Event-condition-action (ECA) [ 12 ] rules are expressive enough to describe complex events and reactions. Thus, this event-driven formalism is widely used to specify complex systems [ 1, 3 ], e.g., for industrial-scale management, and to improve efficiency when coupled with technologies such as embedded systems and sensor networks. Analogously, active DBMSs enhance security and semantic integrity of traditional DBMSs using ECA rules; these are now found in most enterprise DBMSs and academic prototypes thanks to the SQL3 standard [ 9 ]. ECA rules are used to specify a system’s response to events, and are written in the format “on the occurrence of a set of events, if certain conditions hold, perform these actions.” However, for systems with many components and complex behavior, it may be difficult to correctly specify these rules.

Termination, guaranteeing that the system does not remain “busy” internally forever without responding to external events, and confluence , ensuring that any possible interleaving of a set of triggered rules yields the same final result, are fundamental correctness properties. While termination has been studied extensively and many algorithms have been proposed to verify it, confluence is particularly challenging due to a potentially large number of rule interleavings [ 2 ].

Researchers began studying these properties for active databases in the early 90’s [ 2, 4, 11, 14 ], by transforming ECA rules into some form of graph and applying various static analysis techniques on it to verify properties. These approaches based on a static methodology worked well to detect redundancy, inconsistency, incompleteness, and circularity. However, since static approaches may not explore the whole state space, they could easily miss some errors. Also, they could find scenarios that did not actually result in errors due to the found error states may not be reachable. Moreover, they had poor support to provide concrete counterexamples and analyze ECA rules with priorities. [ 2 ] looked for cycles in the rule-triggering graph to disprove termination, but the cycle-triggering conditions may be unsatisfiable. [ 4 ] improved this work with an activation graph describing when rules are activated; while its analysis detects termination where previous work failed, it may still report false positives when rules have priorities. [ 5 ] proposed an algebraic approach emphasizing the condition portion of rules, but did not consider priorities. Other researchers [ 11, 14 ] chose to translate ECA rules into a Petri Net (PN), whose nondeterministic interleaving execution semantics naturally model unforeseen interactions between rule executions. However, as the analysis of the set of ECA rules was through structural PN techniques based on the incidence matrix of the net, false positives were again possible.

To overcome these limitations, dynamic analysis approaches using model checking tools such as SMV [ 15 ] and SPIN [ 6 ] have been proposed to verify termination. While closer to our work, these approaches require manually transforming ECA rules into an input script, assume a priori bounds for all variables, provide no support for priorities, and require the initial system state to be known; our approach does not have these limitations. [ 8 ] analyzes both termination and confluence by transforming ECA rules into Datalog rules through a “transformation diagram”; this supports rule priority and execution semantics, but requires the graph to be commutative and restricts event composition. However, most of these works show limited results, and none of them properly addresses confluence; we present detailed experimental results for both termination and confluence. UML Statecharts [ 17 ] provide visual diagrams to describe the dynamic behavior of reactive systems and can be used to verify these properties. However, event dispatching and execution semantics are not as flexible as for PNs [ 13 ].

Our approach transforms a set of ECA rules into a PN, then dynamically verifies termination and confluence and, if errors are found, provides concrete counterexamples to help debugging. It uses our tool SmArT, which supports PNs with priorities to easily model ECA rules with priorities. Moreover, a single PN can naturally describe both the ECA rules as well as their nondeterministic concurrent environment and, while our MDD-based symbolic model-checking algorithms [ 18 ] require a nfiite state space, they do not require to know a priori the variable bounds (i.e., the maximum number of tokens each place may contain). Finally, our framework is not restricted to termination and confluence, but can be easily extended to verify a broader set of properties.

The rest of the paper is organized as follows: Sect. 2 recalls Petri nets; Sect. 3 introduces our syntax for ECA rules; Sect. 4 describes the transformation of ECA rules into a Petri net; Sect. 5 presents algorithms for termination and confluence; Sect. 6 shows experimental results; Sect. 7 concludes.

As an intermediate step in our approach, we translate a set of ECA rules into a self-modifying Petri net [ 16 ] (PN) with priorities and inhibitor arcs, described by a tuple (P, T , π, D− , D+, D◦ , xinit), where: – P is a finite set of places, drawn as circles, and T is a finite set of transitions, drawn as rectangles, satisfying P ∩ T = ∅ and P ∪ T 6 = ∅ . – π : T → N assigns a priority to each transition. – D− : P ×T × NP → N, D+ : P ×T × NP → N, and D◦ : P ×T × NP → N∪{∞} are the marking-dependent cardinalities of the input, output, and inhibitor arcs. – xinit ∈ NP is the initial marking, the number of tokens initially in each place. Transition t has concession in marking m ∈ NP if, for each p ∈ P , the input arc cardinality is satisfied, i.e., mp ≥ D− (p, t, m), and the inhibitor arc cardinality is not, i.e., mp < D◦ (p, t, m). If t has concession in m and no other transition t0 with priority π (t0) > π (t) has concession, then t is enabled in m and can fire and lead to marking m0, where mp0 = mp − D− (p, t, m) + D+(p, t, m), for all places p (arc cardinalities are evaluated in the current marking m to determine the enabling of t and the new marking m0). In our figures, tk(p) indicates the number of tokens in p for the current marking, a thick input arc from p to t signifies a cardinality tk(p), i.e., a reset arc, and we omit arc cardinalities 1, input or output arcs with cardinality 0, and inhibitor arcs with cardinality ∞ .

The PN defines a discrete-state model (Spot, Sinit, A, {N t : t ∈ A} ). The potential state space is Spot = NP (in practice we assume that the reachable set of markings is finite or, equivalently, that there is a finite bound on the number of tokens in each place, but we do not require to know this bound a priori). Sinit ⊆ Spot is the set of initial states, { xinit} in our case (assuming an arbitrary finite initial set of markings is not a problem). The set of (asynchronous) model events is A = T . The next-state function for transition t is Nt, such that Nt(m) = { m0} , where m0 is as denfied above if transition t is enabled in marking m, and Nt(m) = ∅ otherwise. Thus, the next-state function for a particular PN transition is deterministic, although the overall behavior remains nondeterministic due to the choice of which transition should fire when multiple transitions are enabled. 3

ECA rules have the format “ on events if condition do actions.” If the events are activated and the boolean condition is satisfied, the rule is triggered and its actions will be performed. In active DBMSs, events are normally produced by explicit database operations such as insert and delete [ 1 ] while, in reactive systems, they are produced by sensors monitoring environment variables [ 3 ], e.g., temperature. Many current ECA languages can model the environment and distinguish between environmental and local variables [ 2, 4, 6, 11, 14, 15 ]. Thus, we designed a language to address these issues, able to handle more general cases and allow different semantics for environmental and local variables (Fig. 1). env_vars := environmental env_var read-only bounded natural loc_vars := local loc_var read-and-write bounded natural f actor := loc_var | env_var | ( exp ) | number term := f actor | term ∗ term | term / term exp := exp − exp | exp + exp | term

= rel_op := ≥ | ≤ | assignment := env_var into loc_var [, assignment] “ /” is integer division “ number” is a constant ∈ N ext_ev_decl := external ext_ev [ activated when env_var rel_op number ] [ read (assignment) ] int_ev_decl := internal int_ev ext_evs := ext_ev | (ext_evs or ext_evs) | (ext_evs and ext_evs) int_evs := int_ev | (int_evs or int_evs) | (int_evs and int_evs) condition := (condition or condition) | (condition and condition) |

not condition | exp rel_op exp action := increase (loc_var, exp) | decrease (loc_var, exp) |

set (loc_var, exp) | activate (int_ev) actions := action | (actions seq actions) | (actions par actions) ext_rule := on ext_evs [if condition] do actions int_rule := on int_evs [if condition] do actions [with priority number] system := [env_vars]+[loc_vars]∗ [ext_ev_decl]+[int_ev_decl]∗ [ext_rule]+[int_rule]∗

Environmental variables are used to represent environment states that can only be measured by sensors but not directly modified by the system. For instance, if we want to increase the temperature in a room, the system may choose to turn on a heater, eventually achieving the desired effect, but it cannot directly change the value of the temperature variable. Thus, environmental variables capture the nondeterminism introduced by the environment, beyond the control of the system. Instead, local variables can be both read and written by the system. These may be associated with an actuator, a record value, or an intermediate value describing part of the system state; we provide operations to set (absolute change) their value to an expression, or increase or decrease (relative change) it by an expression; these expressions may depend on environmental variables.

Events can be combinations of atomic events activated by environmental or internal changes. We classify them using the keywords external and internal. An external event can be activated when the value of an environmental variable crosses a threshold; at that time, it may take a snapshot of some environmental variables and read them into local variables to record their current values. Only the action of an ECA rule can instead activate internal events. Internal events are useful to express internal changes or required actions within the system. These two types of events cannot be mixed within a single ECA rule. Thus, rules are external or internal, respectively. Then, we say that a state is stable if only external events can occur in it, unstable if actions of external or internal rules are being performed (including the activation of internal events, which may then trigger internal rules). The system is initially stable and, after some external events trigger one or more external rules, it transitions to unstable states where internal events may be activated, triggering further internal rules. When all actions complete, the system is again in a stable state, waiting for environmental changes that will eventually trigger external events.

The condition portion of an ECA rule is a boolean expression on the value of environmental and local variables; it can be omitted if it is the constant true.

The last portion of a rule specifies which actions must be performed, and in which order. Most actions are operations on local variables which do not directly affect environmental variables, but may cause some changes that will conceivably be reflected in their future values. Thus, all environmental variables are readonly from the perspective of an action. Actions can also activate internal events. Moreover, to handle complex action operations, the execution semantics can be specified as any partial order described by a series-parallel graph; this is obtained through an appropriate nesting of seq operators, to force a sequential execution, and par operators, to allow an arbitrary concurrency. The keyword with priority enforces a priority for internal rules. If no priority is specified, the default priority of an internal rule is 1, the same as that of external rules.

We now discuss the choices of execution semantics for our language, to support the modeling of reactive systems. The first choice is how to couple the checking of events and conditions for our ECA rules. There are (at least) two options: immediate and deferred. The event-condition checking is immediate if the corresponding condition is immediately evaluated when the events occur, it is deferred if the condition is evaluated at the end of a cycle with a predefined frequency. One critical requirement for the design of reactive systems is that the system should respond to external events from the environment [ 10 ] as soon as possible. Thus, we choose immediate event-condition checking: when events occur, the corresponding condition is immediately evaluated to determine whether to trigger the rule. We stress that deferred checking can still be modeled using immediate checking, for example by adding an extra variable for the system clock and changing priorities related to rule evaluation to synchronize rule evaluations. However, the drawback of deferred checking is that the design must tolerate false ECA rule triggering or non-triggering scenarios. Since there is a time gap between event activation and condition evaluation, the environmental conditions that trigger an event might change during this period of time, causing rules supposed to be triggered at the time of event activation to fail because the “current ” condition evaluation are now inconsistent.

Another important choice is how to handle and model the concurrent and nondeterministic nature of reactive systems. We introduce the concept of batch for external events, similar to the concept of transaction in DBMSs. Formally, the boundary of a batch of external events is defined as the end of the execution of all triggered rules. Then, the system starts to receive external events and immediately evaluates the corresponding conditions. The occurrence of an external event closes a batch if it triggers one or more ECA rules; otherwise, the event is added to the current batch. Once the batch closes and the rules to be triggered have been determined, the events in the current batch are cleaned-up, to prevent multiple (and erroneous) triggerings of rules. For example, consider ECA rules ra: “ on a do · · · ” and rac: “ on (a and c) do · · · ”, and assume that the system finishes processing the last batch of events and is ready to receive external events for the next batch. If external events occur in the sequence “ c, a, . . .”, event c alone cannot trigger any rule so it begins, but does not complete, the current batch. Then, event a triggers both rule ra and rac, and thus, closes the current batch. Both rules are triggered and will be executed concurrently. This example shows how, when the system is in a stable state, the occurrence of a single external event may trigger one or more ECA rules, since there is no “contention” within a batch on “using” an external event: rule ra and rac share event a and both rules are triggered and executed. If instead the sequence of events is “ a, c, . . .”, event a by itself constitutes a batch, as it triggers rule ra. This event is then discarded by the clean-up so, after executing ra and any internal rule (recursively) triggered by it, the system returns to a stable state and the subsequent events “ c, . . .” begin the next batch. Under this semantic, all external events in one batch are processed concurrently. Thus, unless there is a termination error, the system will process all triggered rules, including those triggered by the activation of internal events during the current batch, before considering new external events. This batch definition provides maximum nondeterminism on event order, which is useful to discover design errors in a set of ECA rules.

We also stress that, in our semantics, the system is frozen during rule execution and does not respond to external events. Thus, rule execution is instantaneous, while in reality it obviously requires some time. However, from a verification perspective, environmental changes and external event occurrences are nondeterministic and asynchronous, thus our semantic allows the verification process to explore all possible combinations without missing errors due to the order in which events occur and environmental variables change. 3.1

We now explain the procedure to transform a set of ECA rules into a PN. First, we put each ECA rule into a regular form where both events and condition are disjunctions of conjunctions of events and relational expressions, respectively. All rules in Fig. 2 are in this form. While this transformation may in principle cause the expressions for events and conditions to grow exponentially large, each ECA rule usually contains a small number of events and conditions, hence this is not a problem in practice. Based on the immediate event-condition checking assumption, a rule is triggered iff “ trigger ≡ events ∧ condition” holds.

Next, we map variables and events into places, and use PN transitions to model event testing, condition evaluation, and action execution. Any change of variable values is achieved through input and output arcs with appropriate cardinalities. Additional control places and transitions allow the PN behavior to be organized into “phases”, as shown next. ECA rules r1 through r10 of Fig. 2 are transformed into the PN of Fig. 3 (dotted transitions and places are duplicated and arcs labeled “ if (cond)” are present only if cond holds). 4.1

The first step towards verifying correctness properties is to define Sinit, the set of initial states, corresponding to all the possible initial combinations of system variables (e.g., ExtLgt can initially have any value in [ 0, 10 ]). One could consider all these possible values by enumerating all legal stable states corresponding to possible initial combinations of the environmental variables, then start the analysis from each of these states, one at a time. However, in addition to requiring the user to explicitly provide the set of initial states, this approach may require enormous runtime, also because many computations are repeated in different runs. Our approach instead computes the initial states symbolically, thanks to the nondeterministic semantics of Petri nets, so that the analysis is performed once starting from a single, but very large, set Sinit.

To this end, we add an initialization phase that puts a nondeterministically chosen legal number of tokens in each place corresponding to an environmental variable. This phase is described by a subnet consisting of a transition InitEnd InitEnd 4

Init

InitExtLgt 4

InitSlp 4 InitMtn 4 10 with priority P + 3, a place Init with one initial token, and an initializing transition with priority P +3 for every environmental variable, to initialize the number of tokens in the corresponding place. Fig. 7 shows this subnet for our running example. We initialize the Petri net by assigning the minimum number of tokens to every environmental variable place and leaving all other places empty, then we let the initializing transitions nondeterministically add a token at a time, possibly up to the maximum legal number of tokens in each corresponding place. When InitEnd fires, it disables the initializing transitions, freezes the nondeterministic choices, and starts the system’s normal execution.

This builds the set of initial states, ensuring that the PN will explore all possible initial states, and avoids the overhead of manually starting the PN from one legal initial marking at a time. Even though the overall state space might be larger (it equals the union of all the state spaces that would be built starting from each individual marking), this is normally not the case, and, anyway, having to perform just one state space generation is obviously enormously better.

After the initialization step, we proceed with verifying termination and confluence using our tool SmArT, which provides symbolic reachability analysis and CTL model checking with counterexample generation [ 7 ]. Reactive systems constantly respond to external events. However, if the system has a livelock, a finite number of external events can trigger an infinite number of rule executions (i.e, activate a cycle of internal events), causing the system to remain “busy” internally, a fatal design error. When generating the state space, all legal batches of events are considered, due to the PN execution semantics, again avoiding the need for an explicit enumeration, this time, of event batches.

A set G of ECA rules satisfies termination if no infinite sequence of internal events can be triggered in any possible execution of G. This can be expressed in CTL as ¬ EF(EG(unstable)), stating that there is no cycle of unstable states reachable from an initial, thus stable, state.

Both traditional breadth-first-search (BFS) and saturation-based [ 19 ] algorithms are suitable to compute the EG operator. Fig. 8 uses saturation, which tends to perform much better in both time and memory consumption when analyzing large asynchronous systems. We encode transitions related to external • provide error trace • p unprimed • p[i] is the node pointed edge i of node p bool Term(mdd Sinit, mdd2 Nint) 1 mdd Srch ← StateSpaceGen(Sinit, Next ∪ N int); 2 mdd Sunst ← Intersection(Srch, ExtractUnprimed(Nint)); 3 mdd Sp ← EF(EG(Sunst)); 4 if Sp 6= ∅ then return false 5 else return true; mdd ExtractUnprimed(mdd2 p) 1 if p = 1 then return 1; 2 if CacheLookUp(EXTRACTUNPRIMED, p, r) return r; 3 foreach i ∈ V p.v do 4 mdd ri ← 0; 5 if p[i] 6= 0 then 6 foreach j ∈ V p.v s.t. p[i][j] 6= 0 do 7 ri ← Union(ri, ExtractUnprimed(p[i][j])) 8 mdd r ← UniqueTableInsert({ ri : i ∈ V p.v} ); 9 CacheInsert(EXTRACTUNPRIMED, p, r); 10 return r; events and environmental variable changes into Next. Thus, the internal transitions are Nint = N \Next. After generating the state space Srch using constrained saturation [ 18 ], we build the set of states Sunst by symbolically intersecting Srch with the unprimed, or “from”, states extracted from Nint. Then, we use the CTL operators EG and EF to identify any nonterminating path (i.e., cycle). Confluence is another desirable property to ensure consistency in systems exhibiting highly concurrent behavior.

A set G of ECA rules satisfying termination also satisfies confluence if, for any legal batch b of external events and starting from any particular stable state s, the system eventually reaches a unique stable state.

We stress that what constitutes a legal batch b of events depends on state s, since the condition portion of one or more rules might affect whether b (or a subset of b) can trigger a rule (thus close a batch). Given a legal batch b occurring in stable state s, the system satisfies confluence if it progresses from s by traversing some (nondeterministically chosen) sequence of unstable states, eventually reaching a stable state uniquely determined by b and s. Checking confluence is therefore expensive [ 2 ], as it requires verifying the combinations of all stable states reachable from Sinit with all legal batches of external events when the system is in that stable state. A straightforward approach enumerates all legal batches of events for each stable state, runs the model, and checks that the set of reachable stable states has cardinality one. We instead only check that, from each reachable unstable state, exactly one stable state is reachable; this avoids enumerating all legal batches of events for each stable state. Since bool ConfExplicit(mdd Sst, mdd Sunst, mdd2 Nint) 1 foreach i ∈ S unst 2 mdd Si ← StateSpaceGen(i, Nint); 3 if Cardinality(Intersection(Si, Sst)) > 1 then return false; • provide error trace 4 return true; bool ConfExplicitImproved(mdd Sst, mdd Sunst, mdd2 Nint, mdd2 N ) 1 mdd Sfrontier ← Intersection(RelProd(Sst, N ), Sunst); 2 while Sfrontier 6= ∅ do • if Sfrontier is empty, it explores all Sunst 3 pick i ∈ S frontier; 4 mdd Si ← StateSpaceGen(i, Nint); 5 if Cardinality(Intersection(Si, Sst)) > 1 then return false; • provide error trace 6 else Sfrontier ← S frontier \ Intersection(Si, Sunst); • exclude all unstable states reached by i 7 return true; bool CheckConf (mdd2 p) 1 if p = 1 then return true 2 if CacheLookUp(CHECKCONF , p, r) return r; 3 foreach i ∈ V p.v, s.t. exist j, j0 ∈ V p.v, j 6= j0, p[i][j] 6= 0, p[i[j0] 6= 0 do 4 foreach j, j0 ∈ V p.v, j 6= j0 s.t. p[i][j] 6= 0, p[i[j0] 6= 0 do 5 if p[i][j] = p[i][j0] return false; • Confluence does not hold 6 mdd fj ← ExtractUnprimed(p[i][j]); • Result will be cached 7 mdd fj0 ← ExtractUnprimed(p[i][j0]); • No duplicate computation 8 if Intersection(fi, fj0 ) 6= 0 then return false; 9 foreach i, j ∈ V p.v s.t. p[i][j] 6= 0 do 10 if CheckConf (p[i][j]) = false return false; 11 CacheInsert(CHECKCONF , p, true); 12 return true; nondeterministic execution in performing phase is the main reason to violate confluence and the system is in unstable states in our definition, checking the evolution starting from unstable states will fulfill the purpose.

The brute force algorithm ConfExplicit in Fig. 9 enumerates unstable states and generates reachable states only from unstable states using constrained saturation [ 18 ]. Then, it counts the stable states in the obtained set. We observe that, starting from an unstable stable u, the system may traverse a large set of unstable states before reaching a stable state. If unstable state u is reachable, so are the unstable states reachable from it. Thus, the improved version ConfExplicitImproved first picks an unstable state i and, after generating the states reachable from i and verifying that they include only one stable state, it excludes all visited unstable states (Line 6). Furthermore, it starts only from states i in the frontier, i.e., unstable states reachable in one step from stable

Termination (time: sec, memory: MB) Model PN t PN c PN 1 PN 2 PN 3

PN 4 Model PN c PN 1 PN 2 PN 3 PN 4

|S rch| 9.665 9.497 states (all other unstable reachable states are by definition reachable from this frontier). However, we stress that these, as most symbolic algorithms, are heuristics, thus they are not guaranteed to work better than the simpler approaches.

Next, we introduce a fully symbolic algorithm to check confluence in Fig. 10. It first generates the transition transitive closure (TC) set from Nint using constrained saturation [ 19 ], where the “from”’ states of the closure are in Sunst (Line 1). The resulting set encodes the reachability relation from any reachable unstable state without going through any stable state. Then, it filters this relation to obtain the relation from reachable unstable states to stable states by constraining the “to” states to set Sst. Thus, checking conuflence reduces to verifying whether there exist two different pairs (i, j) and (i, j0) in the relation: Procedure CheckConf implements this check symbolically. While computing TC is a an expensive operation [ 19 ], this approach avoids separate searches from distinct unstable states, thus is particularly appropriate when Sunst is huge. 6

Table 1 reports results for a set of models run on an Intel Xeon 2.53GHz workstation with 36GB RAM under Linux. For each model, it shows the state space size (|S rch| ), the peak memory (Mp), and the final memory ( Mf ). For termination, it shows the time used to verify the property (Tt) and to find the shortest ... lgtsTmr = 1 r6Act1 r6Trg1= 1 lgtsTmr = 1 LgtsOn=1 r6Tst lgtsTmr = 1 r6Trg1Seq1= 1 intLgts = 6 lgtsTmr = 1 ChkMtn = 1 intLgts = 6 ... ... ... counterexample (Tc). For confluence, it reports the best runtime between our two explicit algorithms (Tbe) and for our symbolic algorithm (Ts). Memory consumption accounts for both decision diagrams and operation caches.

Net PN t is the model corresponding to our running example, and fails the termination check. Even though the state space is not very large, counterexample generation is computationally expensive [ 20 ] and consumes most of the runtime. The shortest counterexample generated by SmArT has a long tail consisting of 1885 states and leads to the 10-state cycle of Fig. 11 (only the nonempty places are listed for each state, and edges are labeled with the corresponding PN transition). Analyzing the trace, we can clearly see (in bold) that, when lights are about to be turned off due to the timeout, lMtn = 0, and the external light is low, ExtLgt ≤ 5, the infinite sequence of internal events (LgtsOff , ChkExtLgt, LgtsOn, ChkMtn)ω prevents the system from terminating. Thus, rules r4, r5, r6, and r7 need to be investigated to fix the error. Among the possible modifications, we choose to replace rule r5 with r50 : on ChkExtLgt if ((intLgts= 0 and lExtLgt ≤ 5) and lMtn= 1) do activate (LgtsOn), resulting in the addition of an input arc from lMtn to r5Tst. The new corrected model is called PN c in Table 1, and SmArT verifies it holds the termination property.

We then run SmArT on PN c to verify confluence, and found 72,644 bad states. Fig. 12 shows one of these unstable states, s0, reaching two stables states, s1 and s2. External event ExtLgtLow closes the batch in s0 and triggers rule r8, which sets intLgt to 6 and activates internal event ChkSlp, which in turn sets intLgt to 0 (we omit intermediate unstable states from s0 to s1 and to s2). We correct rules r8 and r9, replacing them with r0 : on ExtLgtLow if lSlp=0 8 do set (intLgt, 6) and r90: on ExtLgtLow if lSlp=1 do set (intLgt, 0); resulting in model PN fc. Checking this new model against for confluence, we find that the number of bad states decreases from 72,644 to 24,420. After investigation, we determine that the remaining problem is related to rules r2 and r3. After changing rule r1 to on SecElp if ((lgtsTmr ≥ 1 and lgtsTmr ≤ 359) and lMtn = 0) do increase (lgtsTmr, 1), the model passes the check. This demonstrates the effectiveness of counterexamples to help a designer debug a set of ECA rules.

We then turn our attention to larger models, which extend our original model by introducing four additional rules and increasing variable ranges. In PN 1 and PN 2, the external light variable ExtLgt ranges in [ 0, 20 ] instead of [ 0, 10 ]; for PN 4, it ranges in [0, 50]. PN 2 also extends the range of the light timer variable lgtTmr to [0, 720]; PN 3 to [0, 3600]. We observe that, when verifying termination or conuflence, the time and memory consumption tends to increase as the model grows; also, our symbolic algorithm scales much better than the best explicit approach when verifying conuflence. For the relatively small state space of PN t, enumeration is effective, since computing TC is quite computationally expensive. However, as the state space grows, enumerating the unstable states consumes excessive resources. We also observe that the supposedly improved explicit confluence algorithm sometimes makes things worse. The reason may lie in the fact that a random selection of a state from the frontier has different statistical properties than for the original explicit approach, and also in the fact that operation caches save many intermediate results. However, both explicit algorithms run out of memory on PN 3 and PN 4. Comparing the results for PN 3 and PN 4, we also observe that larger state spaces might require less resources. With symbolic encodings, this might happen because the corresponding MDD is more regular than the one for a smaller state space. 7

Verifying termination and confluence of ECA rule bases for reactive systems is challenging due to their highly concurrent and nondeterministic nature. We proposed an approach to verify these properties using a self-modifying PN with inhibitor arcs and priorities. Our approach is general enough to give precise answers to questions about other properties, certainly those that can be expressed in CTL. As an application, we showed how a light control system can be captured by our approach, and we verified termination and conuflence for this model using SmArT. In the future, we would like to improve our approach in the following ways. The confluence algorithm must perform constrained state space generation starting from each unstable state, which is not efficient if Sunst is large. In that case, a simulation-based falsification approach might be more suitable, using intelligent heuristic sampling and searching strategies. However, this approach is sound only if the entire set Sunst is explored. Another direction to extend our work is the inclusion of abstraction techniques to reduce the size of the state space.