New features in CPN-AMI 3: focusing on the analysis of complex distributed systems

A. Hamez, L. Hillah, F. Kordon, A. Linard, E. Paviot-Adet, X. Renault and Y. Thierry-Mieg
LIP6, Université Pierre & Marie Curie, 4 place Jussieu, 75252 Paris cedex 05, France
cpn-ami@lip6.fr, http://www.lip6.fr/cpn-ami

Due to the state-space explosion problem, behavioral analysis techniques are difficult to scale up to industrial-size problems. Our group couples research on analysis tools with reflection on modeling and software engineering techniques.

CPN-AMI is an integrated development and analysis environment dedicated to Petri nets. The numerous services it offers are built by a homogeneous integration of tools developed internally and third-party tools from partner universities. These tools include state-of-the-art algorithms and data structures. This third major release offers better support for modeling and analysis of very large systems.

New features in CPN-AMI 3

This paper briefly presents the new features in CPN-AMI 3. PetriScript responds to a need to program flexible and compositional Petri nets. A symbolic model checker transparently uses symmetries to tackle larger systems. A symbolic unfolder computes structural properties (such as boundedness) without state-space exploration. Prototype support for PNML enables connection with other Petri net tools.

The PetriScript language

PetriScript [5] has been designed to ease the assembly and parametrization of Petri net modules. PetriScript makes it possible to construct large models and test them in various configurations, using a compositional bottom-up approach: the behaviors of small components may be modeled separately, then assembled according to a certain configuration, prior to running analysis tools. We successfully applied this approach to model and analyse PolyORB [7], and this tool captures usage patterns identified in that case study.
PetriScript's main purpose is to automate modeling operations such as merging or connecting places and transitions. To do so, it provides classical control instructions such as tests, loops, ..., as well as a macro system to parameterize Petri nets.

Supported operations on Petri net objects are: creation, modification, connection, deletion and fusion of nodes. Creation and connection operations, combined with control instructions, are of particular interest when creating repeated patterns; fusion operators are useful when assembling patterns and/or modules.

The fusion operation can merge either single nodes or lists of nodes. Lists are built by adding nodes one by one, or by using regular expressions on the attributes of Petri net objects. For example, you can insert into a list all places having a color domain equal to color*. So, by using an appropriate naming scheme and PetriScript, it is very easy to automate the construction and assembly of Petri nets.

Model checking on the symbolic reachability graph

This model-checking service exploits symmetries so that verification scales better. The principle is to construct an aggregated state-space graph (the "symbolic reachability graph", SRG), where nodes represent equivalence classes of states. Depending on how permissive the equivalence relation is, SRG nodes may represent an exponential number of "concrete" states, which allows verification to scale up to industrial-size examples.

Distributed systems frequently contain repeated component instances that differ only by their identity. Typical examples are processes executing the same code but having different pids or memory addresses. Another example is large value domains, obtained by discretization of continuous system variables (e.g. altitude), of which only a few values are critical for control ("never open landing gear above Max feet").
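The aggregation of states that differ only by process identity, as an added example that is not from the paper and is not CPN-AMI's algorithm. The mutual-exclusion model and all names are constructed for illustration, and the quotient is built by sorting local states into a canonical representative, a simpler technique than the symbolic markings an SRG uses.

```python
from collections import deque

# Constructed model: n identical processes sharing one critical section.
IDLE, WAIT, CRIT = "idle", "wait", "crit"

def successors(state):
    """Concrete transitions; every process runs the same code."""
    for i, local in enumerate(state):
        if local == IDLE:
            nxt = WAIT
        elif local == WAIT and CRIT not in state:
            nxt = CRIT
        elif local == CRIT:
            nxt = IDLE
        else:
            continue  # a waiting process is blocked while another is critical
        yield state[:i] + (nxt,) + state[i + 1:]

def explore(n, canonical=lambda s: s):
    """Breadth-first reachability, storing one representative per class."""
    init = canonical((IDLE,) * n)
    seen, todo = {init}, deque([init])
    while todo:
        for succ in successors(todo.popleft()):
            rep = canonical(succ)
            if rep not in seen:
                seen.add(rep)
                todo.append(rep)
    return seen

def by_permutation(state):
    """States equal up to renaming of processes share this representative."""
    return tuple(sorted(state))

def mutex_holds(states):
    """Symmetric property, so checking the representatives is sufficient."""
    return all(s.count(CRIT) <= 1 for s in states)

if __name__ == "__main__":
    for n in (2, 4, 8):
        concrete = explore(n)
        quotient = explore(n, by_permutation)
        print(n, len(concrete), len(quotient), mutex_holds(quotient))
```

The concrete graph grows as 2^n + n*2^(n-1) states while the quotient grows as 2n + 1, and the mutual-exclusion check gives the same answer on both because the property does not depend on process identity.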
Analysis techniques to exploit such symmetries have been implemented, as in Murphi [8] or GreatSPN [4]. However, these tools require the designer to identify admissible symmetries, leading to a cumbersome formal-