 3.If the number of the quantified variables in ϕ ∧ ψ is fixed, then the size of post τ (ϕ) (resp.pre τ (ϕ)), increases polynomially w.r.t. the size of the formula ϕ ∧ ψ.
Example 7.2.To illustrate the construction given in the proof above, we consider the logic CML(N, {0}, {≤}) and the CPN S = (P, ∆) with P = {p, q, r} and ∆ containing the following transition: Intuitively, this transition moves a token with positive color from place p to place q and assigns to its color a value non-deterministically chosen in N but different from all colors of tokens in place q.
We illustrate the computation of post-image of τ on two formulas in special form ϕ 1 = (∃x ∈ r. true) and ϕ 2 = (∀x, y ∈ p. x = y).Intuitively, ϕ 1 says that the place r contains at least a token, and ϕ 2 says that any two tokens in place p are equal, i.e., place p contains at most one token.Since ϕ 1 is not speaking about places involved in the transition τ (i.e., p and q), we expect to obtain a stable post-image by τ , i.e., ϕ 1,post τ =⇒ ϕ 1 .Conversely, ϕ 2 speaks about a place changed by τ , so its image cannot be stable.In the remainder of this example we give the details of the construction of the post-images by τ for ϕ 1 and ϕ 2 .
By applying the equation 7.1 to ϕ 1 we obtain: In the following, we denote by loc x 1 , col x 1 , and loc y 1 the mappings First, we compute the effect of applying the ⊖ operation on ϕ 1 and the guard of τ using the rules given in Table 3.By applying several times rules ⊖ 4 and ⊖ 5 to distribute ⊖ over ∧ and ¬ we obtain: By applying rule ⊖ 6 two times, ⊖ 2 one time, and by replacing the empty disjunction by false, we obtain: Rules ⊖ 1 and ⊖ 2 are applied to obtain the final result: On the above formula is applied the ⊕ transformation using the rules given in Table 4.By applying several times rules ⊕ 4 and ⊕ 5 to distribute ⊕ over ∧ and ¬, we obtain: By applying two times rules ⊕ 6 and ⊕ 2 , and by replacing empty conjunctions by true we obtain: Rules ⊕ 1 and ⊕ 2 are applied to obtain the final result: Therefore, the immediate successors of ϕ 1 by τ are given by the following CML formula: where the last equality has been obtained by applying classical rules for quantifiers.It is easy now to see that ϕ 1,post τ =⇒ ϕ 1 .Now, we consider ϕ 2 and we apply the equation 7.1 to obtain: We only detail the effect of ⊕ and ⊖ operators on ϕ 2 since the computation for the conjunct representing the guard of τ is the same as for ϕ 1 .
In order to apply ⊖ on ϕ 2 , we use the equivalent form of ϕ 2 , i.e., ¬(∃x ∈ p. ∃y ∈ p. ¬(x = y)).Then, the effect of the ⊖ operation on ϕ 2 is obtained by applying two times the rules ⊖ 4 and ⊖ 6 as follows: By applying several times rules ⊖ 3 , ⊖ 4 , and ⊖ 6 we obtain: The last equivalence above is obtained from the classical properties of quantifiers.The final result is the one expected intuitively: the effect of removing the token x 1 in p from a configuration where there is at most one token in p (see meaning of ϕ 2 ) is a configuration with no token in p.
It is easy to show that the effect of ⊕({y 1 }, loc y 1 ) on the last formula above is null.Therefore, the immediate successors of ϕ 2 by τ are given by the following CML formula: More complex examples of post-image computations for the reader-writer lock example are provided in Section 9.1.

Applications in Verification
We show in this section how to use the results of the previous section to perform various kinds of analysis.Let us fix for the rest of the section a first order logic FO(C, Ω, Ξ) with a decidable satisfiability problem and a CPN S.
then the problem whether ϕ, τ, ϕ ′ is a Hoare triple is decidable for every transition τ of S, every formula ϕ ∈ Σ 2 , and every formula ϕ ′ ∈ Π 2 .8.2.Bounded reachability analysis.An instance of the bounded reachability analysis problem is a triple (Init, T arget, k) where Init and T arget are two sets of configurations, and k is a positive integer.The problem consists in deciding whether there exists a computation of length at most k which starts from some configuration in Init and reaches a configuration in T arget.In other words, the problem consists in deciding whether T arget ∩ 0≤i≤k post i S (Init) = ∅, or equivalently whether Init ∩ 0≤i≤k pre i S (T arget) = ∅.The following result is a direct consequence of Theorem 7.1 and Theorem 4.1.Of course, the difficult part in applying the deductive approach is to find useful auxiliary inductive invariants.One approach to tackle this problem is to try to compute the largest inductive invariant included in ϕ inv which is the set k≥0 pre k S (ϕ inv ).Therefore, a method to derive auxiliary inductive invariants is to try iteratively the sets ϕ inv , ϕ inv ∩ pre S (ϕ inv ), ϕ inv ∩ pre S (ϕ inv ) ∩ pre 2 S (ϕ inv ), etc.In many practical cases, only few strengthening steps are needed to find an inductive invariant.(Indeed, the user is able in general to provide accurate invariant assertions for each control point of his system.)The result below implies that the steps of this iterative strengthening method can be automatized when CPN[Σ 1 ] models and Π 1 invariants are considered.
Theorem 8.5.If S is a CPN[Σ 1 ], then for every closed formula ϕ in Π 1 and every positive integer k, it is possible to construct a formula in Π 1 defining the set 0≤i≤k pre i S ([[ϕ]]).The theorem above is a consequence of the fact that, by Theorem 7.1, for every S in CPN[Σ 1 ] and for every formula ϕ in Π 1 , it is possible to construct a formula ϕ f pre also in Π Complexity: Let τ = − → p ֒→ − → q : ψ be a transition of a system S ∈ CPN[Σ 2 ], and let ϕ be a B(Σ 1 ) formula.The satisfiability of post τ (ϕ) ∧ ¬ϕ can be reduced in nondeterministic doubly-exponential time to the satisfiability problem of the color logic.This is due to the fact that (1) the reduction to the satisfiability problem of the color logic is in nondeterministic exponential time w.r.t. the maximal number of universally quantified variables in the formulas ¬ϕ and post τ (ϕ), and that (2) the number of universally quantified variables in post τ (ϕ) is exponential in the number of universally quantified variables in ϕ ∧ ψ.Now, for fixed sizes of − → p and − → q , and for a fixed number of the quantified variables in ϕ∧ψ, the reduction to the satisfiability problem of the color logic is in NP.Such assumptions are in fact quite realistic in practice (as shown in the following section for different examples of parameterized systems).Indeed, in models of parametrized systems (see Section 6), communication involves only few processes (usually at most two).This justifies the bound on the sizes of left and right hand sides of the transition rules.Moreover, invariants are usually expressible using a small number of process indices (for instance mutual exclusion needs two indices) and relates only few of their local variables.

Case Studies and Experimental Results
We illustrate the use of our framework on several examples of parameterized systems.First, we consider the parameterized version of the Reader-Writer lock example provided in [FFQ02].We give for this case study the inductive invariant allowing to prove a suitable safety property, and we show significant parts of its proof.
Then, we describe briefly a prototype tool for checking invariance properties based on our framework, and we give the experimental results obtained on several examples of parameterized mutual exclusion protocols and on the Reader-Writer lock case study.9.1.Verification of the Reader-Writer Lock.A safety property of our example is "for all Reader processes at control location 3, the local variable y has the same value, equal to f (x)", whose specification in CML is the following Π 1 formula: Of course, this property is true only if all Reader and Writer processes respect the procedure of acquiring the lock, i.e., there are no other processes in the system which are accessing the global variable x.Therefore, a correct initial configuration of the CPN model given on Table 6.2 has no token in places r2, r3, w2, and w3, and only one token in place x.Moreover, all process identities stored in color δ 1 are positive.We suppose that the lock is free initially, i.e., the place r is empty and the place w contains a unique token with negative δ 2 color.Then, a correct initial configuration of the system is given by the following Init formula in B(Σ 1 ): where G x = (∃t ∈ x. true) ∧ (∀t, t ′ ∈ x. t = t ′ ) expresses that the place x contains a unique token, Ids = ∀t.δ 1 (t) ≥ 0 expresses that all tokens have a positive color δ 1 (representing their identity), and specifies the initial state of the lock: there is only one token in place w and its color δ 2 is negative, and the place r is empty.
The premises of Theorem 8.4 are fulfilled since the model proposed on Table 6.2 is in CPN[Π 1 ], and Init and RF are both in B(Σ 1 ).It follows that we have to find an inductive invariant ϕ aux ∈ B(Σ 1 ) such that Init =⇒ ϕ aux and ϕ aux =⇒ RF .We consider the following B(Σ 1 ) formula as candidate for ϕ aux : where G x , Ids and RF are defined above and specifies that the place w contains only one token which color δ 2 is positive when a writer process is accessing the global variable (because δ 2 stores the identity of the writer), and expresses that the place r must contain a token when a reader process is accessing the global variable (i.e., it is at locations r2 or r3).
Therefore, to check the safety property RF we have to show that: (1) Init =⇒ Aux , (2) for any transition τ in the system, post τ (Aux) =⇒ Aux , and (3) Aux =⇒ RF .We let the point (1) as an exercise.The point (3) follows trivially from the definition of Aux.In the following, we detail the proof of the point (2) for one transition of the system, namely w 1 , that we recall hereafter for readability: Using equation 7.1, we obtain that the post-image of Aux by the transition w 1 has the following form: Before applying operators ⊖ and ⊕, let us observe that Aux's closed sub-formulas G x , RW r , RF , and ¬(∃z ∈ r. true) concern places which are not involved in the transition w 1 .It can be shown that (and Example 7.2 gives an illustration of this fact) these sub-formulas are not changed by the application of ⊖ and ⊕ operators.Therefore, we have to apply these operators only on the rest of sub-formulas of Aux and on the guard of w 1 , i.e.: By distributing the ⊖ operator over ∧ (rules ⊖ 4 and ⊖ 5 ), and by applying three times the rule ⊖ 2 , we obtain: The application of ⊖ on the Ids sub-formula uses the rules ⊖ 4 and ⊖ 6 and has as effect the introduction of constraints on the c 1,x 1 and c 2,x 1 color variables: The result of applying ⊖ on the RW w sub-formula is (sometimes we omit the arguments of ⊖ for legibility): After some trivial simplification, we obtain: RW w ⊖ ( − → x , loc− → x , col− → x ) = (∀u ∈ w. false) ∧ ((∃t.w2(t) ∨ w3(t)) ⇔ (∃u ∈ w. δ 2 (u) ≥ 0 ∨ c 2,x 2 ≥ 0)) As expected, the first conjunct of the result obtained above says that after the deletion of the x 2 token in w, there is no more token in w.
(∀t. δ 1 (t) ≥ 0 ∨ (t = y 1 ) ∨ (t = y 2 )) ∧ δ 1 (y 1 ) ≥ 0 ∧ δ 1 (y 2 ) ≥ 0∧ (∀u ∈ w. u = y 2 )∧ ⇔ ((∃u ∈ w. δ 2 (u) ≥ 0 ∧ (u = y 2 )) ∨ c 2,x 2 ≥ 0) ∧ c 2,x 2 < 0 ∧ δ 2 (y 2 ) ≥ 0 ∧ δ 2 (y 1 ) = c 2,x 1 Second, RW w sub-formula of Aux is implied by the sub-formula ∃y 1 ∈ w 2 .∃y 2 ∈ w. . . .(∀u ∈ w. u = y 2 ) ∧ • (∀u ∈ w. u = y 2 ), the left member of the equivalence: (∃t. (w2(t) ∨ w3(t)) ∧ (t = y 1 )) ⇔ ((∃u ∈ w. δ 2 (u) ≥ 0 ∧ (u = y 2 )) ∨ c 2,x 2 ≥ 0) is false, so we can replace it by ¬(∃t.(w2(t)∨w3(t))∧(t = y 1 )) which expresses, as expected, that only one writer (here y 1 ) can be present at the location w2.9.2.Experimental results.We have implemented the algorithms for the decision procedure of CML, the post and pre-image computations, and the inductive invariant checking.Our prototype tool, implemented in Ocaml, takes as input an invariant ϕ inv in B(Σ 1 ) which is a conjunction of local invariants written in special form (see definition in Section 2.3.3).Indeed, the invariants are usually conjunctions of formulas, each of them being an assertion which must hold when the control is at some particular location.Then, it decomposes the inductive invariant checking problem (i.e., post(ϕ inv ) ∧ ¬ϕ inv is unsatisfiable) in several lemmas, one lemma for each transition of the input CPN model and for each local invariant in ϕ inv which contains places involved in the transition.For example, the tool generates 70 lemmas for the verification of the inductive invariant for the RF property on the Reader-Writer lock example.However, not all lemmas are generated if the decision procedure for CML returns satisfiable for one of them (which implies that ϕ inv is not an inductive invariant).The implemented decision procedure for CML is parameterized by the decision procedure for the logic of colors FO(C, Ω, Ξ).Actually, we generate lemmas in the SMTLIB format and we have an interface with most known SMT solvers.Therefore, we can allow as color logic any theory supported by the state of the art SMT solvers.
Using this prototype, we modeled and verified several parameterized versions for mutual exclusion algorithms.The experimental results are given on Table 5. (The considered models of the Burns and Bakery algorithms use atomic global condition checks over all the processes, although our framework allows in principle the consideration of models where global conditions are checked using non atomic iterations over the set of processes.)For all these examples, the color logic is the difference logic over integers for which we have used the decision procedure of Yices [DdM06].For each example, Table 5 gives the number of rules of the model, the number of conjuncts of the inductive invariant (in CNF), the number of lemmas generated for the SMT solver, and the global execution time.

Conclusion
We have presented a framework for reasoning about dynamic/parametric networks of processes manipulating data over infinite domains.We have provided generic models for these systems and a logic allowing to specify their configurations, both being parametrized by a logic on the considered data domain.We have identified a fragment of this logic having a decidable satisfiability problem and which is closed under post and pre image computation, and we have shown the application of these results in verification.
Our framework allows to deal in a uniform way with all classes of systems manipulating infinite data domains with a decidable first-order theory.In this paper, we have considered instantiations of this framework based on logics over integers or reals (which allows to consider systems with numerical variables).Different data domains can be considered in order to deal with other classes of systems such as multithreaded programs where each process (thread) has an unbounded stack (due to procedure calls).Our future work includes also the extension of our framework to other classes of systems and features such as dynamic networks of timed processes, networks of processes with broadcast communication, interruptions and exception handling, etc.
p r o c e s s Wr iter : 1 : l .a c q w r i t e ( p i d ) ; 2 : x = g ( x ) ; 3 : l .r e l w r i t e ( p i d ) ; 4 : p r o c e s s Reader : 1 : l .a c q r e a d ( p i d ) ; 2 : y = f ( x ) ; 3 : l .r e l r e a d ( p i d ) ; 4 :

Table 1 :
Example of program using reader-writer lock.Figure 1: Extended automata model for the program in Table 6.1.
Moreover, each process has a unique identifier represented by the pid local variable.Let us assume that x, y, and pid are of integer type.Writer processes change the value of the global variable x after acquiring the lock in write mode.Reader processes are setting their local variable y to a value depending on x after acquiring the lock in read mode.