logic and stochastic modeling with smartweb.cs.iastate.edu/~ciardo/pubs/2006peva-smart.pdf ·...

Logic and stochastic modeling with SmArT ⋆

G. Ciardo a,1 R. L. Jones III b A. S. Miner c R. Siminiceanu d

aDepartment of Computer Science and Engineering, University of California,

Riverside, CA, 92521

bASRC Aerospace Corporation, Williamsburg, VA 23187

cDepartment of Computer Science, Iowa State University, Ames, IA 50011

dNational Institute of Aerospace, Hampton, VA 23666

Abstract

We describe the main features of SmArT, a software package providing a seamlessenvironment for the logic and probabilistic analysis of complex systems. SmArT cancombine different formalisms in the same modeling study. For the analysis of logicalbehavior, both explicit and symbolic state-space generation techniques, as well assymbolic CTL model-checking algorithms, are available. For the study of stochasticand timing behavior, both sparse-storage and Kronecker-based numerical solutionapproaches are available when the underlying process is a Markov chain, whilediscrete-event simulation is always applicable regardless of the stochastic natureof the process, and certain classes of non-Markov models can also be solved nu-merically. Finally, since SmArT targets both the classroom and realistic industrialsettings as a learning, research, and application tool, it is written in a modular waythat allows for easy integration of new formalisms and solution algorithms.

Key words: stochastic modeling, model checking, state-space analysis, Markovchains, simulation2000 MSC: MSC 68Q45, 68Q60, 68Q85, 65C20, 60J22, 60K15, 68U20

⋆ Expanded version of a paper presented at the International Conference on Model-ing Techniques and Tools for Computer Performance Evaluation (TOOLS), Urbana,IL, USA, Sep. 2003.1 The work of this author was partially supported by the National Aeronautics andSpace Administration under NASA Contract NAG-1-02095 and by the NationalScience Foundation under Grants 0219745 and 0203971.

Preprint submitted to Elsevier Science 4 March 2008

1 Introduction

Complex discrete-state systems such as computer and communication net-works, distributed software, and factory assembly lines are increasingly en-gineered and placed in service in environments where their correct logicaland timing behavior is essential. Thus, both their verification and their per-formance and dependability analysis are important tasks in the design anddimensioning of such systems. Logical verification is usually concerned withabsence of design errors such as deadlocks and similar “untimed” and “non-stochastic” properties, while both performance and dependability analysis areusually concerned with timing behavior in a stochastic setting. In the past,the two have traditionally been considered as separate activities.

Individually, both model checking tools such as NuSMV [1] and SPIN [2], andperformability (i.e., combined performance and dependability) tools, such asUltraSAN [3] and Mobius [4] can be very useful to discover potential designflaws and bottlenecks in a system. Recently, however, there has been a cleartrend toward combining these two aspects into a single unifying framework, asdone for example in PRISM [5] and ETMCC [6]. It is worth mentioning thatthere are also tools for verification of real-time systems, such as KRONOS [7]and UPPAAL [8]; however, while these tools combine logic and timing, theydo not target probabilistic aspects. We believe that there are two main reasonsfor this integration trend. First and foremost, in many systems, it might benecessary to discuss correctness in light of timing behavior (e.g., it must notbe possible for events a and b to occur within x time units of each other), andto accept a probabilistic, rather than an absolute, view of correctness (e.g., theprobability of non-termination due to entering a deadlock should be less than10−9). A second reason is that the data structures and techniques requiredto carry on either type of analysis have much in common, and can help eachother. It is on this second aspect that we focus our presentation.

We introduce the tool SmArT, whose development began in 1995. Conceived asa powerful stochastic environment to integrate multiple modeling formalismsfor use both in the classroom and in industrial applications, SmArT has evolvedto include logical analysis as well. Currently, it employs some of the most effi-cient data structures and algorithms for the analysis of discrete-state systems.A detailed example of its use in a real application, CTL verification of theNASA Runway Safety Monitor, can be found in [9].

2 Overview of SmArT

SmArT offers the ability to define parametric models for which a variety of

2

measures can be computed. A modeler may use multiple models to study dif-ferent aspects of a system. Indeed, each model can be expressed in the mostappropriate formalism. Currently, the only implemented high-level formalismis Petri nets [10], with a software-oriented formalism being planned, while theother available formalisms, discrete-time and continuous-time Markov chains(DTMCs and CTMCs), are rather low-level. Models can interact by exchang-ing data: a measure computed in a model can be an input to another model.

For logical analysis, SmArT can generate the (reachable) state space of a modelusing highly optimized algorithms ranging from explicit ones based on “flat”hashing or search trees or “structured” trees of trees [11], to symbolic onesbased on multiway decision diagrams (MDDs) [12,13], see Sect. 4.1. A partic-ularly innovative aspect in SmArT is the symbolic encoding of the transition

relation N , which specifies which states can be reached from each state in onestep. Unlike traditional symbolic approaches where a “double-height” MDDencodes the “from” and “to” states in the relation, SmArT uses either a booleansum of Kronecker products of (small) boolean matrices [14], or a matrix dia-

gram [15,16]. For mostly asynchronous systems, not only are these encodingsenormously more efficient in terms of memory, but they also allow us to ex-ploit the inherent event locality to greatly improve the runtimes as well, inparticular using the saturation algorithm [17–19]. CTL model checking is alsoavailable, based on these same enhancements [20], see Sect. 4.2.

For stochastic timing analysis of models having an underlying DTMC, orCTMC, an explicit solution approach requiring O(η(P)), or O(η(Q)), mem-ory is available, where η(·) is the number of nonzero entries in the argumentand P and Q are the transition probability or infinitesimal generator matri-ces, respectively. However, more advanced structured storage techniques areavailable when solving models with an underlying CTMC, based on Kronecker[21] or matrix diagram [15,22] encoding of the transition rate matrix R (equalto Q except in the diagonal), see Sect. 5.3. When even these techniques failto cope with the size of the (exact) solution vector, SmArT offers a Kronecker-based approximation based on the structure of the MDD storing the exactstate space, see Sect. 5.4.

SmArT also provides exact numerical solutions and a special simulation methodfor certain classes of (semi-)regenerative models, see Sect. 5.1. A stochasticprocess is regenerative if it probabilistically restarts independently and iden-tically at certain random times (for example, the successive times a DTMC orCTMC visits a fixed state forms a regenerative process). A semi-regenerative

process, instead, restarts conditionally ; i.e., it regenerates independently andidentically at certain random times given that it re-enters the same state occu-pied at an earlier regeneration time. In this more general case, there exists anembedded Markov renewal process which SmArT recognizes, builds, and solvesfor its stationary solution. Assuming homogeneity, the expected holding time

3

in each embedded state and the state transition probabilities are obtained bysolving a set of subordinate processes describing the evolution between con-secutive regeneration times. Currently, SmArT can calculate these quantities ifthe subordinate processes are CTMCs, but we plan to extend the approach togeneral cases where the solution of a subordinate process may even require theuse of discrete-event simulation. In SmArT, the same capability to recognizeregeneration instants is also used for regenerative simulation, see Sect. 5.2.

Being able to classify the type of stochastic process underlying a given modelis of course highly desirable [23] when the user specifies a numerical methodinstead of simulation. If the distributions appearing in a model are all geomet-ric or all exponential, SmArT can immediately conclude that the underlyingprocess is a DTMC or a CTMC, respectively (the converse is not true). Semi-regenerative processes, however, are much harder to recognize a priori. Thus,SmArT adopts an efficient on-line classification of the underlying stochasticprocess during its generation [24]. If the model is not clearly Markov, SmArT

attempts to generate its embedded and subordinate processes in the hope thatit falls in the class of semi-regenerative processes it can solve.

In summary, the interface of SmArT presents the user with a unified syntax tospecify a wide variety of systems and ask questions of their models. Internally,the numerous logical, numerical, and simulation solution algorithms are tightlyintegrated, helping each other by sharing important data structures that areefficiently implemented, and, most importantly, are available regardless of themodeling formalism employed by the user.

3 SmArT Language

We now describe the language used to specify models in SmArT. The ac-tual BNF syntax can be found in the appendix. SmArT uses a strongly-typedcomputation-on-demand language with four types of basic statements:

Declaration statements are used to declare functions over some set of ar-

guments. As a special case, the set of arguments for a function can be empty;in this case, the function is a constant. To ensure strict type-checking, thetype of the function and of its arguments must be defined.

Definition statements are used to declare functions in the same way dec-laration statements do, but they also specify how to compute the value ofthe function being declared.

Expression statements are used to print values, although function callsappearing in the expression may have side-effects, such as redirecting theoutput or displaying additional information.

4

Option statements are used to modify the behavior of SmArT. For example,there are options to control the numerical solution algorithms (such as theprecision or the maximum number of iterations), the verbosity level, etc.Option statements appear on a single line beginning with “#”.

In addition, SmArT uses the following three types of compound statements.

for statements define arrays or repeatedly evaluate parametric expressions.This is particularly useful for studies that explore how a result is affectedby a change in the modeling assumptions, such as the rate of an event orthe maximum size of a buffer.converge statements specify fixed-point iterations such as those employedto carry out approximate performance or dependability studies.

Model definition statements are used to define models. Like functions,they have arguments but instead of returning a value, they specify a block ofstatements containing declarations, specifications, and measures, the latterbeing accessible outside the model.

The rules for nesting of compound statements are as follows. A model defini-tion may not appear within another compound statement. Model definitionsmay contain arbitrarily-nested for statements. Outside of a model definition,the for and converge statements may be arbitrarily nested.

3.1 SmArT types and operators

The following basic predefined types are available in SmArT:

void: for functions with no return value. print("Hello world");

bool: the values true or false. bool c := 3 - 2 > 0;

int: integer (machine “int” type) values. int i := -12;

bigint: arbitrary-size integers. bigint i := 12345678901234567890;

real: floating-point (machine “double” type) values. real x := 3.14;

string: character-array values. string s := "Monday";

In addition, composite types can be defined using the concepts of:

aggregate: a grouping of objects via the “:” operator. p:t:3

set : collection of homogeneous objects. {1..8,10,25,50}array : homogeneous objects indexed by set elements, see Sect. 3.3.

A type can be further modified by the following natures, which describestochastic characteristics:

const: (the default) a non-stochastic quantity.

5

Operator Operands Result

- unary minus int int

bigint bigint

real real

rand int rand int

rand real rand real

proc int proc int

proc real proc real

! not bool bool

rand bool rand bool

proc bool proc bool

+ addition int int int

bigint bigint bigint

real real real

ph int∗ ph int∗ ph int ∗ Operandsph real∗ ph real∗ ph real must berand int rand int rand int independentrand real rand real rand real randomproc int proc int proc int variablesproc real proc real proc real

- subtraction int int int


real real real

rand int rand int rand int

rand real rand real rand real

proc int proc int proc int

proc real proc real proc real

* multiplication int int int


real real real

int ph int ph int

ph int int ph int

real ph real ph real

ph real real ph real

rand int rand int rand int


proc int proc int proc int


/ (real) division real real real



& and bool bool bool

| or rand bool rand bool rand bool

proc bool proc bool proc bool

== equal int int bool

!= not equal bigint bigint bool

> greater real real bool

>= greater or equal rand int rand int rand bool

< smaller rand real rand real rand bool

<= smaller or equal proc int proc int proc bool

proc real proc real proc bool

Fig. 1. Operators and the types of their operands.

6

Original type Automatic Promotions Explicit Conversions

bool rand bool

int real, bigint, ph int

bigint real

real rand real int (trunc function)ph int rand int

ph real rand real

rand bool proc bool

rand int rand real, proc int

rand real proc real rand int (trunc function)proc int proc real

proc real proc int (trunc function)

Fig. 2. Automatic and explicit type conversion.

Operator Associativity

! - (unary minus) right to left* / left to right+ - left to right< <= > >= left to right== != left to right& left to right| left to right.. .. (range with step) none.. (range with no step) none: left to right

Fig. 3. Operator precedence, highest (top) to lowest (bottom), and associativity.

ph: a random variable with phase-type distribution, see Sect. 3.5.rand: a random variable with arbitrary distribution.proc: a variable that depends on the state of a stochastic process.

Finally, predefined formalism types can be used to define stochastic processesevolving over time, see Sect. 3.6.

SmArT provides predefined unary and binary operators to build expressions.Each operator requires particular types of operands, as shown in Fig. 1. A“type mismatch” error is issued if an operand is of the wrong type. The sameholds for an actual parameter in a function call. However, a value of a giventype might be automatically promoted to a different type as needed, accordingto Fig. 2. An explicit type conversion of the form type(expression) can alsobe used to force type promotions which would not otherwise happen auto-matically, for documenting automatic promotions, or for converting betweentypes. The allowed explicit conversions are shown in Fig. 2.

The usual precedence rules are used to obtain a nonambiguous interpreta-tion of the meaning of an expression such as x + y * z. Figure 3 shows theexact precedence and associativity of each operator (the range operators are

7

discussed in Sect. 3.3).

3.2 Function declarations

Objects in SmArT are functions, possibly recursive, that can be overloaded:

real pi := 3.14; // a function without arguments

bool close(real a, real b) := abs(a-b) < 0.00001;

int pow(int b, int e) := cond(e==1,b,b*pow(b,e-1));

real pow(real b, int e) := cond(e==1,b,b*pow(b,e-1));

In the above, functions abs (which returns the absolute value of its argument)and cond (which selects the second or third argument, based on the truthvalue of the first argument) are predefined by SmArT. Note that cond itself isan overloaded function.

Functions are called using either a positional parameter notation, or an Ada-like named parameter notation:

pow(5, 3); // type is int, prints 125

pow(0.5, 3); // type is real, prints 0.125

pow(e:=3, b:=5); // type is int, prints 125

pow(b:=0.5, e:=3); // type is real, prints 0.125

The named parameter notation is especially useful to avoid errors and improvereadability when a function has many parameters.

3.3 Arrays

Arrays are declared or defined using a for statement; their dimensionality isdetermined by the enclosing iterators. Since the indices along each dimensionbelong to a finite set, we can define arrays with real indices. For example,

for (int i in {1..5}, real r in {1..i..0.5}) {

real res[i][r]:= MyModel(i,r).out1;

}

fills array res with the value of measure out1 for the parametric modelMyModel, when the first input parameter, i, ranges from one to five and thesecond one, r, ranges from one to the value of the first parameter, with a stepof 1/2. Thus, note that res is not a “rectangular” array of values.

8

3.4 Fixed-point iterations

The approximate solution of a model is often based on a heuristic decomposi-tion, where (sub)models are solved in a fixed-point iteration [25]. This can bespecified with the converge statement:

# ConvergePrecision 1e-6

# ConvergePrecisionTest RELATIVE

converge {

real x guess 1.0;

real y guess 2.0;

real y := ModelA(x, y).measureY;

real x := ModelB(x, y).measureX;

}

A guess statement is a special definition statement that provides an initial“guess” for a variable defined within a converge statement; a guess statementhas no effect if the variable has already been assigned a value via the executionof a definition statement. The converge statement iterates by executing itsblock of statements until the subsequent values of the variables declared in itdiffer by less than ǫ, in either relative or absolute terms, from one iteration tothe next; the above example uses ǫ = 10−6 and relative difference. The valuesof the variables within a converge, x and y in our example, will either beupdated immediately or at the end of each iteration, depending on the optionUseCurrent (the default is to update immediately).

3.5 Random variables

SmArT can manipulate discrete and continuous phase-type distributions ofwhich the exponential (expo), geometric (geom), and non-negative integerconstants are special cases. SmArT knows when combining ph types producesanother ph type, i.e., it knows when phase-type distributions are closed undera particular operation:

ph int X := 2*geom(0.1);

ph int Y := equilikely(1,3); // Y = 1,2,3, each with prob. 1/3

ph int A := min(X,Y);

ph int B := 3*X+Y;

ph int C := choose(0.4:X,0.6:4*Y);

ph real x := expo(3.2);

ph real y := erlang(4,5);

ph real a := min(3*x,y);

Internally, SmArT uses an absorbing DTMC or CTMC to represent a ph int

9

9/10

1/101 0ph int X := 2*geom(0.1);

ph int Y := equilikely(1,3); 11 02/33 2 1/2

1/3 1/2

2 1

11,2 02/33,2 2,1 9/20

1/3 11/20

ph int A := min(X,Y);

Fig. 4. The internal phase-type representation in SmArT.

or ph real, respectively, as suggested in [26]: the random variable has distri-bution equal to the time until absorption of its Markov chain. These repre-sentations are actually built only if needed for a numerical computation. Forexample, if the expression avg(A) needs to be evaluated, SmArT builds theinternal representation of the DTMCs corresponding to X, Y, and A shownin Fig. 4, then computes the mean-time-to-absorption in the third DTMC,1.96667. The number of states in the representation of a phase-type obtainedthrough operators such as max and min can grow very rapidly.

Mixing ph int and ph real or performing operations not guaranteed to resultin a phase-type distribution forces SmArT to consider the resulting type asgenerally distributed. Assuming the ph int and ph real defined above:

rand int D := X-Y;

rand int F := X*Y;

rand real E := x+X;

Such general rand variables can be manipulated only via Monte Carlo sim-ulation (currently under development). SmArT does implement discrete-eventsimulation for models that contain such rand variables or the built-in rand

variables shown in Fig. 5.

To sample rand variables, SmArT employs a pseudo-random number gener-ator, and supports multiple, independent i.i.d. random streams; a differentstream is used for each separate event that requires the sampling of a randomvariable. SmArT users can specify the initial seed for the generator using theSimInitialSeed option, or use the default value.

3.6 Modeling formalisms

Components of a model are declared using formalism-specific types (e.g., theplaces of a Petri net). The model structure is specified by using formalism-specific functions (e.g., set the initial number of tokens in a place of a Petri

10

Generator Range Mean Variance

ph int bernoulli(p) x = 0, 1 p p(1 − p)ph int binomial(p,n) x = 0, 1, ..., n np np(1 − p)ph int equilikely(a,b) x = a, ..., b (a + b)/2 ((b−a+1)2−1)/12ph int geom(p) x = 1, 2, 3, ... 1/p 1/p2

ph int geom(p,n) x = n, 2n, 3n, ... n/p n2/p2

ph int mod geom(p) x = 0, 1, 2, ... (1 − p)/p 1/p2

ph int mod geom(p,n) x = 0, n, 2n, ... n(1 − p)/p n2/p2

rand int pascal(n,p) x = 0, 1, 2, ... n(1 − p)/p n(1 − p)/p2

rand int poisson(µ) x = 0, 1, 2, ... µ µph real expo(µ) x > 0 1/µ 1/µ2

ph real erlang(n,µ) x > 0 n/µ n/µ2

rand real unif(a,b) a < x < b (a + b)/2 (b − a)2/12rand real normal(µ,σ) all x µ σ2

rand real lognormal(a,b) x > 0 e(a+b2/2) (eb2 − 1)e(2a+b2)

rand real chisquare(n) x > 0 n 2nrand real student(n) all x 0 for n > 1 n/(n − 2) for n > 2

Fig. 5. Built-in discrete (ph int) and continuous (ph real) random variables.

net). Measures are user-defined functions that specify some constant quantityof interest (e.g., “the expected number of tokens in a given place in steady-state”, but not “the number of tokens in a given place”, which is randomvariable evolving over time), and are the only components accessible outsideof the model definition block.

The design of SmArT allows for relatively easy addition of model formalisms.Currently, the discrete–time Markov chain (dtmc), continuous–time Markovchain (ctmc), and stochastic Petri net (spn) formalisms are implemented.Note that the spn formalism is not restricted to exponentially–distributedtransitions, and the type of underlying stochastic process is determined bythe distributions specified for the transitions. For example, the model shownon the right of Fig. 6 is defined by the spn Net on the left of the same fig-ure, where place and trans are formalism-specific types; arcs, firing, andinit are (built-in) formalism-specific functions with return type void; tk isa formalism-specific function with type proc int that returns the number oftokens in the specified place (for the “current” state of the stochastic process);measures such as n s and speed are accessed outside the model using “.” no-tation. Since all firing time distributions are specified as expo, the underlyingprocess is automatically recognized to be a CTMC. The statements after themodel produce the output

n=1: 5 states, 8 arcs, throughput = 0.292547




E[tk(p5,..,p1)] = (0.265952,0.469362,0.264686,0.208963,0.525085)

where the measure calls cause SmArT to perform the appropriate analysis,

11

spn Net(int n) := {

place p5, p4, p3, p2, p1;

trans a, b, c, d, e;

arcs(p5:a,a:p4,a:p2,p4:c,c:p3,p3:b,

b:p4,p2:d,d:p1,p1:e,p3:e,e:p5);

firing(a:expo(1.1),b:expo(1.2),

c:expo(1.3),d:expo(1.4),e:expo(1.5));

init(p5:n);

bigint n_s := num_states(false);

bigint n_a := num_arcs(false);

real speed := avg_ss(rate(a));

real e1 := avg_ss(tk(p1));





};

for (int n in {1..4}) {

print("n=",n,": ",Net(n).n_s:2," states, ",

Net(n).n_a:3," arcs, throughput = ",Net(n).speed,"\n");

}

print("E[tk(p5,..,p1)] = (", Net(1).e5,",",

Net(1).e4,",", Net(1).e3,",",Net(1).e2,",", Net(1).e1,")\n");

a

p5

p4

p2

p3

p1

b c d

e

n

expo(1.1)

expo(1.2) expo(1.3) expo(1.4)

expo(1.5)

Fig. 6. SmArT input file for the Petri net on the right, and underlying CTMC (n=1).

steady-state solution of the underlying CTMC in this case. The five-stateCTMC for n=1 is shown at the bottom of the same figure: states are identifiedby the number of tokens in places p5, p4, p3, p2, and p1, in order, and arcs arelabeled with the rate of the transition responsible for each marking change. Forexample, the steady-state probability that p5 contains a token is the same asthe probability of occupying state (10000) in the CTMC, 0.265952; multiplyingit by the rate of transition a gives 0.2925472, the throughput of a, as shownin the print output.

3.7 Advanced modeling features

An important feature is the ability to define arrays of objects in a model. Forexample, consider a local-area network consisting of n workstations and onebus-like communication network, where each workstation i executes locally

12

ctmc Lan(int n, real l, real m, real d) := {

for (int i in {0..n-1}) {

state idle[i], busy[i]; // i counts workstations in backoff

}

init (idle[0]:1.0);


arcs(idle[i]:busy[i]:(n-i)*l, busy[i]:idle[i]:m);

}


arcs(idle[i]:busy[i-1]:i*d, busy[i-1]:busy[i]:(n-i)*l);

real aux[i] := prob_ss(in_state(idle[i])|in_state(busy[i]));

real a[i] := cond(i>1,a[i-1]+i*aux[i],aux[1]);

}

real p := prob_ss(in_state(idle[0])|in_state(busy[0]));

};

real m := 1.0; real d := 0.1; real l := 0.04;

for (int n in {2..20}) {

print("Prob[no backoff|n=",n,"]=",Lan(n,l,m,d).p,"\n");

print("Avg[backoff|n=",n,"]=",Lan(n,l,m,d).a[n-1],"\n");

}

nλ (n-1)λ (n-2)λ (n-3)λ2δ 3δδ

λ(n-1)δ

(n-1)λ (n-2)λ λ(n-3)λ

µ µ µ µ µ

idle[0] idle[2] idle[3]idle[1] idle[n-1]

busy[0] busy[1] busy[2] busy[3] busy[n-1]

Fig. 7. A CTMC model with a parametric number of states.

for an average amount of time 1/λ, then it attempts to access the network.If the network is not in use, workstation i is granted access and sends dataon the network for an average amount of time 1/µ. Otherwise, if some otherworkstation j is already using the network, i goes into a “backoff” state foran average amount of time 1/δ, then it attempts again to access the network.If the network is again busy (either because j is still using it, or becausesome other workstation k has gained access to it in the meantime), i waits foranother backoff period, and so on, until it is finally granted access to it.

Assuming that all times are exponentially distributed, we can model this sys-tem as a CTMC. Since n is unknown, our model is parametric in the numberof CTMC states; this is achieved by declaring arrays of type state (allowedonly within the DTMC and CTMC formalisms), as shown in Fig. 7, where wecompute the steady-state expectation of the number of workstations in thebackoff state and the probability that no workstation is in the backoff statefor µ = 1, δ = 0.1, λ = 0.04, and n = 2, 3, . . . , 20.

13

3.8 Efficiency considerations

One defining aspect of the SmArT language is its computation-on-demandoperational semantics. An input file is parsed and type-checked as it is read,but no computation takes places until it is required to perform an output.Thus, for example, an spn model M may define transient measures tm1 and tm2

and steady-state measures sm1 and sm2, but none of them will be computedwhen the model is parsed. An expression statement “M.sm1;” causes the spn tobe solved in steady-state and the value of M.sm1 to be computed and printed.However, a subsequent request to print M.sm2 should not require the steady-state solution of M again. Thus, SmArT employs a set of heuristics to decideappropriate grouping of measures. In our example, asking for either M.sm1 orM.sm2 would cause the computation of both, but not that of the transientquantities tm1 and tm2s, since these require a different type of solution.

A similar issue arises when a model is solved repeatedly with different param-eters. For example, the spn Net in Fig. 6 requires a new generation of thestate-space and of the underlying CTMC if repeatedly called with a differ-ent value of the parameter n. However, if it also had a parameter lambda forthe rate of transition a, only the underlying CTMC, but not the state space,would have to be recomputed. Thus, SmArT remembers the last set of param-eters and measures a model has been solved for, and recomputes only what isneeded when the same model is exercised again.

4 Logical solution engines

4.1 State-space generation and storage

The generation and storage of the state space of a model is a key component ofany state-space-based solution technique, and it is an integral part of modelchecking. SmArT implements a wide variety of techniques for building statespaces. There are explicit techniques that store each state individually andimplicit techniques that employ multiway decision diagrams to symbolicallystore sets of states. This is governed by the choice of the #StateStorage op-tion. Explicit algorithms, encompassing AVL and splay trees, and hash tables(option values AVL, SPLAY, HASHING), impose no restrictions on the model tobe applicable, but the algorithms require time and memory at least linear inthe number of reachable states. Symbolic algorithms, instead, require a par-

tition of the model to exploit the system structure, but are normally muchmore efficient.

14

A partition of the model into K submodels implies that its (global) state can bewritten as the concatenation of K (local) states. In particular, the partitionis Kronecker-consistent if the global model behavior can be expressed as aproduct of local behaviors for each submodel. For example, from a logicalpoint of view, an event in the model is (globally) enabled iff it is (locally)enabled in each of the K submodels while, from a stochastic point of view, its(global) rate must be obtainable by multiplying some reference rate with theproduct of K dimensionless values, the kth one depending only on the state ofthe kth submodel. SmArT automatically checks whether a partition specifiedby the user is Kronecker-consistent prior to attempting an analysis methodthat requires it (this check requires negligible time).

For Petri nets, a partition can be specified by directly assigning class indices(contiguous, strictly positive numbers) to places:

partition(2:p); partition(1:r); partition(1:t, 2:q, 1:s);

or by simply enumerating (without index information) the places in each class:partition(p:q, r:s:t);

In the latter case, the class indices are assigned automatically, in decreasingparsing order, thus the two examples shown have the same effect.

When a partition is not defined (or a good partition is not known), SmArT

provides an automatic partition heuristic, invoked as a model function withno parameters, bool reorder. This causes SmArT to first compute the finestKronecker-consistent partition. For a Petri net, this means partitioning theplaces so that (1) all marking-dependent arc cardinalities expressions dependon places in the same class as the place the arc is connected to, (2) all guardsare decomposable as a conjunction of boolean expressions, each depending onplaces in a single class, and (3) the input and output places of each immediatetransition (firing in zero time) belong to the same class. In particular, forordinary Petri nets with no immediate transitions, each place is assigned to adifferent class of the partition. Then, a genetic algorithm [27] is employed topermute the classes of the partition with the heuristic goal of minimizing thesum of the “spans” of each event in the model (the span of an event is themaximum distance between any two levels, or classes of the partition, affectedby the event). SmArT employs this static variable ordering throughout theexecution, since it does not implement dynamic variable reordering heuristics[28], which can be expensive. We observe that finding an optimal orderinghas been shown to be an NP-complete problem [29,30]. Several options areavailable to control the execution parameters of the genetic algorithm, suchas population size, number of generations, and mutation and crossover rates.

All symbolic approaches in SmArT use MDDs to encode sets of states. MDDsare a natural extension of the classic binary decision diagrams [31] to boolean

15

S4 = f0; 1; 2; 3gS3 = f0; 1; 2gS2 = f0; 1gS1 = f0; 1; 2g0 1 2 3

0 1 2 0 1 2

0 1 0 1 0 1

0 1 20 1 2 0 1 2

0 1 2

0 1

S = f1000; 1010; 1100;1110; 1210; 2000;2010; 2100; 2110;2210; 3010; 3110;3200; 3201; 3202;3210; 3211; 3212g10

Fig. 8. An MDD example for a system partitioned into K = 4 components.

functions of K multi-valued variables,

f : {0, . . . , nK − 1} × . . . × {0, . . . , n1 − 1} → {0, 1}.

In particular, we employ a quasi-reduced version of MDDs where arcs canonly connect nodes in adjacent levels. Given a partition of a model into Ksubmodels, the local state space of the kth submodel, Sk, can be generatedwith explicit methods. The resulting local states are indexed {0, . . . , nk − 1},for a finite value of nk = |Sk|, hence a set of global states can be encoded asan MDD over the domain SK × . . .×S1 = S, called the potential state-space.An example of an MDD encoding is shown in Fig. 8.

MDD-based algorithms are distinguished by the iteration strategy employedfor state-space exploration. One can choose a variant of breadth-first search(MDD LOCAL PREGEN), a locality-driven heuristics (MDD FORWARD PREGEN andMDD UPSTREAM PREGEN) [17], or a saturation approach (MDD SATURATION andMDD SATURATION PREGEN) [18]. A unique feature of symbolic approaches inSmArT is the use of a Kronecker encoding of the transition relation betweenstates. Unlike the BDD encoding of binary relations in traditional techniques,the Kronecker representation facilitates detecting and exploiting event locality,a property inherently present in all asynchronous systems.

The most efficient iteration strategy in SmArT is saturation, which exhaustivelyfires, in an MDD node at level k, all enabled events that affect only levels k andbelow, until the set encoded by the node reaches a fixed point. The strategyis applied in bottom-up fashion, thus each node is saturated only once afterall the nodes below it have already been saturated, resulting in enormousreductions in computation time. Since only saturated nodes are stored, thereis also a huge reduction in the peak storage requirements. Unlike traditionalapproaches, the peak and final number of nodes are often very close, and theoperation caches are much smaller.

There are two types of symbolic state-space generation approaches in SmArT:the “ PREGEN” ones explicitly generate the local state spaces in isolation a

priori, while the others intertwine (explicit) local and (symbolic) global state-space generation. The former are slightly more efficient, but can be applied

16

only when the submodels can be explored in isolation (i.e., ignoring the effectsof synchronizations between submodels) to obtain finite local state spaces. Thelatter, instead, free the user from worrying about the behavior of submodelsin isolation, and can be applied whenever the overall state-space is finite [19].

Several predefined functions in SmArT can be used to define measures thatrefer to the state space. For example, num states returns the size of the statespace and num arcs returns the number of arcs in the reachability graph (both,optionally, can print the states, or the arcs, as a side-effect), while reachable

returns the state space itself, for further manipulation (see Sect. 4.2).

Compared to other decision-diagrams-based tools, SmArT excels at state-spacegeneration for globally-asynchronous locally-synchronous systems, such as par-allel and distributed protocols, where event locality is pervasive. Fig. 9 showsthe SmArT input file describing the dining philosophers protocol (with dead-lock) and a table reporting the runtime and memory consumption for state-space generation. The model scales up to 10,000 philosophers, while requiringunder four megabytes of memory and six minutes of runtime to generate thestate space.

4.2 CTL model checking

Model checking targets the verification of temporal logic properties of discrete-state systems evolving in time. SmArT implements the branching time Com-

putation Tree Logic (CTL), widely used in practice due to its simple yet ex-pressive syntax [32]. In CTL, operators occur in pairs: the path quantifier,either A (on all future paths) or E (there exists a path), is followed by thetense operator, one of X (next), F (future, finally), G (globally, generally), andU (until). Their semantics are informally shown in Fig. 10, where system statesare depicted as the nodes of the trees and arcs represent transitions betweenstates, so that a node precedes in temporal order the nodes it can reach. Ineach case, the root node is labeled with a CTL formula it satisfies.

CTL model-checking queries are available in SmArT via model-dependent mea-sures with type stateset. Each stateset corresponds to a set of states, subsetof the potential states S = SK × SK−1 × · · · × S1, and is stored as an MDD.All MDDs for a given model instance are stored in one forest where MDDshare nodes for efficiency. All model-checking algorithms in SmArT use sym-bolic techniques (explicit model checking is not yet implemented), thus requirea model partition. A stateset can contain both reachable and unreachablestates; if desired, the unreachable states can be eliminated by performing anintersection with the state space S, which is specified in SmArT by the functionreachable.

17

spn phils(int N) := {

for (int i in {0..N-1}) {

place idle[i],waitL[i],waitR[i],hasL[i],hasR[i],fork[i];

partition(1+div(i,2):idle[i]:waitL[i]:waitR[i]);

partition(1+div(i,2)::hasL[i]:hasR[i]:fork[i]);

init(idle[i]:1, fork[i]:1);

trans Go[i], GetL[i], GetR[i], Stop[i];

firing(Go[i]:expo(1),GetL[i]:expo(1),

GetR[i]:expo(1),Stop[i]:expo(1));

}

for (int i in {0..N-1}) {

arcs(idle[i]:Go[i], Go[i]:waitL[i], Go[i]:waitR[i],

waitL[i]:GetL[i], waitR[i]:GetR[i],

fork[i]:GetL[i], fork[mod(i+1,N)]:GetR[i],

GetL[i]:hasL[i], GetR[i]:hasR[i],

hasL[i]:Stop[i], hasR[i]:Stop[i],

Stop[i]:idle[i], Stop[i]:fork[i], Stop[i]:fork[mod(i+1,N)]);

}

bigint n_s := num_states(false);

};

# StateStorage MDD_SATURATION

print("The model has ", phils(read_int("N")).n_s, " states.\n");

}

Number of States MDD Nodes bytes CPU

philosophers |S| Final Peak Final Peak sec

100 4.97 × 1062 197 246 30,732 38,376 0.041,000 9.18 × 10626 1,997 2,496 311,532 389,376 0.45

10,000 4.26 × 106269 19,997 24,496 3,119,532 3,821,376 314.13

Fig. 9. SmArT code and computational requirements for the dining philosophers.

Temporal logic formulae are defined by means of boolean operators and tem-poral logic connectors over the set of predicates. Since SmArT identifies aformula with the set of states that satisfy it, the operators are implemented asfunctions that handle objects of type stateset. Figure 11 lists the functionsavailable for this purpose, grouped into five categories:

Atom builders: nostates, initialstate, potential, reachable.Set operators: complement, union, intersection, difference, includes,eq, neq.

Temporal logic operators: the CTL operators EX, AX, EF, AF, EG, AG, EU,AU, their dual counterparts in the past, EXbar, AXbar, EFbar, AFbar, EGbar,AGbar, EUbar, AUbar, and other useful functions: prev, next, backward,forward, addprev, addnext.

Execution trace output: EFtrace, EGtrace EUtrace, dist.Utility functions: card, printset.

18

EXp EFp EGp E[pUq]

AXp AFp AGp A[pUq]

p holds q holdsLEGEND: don’t care

Fig. 10. The semantic of CTL operators.

Figure 11 uses the following notation: N : S → 2S is the next-state functionand N ∗=N 0∪N∪N 2∪· · · is its reflexive and transitive closure. P and Q arethe sets corresponding to p and q, respectively. Π(i) and Π(i) are the sets offorward and reverse evolution paths starting at state i, respectively, and πn isthe nth state on path π.

Past-CTL operators are supported in SmArT for convenience. While they donot increase the expressive power of CTL, they can result in (sometimes expo-nentially) more succinct equivalent representations of temporal logic formulae[33]. The forward and backward steps in the transition relation required forPast-CTL and CTL, respectively, are easily implemented in SmArT by simplyusing the Kronecker matrices encoding N , or their transpose, for N−1.

The counterexamples/witnesses feature allows the user to inspect executiontraces for debugging purposes. The computation of traces in SmArT is avail-able for the fixed-point existential-type CTL operators, EF, EU, and EG, forwhich SmArT employs several locality-based enhancements [20]. EF traces fullyexploit the saturation algorithm, in conjunction with either a specific type ofedge-valued decision diagrams (called EV+MDDs [34]), multi-terminal (or al-gebraic) decision diagrams, or simply forests of MDDs. These alternatives arecontrolled by option #TraceStorage. An approach that only partially exploitssaturation is available instead for EU, while EG traces are implemented usingtraditional breadth-first search, but still benefit from the Kronecker represen-tation of the transition relation and event locality. Since this task is com-putationally more expensive than the evaluation of the corresponding CTLexpressions, SmArT computes traces only upon request.

The example in Fig. 12 shows a generic way to check for deadlocks in a

19

SmArT function Semantic

stateset nostates ∅stateset initialstate {sinit}stateset potential(bool b) {i∈S : b(i)}, potential states where b holdsstateset reachable alias for forward(initialstate), i.e., Sstateset complement(p) S \ Pstateset union(p,q) P ∪Qstateset intersection(p,q) P ∩Qstateset difference(p,q) P \ Qbool includes(p,q) P ⊇ Qbool eq(p,q) P = Qbool neq(p,q) P 6= Qstateset EX(p) {i : ∃j∈N (i), j∈P}stateset AX(p) {i : ∀j∈N (i), j∈P}stateset EF(p) {i : ∃j∈N ∗(i), j∈P}stateset AF(p) {i : ∀π∈Π(i),∃n≥0, πn∈P}stateset EG(p) {i : ∃π∈Π(i),∀n≥0, πn∈P}stateset AG(p) {i : ∀j∈N ∗(i), j∈P}stateset EU(p,q) {i : ∃π∈Π(i),∃m≥0, πm∈Q ∧ ∀n<m, πn∈P}stateset AU(p,q) {i : ∀π∈Π(i),∃m≥0, πm∈Q ∧ ∀n<m, πn∈P}stateset EXbar(p) {j : ∃i∈P, j∈N (i)}stateset AXbar(p) {j : ∀i∈S, j∈N (i) ⇒ i∈P}stateset EFbar(p) {j : ∃i∈P, j∈N ∗(i)}stateset AFbar(p) {j : ∀π∈Π(j),∃n≥0, πn∈P}stateset EGbar(p) {j : ∃π∈Π(j),∀n≥0, πn∈P}stateset AGbar(p) {j : ∀i∈S, j∈N ∗(i) ⇒ i∈P}stateset EUbar(p,q) {j : ∃π∈Π(i),∃m≥0, πm∈Q ∧ ∀n<m, πn∈P}stateset AUbar(p,q) {j : ∀π∈Π(i),∃m≥0, πm∈Q ∧ ∀n<m, πn∈P}stateset prev(p) alias for EX(p), one step backwardstateset next(p) alias for EXbar(p), one step forwardstateset backward(p) alias for EF(p), backward reachabilitystateset forward(p) alias for EFbar(p), forward reachabilitystateset addprev(p) efficient alias for union(EX(p),p)stateset addnext(p) efficient alias for union(EXbar(p),p)bool EFtrace(p,q) find a witness for EF(q) starting from Pbool EGtrace(p,q) find a witness for EG(q) starting from Pbool EUtrace(p,q,r) find a witness for EU(q, r) starting from Pint dist(p,q) the length of the shortest path from P to Qbigint card(p) return |P|, the number of elements in Pbool printset(p) print up to MaxPrintedItems elements of P

Fig. 11. Model checking functions (parameters p, q, and r are of type stateset).

model. The stateset d contains all reachable states that have no successors:if it is not empty, MyModel.deadlock is true, and evaluating the expressionMyModel.dead causes all such states to be printed. It also shows how to definea stateset t, from which there is an infinite path (i.e., a path with cycles) ofstates in stateset p. Finally, the expression MyModel.trace can be used to

20

spn MyModel := {

...

stateset r := reachable;

stateset s := EX(potential(true)); // states with a successor

stateset d := difference(r,s); // reachable deadlock states

stateset p := potential(some_expression);

stateset t := EG(p); // infinite run of "p" states

bool deadlock := neq(d,nostates);

bool dead := printset(d);

bool trace := EGtrace(initialstate,p);

}

Fig. 12. CTL queries on a generic model.

generate a witness for such a cycle starting from an initial state.

5 Stochastic solution engines

5.1 Numerical analysis of Markov and non-Markov models

SmArT provides robust implementations of standard numerical solutions forMarkov models: power method and uniformization for transient analysis, iter-ative methods (Jacobi, Gauss-Seidel, SOR) for steady-state analysis. When allevent (transition firing) times are ph int, the underlying stochastic process isa DTMC, but on an expanded state space that encodes the distribution of theremaining firing time (the phase) of each enabled transition along with thestructural state (the marking, for spn models). The probabilistic evolution ofthe phases of each enabled transition is described by the Kronecker product

of the transition probability matrices of the absorbing DTMCs describing thecorresponding firing time distributions. Analogously, with ph real delays, theunderlying process is a CTMC and its evolution is described by the Kronecker

sum of the transition rate matrices of the absorbing CTMCs describing thefiring time distributions.

Mixing ph int and ph real timing delays in a model greatly complicatesmatters, but an spn model may still enjoy the Markov property if the phaseadvancements of the ph int transitions are synchronized [35]. With the re-maining firing time distributions already encoded in the state, the resultingstochastic process is semi-regenerative. As such, a single embedded DTMCarises separately from, but interacting with, many subordinate CTMCs cor-responding to ph real firings. Reducing this otherwise difficult problem toMarkov chain solutions allows it to be tackled efficiently using standard nu-merical methods. SmArT can compute steady-state measures of mixed ph mod-

21

els if it determines (automatically, while generating the state space) that theunderlying process is semi-regenerative [24].

For example, consider the spn Net in Fig. 6 with n=1 but with firing delaysfiring(a:expo(1.1), b:2, c:1, d:equilikely(1,2), e:expo(1.5));

so that both ph real and ph int firing delays are present. The phases oftransition b are taken from {2, 1, 0, •}, where “•” means that the transitionis disabled. Once enabled, b starts in phase 2, delays one unit of time, thenmoves to phase 1, where it delays again until phase 0, where it fires. Transitiond behaves similarly over the same set of phases except it starts either in phase1 or 2 with equal probability. The phase of expo transitions, one of {1, 0, •},does not need to be recorded: it is 1 if the transition is enabled, • if it isdisabled, and 0 only for the instantaneous amount of time just before firing.Transitions b and c can be enabled concurrently and asynchronously with d.However, these transitions are phase-synchronized : c and d become simulta-neously enabled when a fires and the alternation of the enablings of c and bpreserves the phase synchronization with respect to d. This is a unique featureof our class of synchronous spn models, which have an underlying stochasticsemi-regenerative process.

To solve a semi-regenerative process, SmArT first builds its embedded DTMC,by observing the state of the model after each ph int phase change, if at leastone such transition is enabled, or after each ph real phase change otherwise.Unlike ph int phase changes, which occur every unit of time, the time be-tween ph real phase changes is an expo random variable that depends onthe combined phase-change rate for all enabled ph real transitions, but itis unnecessary to explicitly record this time, thanks to the expo memorylessproperty. Fig. 13 shows the resulting embedded DTMC for Net(1) (with thefiring time distributions just mentioned). States are identified by the numberof tokens in p5, p4, p3, p2, and p1, followed by the phase of transitions b, c, andd. The graph of the DTMC shows that expo transitions can fire from any statethat enables them, while each enabled ph int transition must first go througha “phased delay,” until it reaches phase 0, when it immediately fires. The em-bedded state transitions require some more explanation: State (10000,•••),enables transition a and can be exited in two ways, each with probability 0.5,since the firing of a enables transition d, which starts its phased delay fromphase 2 or 1 with equal probability. The sojourn time of this embedded statehas the same distribution as the firing delay of transition a: expo(1.1). Otherstate transitions have probability one except for those associated with the pa-rameter α. These depend on whether the expo transition e fires before theph int transition b moves out of phase 1 or phase 2 in discrete time. As ph

int phase changes occur every time unit, we can compute α, the probabilitythat transition e does not fire in the interval [0, 1), by solving a two-statesubordinate CTMC that starts in state 1 to indicate that transition e is inphase 1 while delaying an expo(1.5) time before transitioning to phase 0 and

22

10000,••• 01010, •12 01010, •11 00110,2•1 00101,2••0.5

1.01−α

00101,1•• 01001,•1•

0.5 1.01.0

α1.0

α

1−α

Fig. 13. Embedded DTMC underlying the synchronous spn derived from Fig. 6.

firing. Such a small CTMC has an easy solution: α = e−1.5, or 0.77687. Sincethe embedded DTMC is irreducible and aperiodic, SmArT computes a uniquestationary probability vector, which, paired with the expected sojourn timesin each state obtained from the subordinate CTMCs, is used to compute mea-sures defined on the original semi-regenerative process. Our example producesthe output


n=1: E[tk(p5,..,p1)] = (0.282382,0.355228,0.36239,0.46593,0.251688)

SmArT also employs embedding with elimination [35,36]: Certain embeddedstates can be eliminated either when only ph int or only ph real transitionsare enabled, or when both types are enabled but the ph int transitions requirelong phase evolutions before firing. In such cases, the embedded states becomegood candidates for elimination when their effect on the defined measurescan just as easily be reformulated for inclusion within neighboring embeddedstates. In Fig. 13, state (00110,2•1) serves no purpose other than imposing a phint delay (no ph real delays and no transition firings). Thus, we can eliminateit and its transitions, bypass it with a new transition from (01010,•12) directlyto (00101,1••), still with probability one, set the sojourn time in (01010,•12)to 2 instead of 1, and, finally associate to state (01010,•12) any informationabout the eliminated state that is pertinent to the measures.

5.2 Discrete-event simulation

The evolution of the stochastic process underlying a model is simulated byscheduling the events activated in the current state. This is done by startingfrom an initial state at time zero and sampling (from the associated probabilitydistribution) the timestamp at which each newly-activated event is scheduledto occur. Each new event and its timestamp is inserted into a future eventlist. To ensure that events are executed in the correct chronological order,the event with the minimum timestamp is removed from this list and used tocompute the next state of the simulation.

The future event list is a priority queue that orders each item according toits timestamp. The data structure used for the priority queue can have asignificant effect on the simulation runtime. While removing an event (with

23

Method Removal Insertion Comments

LIST O(1) O(n) good choice for short event listsHENRIKSEN O(1) O(

√n) consistent performance

PAIRINGHEAP O(1) O(log n)SPLAY O(1) O(log n) often the best choice [37]CALENDAR O(1) O(1) poor with skewed distributions [38]BINOMIAL O(log n) O(1) can have erratic performance [39]

Fig. 14. Cost of removal (of the minimum) and insertion for each event list method.

minimum timestamp) is typically fast, the (amortized) complexity of insertinga new event depends on the data structure, the average size of the queue, andthe distribution of timestamps, since the priority queue must be somehowsearched to determine the correct position at which to insert the event. InSmArT, the data structure is selected with the SimEventListStorage option,whose possible values are shown in Fig. 14.

The simulation of a single sample path is a simulation run; multiple runsare required to obtain statistically significant results. SmArT users specify thenumber of runs with the SimRuns option, the width of the confidence intervalusing the SimWidth option, and the confidence level using the SimConfidence.Using the interrelationship of these three parameters in accord with the Cen-tral Limit Theorem, SmArT allows the user to fix any two out of the three,thereby establishing the stopping criterion for the simulation. Depending onthe purpose and method of the simulation study, each simulation run can bean appropriate portion of a single overall run (the method of batch means forsteady-state analysis) or a separate run (the method of replication for tran-sient analysis) starting from the initial state, along with a new seed for therandom number generator, and terminating at a given point in time or when aparticular condition is satisfied in the state. If there are multiple initial states(this can happen if the initial marking of the Petri net enables immediatetransitions), the initial state for each run is chosen based on a probabilitydensity function.

SmArT also implements a regenerative simulation method for steady-stateanalysis. In the synchronous example of the previous section, i.e., the spn

in Fig. 6 modified with the distributions resulting in the embedded DTMC ofFig. 13, we chose n=1 deliberately because the spn becomes asynchronous if nis greater than one: ph real transition a can enable ph int transition c whenph int transition d is already enabled, but at a time such that their phases areunsynchronized. Indeed, even with n=1, we can achieve asynchronous behaviorby changing the firing delay of transition b to ph real.

For asynchronous models, a separate clock is required in principle for each“group of synchronous phases,” but including these clocks within the state ofthe model results in a general state space Markov chain (GSSMC) with a con-tinuous state space (one can also think of a GSSMC as a precise mathematical

24

model of any discrete-event simulation when considering that the supplemen-tary clock readings are provided by the timestamps contained in the futureevent list). SmArT can recognize a class of asynchronous models that exhibit re-

generative regions on these continuous state spaces. For these models, SmArT

implements a novel regenerative simulation based on identifying hidden re-generative regions within the underlying GSSMC. The regenerative region isdefined by an appropriately extended state, which has enough information forthe simulation to identify regeneration times that occur at integral times. Thesampling of the continuous state space at unit intervals effectively decouplesthe consideration of the discrete component of the state space (markings andphases) from that of the continuous component (real clock reading correspond-ing to the time until the next phase change of each ph int transition, theseare the only non-memoryless aspect in the evolution of the GSSMC).

Identifying regeneration points, as a first step, requires fixing a state (mark-ing and phase) known to be visited infinitely many times with probabilityone; SmArT ensures this property through a trial run to find a candidate setof regenerative regions that are possible to visit. As a second step, SmArT

observes visits to a candidate regenerative region whose clock readings havea distinguished probability distribution, i.e., a probability distribution that isfixed across successive visits to the region and independent of the past. Then,each time the simulation of the GSSMC passes through the same distinguished

regenerative region, it will regenerate independently and identically with somepositive probability less than one [40]. Since regeneration is not certain eachtime the simulation visits a distinguished region, our technique allows the de-termination of an unfair coin toss with an appropriate probability of successthat correctly identifies the visits that can be considered times of regenera-tion (probabilistically speaking) [41]. Through a specialized data structure,the simulation algorithm is efficient and able to identify a broad variety ofpossible regenerative regions. A detailed discussion of the theory, algorithm,and application of this regenerative simulation method can be found in [35].

5.3 Kronecker encoding of the Markov chain matrix

For spn models where all transitions have expo distributions or are immedi-ate, SmArT provides advanced solution methods based on a Kronecker encod-ing of the transition rate matrix R of the underlying CTMC. These methodsare quite effective in reducing the memory requirements and, just like MDDmethods, they require a user-specified partition. Indeed, both MDD and Kro-necker techniques can be employed for the solution process, to store S and R,respectively. This allows SmArT to use probability vectors of size |S|, whichare then the only objects for which the memory requirements effectively limitthe applicability of a numerical solution technique.

25

The technique used to store the transition rate matrix R and the multi-plication algorithm used in the numerical iterations are specified with the#MarkovStorage option. Explicit SPARSE storage is the most general, and thedefault. However, when the model is partitioned into K submodels, SmArT

can use several types of compact structures to represent R, similar to the useof MDDs to encode the state space. In the Kronecker representation of R,each event requires a (small) nk × nk matrix for each submodel k, which istypically extremely sparse [21]. As described in [21], numerical solution us-ing a Kronecker representation can make use of either potential-sized (| S|) oractual-sized (|S|) solution vectors. In addition, both Jacobi-style iterations,based on efficient vector-matrix multiplication algorithms, and Gauss-Seidel-style iterations, which use a slightly slower access by-columns to the matrixbut provide faster convergence, can be used. All four combinations are avail-able in SmArT, by setting #MarkovStorage to either POTENTIAL KRONECKER orKRONECKER and setting option #Solver to either JACOBI or GAUSS SEIDEL.

Another compact representation for R available in SmArT is matrix diagrams

[15,22], which combine the idea of MDDs with that of Kronecker algebra. Ma-trix diagrams can be built from a Kronecker representation and then furthermanipulated as desired (e.g., to remove entries from unreachable states toreachable or unreachable states, which may occur with a Kronecker represen-tation). Alternatively, a matrix diagram can be built explicitly, similar to theconstruction of an explicit representation of R, by adding elements of R oneat a time to the matrix diagram. Many of the efficient Kronecker multiplica-tion algorithms [21] have been adapted for use with matrix diagrams [15,42].However, matrix diagrams allow the use of caching to improve matrix accessby columns, which can greatly reduce the computational overhead required byGauss-Seidel.

To illustrate the effectiveness of these efficient structures, we use a pollingserver model, similar to the ones described in [43], as an example. In thissystem, there are K sites, and M machines per site. Machines at site i failwith rate λi, and are repaired at rate µi when a technician is available at thesite to repair the machine. At most one technician will work on repairing afailed machine at a time. There are S technicians responsible for repairingthe machines at all sites. If there is no machine waiting for repairs at site(i+1) mod K, then an idle technician at site (i+1) mod K will move to site iwith rate γi; otherwise, an idle technician will immediately begin repairing oneof the failed machines. The SmArT input file for this model is shown in Fig. 15;it uses arrays of places and transitions, each with dimension K, with arrayelement i corresponding to site i. The model is partitioned into K submodels.

For this model, the Kronecker and matrix diagram representations are ableto exploit event locality quite well: transitions fail[i], repstay[i], andrepwalk[i] affect only submodel i, while the remaining transitions serve[i]

26

spn polling(int K, int M, int S) := {

for (int i in {0..K-1}) {

place up[i], down[i], busy[i], walk[i];

trans fail[i], repstay[i], repwalk[i], serve[i], skip[i];

partition(up[i]:down[i]:busy[i]:walk[i]);

init(up[i]:M);

}

init(walk[0]:S);

for (int i in {0..K-1}) {

firing( fail[i] : expo(lambda(i)*tk(up[i])),

repstay[i] : expo(mu(i)*max(tk(busy[i]),1)),

repwalk[i] : expo(mu(i)*max(tk(busy[i]),1)),

serve[i] : expo(gamma(i)*tk(walk[mod(i+1, K)])),

skip[i] : expo(gamma(i)*tk(walk[mod(i+1, K)]))

);

arcs( up[i]:fail[i], fail[i]:down[i], repstay[i]:up[i],

down[i]:repstay[i]:tk(busy[i])+1, busy[i]:repstay[i],

repstay[i]:down[i]:tk(busy[i]), repstay[i]:busy[i],

down[i]:repwalk[i], busy[i]:repwalk[i],

repwalk[i]:walk[i], repwalk[i]:up[i],

walk[mod(i+1, K)]:serve[i], down[i]:serve[i]:tk(busy[i])+1,

serve[i]:busy[i], serve[i]:down[i]:tk(busy[i])+1,

walk[mod(i+1, K)]:skip[i], skip[i]:walk[i]

);

inhibit( down[i]:repwalk[i]:tk(busy[i])+1,

down[i]:skip[i]:tk(busy[i])+1

);

real avgbusy[i] := avg_ss(tk(busy[i]));

real avgdown[i] := avg_ss(tk(down[i]));

}

}

Fig. 15. Polling system with K sites, M machines per site, S servers.

and skip[i] affect only submodels i and (i + 1) mod K. When a transition tdoes not affect a given submodel j, the corresponding Kronecker matrix is anidentity; this property can be exploited to further reduce storage requirementsand improve numerical solution speed [21].

Memory requirements for the polling system are shown in Fig. 16. The num-ber of states |S| and of nonzero entries η(R), also shown in the figure, growrapidly with K, M , and S. Explicit sparse storage requires 8 · (|S| + η(R))bytes; this quickly exceeds the memory available on a modern workstation.In contrast, the matrix diagram and Kronecker representations are extremelycompact. For this particular model, matrix diagrams are better able to exploitcommon structure (by automatically merging common behavior of transitionsserve[i] and skip[i]), resulting in a somewhat more compact encoding than

27

States Nonzeros Matr. diagram Kronecker Sparse

M, S |S| η(R) bytes bytes bytes

5, 5 6.45 × 105 4.25 × 106 12,240 25,540 39,148,9286, 6 2.56 × 106 1.80 × 107 18,428 39,908 164,761,8887, 7 8.64 × 106 6.43 × 107 26,462 58,884 583,885,1208, 8 2.58 × 107 2.00 × 108 36,610 83,108 1,809,202,9289, 9 6.95 × 107 5.60 × 108 49,128 113,220 5,032,246,75210, 9 1.07 × 108 8.66 × 108 55,548 129,540 7,784,422,464

Fig. 16. Memory usage for R, for the polling system with K = 4.

the Kronecker representation.

Timing results for the numerical solution of the polling model in SmArT arein Fig. 17, which reports the number of iterations required and the time re-quired for each iteration, in seconds, for the Gauss-Seidel and Jacobi-with-over-relaxation methods (columns GS and JOR, respectively). Experimentswere run on a 933 Mhz Pentium III workstation with 512MB of RAM. Asdiscussed in [21], there is a memory/time trade-off when employing a Kro-necker encoding of the transition rate matrices: the Gauss-Seidel method usesless memory (one single-precision solution vector) and converges in fewer iter-ations, but requires more time per iteration because it must use an algorithmto multiply a vector by a single matrix column; the Jacobi method (in thiscase, using a relaxation parameter ω = 0.95) can use a more efficient matrix-vector multiplication algorithm, but requires more iterations for convergenceand more memory (one single-precision solution vector and a double-precisionaccumulator vector). The same is true for matrix diagrams, but the differ-ence in the iteration times between Gauss-Seidel and Jacobi is less dramatic.Double-precision solution vectors can be used when memory permits, by set-ting the option #SolutionVector appropriately. From the columns showingthe time per iteration, we can conclude that the time overhead imposed by theKronecker approach is smallest when using matrix diagrams. Also, for Jacobi,the iteration times required by matrix diagrams is close to that required bysparse storage (when a comparison is possible). Finally, the ordinary sparsestorage implementation is quite efficient, but only as long as the entries of thetransition rate matrix can all fit in main memory, thus it is not competitivefor large models (a “—” indicates that the model could not be solved due toexcessive memory requirements). Using a matrix diagram or Kronecker repre-sentation, SmArT can solve models having over one order of magnitude morestates than with traditional sparse-storage approaches.

5.4 Approximations

The use of MDDs for S and a Kronecker encoding for R allow us to compactlyrepresent enormous CTMCs. For numerical solution, the only remaining mem-

28

Matrix diagram Kronecker Sparse

M, S GS JOR GS JOR GS JOR

its sec its sec its sec its sec its sec its sec

5, 5 67 0.7 200 0.3 67 2.6 200 0.5 67 0.2 200 0.26, 6 79 3.0 236 1.2 79 10.6 236 2.0 79 1.0 236 1.07, 7 90 11.3 272 4.2 90 37.5 272 6.9 — — — —8, 8 102 35.3 307 13.1 102 114.0 307 21.0 — — — —9, 9 113 105.9 — — 113 321.0 — — — — — —10, 9 139 163.1 — — 139 506.6 — — — — — —

Fig. 17. Iteration times for the polling system, with K = 4.

Local states Sk

0:upk

1:downk

2:upk,walkk

3:downk,walkk

4:downk, busyk

MDD for S0 1 2 3 4

0 10 1 2 3 4

0 10 1 2 3 4

0 12 3 4

1

2

3

5

7

4

6

8

Level 4 CTMC

2:0 2:1 2:2 2:3 2:4�4 4 4 �4

1 � ��4 1 � �

Level 3 CTMC

3:0 3:1 3:2 3:3 3:4�3 3 �3 3 �3

4:0 4:1�3

γ4 · βγ4 · β

r43 r43r34 r34

Fig. 18. Aggregations for the polling system, with K = 4, M = 1, S = 1.

ory bottleneck is the solution vector. When S is too large, the solution vectoralone requires excessive memory and other techniques, such as discrete-eventsimulation or approximations, must be used.

Currently, SmArT provides a novel approximation technique [44] for station-ary analysis of models with an underlying structured CTMC which can stillrely on complete knowledge of S and R, thanks to their extremely compactencodings. The set of states encoded by an MDD corresponds to the pathsthrough the MDD that start at the root and reach terminal node 1. Thus, eachreachable state corresponds to a path in the MDD and vice-versa. The approx-imation used by SmArT makes a single simplifying assumption: a probabilityis associated with each pointer in the MDD encoding S, and it is assumedthat the product of probabilities along a given path is equal to the stationaryprobability for the state corresponding to that path.

This idea is illustrated using the polling model. Figure 18 shows the local statespaces Sk (which are the same for all k) and the overall MDD representing S,when K = 4, M = 1, and S = 1. Local states are indexed, and local states2, 3, and 4 correspond to having the technician on site; the MDD encodes allstates where exactly one submodel is in local state 2, 3, or 4.

29

To determine the probability for each pointer, a CTMC is built and solved ateach level, where the level-k CTMC is an aggregation of the complete CTMC:all states whose path contains a given level-k pointer are grouped togetherinto a state of the level-k CTMC. The rates of transition between aggregatescan be determined exactly for transitions that affect only submodel k; forthe others, the simplifying assumption is applied, so that the transition ratescan be obtained using the Kronecker structure for R and the probabilitiescomputed for the other levels.

For the polling model, the aggregated CTMCs for level 4 and level 3 are shownin Fig. 18. Each CTMC state corresponds to a pointer in the MDD shown andis labeled with a pair n:p, where n is the MDD node index and p is the pointerindex within node n. Local events correspond to the transitions labeled withrates λk (machine failure, local state change from 0 to 1 or 2 to 3), µk (machinerepair, local state change from 4 to 2), and γk (departure of the technician,local state change from 2 to 0 or 3 to 1). In addition, there are transitions due tosynchronizations between submodels. In the level-4 CTMC, transitions labeledwith rate γ1 ·α correspond to the arrival of the technician from site 1; this canonly occur when the technician is departing from site 1, and thus the rate isadjusted by α which equals the probability that submodel 1 is in local state 2 or3. Note that α is determined from the solution of the level-1 CTMC. Similarly,in the level-3 CTMC, the arrival of the technician at site 3 is synchronizedwith the departure of the technician from site 4, producing the transitionslabeled with rate γ4 · β, with β equal to the probability that submodel 4 isin local state 2 or 3. Finally, “change in node” transitions are possible in thelevel-k CTMC due to transitions in levels k + 1 and above, according to theMDD structure. For example, in the level-3 CTMC, transitions from 4:p to 3:poccur with rate r43 equal to the rate of transition from states {2:2, 2:3, 2:4} to{2:0, 2:1} in the level-4 CTMC, since, within node 2 of the MDD, pointers 2,3, and 4 are to node 4, while pointers 0 and 1 are to node 3.

The rates of each aggregated CTMC may depend on probabilities computedfor the aggregations at other levels. Thus, fixed-point iterations are used tobreak cyclic dependencies. The solution vector for level k of the previous iter-ation is used as the initial vector for the current iteration; as the fixed-pointiterations converge, the number of iterations required for numerical solution oflevel k will decrease. The approximation is complete when numerical solutionrequires only one iteration at each level. Performance measures are computedusing the simplifying assumption. The results can be quite accurate, oftenwithin a few percent of the measures computed using an exact solution, butrequiring only a fraction of the time and memory. For the polling model,Fig. 19 shows the relative error (when an exact comparison is possible) forthe measures avgbusy[i] and avgdown[i]. The CPU time required by theapproximation is also shown. Of course, the approximation can handle muchlarger models than the exact solution.

30

M, S |S| Worst avgbusy[i] Worst avgdown[i] CPU

5, 5 6.45 × 105 +1.01% −2.32% 0.016, 6 2.56 × 106 +0.92% −2.24% 1.887, 7 8.64 × 106 +0.84% −2.14% 2.648, 8 2.58 × 107 +0.77% −2.04% 3.819, 9 6.95 × 107 +0.71% −1.94% 5.43

10, 9 1.07 × 108 +0.92% −2.54% 6.1125, 25 9.06 × 1011 — — 178.8050, 50 1.04 × 1015 — — 3,231.06

Fig. 19. Approximation results for the polling system (K = 4).

6 Conclusions and future directions

We have presented the main features of SmArT, a software tool for the logicaland stochastic modeling of discrete-state systems. One of its goals is being ableto solve truly large models, as this is needed to tackle practical systems. Thedata structures and solution algorithms implemented in SmArT reflect years ofresearch advancements, and are the means to make progress toward this goal.The SmArT User Manual, examples, related publications, and instructions onobtaining a copy are available at http://www.cs.ucr.edu/~ciardo/SMART/.

Nevertheless, much work is still required, in both research and implementa-tion. A tighter integration of the logical and stochastic analysis capabilitiesof SmArT is desirable, e.g., Continuous Stochastic Logic (CSL) [45] or PCTL[46]. Research items on our “to-do list” have been mentioned throughout thepaper. Implementation items include the spin-off of libraries for some of themost advanced functionalities, in order to make them available to the re-search community, and the creation of a model database which will containboth benchmark-type and realistic modeling examples, along with a detaileddescription, sample SmArT input code, and resource requirements.

References

[1] A. Cimatti, E. M. Clarke, F. Giunchiglia, M. Roveri, NUSMV: A new symbolicmodel checker, Software Tools for Technology Transfer 2 (4) (2000) 410–425.

[2] G. J. Holzmann, The SPIN Model Checker, Addison-Wesley, 2003.

[3] J. Couvillion, R. Freire, R. Johnson, W. D. O. II, M. A. Qureshi, M. Rai, W. H.Sanders, J. E. Tvedt, Performability modeling with UltraSAN, IEEE Software(1991) 69–80.

[4] D. D. Deavours, G. Clark, T. Courtney, D. Daly, S. Derisavi, J. M. Doyle, W. H.Sanders, P. G. Webster, The Mobius framework and its implementation, IEEETrans. Softw. Eng. (2002) 956–969.

31

[5] M. Z. Kwiatkowska, G. Norman, D. Parker, Probabilistic symbolic modelchecking with PRISM: a hybrid approach, Software Tools for TechnologyTransfer 6 (2) (2004) 128–142.

[6] H. Hermanns, J.-P. Katoen, J. Meyer-Kayser, M. Siegle, A tool for modelchecking Markov chains, Software Tools for Technology Transfer 4 (2) (2003)153–172.

[7] S. Yovine, Model checking timed automata, in: European Educational Forum:School on Embedded Systems, LNCS 1494, Springer-Verlag, London, UK, 1996,pp. 114–152.

[8] G. Behrmann, A. David, K. G. Larsen, A tutorial on UPPAAL, in: FormalMethods for the Design of Real-Time Systems, International School on FormalMethods for the Design of Computer, Communication and Software Systems(SFM-RT 2004), 2004, pp. 200–236.

[9] R. Siminiceanu, G. Ciardo, Formal verification of the NASA Runway SafetyMonitor, in: M. Huth (Ed.), Electronic Notes in Theoretical Computer Science,Proc. Fourth International Workshop on Automated Verification of CriticalSystems (AVoCS’04), London, UK, 2004.

[10] T. Murata, Petri nets: properties, analysis and applications, Proc. of the IEEE77 (4) (1989) 541–579.

[11] G. Ciardo, A. S. Miner, Storage alternatives for large structured state spaces, in:R. Marie, B. Plateau, M. Calzarossa, G. Rubino (Eds.), Proc. 9th Int. Conf. onModelling Techniques and Tools for Computer Performance Evaluation, LNCS1245, Springer-Verlag, St. Malo, France, 1997, pp. 44–57.

[12] T. Kam, T. Villa, R. Brayton, A. Sangiovanni-Vincentelli, Multi-valued decisiondiagrams: theory and applications, Multiple-Valued Logic 4 (1–2) (1998) 9–62.

[13] A. S. Miner, G. Ciardo, Efficient reachability set generation and storageusing decision diagrams, in: H. Kleijn, S. Donatelli (Eds.), Proc. 20th Int.Conf. on Applications and Theory of Petri Nets, LNCS 1639, Springer-Verlag,Williamsburg, VA, USA, 1999, pp. 6–25.

[14] J. W. Brewer, Kronecker products and matrix calculus in system theory, IEEETrans. Circ. and Syst. CAS-25 (1978) 772–781.

[15] G. Ciardo, A. S. Miner, A data structure for the efficient Kronecker solutionof GSPNs, in: P. Buchholz (Ed.), Proc. 8th Int. Workshop on Petri Nets andPerformance Models (PNPM’99), IEEE Comp. Soc. Press, Zaragoza, Spain,1999, pp. 22–31.

[16] A. S. Miner, Implicit GSPN reachability set generation using decision diagrams,Perf. Eval. 56 (1-4) (2004) 145–165.

[17] G. Ciardo, G. Luettgen, R. Siminiceanu, Efficient symbolic state-spaceconstruction for asynchronous systems, in: M. Nielsen, D. Simpson (Eds.), Proc.21th Int. Conf. on Applications and Theory of Petri Nets, LNCS 1825, Springer-Verlag, Aarhus, Denmark, 2000, pp. 103–122.

32

[18] G. Ciardo, G. Luettgen, R. Siminiceanu, Saturation: An efficient iterationstrategy for symbolic state space generation, in: T. Margaria, W. Yi (Eds.),Proc. Tools and Algorithms for the Construction and Analysis of Systems(TACAS), LNCS 2031, Springer-Verlag, Genova, Italy, 2001, pp. 328–342.

[19] G. Ciardo, R. Marmorstein, R. Siminiceanu, Saturation unbound, in:H. Garavel, J. Hatcliff (Eds.), Proc. Tools and Algorithms for the Constructionand Analysis of Systems (TACAS), LNCS 2619, Springer-Verlag, Warsaw,Poland, 2003, pp. 379–393.

[20] G. Ciardo, R. Siminiceanu, Structural symbolic CTL model checking ofasynchronous systems, in: W. Hunt, Jr., F. Somenzi (Eds.), Computer AidedVerification (CAV’03), LNCS 2725, Springer-Verlag, Boulder, CO, USA, 2003,pp. 40–53.

[21] P. Buchholz, G. Ciardo, S. Donatelli, P. Kemper, Complexity of memory-efficient Kronecker operations with applications to the solution of Markovmodels, INFORMS J. Comp. 12 (3) (2000) 203–222.

[22] A. S. Miner, Efficient solution of GSPNs using canonical matrix diagrams, in:R. German, B. Haverkort (Eds.), Proc. 9th Int. Workshop on Petri Nets andPerformance Models (PNPM’01), IEEE Comp. Soc. Press, Aachen, Germany,2001, pp. 101–110.

[23] G. Ciardo, R. German, C. Lindemann, A characterization of the stochasticprocess underlying a stochastic Petri net, IEEE Trans. Softw. Eng. 20 (7) (1994)506–515.

[24] R. L. Jones, G. Ciardo, On phased delay stochastic Petri nets: Definition andan application, in: R. German, B. Haverkort (Eds.), Proc. 9th Int. Workshopon Petri Nets and Performance Models (PNPM’01), IEEE Comp. Soc. Press,Aachen, Germany, 2001, pp. 165–174.

[25] G. Ciardo, K. S. Trivedi, A decomposition approach for stochastic reward netmodels, Perf. Eval. 18 (1) (1993) 37–59.

[26] M. F. Neuts, Matrix-geometric Solutions in Stochastic Models, Johns HopkinsUniversity Press, Baltimore, MD, 1981.

[27] Z. Michalewicz, Genetic Algorithms + Data Structures = Evolution Programs,Springer-Verlag, 1996.

[28] R. Rudell, Dynamic variable ordering for ordered binary decision diagrams, in:Int. Conference on CAD, 1993, pp. 139–144.

[29] R. E. Bryant, Symbolic boolean manipulation with ordered binary-decisiondiagrams, ACM Comp. Surv. 24 (3) (1992) 293–318.

[30] B. Bollig, I. Wegener, Improving the variable ordering of OBDDs is NP-complete, IEEE Trans. Comp. 45 (9) (1996) 993–1002.

[31] R. E. Bryant, Graph-based algorithms for boolean function manipulation, IEEETrans. Comp. 35 (8) (1986) 677–691.

33

[32] E. M. Clarke, E. A. Emerson, Design and synthesis of synchronization skeletonsusing branching time temporal logic, in: Proc. IBM Workshop on Logics ofPrograms, LNCS 131, Springer-Verlag, 1981, pp. 52–71.

[33] F. Laroussinie, P. Schnoebelen, Specification in CTL+Past for verification inCTL, Information and Computation 156 (1/2) (2000) 236–263.

[34] G. Ciardo, R. Siminiceanu, Using edge-valued decision diagrams for symbolicgeneration of shortest paths, in: M. D. Aagaard, J. W. O’Leary (Eds.), Proc.Fourth International Conference on Formal Methods in Computer-Aided Design(FMCAD), LNCS 2517, Springer-Verlag, Portland, OR, USA, 2002, pp. 256–273.

[35] R. L. Jones, Simulation and Numerical Solution of Stochastic Petri Nets withDiscrete and Continuous Timing, Ph.D. thesis, College of William and Mary,Williamsburg, VA (2002).

[36] R. L. Jones, Analysis of phase-type stochastic Petri nets with discrete andcontinuous timing, Tech. Rep. CR-2000-210296, NASA Langley ResearchCenter, Hampton, VA (Jun. 2000).

[37] Sleator, Tarjan, Self-adjusting binary search trees, J. ACM 32 (3) (1985) 652–686.

[38] R. Brown, Calendar queues: a fast O(1) priority queue implementation for thesimulation event set problem, Communications of the ACM 31 (10) (1988) 1220–1227.

[39] M. R. Brown, Implementation and analysis of binomial queue algorithms, SIAMJournal on Computing 7 (1978) 298–319.

[40] S. G. Henderson, P. W. Glynn, Regenerative steady-state simulation of discrete-event systems, ACM TOMACS 11 (4).

[41] R. L. Jones, G. Ciardo, Regenerative simulation of stochastic Petri nets withdiscrete and continuous timing, in: Proc. Sixth Int. Workshop on PerformabilityModeling of Computer and Communication Systems (PMCCS-6), Monticello,IL, USA, 2003, pp. 23–26.

[42] A. S. Miner, Computing response time distributions using stochastic Petri netsand matrix diagrams, in: G. Ciardo, W. H. Sanders (Eds.), Proc. 10th Int.Workshop on Petri Nets and Performance Models (PNPM’03), IEEE Comp.Soc. Press, Urbana-Champaign, IL, USA, 2003, pp. 10–19.

[43] M. Ajmone Marsan, S. Donatelli, F. Neri, A. Scalia, Approximate GSPNanalysis of multiserver polling systems, in: Proc. Int. Conference onTelecommunication, Distribution and Parallelism (TDP’96), La Londe LesMaures, France, 1996.

[44] A. S. Miner, G. Ciardo, S. Donatelli, Using the exact state space of a Markovmodel to compute approximate stationary measures, in: J. Kurose, P. Nain(Eds.), Proc. ACM SIGMETRICS, ACM Press, Santa Clara, CA, 2000, pp.207–216.

34

[45] C. Baier, B. Haverkort, H. Hermanns, J.-P. Katoen, Model checking algorithmsfor continuous-time Markov chains, IEEE Trans. Softw. Eng. 29 (6) (2003) 524–541.

[46] H. Hansson, B. Jonsson, A logic for reasoning about time and reliability, FormalAspects of Computing 6 (5) (1994) 512–535.

A SmArT Language BNF

A SmArT file can contain elements that are not properly part of the language,but are instead managed by its preprocessor:

• Single-line comments (characters from a “//” until the end of the line) orbracketed comments (characters from a “/*” until the first “*/”, possiblyspanning multiple lines) are simply ignored.

• A “# include” directive instructs SmArT to start reading from a differentfile, until that file ends, then continue reading from the current file (nested #

include directives are allowed, as long as there are no circular inclusions).

The following description of the SmArT Language assumes that such commentsand directives have been processed and eliminated, and uses the standard BNFconventions: X ⇒ Y means that the syntax for X is given by Y; X || Y meansone occurrence of either X or Y; slanted font represents nonterminal symbols tobe further defined; typewriter font represent terminal symbols, which mustappear literally. The starting symbol for the SmArT language is statements.

Statements ⇒ Statements Statement || Statement

Statement ⇒ for ( Iterators ) { Statements } || converge { Statements }|| DeclarationStatement || DefinitionStatement || ModelDefinitionStatement

|| ExpressionStatement || OptionStatement

Iterators ⇒ Iterators , Iterator || Iterator

Iterator ⇒ Type Id in SetExpr

SetExpr ⇒ { SetElements }SetElements ⇒ SetElements , SetElement || SetElement

SetElement ⇒ Expr || Expr .. Expr || Expr .. Expr .. Expr

DeclarationStatement ⇒ Type Id ( FormalParms ) ;

|| Type Id FormalIndices ; || Type Id guess Expr ;

|| Type Id FormalIndices guess Expr ;

DefinitionStatement ⇒ Type Id := Expr ;

|| Type Id ( FormalParms ) := Expr ; || Type Id FormalIndices := Expr ;

FormalParms ⇒ FormalParms , FormalParm || FormalParm

FormalParm ⇒ Type Id || Type Id := Expr

FormalIndices ⇒ FormalIndices [ Id ] || [ Id ]

35

ModelDefinitionStatement ⇒ ModelType Id := { ModelStatements } ;

|| ModelType Id ( FormalParms ) := { ModelStatements } ;

ModelStatements ⇒ ModelStatements ModelStatement || ModelStatement

ModelStatement ⇒ for ( Iterators ) { ModelStatements }|| LocalDeclarations || ExpressionStatement || DefinitionStatement

LocalDeclarations ⇒ Type LocalIds ;

LocalIds ⇒ LocalIds , LocalId || LocalId

LocalId ⇒ Id || Id FormalIndices

Expr ⇒ null || Value || FunctionCall || MeasureCall || ( Expr )

|| Expr + Expr || Expr - Expr || Expr * Expr || Expr / Expr || Expr | Expr

|| Expr & Expr || ! Expr || - Expr || Expr == Expr || Expr != Expr

|| Expr > Expr || Expr >= Expr || Expr < Expr || Expr <= Expr || Expr : Expr

|| Type ( Expr )

Value ⇒ BooleanValue || IntegerValue || RealValue || StringValue

FunctionCall ⇒ Id || Id ActualIndices || Id ( ActualParms )

ActualIndices ⇒ ActualIndices [ Expr ] || [ Expr ]

ActualParms ⇒ PositionalParms || NamedParms

PositionalParms ⇒ PositionalParms , PositionalParm || PositionalParm

PositionalParm ⇒ Expr || defaultNamedParms ⇒ NamedParms , NamedParm || NamedParm

NamedParm ⇒ Id := Expr || Id := default

MeasureCall ⇒ ModelCall . Measure

ModelCall ⇒ Id || Id ( ActualParms )

Measure ⇒ Id || Id ActualIndices

ExpressionStatement ⇒ Expr ;

OptionStatement ⇒ # Id Value

The syntax for an IntegerValue, RealValue, or StringValue is as in ANSI C. Inparticular, a string must be enclosed in quotes “"” and the backslash character“\” must be used to “escape” special characters for inclusion in the string, asin \n (newline), \t (tab), \q (a quote), and \\ (a backslash).

36

logic and stochastic modeling with smartweb.cs.iastate.edu/~ciardo/pubs/2006peva-smart.pdf ·...

Documents