Hyper Partial Order Logic

We define HyPOL, a local hyper logic for partial order models, expressing properties of sets of runs. These properties depict shapes of causal dependencies in sets of partially ordered executions, with similarity relations defined as isomorphisms of past observations. Unsurprisingly, since comparisons of projections are included, satisfiability of this logic is undecidable. We then address model checking of HyPOL and show that, already for safe Petri nets, the problem is undecidable. Fortunately, sensible restrictions of observations and nets allow us to bring model checking of HyPOL back to a decidable problem, namely model checking of MSO on graphs of bounded treewidth.


Introduction
Hyperproperties. A way to address information security in systems is to guarantee various information flow properties. Examples of such properties are non-interference [17] (an attacker of a system cannot obtain confidential information from its observation of the system), or opacity of secrets [2] (an attacker cannot decide whether the system is in some particular secret configuration). For a long time since the seminal work of [17] introducing non-interference, security properties have been characterized as equivalences between partially observed behaviors of systems. This idea was later formalized [22] as combinations of language closure properties, the so-called "basic security predicates". We refer to [27] for a survey on language-based information flow properties. More recently, logics with path equivalences [1] encompassing indistinguishability among partially observed executions have been proposed as a generic framework to define security conditions. Security properties are now frequently called hyperproperties [10,9], i.e. properties of sets of runs.
Most proposals address verification questions in an interleaved setting, ignoring concurrency aspects. For instance, non-interference properties were considered for Petri nets [7], but still with techniques relying on an interleaved interpretation of behaviors. Recently, [6] showed how to characterize some non-interference properties that cannot be handled in an interleaved model. This result is interesting, as it shows that even if complexity gains are not straightforward, considering causal dependencies in systems makes it possible to characterize types of attacks on a system that cannot be characterized in an interleaved setting.

Local logics. We focus here on local logics, which account for causal dependencies and concurrency in behaviors of models. Several variants of local logic have been proposed: TLC⁻, LD₀, PDL, LPOC, or even MSO. The first one, proposed by [25], is a logic tailored for Message Sequence Charts (MSCs). The logic features propositions, a next and an until operator, and is interpreted over causal paths of MSCs. Model checking TLC⁻ is decidable for families of partial orders generated by High-level Message Sequence Charts (HMSCs). It is linear in the size of the considered HMSC, but exponential in the size of the formula.
The logic LD₀ [24] addresses properties of causal paths in partial orders. It resembles LTL in that its atomic propositions are attached to events, but it follows causal paths rather than linearizations, and is equipped with successor/predecessor relations.
An extension of TLC⁻ called Propositional Dynamic Logic (PDL), which also subsumes LD₀, is given in [8] to express properties of Communicating Finite State Machines (CFSMs). This logic is divided into path formulas and local formulas. Path formulas make it possible to navigate forward or backward in partially ordered executions via two relations: one that indicates whether an event f is the next executed event after e on the same process, and one that indicates whether a pair (e, f) forms a message. At each event along a followed path, the truth of a local formula can be checked. Local formulas are used to check whether some atomic proposition holds at a given event, or whether some path formula holds at an event together with another PDL subformula. In general, verification of PDL for CFSMs is undecidable, but checking whether some B-bounded execution of a CFSM (in which buffer contents can remain of size smaller than B) satisfies a PDL formula is PSPACE-complete. This result extends to HMSC specifications, whose executions are naturally bounded. Another approach to studying properties of partial orders generated by system executions is to express them directly as MSO properties. As MSO verification can easily be undecidable for some families of graphs, decidability is proved for families of partial orders generated by Message Sequence Charts in [20]. The result is obtained thanks to the particular shape of orders generated by MSCs, which are "layered". Similarly, [21] considers restrictions on executions of CFSMs that have to synchronize frequently.
LPOC [16] is a logic for partially ordered computations. It describes the shape of partial orders, and not only of their causal paths. In addition to standard local operators, the logic can require the existence of a particular partial order pattern in the causal past of an event. It was used as a specification formalism for diagnosis purposes, but without restriction, satisfiability of an LPOC formula is undecidable.

Contributions. We propose a framework unifying path equivalence logics, hyperproperties and partial order approaches. The logic borrows ingredients from LPOC [16]: in particular, it expresses the existence of a pattern in a partial order, rather than on a causal path. It also borrows the idea of comparing executions up to observation, as proposed in CTL_≡, one of the branching logics with path equivalence proposed in [1]. Events in a pair of executions are considered equivalent if the (partial) observations of their causal pasts are isomorphic. One of the artifacts used by [1] to obtain decidability of CTL_≡ is to require equivalence to hold only among events located at the same depth in executions. We do not use such an interpretation of equivalence, and rather exhibit sufficient conditions on behaviors of systems, close to a layeredness property [20], to obtain decidability.
We first define a partial order logic called Hyper Partial Order Logic (HyPOL for short). While we show undecidability of satisfiability for this logic, we address model checking on a true-concurrency model, and start with Labeled Safe Petri Nets (LSPN). The universe of all behaviors of an LSPN can be defined as the set of processes of its complete unfolding [23].
We denote by LPO(Σ) the set of labeled partial orders over Σ.
Figure 2: A partial order O, its projection O_1(O) on events that carry label a or b, and its restriction O_2(O) to causal dependencies from any event carrying label a to other events.

λ_T(h(e)) ⊆ λ(e), and e <_T e' implies h^{-1}(e) < h^{-1}(e'). The partial order T is called a template and we say that h is witnessing the matching.
In the sequel, we constrain the mapping witnessing a matching, using the notion of anchored matching. We say that there exists an anchored matching of template T at event e in O and f in T iff O matches T, and there exists a mapping h_{e,f} witnessing this matching such that h_{e,f}(e) = f. In the example shown in Figure 1, the order O matches template T: the mapping h (depicted by dashed arrows) is defined by

An observation function is a mapping O: LPO(Σ) → LPO(Σ'), representing the visible part of the system. In what follows, we focus on observation functions that are the identity function id (i.e., the function such that id(O) = O), relabelings, and various restrictions of orders, for instance associating with O = (E, ≤, λ) the order O_{|F} for some F ⊆ E.
With a slight abuse, if O = (E, ≤, λ) and F ⊆ E, we write O(F) for the corresponding subset of events of O(O). With observation functions like those described above, an event is either kept by the observation (possibly relabeled) or deleted. When event e ∈ E has an image in O(E), we denote this image by O(e).
Consider the example of Figure 2. The partial order O contains events labeled by atomic propositions a, b, c. Let observation O_1 be the projection of orders on events carrying a proposition in {a, b}. Such a projection can be used to indicate which actions are observed by a particular user. Now, consider observation O_2, which restricts an order to the causal dependencies in ≤ ∩ {(e, f) | a ∈ λ(e)}. This kind of observation can encode the fact that a particular user observing the execution of a system is not able to know whether some events are causally related or not. Last, we can combine projections and order restriction: the observation obtained by combining them describes what would be visible to a user of the system that logs events tagged with propositions a and b, and can only know dependencies from events tagged by a. For the order O in Figure 2

Hyper Partial Order Logic
We are now ready to define HyPOL, a hyperproperty partial order logic. HyPOL is designed to express properties of partially observed sets of executions described by LPOs in LPO(Σ).

Syntax and semantics
We consider a set A of atomic propositions, a finite set 𝒯 of templates labeled over A, and a finite set Obs of observation functions producing LPOs over A. We assume that Σ ⊆ A but, since event labeling can be modified by observations, it is not always the case that A = Σ. The syntax of HyPOL is given by: where D ⊆ A, T ∈ 𝒯, f is an event of T, and O ∈ Obs is an observation function.
A formula is equivalence-free iff it does not use the EX_{≡,O} operator. To reduce the number of primitives in our logic, we address the labeling of events via templates. For D ⊆ A, we define a template T_D composed of a single event f_D labeled by all propositions in D. In particular, when D = {a} for some proposition a ∈ A, we write T_a instead of T_{{a}} and f_a instead of f_{{a}}. When template T_a is matched at some event e in an order O under observation O, this means that the image of e by O carries proposition a.
We define derived operators (with D ⊆ A):

Theorem 5. Satisfiability of a HyPOL formula is undecidable.

Proof sketch. The proof is a reduction of Post's Correspondence Problem (PCP): given an instance I of PCP, we build a HyPOL formula φ_I such that I has a solution iff φ_I is satisfiable (see Appendix 6.1 for details).

An example: Causal Non-Interference
We begin with a small example showing that, in the context of concurrent models, languages are not discriminative enough. In Figure 3, the set W = {O_1, O_2} represents behaviors of a concurrent system, where h labels a non-observable secret action, while events with labels a and b can be observed by an attacker. In a language-based setting, an attacker only observes the linearizations a.b and b.a of these orders. Hence it is not possible to deduce whether h has occurred or not. On the other hand, if causal dependencies are considered, observing that a precedes b reveals the occurrence of h, thus leaking the information that h occurred.
Figure 3: Two orders where observing linearizations is not enough to leak information.

For a more general example showing the discriminating power of HyPOL, consider non-interference. In the setting proposed by [17], a system is non-interferent if users cannot infer that classified actions have occurred from observation of the system alone, i.e. execution of a classified event does not affect what a user can see or do. Such situations occur in a distributed system which can be accessed by two kinds of users: those with a high accreditation level, and low-level users, who have limited access to operations and observations of the system. We suppose that high-level users can perform classified actions, the occurrences of which shall not be detected by low-level users. In a standard setting for non-interference properties, this situation is modeled by associating with each event occurring in the system a particular operation name. Let Σ be the set of all these names, with Σ_high the subset of confidential ones and Σ_low = Σ \ Σ_high containing those which can be observed by low-level users. Observation O_low projects orders on events that carry at least one label in Σ_low. We can define a causal non-interference property with HyPOL as follows: where λ_{∈Σ_high} stands for ¬λ_{∉Σ_high}, Pred_h ::= ∨_{a∈Σ} match(O_{h,a}, T_{h≤a}, f), and T_{h≤a} is the template containing a pair of events f_h, f such that f_h ≤ f, f_h carries proposition h, f carries proposition a, and O_{h,a} is the observation that projects orders on Σ_high ∪ {a} and relabels events representing confidential operations with h.
Intuitively, satisfying Pred_h means that a confidential operation occurred in the causal past of an event. Hence, an order O satisfies φ_CNI if, for every high-level event e in O, there exists an order O' and an event e' ∈ O' such that e ≠ e', no high-level operation has occurred in the causal past of e', and a low-level user cannot distinguish e from e' (i.e., O_low(↓e) ≡ O_low(↓e')). A system is (causally) non-interferent iff every order generated by this system satisfies φ_CNI, i.e. every order that contains a confidential operation cannot be distinguished from other orders that do not contain confidential operations. Note that O_low(O) is a partial order, hence φ_CNI uses the discriminating power of causal dependencies.
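To make the Figure 3 argument concrete, here is an added Python illustration (not code from the paper) of LPOs, the projection and order-restriction observations of Figure 2, isomorphism of observed causal pasts, and a trace-based check next to a causal one. The two orders, the reading of φ_CNI as a condition on low-labelled events with a confidential operation in their past, and all names are assumptions made here.

```python
from itertools import permutations


class LPO:
    """Labeled partial order (E, <=, lambda): every event carries a set of
    propositions. `edges` lists precedence pairs; reflexivity and transitivity
    are added here (Warshall closure)."""

    def __init__(self, labels, edges):
        self.labels = {e: frozenset(l) for e, l in labels.items()}
        self.events = frozenset(self.labels)
        rel = set(edges) | {(e, e) for e in self.events}
        for k in self.events:
            for i in self.events:
                for j in self.events:
                    if (i, k) in rel and (k, j) in rel:
                        rel.add((i, j))
        self.leq = frozenset(rel)

    def restrict(self, keep):
        """Sub-order induced on the subset `keep` of events."""
        return LPO({e: self.labels[e] for e in keep},
                   {(x, y) for x, y in self.leq if x in keep and y in keep})

    def past(self, e):
        """Causal past of e: all events <= e, e included."""
        return self.restrict({x for x in self.events if (x, e) in self.leq})


def project(keep):
    """Projection observation: keep the events carrying a label in `keep`
    (O_low in the non-interference example, O_1 in Figure 2)."""
    keep = frozenset(keep)
    return lambda o: o.restrict({e for e in o.events if o.labels[e] & keep})


def restrict_deps(src):
    """Order-restriction observation: keep every event but only dependencies
    whose source carries proposition `src` (O_2 in Figure 2)."""
    return lambda o: LPO(o.labels, {(x, y) for x, y in o.leq if src in o.labels[x]})


def isomorphic(o1, o2):
    """Search for a label- and order-preserving bijection (brute force, which
    is fine for the small causal pasts compared here)."""
    if len(o1.events) != len(o2.events):
        return False
    src = sorted(o1.events)
    for tgt in permutations(sorted(o2.events)):
        h = dict(zip(src, tgt))
        if all(o1.labels[e] == o2.labels[h[e]] for e in src) and all(
                ((x, y) in o1.leq) == ((h[x], h[y]) in o2.leq) for x in src for y in src):
            return True
    return False


def linearizations(o):
    """All label sequences compatible with <=: what a language-based observer sees."""
    out = set()

    def go(done, seq):
        if len(done) == len(o.events):
            out.add(tuple(seq))
            return
        for e in o.events - done:
            if all(x in done for x, y in o.leq if y == e and x != e):
                go(done | {e}, seq + ["".join(sorted(o.labels[e]))])

    go(frozenset(), [])
    return out


def has_high(o, high):
    return any(o.labels[e] & high for e in o.events)


def trace_non_interferent(W, high, low):
    """Language-based check: every observed linearization of an order containing
    a confidential action is also produced by an order that contains none."""
    obs = project(low)
    clean = set().union(*(linearizations(obs(o)) for o in W if not has_high(o, high)))
    return all(linearizations(obs(o)) <= clean for o in W if has_high(o, high))


def causal_non_interferent(W, high, low):
    """Reading of phi_CNI used here: every low-labelled event e with a confidential
    operation in its causal past has a low-labelled counterpart e' in some order
    of W with none in its past and O_low(past e) isomorphic to O_low(past e')."""
    obs = project(low)
    low_events = lambda o: [e for e in o.events if o.labels[e] & low]
    clean = [obs(o.past(e)) for o in W for e in low_events(o) if not has_high(o.past(e), high)]
    return all(any(isomorphic(obs(o.past(e)), c) for c in clean)
               for o in W for e in low_events(o) if has_high(o.past(e), high))


# Constructed orders following Figure 3: h is the secret, a and b are observable.
FIG3_O1 = LPO({"h": {"h"}, "a": {"a"}, "b": {"b"}}, [("h", "a"), ("a", "b")])
FIG3_O2 = LPO({"a": {"a"}, "b": {"b"}}, [])  # a and b concurrent, no secret
NO_SECRET_AB = LPO({"a": {"a"}, "b": {"b"}}, [("a", "b")])  # constructed: a < b, no h
```

On W = {FIG3_O1, FIG3_O2} the trace check passes while the causal check fails, which is exactly the leak through causality described above; replacing FIG3_O2 by NO_SECRET_AB makes the causal check pass.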

Model-checking HyPOL
We address the question of model checking HyPOL formulas for a model for which at least reachability is decidable. As a starting point, we choose labeled safe Petri nets (LSPN).

Definition 6. A Petri net is a tuple N = (P, T, F, M_0) where P is a set of places, T is a set of transitions with P ∩ T = ∅, F ⊆ P×T ∪ T×P is the flow relation, and M_0 ∈ ℕ^P is the initial marking.
A net is labeled if it is equipped with a (not necessarily injective) mapping λ: T → Σ labeling the transitions. A marking is a multiset M ∈ ℕ^P. For x ∈ P ∪ T, we define its preset by •x = {y | (y, x) ∈ F} and its postset by x• = {y | (x, y) ∈ F}. The interleaved semantics of Petri nets can be defined as a (possibly infinite) transition system LTS(N) where states are markings, the initial state is M_0, and the transition relation is defined by transition firing, the target being the new marking reached by firing t. We write M_0 →* M iff there exists a sequence of transition firings reaching M from M_0. The set of reachable markings is denoted by Reach(N). We henceforth consider only safe Petri nets, where Reach(N) is a subset of {0, 1}^P; we also assume that all transitions have at least one pre- and one post-place, i.e. ∀t ∈ T: •t ≠ ∅ and t• ≠ ∅.

Nodes x and y are in concurrency relation, denoted x || y, if neither x < y, x > y nor x # y holds. Note that every occurrence net is safe, and that an occurrence net ON is conflict free iff for every b ∈ B, one has |b•| ≤ 1.

For all e ∈ E, the restriction of µ to •e is a bijection from •e to •µ(e), and the restriction of µ to e• is a bijection from e• to µ(e)•, and

The "unfolding" semantics of a safe labeled Petri net yields a labeled occurrence net.

FSTTCS 2018, NN:8
Definition 10 (Unfolding). A branching process of a labeled Petri net N = (P, T, F, M_0, λ) is a triple BR = (ON, µ, λ') where ON = (B, E, F', Cut_0) is an occurrence net, µ is a homomorphism and ∀e ∈ E, λ'(e) = λ(µ(e)). A process of a net N is a branching process of N such that for every condition b ∈ B, |b•| ≤ 1. Given branching processes BR_1 = (B_1, E_1, F_1, Cut_0, µ_1, λ_1) and BR_2 = (B_2, E_2, F_2, Cut_0, µ_2, λ_2), BR_1 is a prefix of BR_2 iff B_1 ⊆ B_2, E_1 ⊆ E_2, and F_1, µ_1, λ_1 are the respective restrictions of F_2, µ_2, λ_2 to B_1 and E_1. The unfolding of N, denoted by U(N), is the maximal branching process w.r.t. the prefix relation. Appendix 6.2 gives an algorithm for constructing the unfolding of a labeled safe Petri net. With every process BR = (ON, µ, λ) contained in U(N), with ON = (B, E, F, Cut_0), is associated an LPO Ord(BR) = (E, ≤, λ). Note that events in such LPOs are labeled by a singleton (transition label), which is a sub-case of the LPOs defined in Section 2. We define PR(N), the set of processes, up to isomorphism, that can be built from N. Given a HyPOL formula φ, we say that N satisfies φ iff Ord(PR(N)) ⊨ φ.
Theorem 11. The HyPOL model checking problem for safe Petri nets is undecidable.
Proof (sketch). We reuse the encoding of PCP from the proof of Theorem 5, and build a safe Petri net whose behaviors (processes) are exactly concatenations of the templates used in the HyPOL formula φ_I associated with an instance I of PCP (see Appendix 6.3).

Decidability
The reason for the undecidability results above is that projections give HyPOL a huge expressive power. Indeed, the difference in depth between equivalent events can be arbitrarily large, and labeling allows for the design of a pair of growing sequences of letters w_1, w_2 where w_1 is always a prefix of w_2, yielding a non-terminating instance of PCP. We show in this section that one can recover decidability when restricting to Petri nets in which the difference in depth between equivalent events is bounded.
Since the set of processes of a safe Petri net can be depicted in a compact way by its unfolding (as recalled in Section 4), a natural question is whether validity of a HyPOL formula expressing hyperproperties of the processes of a safe Petri net N can be rewritten as a property of its unfolding U(N). We first prove that this unfolding can be seen as a graph and defined as the production of a Hyperedge Replacement Grammar (HRG) [18].

Proposition 1. Let N be a safe labeled Petri net. Then, there exists a hyperedge replacement grammar G_N that generates U(N).
We detail the construction of G_N in Appendix 6.4. Note that G_N does not define a semantics of N via application of one rewriting rule per transition firing, as proposed in [3,4], but rather builds the unfolding. The grammar G_N starts from an axiom Ax. Denoting by G_N^ω(Ax) the (unique) graph generated from Ax, we have G_N^ω(Ax) = U(N). G_N exhibits a certain form of regularity, but this is not yet sufficient to check HyPOL formulas, nor to express HyPOL properties in terms of properties of G_N. Indeed, the graphical representation of U(N) does not address equivalences. We adapt the idea of [1], and represent isomorphism of causal pasts of events w.r.t. an observation function as a new relation connecting events. In other words, we augment U(N) with additional edges connecting equivalent events.

Definition 12 (Execution Graph). Given a set of observation functions, where E and B are the sets of events and conditions in U(N). We write e →ᵢ e' for (e, i, e') ∈ →.

So far, we have simply recast ordering and equivalence of events into a graph setting, but this translation does not change decidability of hyperproperties. Even if the unfolding U(N) can be generated by an HRG, this is not the case for G_{U(N)}. Indeed, to produce edges, hyperarcs of an HRG need to memorize nodes that will be at the origin or destination of an edge in future productions of the grammar. In particular, for G_{U(N)}, this means that hyperarcs of any HRG producing this graph have to memorize a list of events that will be declared equivalent to some event (w.r.t. a particular observation O_i) generated in future rewritings.
Proposition 2. There exist labeled safe Petri nets and observation functions whose execution graphs are not of bounded treewidth, and cannot be represented by a hyperedge replacement grammar.
Proof (sketch). We exhibit a net and an observation function whose execution graph contains grid minors of arbitrary sizes. It is well known [26] that a family of graphs F_G has bounded treewidth iff there exists a constant m such that no graph G ∈ F_G has a minor isomorphic to the m × m grid, and that HRGs can only generate graphs of bounded treewidth (see for instance [11]). See Appendix 6.5 for a complete proof.
Definition 13. Let ON = (B, E, F, Cut_0) be an occurrence net. The height of an event e or condition b in ON is given by the function H: B ∪ E → ℕ defined recursively by

Intuitively, dist(e, e') measures the maximal number of edges between e, e' and their common past. This distance dist defines a pseudometric. Using this notion of distance, we can define the K-Ball of an event e in the unfolding U(N) as the set of nodes in U(N) that are at distance at most K from e. Formally, Ball_K(e) = {n ∈ U(N) | dist(n, e) ≤ K}. In the rest of the paper, we consider classes of unfoldings where two events can only be equivalent w.r.t. any observation O_i if they are in the K-Ball of one another.
An important remark is that even for a safe Petri net N, given an integer K ∈ ℕ, the K-Ball of an event e may not be finite. Furthermore, the graph (E ∪ B, →₀) depicting the unfolding U(N) without equivalence edges always has finite incoming degree, but this is not necessarily the case for G_{U(N)}. In the rest of the paper, we will see that HyPOL formulas can be encoded as MSO properties of G_{U(N)}. The reason for the undecidability of HyPOL is hence the nature of execution graphs, which in general cannot be generated by context-free graph grammars, are not of bounded treewidth, and do not enjoy any of the properties that usually make MSO decidable. We can recover decidability with some restrictions. Let

In the sequel, we assume that observation functions O_1, …, O_k are given, and we say that a safe Petri net N is K-layered iff it is K-layered for every O_i. Intuitively, a Petri net is K-layered w.r.t. observation O_i iff one can decide equivalence of a pair of events e, e' w.r.t. O_i from their K-bounded past.

Proof (sketch). First, one can notice that in the unfolding of a K-layered safe Petri net, for every observation O_i, every event e has a bounded number of events connected to it via relation →ᵢ. This is due to the fact that this set is contained in its finite K-Ball. The hyperedge replacement grammar G_{K,N} starts from an axiom representing a complete finite prefix of the unfolding of N with hyperarcs. Its hyperarcs represent possible extensions of this prefix from its maximal markings. Rules of G_{K,N} are of the form r = (h_{t,lab}, HG_{t,lab}) where h_{t,lab} contains all conditions and events appearing in the K-Balls of the next occurrence of a transition t that can be appended after a maximal marking, and lab is a labeling providing sufficient information to know the ordering among events and a part of their common past. HG_{t,lab} is a hypergraph containing the newly generated occurrences of events and conditions in the execution graph and the flow relation among them; it connects equivalent events (contained in the events of h_{t,lab} and HG_{t,lab}) and creates one hyperarc per new maximal marking. Appendix 6.7 gives a complete construction of this grammar.
We now show that model checking HyPOL on K-layered execution graphs can be brought back to verification of an equivalent MSO property. But the first question to address is decidability of MSO on execution graphs. An MSO formula uses the following syntax: where x, y, … are first-order variables representing vertices in a graph, and X, Y, … are second-order variables representing sets of vertices in a graph. In execution graphs, first-order variables will represent events or conditions, and an edge the flow relation or isomorphism.
An interpretation I of an MSO formula φ over a graph G is an assignment of nodes of G to the first-order variables used in φ and of subsets of nodes of G to the second-order variables. An MSO formula φ holds for G under interpretation I iff replacing variables in φ by their interpretation yields a tautology. A graph satisfies formula φ iff there exists an interpretation I such that φ holds for G under I. Classes of graphs with decidable MSO theory have been considered for a long time (see for instance [11] for a complete monograph on this topic). As MSO is decidable for context-free graphs such as the graphs generated by HRGs ([12], Corollary 4.10), we immediately have the following property:

Corollary 15. MSO is decidable on execution graphs of K-layered labeled safe Petri nets.
Note that the decidability highlighted in Corollary 15 does not necessarily hold outside the class of K-layered nets. As shown in Proposition 2, execution graphs of safe Petri nets may contain grid minors of arbitrary sizes and hence in general do not have bounded treewidth [26]. MSO is also undecidable in general for execution graphs: one can use a safe Petri net whose unfolding is a binary tree and an observation that implements the "same level" relation on this tree. It is well known that MSO is undecidable on this graph [28]. We will use MSO to address decidability of HyPOL, by converting formulas to MSO, and in particular equivalences into →ᵢ relations among events.

Proposition 4. Let φ be a HyPOL formula. Then there exists an MSO formula ψ such that

Proof (sketch). We first encode in MSO a succ(e, e') relation that relates pairs of events such that e• ∩ •e' ≠ ∅. Then, causal precedence ≤ in an order can be encoded with MSO. A property of the form x ⊨ EX_{≡,O_i} φ asks for the existence of an edge x →ᵢ y where y satisfies the MSO translation of φ. Until operations are described as properties of chains of events, which can again be encoded with MSO, and pattern embeddings are MSO properties checking the existence of some subgraph. A complete translation is given in Appendix 6.6.

Proposition 4 holds for any net N and its execution graph G_{U(N)}. However, in general, G_{U(N)} is not of bounded treewidth. One can always choose an integer K, and build a context-free graph grammar G_{K,N} as proposed in Proposition 3, but in general, the graph generated by G_{K,N} is only a subgraph of G_{U(N)}, where some →ᵢ edges are missing. This is not surprising: in non-layered nets, the sizes of equivalence classes in G_{U(N)} need not be finite. If N is K-layered, the graph generated by G_{K,N} and G_{U(N)} are equivalent. Further, isomorphism is one of the building blocks of HyPOL, but in general cannot be expressed in MSO. The translation from HyPOL to MSO applies to any HyPOL formula for any type of net and observation. We know that MSO is decidable for HRGs [12,19]. But, in general, G_{U(N)} is not the production of an HRG. Altogether, these remarks give the following corollaries:

Corollary 16. It is undecidable whether the execution graph of a net N satisfies an MSO formula.
Corollary 17. Model checking equivalence-free HyPOL properties on labeled safe Petri nets is decidable.
Corollary 18. HyPOL model checking is decidable for K-layered safe Petri nets.
K-layeredness is a semantic property, which should hold on the possibly infinite unfolding of a net. However, some syntactic classes of nets meet the conditions needed to layer equivalences. In the following, we only consider observations that are projections. Slightly abusing our notation, for a transition t we denote by O_i(t) the LPO obtained by applying observation O_i to the LPO O_t that contains a single event e with λ(e) = λ(t).
Observation O_a projects LPOs on events labeled a. N_1 is not observable: O_a cannot distinguish behaviors in u_1.e.(u_1.e + u_2.f)^k from those in u_2.f.(u_1.e + u_2.f)^k.

Definition 19. Let N be a safe Petri net. Two transitions t, t' are independent iff there is no link from t to t' in the flow relation of N. We will say that N is observable iff, i) for every observation O_i, and every cyclic behavior t

ii) for every reachable marking M of N, every observation O_i and every pair of conflicting transitions t_1, t_2 enabled in M, there exists a bound k_c such that for every pair of paths

Condition i) forbids cyclic behaviors that cannot be observed. This is a sensible restriction often required for diagnosis (where it is called convergence, as in [5]). It guarantees that an event cannot be equivalent to an arbitrary number of predecessors. Condition ii) indicates that each branch of a choice in the net is eventually visible by each observation after a bounded duration. Condition iii) says that parallel sequences of transitions cannot grow to an arbitrary size without becoming distinguishable by all observations.

Proposition 5. Let N = (P, T, F, M_0, λ) be a safe labeled observable Petri net for observations O_1, …, O_k. Then N is K-layered, for some

Corollary 20. HyPOL model checking is decidable for observable safe Petri nets.

Conclusion
HyPOL is a local logic for hyperproperties of partially observed sets of labeled partial orders.
It is powerful enough to express properties such as non-interference in distributed systems. This logic follows the same line as local logics such as TLC⁻ or LD₀, as it depicts shapes of causal chains in partially ordered computations. In addition, it is possible to check whether some finite behavior has occurred in the past, and a new modal operator is introduced to move from an event in an LPO to another equivalent event in another LPO. Unsurprisingly, such a powerful logic is undecidable, even for simple models such as safe labeled Petri nets. However, under some restrictions, one can bring verification of HyPOL formulas back to verification of MSO properties on unfoldings of nets decorated with additional edges that simulate equivalences. The restrictions forbid nets with infinite unobservable runs, and assume bounds on the depth of indistinguishable suffixes. In this context, equivalence of runs only depends on a bounded future and past of each event, and decorated unfoldings have bounded treewidth. So far, we do not know whether K-layeredness is decidable for a fixed K. Another interesting question is the existence of a bound K such that a net N is K-layered.
We strongly believe that some restrictions used in observable nets can be relaxed, or adapted to consider larger classes of nets for which decorated unfoldings are of bounded treewidth or split-width [13]. A natural question that follows is whether these classes of nets have sensible and decidable syntactic characterizations.

Proof of Theorem 5
Theorem 5: Satisfiability of a HyPOL formula is undecidable.
Proof. The proof consists of a reduction of the Post Correspondence Problem (PCP). Recall that an instance I of PCP is a sequence (x_1, y_1), …, (x_n, y_n) of n pairs of words over some alphabet. A (non-trivial) solution of size k is a (non-empty) sequence of indices σ = i_1…i_k such that x_{i_1}…x_{i_k} = y_{i_1}…y_{i_k}. If the alphabet contains at least two letters, PCP is undecidable for n ≥ 7. Moreover, we can assume that for all 1 ≤ i ≤ n, x_i ≠ y_i (otherwise the problem can be trivially decided with a solution of size k = 1).
Given an instance I, we build a formula φ_I of HyPOL such that φ_I is satisfiable if and only if I has a (non-trivial) solution.
Let I be the sequence (x_1, y_1), …, (x_n, y_n) of words over alphabet A. We write z = z(1)…z(ℓ) where ℓ = |z| is the length of word z, with ℓ_i = |x_i| and h_i = |y_i|, 1 ≤ i ≤ n, and we consider the family of templates T_i, 1 ≤ i ≤ n, as depicted in Figure 6. The set of events of T_i and its label set P_i are as in Figure 6, and the global set of labels is P = ∪_{i=1}^n P_i. Intuitively, a solution σ = i_1…i_k will be described by the sequence of templates T_{i_1}…T_{i_k}.
Figure 6: Templates T_i and T_♯.
To detect that a solution ends with an event labeled by ♯, we define the formula stop ::= λ_{={♯}} ∧ ¬EX_{P,id} true. We also need to express that any event with label ♯ has at most two predecessors, which is done by a formula two-pred built from the pattern T_♯ depicted on Figure 6 (right) and the observation O_♯ that keeps any event with label ♯ unchanged and relabels all other events with the same fresh label. Now, if O_S denotes the projection on S, keeping only events with labels in S, a solution is described by: where HoldsT_i ::= match(id, T_i, s_i).
Finally, we consider the subset W of orders of LPO(P) where all labels are singletons. Note that this condition can be ensured by the formula Sing ::= AG_{P,id}(∨_{p∈P} λ_{={p}}). For an order O = (E, ≤, λ) ∈ W, we write E_A = E ∩ λ^{-1}(A) and E_ind = E ∩ λ^{-1}(Ind). We define the observation function O_sol over W by keeping all events and restricting ≤ to (E × E) \ ((E_A × E_ind) ∪ (E_ind × E_A)), thus removing the order between letters and indices.
The formula φ_I is then defined by: where the last sub-formula means that from some final ♯, it will not be possible to distinguish between paths with labels from the x_i's and those with labels from the y_i's.
Then, there is an order O in W satisfying φ I if and only if I has a non trivial solution.

An algorithm to build an unfolding of a safe Petri net
Although the construction is rather standard since [14], we give here, for the sake of completeness, a procedure to build an unfolding U(N) of an SLPN N. We first define the notions of co-set and cut. A co-set of a branching process $BR = (ON, \mu, \lambda)$ with $ON = (B, E, F, Cut_0)$ is a set of conditions that are pairwise concurrent. A maximal co-set (w.r.t. set inclusion) is called a cut. Finite configurations, cuts and markings are related as follows. If C is a configuration of a branching process $BR = (ON, \mu, \lambda)$, then we can define the co-set Cut(C). The set of places in Cut(C) represents the marking reached after firing the transitions in µ(C) in an order compatible with the ordering prescribed by ON.
The construction of an unfolding of a net $N = (P, T, F, M_0)$ consists in iteratively extending an initial branching process of N. For convenience, we assume a dummy event ⊥ whose postset fills all places of $M_0$. A condition of a branching process built by unfolding N is of the form b = (e, p), where p ∈ P is such that µ(b) = p and e is the (unique) input event of the condition b. Similarly, events are of the form e = (X, t), where X is a set of conditions (more precisely a co-set) and t is the transition such that µ(e) = t. One can notice that with these definitions of events and conditions, the flow relation in an unfolding is implicit: for an event e = (X, t) and a condition b = (e', p), $b \in {}^\bullet e$ iff b ∈ X, and $e \in {}^\bullet b$ iff e' = e. A possible extension of a branching process BR is an event (X, t), where t ∈ T and X is a co-set such that $\mu(X) = {}^\bullet t$, and which does not belong to BR.
The initial branching process of the unfolding algorithm is $BR_0 = (ON_0, \mu_0, \lambda_0)$, where  The following steps are then iterated to produce the next branching process from $BR_i$:
1) find the set PE of possible extensions of $BR_i$;
2) if PE is not empty, choose a particular event e = (X, t);
Figure 7 shows a part of $N_I$ where the first pair of I is $(x_1 = aab, y_1 = ab)$. We observe that at any time, tokens circulate only in one of the subparts (corresponding to some i ∈ 1..n) of the net located between place $p_0$ and transitions $t_{end_i,2}$, $t_{i,1}$ and $t_{i,2}$. Transition $t_{end_i,2}$ represents the addition of a PCP domino that is not the last one, while $t_{end_i,1}$ corresponds to the last PCP domino (since no other event can occur after firing t sharp,1 and t ,2). Clearly, processes of $N_I$ have the shape of concatenations of PCP words encoded with the templates of the proof of Theorem 5. Thus, $N_I$ satisfies $\varphi_I$ iff there is a solution for instance I of PCP, and model checking HyPOL on safe Petri nets is undecidable.

Construction of a hyperarc replacement grammar for U(N)
We show how to build a graph grammar that generates the unfolding U(N). This allows us to prove Proposition 1.
Proposition 1. Let N be a safe labeled Petri net. Then, there exists a hyperedge replacement grammar $G_N$ that generates U(N).
Definition 21. A hyperarc is a pair (l, V), where l is a label and $V \subseteq \mathbb{N}$ is an ordered set of vertices. A hypergraph is a triple (V, E, H) where V is a set of vertices, E a set of edges, and H a set of hyperarcs. A hyperedge replacement grammar (HRG) is defined as a pair G = (Ax, R), where Ax is a hypergraph called the axiom of the grammar and R is a set of rules. A grammar rule is a pair (L, R) where L, the left part of the rule, is a hyperarc, and R, the right part of the rule, is a hypergraph that contains all vertices of L.
Let G = (V, E, H) be a hypergraph and $h = (l_h, V_h) \in H$ a hyperarc. Let r = (L, R) be a rule where L = (l, X) is a hyperarc with label $l = l_h$ and the same number of vertices as $V_h$, and $R = (V_R, E_R, H_R)$. The application of rule r to G simply replaces hyperarc h in G by the right part R. More formally, application of r produces a hypergraph , where $\alpha : \mathbb{N} \to \mathbb{N}$ is a map that associates with the j-th vertex of X the identity of the j-th vertex in $V_h$, and associates with vertices of $V_R \setminus X$ a fresh identity that does not appear in V. We denote by 
Let $N = (P, T, F, M_0, \lambda)$ be a safe labeled Petri net. We fix an arbitrary order $<_P$ on places. Given a marking M and the set of integers 1..|M|, we denote by index(p, M) ∈ 1..|M| the rank of place p in the sequence of integers representing the marked places of M. Similarly, given a marking M and a list of integers representing this marking, we denote by place(i) the place represented by index i.

We have seen in section 6.2 an algorithm to build inductively an unfolding of a safe Petri net N. This unfolding can be infinite, but exhibits a regular structure. Furthermore, many verification algorithms addressing reachability or coverability questions work on a structure called a complete finite prefix. A complete finite prefix is built inductively like an unfolding, but stops within a finite number of steps, according to some criterion that forbids the addition of events fulfilling some property. A frequently used stopping criterion is the reachability criterion: it forbids a possible extension if adding the considered event produces a configuration that ends in a marking already visited in the branching process [23]. These events are called cut-off events. The principle of the HRG construction described hereafter is to build a complete finite prefix of net N and to find the markings that can be reached when appending cut-off events to maximal configurations of the prefix. We then use these markings as hyperarcs, and the part of the prefix occurring after the marking as the right part of a grammar rule.
Let us first recall some definitions borrowed from [23]. Let ON = (B, E, F) be an occurrence net and let S be a configuration of ON. We denote by $S^\bullet$ the set of all places that are maximal w.r.t. this configuration, i.e. the set X of all places such that $\forall p \in X, \forall e \in S, p \notin {}^\bullet e$ and $\forall p \in X, \forall e \in E \setminus S, p \notin e^\bullet$. Let µ be a homomorphism from ON to N. The final state of a configuration S is the marking $F(S) = \mu(S^\bullet)$. The local configuration of an event e is the set ${\downarrow} e$.
Let BR be a branching process. A possible extension e is a cut-off event (w.r.t. the reachability criterion) iff there exists another event e' such that $F({\downarrow} e'^\bullet) = F({\downarrow} e^\bullet)$, and  Now, the algorithm to compute a complete finite prefix is the following:
0) start from the initial branching process $BR_0$;
1) find the set PE of possible extensions of $BR_i$, i.e. the fresh pairs (X, t) such that X is a co-set of BR and 
It is well known (see for instance [23]) that: the construction of a complete finite prefix w.r.t. the reachability criterion terminates; all cuts of the prefix (and in fact even all those of the unfolding) correspond via µ to a reachable marking, and conversely, all reachable markings of an unfolded net are represented by at least one cut in the prefix.
Let us call CFP(N) the complete finite prefix thus built; then for every reachable marking M of N, there exists a configuration S of CFP(N) such that $F(S^\bullet) = M$.
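The unfolding procedure of section 6.2 and the complete-finite-prefix construction above, carried out on a constructed sample net, as an added example (this code is not from the paper). Events are the pairs (X, t) and conditions the pairs (e, p) of section 6.2, so the flow relation stays implicit; co-sets are checked as pairwise concurrency (neither causal order nor conflict). The cut-off test is McMillan's size-based form of the reachability criterion (an assumption made here): a candidate is a cut-off when the final marking of its local configuration is the initial marking or is already reached by a strictly smaller local configuration. `reachable_markings` enumerates the configurations of the prefix to check the completeness property stated above.

```python
"""Complete finite prefix of a safe Petri net, with the implicit flow relation.
Conditions: (e, p), e the unique input event (None for the dummy initial event).
Events: (X, t), X a frozenset of input conditions (a co-set), t the transition."""
from functools import lru_cache
from itertools import product


class SafeNet:
    """transitions: {name: (preset, postset)} as sets of places; m0: initial marking."""
    def __init__(self, transitions, m0):
        self.transitions = {t: (frozenset(a), frozenset(b)) for t, (a, b) in transitions.items()}
        self.m0 = frozenset(m0)


def is_condition(node):
    return not isinstance(node[0], frozenset)   # an event's first component is its co-set


@lru_cache(maxsize=None)
def past(node):
    """Events strictly below node (a condition's own input event included)."""
    if is_condition(node):
        return frozenset() if node[0] is None else past(node[0]) | {node[0]}
    return frozenset().union(*(past(b) for b in node[0]))


@lru_cache(maxsize=None)
def conds_below(node):
    """Conditions strictly below node in the flow relation."""
    if is_condition(node):
        return frozenset() if node[0] is None else conds_below(node[0])
    return node[0].union(*(conds_below(b) for b in node[0]))


def in_conflict(b1, b2):
    """Distinct events in the two pasts compete for a common input condition."""
    return any(f1 != f2 and f1[0] & f2[0] for f1 in past(b1) for f2 in past(b2))


def is_coset(X):
    """Pairwise concurrent: neither causally ordered nor in conflict."""
    conds = list(X)
    return all(not (b1 in conds_below(b2) or b2 in conds_below(b1) or in_conflict(b1, b2))
               for i, b1 in enumerate(conds) for b2 in conds[i + 1:])


def cut(config, net):
    """Cut(C): conditions produced by M0 or by C and not consumed by C."""
    produced = {(None, p) for p in net.m0}
    consumed = set()
    for e in config:
        produced |= {(e, p) for p in net.transitions[e[1]][1]}
        consumed |= e[0]
    return frozenset(produced - consumed)


def final_marking(config, net):
    return frozenset(p for _, p in cut(config, net))


def possible_extensions(net, usable, present):
    """Fresh events (X, t) with X a co-set of usable conditions labelled by the preset of t."""
    by_place = {}
    for b in usable:
        by_place.setdefault(b[1], []).append(b)
    pe = []
    for t, (pre, _) in net.transitions.items():
        if all(p in by_place for p in pre):
            for combo in product(*(by_place[p] for p in sorted(pre))):
                e = (frozenset(combo), t)
                if e not in present and is_coset(e[0]):
                    pe.append(e)
    return pe


def is_cutoff(e, events, net):
    """Reachability criterion in McMillan's form (an assumption of this example): the final
    marking of the local configuration [e] is M0 or is reached by a smaller [f]."""
    m, size = final_marking(past(e) | {e}, net), len(past(e)) + 1
    return m == net.m0 or any(final_marking(past(f) | {f}, net) == m
                              and len(past(f)) + 1 < size for f in events)


def unfold_complete_prefix(net):
    """Returns (events, conditions, cut-off events) of the complete finite prefix."""
    conditions = {(None, p) for p in net.m0}
    usable, events, cutoffs = set(conditions), [], set()
    while True:
        pe = possible_extensions(net, usable, set(events))
        if not pe:
            return events, conditions, cutoffs
        e = min(pe, key=lambda ev: (len(past(ev)), ev[1]))   # smallest local configuration first
        events.append(e)
        post = {(e, p) for p in net.transitions[e[1]][1]}
        conditions |= post
        if is_cutoff(e, events[:-1], net):
            cutoffs.add(e)               # kept, but never extended any further
        else:
            usable |= post


def reachable_markings(net, events):
    """Final markings of every configuration of the prefix (causally closed and conflict-free
    event sets), enumerated by firing enabled events from the empty configuration."""
    seen, stack, markings = {frozenset()}, [frozenset()], set()
    while stack:
        c = stack.pop()
        markings.add(final_marking(c, net))
        c_cut = cut(c, net)
        for e in events:
            if e not in c and e[0] <= c_cut and (c | {e}) not in seen:
                seen.add(c | {e})
                stack.append(c | {e})
    return markings


def example_net():
    """Constructed sample: a fork/join loop p0 -> {p1,p2} -> {p3,p4} -> p0, plus t5 in conflict with t2."""
    return SafeNet({"t1": ({"p0"}, {"p1", "p2"}), "t2": ({"p1"}, {"p3"}), "t3": ({"p2"}, {"p4"}),
                    "t4": ({"p3", "p4"}, {"p0"}), "t5": ({"p1"}, {"p5"})}, {"p0"})


if __name__ == "__main__":
    net = example_net()
    events, conditions, cutoffs = unfold_complete_prefix(net)
    print(len(events), "events;", "cut-off events:", sorted(e[1] for e in cutoffs))
    print(sorted(sorted(m) for m in reachable_markings(net, events)))
```

On the sample net the prefix contains five events; the occurrence of t4 is the only cut-off (its local configuration returns to the initial marking), and the seven final markings of the prefix's configurations are exactly the reachable markings of the net.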
We can now detail the construction of a HRG that generates the unfolding of N. We first build CFP(N) using the algorithm above. Then we compute the set PE of possible extensions in CFP(N), and add these possible extensions to CFP(N). Let $BR_{CFP,PE}$ be the branching process obtained by adding these events, and let $S_1, \dots, S_k$ be the maximal configurations of $BR_{CFP,PE}$. For every $S_i$ there exists at least one configuration . Note that for the reachability cut-off criterion, there can be more than one configuration of this form. We can choose arbitrarily one of them, for instance the configuration with the minimal number of events. For such a configuration $S_i$ we denote by ${\uparrow}_{BR_{CFP,PE}} S_i$ the restriction of $BR_{CFP,PE}$ to events and conditions that are descendants of $S_i^\bullet$. We build the grammar $G_N = (Ax, R)$ as follows. We set $Ax = (N_0, H_0)$ where $N_0 = BR_{CFP,PE}$ and $H_0 = \{(l_i, X_i) \mid S_i \text{ is a maximal configuration of } BR_{CFP,PE}\}$, where each $X_i$ is an ordered set of vertices containing all conditions in $S_i^\bullet$ (we can order vertices according to $<_P$ and to the place µ(b) represented by each condition b in $X_i$).
Then, for every maximal configuration $S_i$ in $BR_{CFP,PE}$, we create a rule  One can notice that $G_N$ may have up to $2^{|P|}$ rules. We can show that $G_N^\omega(Ax) = U(N)$.

Proof of Proposition 2
Proposition 2. There exist labeled safe Petri nets and observation functions whose execution graphs are not of bounded treewidth, and cannot be represented by a hyperedge replacement grammar.
Proof.This proposition is proved by exhibiting a simple example, whose execution graph contains grid minors of arbitrary sizes.
A grid of size m × m is a graph whose vertices are words from $\{0,1\}^n$ with n ∈ 0..m, and such that for any such word w there is an edge from w to w.1 and from w to w.0. A minor of a graph G = (V, E) is a graph G' obtained by either removing vertices, removing edges, or collapsing vertices that are connected. A famous theorem by Robertson and Seymour [26] says that a family of graphs $F_G$ has bounded treewidth if and only if there exists a constant m such that no graph $G \in F_G$ has a minor isomorphic to the m × m grid. It is also known that hyperedge replacement grammars can only generate graphs of bounded treewidth (see for instance [11]). Let us consider the example net N of Figure 8, labeled by $\lambda(e) = \lambda(f) = a$, $\lambda(u_1) = \lambda(u_2) = b$, and an observation function $O_{e,f}$ that projects processes of this net on events labeled by a. Notice that all processes generated by this net provide a total ordering on events (the execution graph of N is hence a tree). Within this tree, all events labeled a located at the same depth are equivalent w.r.t. $O_{e,f}$.
Clearly, the execution graph of N has the graph of Figure 9 below as a minor: it suffices to collapse conditions with their predecessors, to keep only nodes corresponding to transitions $u_1$ and e if they are successors of an occurrence of e, and last, ordering vertices according to the lexicographical order $e < u_1 < f < u_2$, to keep only equivalence edges that go from right to left.
One can clearly see from this picture that a grid of arbitrary size n can be created by first removing all events at depth ≤ 2·n, then collapsing every occurrence of $u_1, u_2$ with its predecessor, and then removing the leftmost part of the grid to keep only red chains of at most n events. As a consequence, the execution graph of N has all grids of size n × n as minors. Following the results of Robertson and Seymour, it is then not of bounded treewidth. It is well known that context-free hyperedge replacement grammars and equational graphs are alternative definitions for families of graphs [11]. So, an HRG can only generate graphs of bounded treewidth. Hence, there is no context-free HRG generating the execution graph for the example considered in Figure 8.

Proof of Proposition 4
Proposition 4. Let φ be a HyPOL formula. Then there exists an MSO formula ψ such that 
Proof. Without leaving MSO, we can define a particular labeling to differentiate events and conditions in $G_{U(N)}$: we write Cond(x) for the predicate that holds for every condition and Event(x) for the predicate that holds on all events.
We first define some basic formulas, holding at some node of $G_{U(N)}$:
true holds for every element of $G_{U(N)}$;
$Lab(x) \cap D \neq \emptyset$ is equivalent to the formula $\bigvee_{d \in D} lab_d(x)$;
Event(x) holds under any interpretation that assigns an event of $G_{U(N)}$ to x;
Cond(x) holds under any interpretation that assigns a condition of $G_{U(N)}$ to x;
edge(x, y) holds under an interpretation that assigns a condition b to x and an event e to y such that $b \in {}^\bullet e$, or an event e to x and a condition b to y such that $b \in e^\bullet$;
$edge_i(x, y)$ holds under any interpretation I that assigns events I(x) and I(y) of $G_{U(N)}$ to x and y such that $I(x) \xrightarrow{i} I(y)$.
Figure 9 A part of a minor of the execution graph for the net of Figure 8 with observation function $O_{e,f}$ that projects processes on events labeled by a.
From these building blocks, we can define more advanced expressions.
succ(x, y) is a formula that holds under an interpretation I such that e = I(x) is an event, f = I(y) is an event, and the pair of events e, f is in the immediate successor relation in $G_{U(N)}$. Formally, this is written as: $succ(x, y) ::= \exists z,\ Event(x) \wedge Event(y) \wedge Cond(z) \wedge edge(x, z) \wedge edge(z, y)$.
isMinimal(x, X) is a formula that holds under an interpretation that maps variable x to an event and X to a set of nodes of $G_{U(N)}$, such that I(x) is minimal in X with respect to the causal ordering of $G_{U(N)}$. Formally, we write: $isMinimal(x, X) ::= x \in X \wedge Event(x) \wedge \forall y \in X, \neg succ(y, x)$.
isMaximal(x, X) is similar to the previous formula, and requires I(x) to be maximal in X. It is defined as: $isMaximal(x, X) ::= x \in X \wedge Event(x) \wedge \forall y \in X, \neg succ(x, y)$.
isAChain(x, X) is a formula that holds for any interpretation I in which X is a chain (a totally ordered sequence of events w.r.t. the successor relation) starting from x. It is formulated as follows: 
x ≤ y can be defined as the formula:  More intuitively, this formula says that I(X) is the set of all successors of I(x) in $G_{U(N)}$, and that it contains I(y). This is a standard formula frequently used when addressing properties of partially ordered sets.
x < y (covering) is defined by x < y ::= 
Let O be a particular observation erasing events that do not carry a label from a particular subset D, and restricting the covering of the obtained order to pairs of events carrying specific pairs of labels in $R \subseteq \Sigma \times \Sigma$. Then one can define $x <_O y$ as the formula stating that the labels attached to x and y are contained in D, that $(lab(x), lab(y)) \in R$, and that there exists a path from x to y such that every intermediate event visited between x and y carries a label that does not belong to D. This type of construction applies to all kinds of labeling-based projection and order restriction. More formally: 
We are now ready to transform HyPOL formulas into MSO formulas. For every HyPOL formula φ we build inductively an MSO formula ψ. The inductive construction uses fresh first-order variables x, y, ... and second-order variables X, Y, ... at every induction step. Further, as HyPOL formulas should hold at a particular event, we design ψ with a particular free variable x denoting the event at which ψ must hold. For every HyPOL formula φ, letting ψ be the MSO formula obtained by translation of φ into MSO, for every order O in Ord(PR(N)) and every event $e \in E_O$, $O, e \models \varphi$ if and only if ψ holds in $G_{U(N)}$ under an interpretation that assigns e to x. We hence define $\psi = MSO(\varphi, x, C)$, where C is a context listing the variable names already used, x is a free variable of ψ that appears in C, and ψ is an MSO formula over x and fresh variable names not used in C. For a given HyPOL formula φ, we build inductively $\psi = MSO(\varphi, x, C)$ as follows:
if φ = true then $MSO(\varphi, x, C) = true$ for any variable x and context C;
$(\varphi', y, C')$ where y is a fresh variable name (w.r.t. C and to the set $C_{x \le_O y}$ of variables used to encode subformula 
where $x_1, \dots, x_{|E|-1}$ are fresh variable names (w.r.t. C);
if $\varphi = EX_{\equiv, O_i}\, \varphi'$ then $MSO(\varphi, x, C) = \exists y,\ edge_i(x, y) \wedge MSO(\varphi', y, C')$ where y is a fresh variable name (w.r.t. C) and
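The building blocks above (succ, isMinimal, isMaximal, isAChain, x ≤ y and the projected covering $x <_O y$), evaluated on a finite, hand-built piece of an execution graph, as an added example (not code from the paper). The second-order characterisation of x ≤ y is computed as the least succ-closed set containing x; for $x <_O y$ the code checks that no event with a label in D lies strictly between x and y, which is how this example reads "covering in the projected order". The graph, the node names and the label sets are constructed for the example.

```python
"""Evaluating the MSO building blocks of the translation on a finite execution graph.
nodes: {name: ('event'|'cond', label)}; flow: (x, y) pairs of the flow relation;
equiv: (x, y) pairs of the edge_i relation for one observation (constructed sample)."""


class ExecGraph:
    def __init__(self, nodes, flow, equiv=()):
        self.nodes, self.flow, self.equiv = dict(nodes), set(flow), set(equiv)

    # basic predicates
    def event(self, x): return self.nodes[x][0] == 'event'
    def cond(self, x): return self.nodes[x][0] == 'cond'
    def lab(self, x): return self.nodes[x][1]
    def edge(self, x, y): return (x, y) in self.flow
    def edge_i(self, x, y): return (x, y) in self.equiv

    # derived formulas
    def succ(self, x, y):
        """exists z: Event(x) and Event(y) and Cond(z) and edge(x, z) and edge(z, y)."""
        return self.event(x) and self.event(y) and any(
            self.cond(z) and self.edge(x, z) and self.edge(z, y) for z in self.nodes)

    def is_minimal(self, x, X):
        return x in X and self.event(x) and not any(self.succ(y, x) for y in X)

    def is_maximal(self, x, X):
        return x in X and self.event(x) and not any(self.succ(x, y) for y in X)

    def is_a_chain(self, x, X):
        """X is a succ-chain x = x1, x2, ..., xn that covers all of X."""
        if x not in X:
            return False
        seen, cur = {x}, x
        while True:
            nxt = [y for y in X if self.succ(cur, y)]
            if len(nxt) != 1:                       # end of chain, or a branching
                return len(nxt) == 0 and seen == set(X)
            cur = nxt[0]
            if cur in seen:
                return False
            seen.add(cur)

    def le(self, x, y):
        """x <= y: the least succ-closed set containing x contains y."""
        X, frontier = {x}, [x]
        while frontier:
            u = frontier.pop()
            for v in self.nodes:
                if self.event(v) and v not in X and self.succ(u, v):
                    X.add(v)
                    frontier.append(v)
        return y in X

    def lt_obs(self, x, y, D, R):
        """x <_O y for the projection on labels D restricted to label pairs in R:
        x strictly below y, labels in D and R, and no D-labelled event strictly between."""
        if x == y or not self.le(x, y):
            return False
        if self.lab(x) not in D or self.lab(y) not in D or (self.lab(x), self.lab(y)) not in R:
            return False
        return not any(z not in (x, y) and self.lab(z) in D and self.le(x, z) and self.le(z, y)
                       for z in self.nodes if self.event(z))


def sample_graph():
    """Constructed sample: e1 (a) forks into e2 (b) and e3 (c), which join into e4 (a)."""
    nodes = {'b0': ('cond', 'p0'), 'e1': ('event', 'a'), 'b1': ('cond', 'p1'), 'b2': ('cond', 'p2'),
             'e2': ('event', 'b'), 'b3': ('cond', 'p3'), 'e3': ('event', 'c'), 'b4': ('cond', 'p4'),
             'e4': ('event', 'a'), 'b5': ('cond', 'p5')}
    flow = [('b0', 'e1'), ('e1', 'b1'), ('e1', 'b2'), ('b1', 'e2'), ('e2', 'b3'), ('b2', 'e3'),
            ('e3', 'b4'), ('b3', 'e4'), ('b4', 'e4'), ('e4', 'b5')]
    return ExecGraph(nodes, flow)


if __name__ == "__main__":
    g = sample_graph()
    print("succ(e1,e2)", g.succ('e1', 'e2'), "le(e1,e4)", g.le('e1', 'e4'))
    print("e1 <_O e4 on {a}:", g.lt_obs('e1', 'e4', {'a'}, {('a', 'a')}),
          "on {a,b}:", g.lt_obs('e1', 'e4', {'a', 'b'}, {('a', 'a'), ('a', 'b'), ('b', 'a')}))
```

With D = {a}, e1 and e4 are consecutive in the projected order because the only events between them carry b and c; with D = {a, b}, the event e2 separates them, so the covering no longer holds even though a path through e3 avoids D-labelled events.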

Process graphs. To give a representation of common pasts of events, we define process graphs as graphs of the form $G = (V, \longrightarrow, \alpha)$ representing processes of a Petri net, where $V = \{1 \dots n\}$ is a finite set of integers, ${\longrightarrow} \subseteq V \times V$, and $\alpha : V \to P \cup T$ associates a place or transition name with each vertex in V. We denote by PG(P, T) the set of all such process graphs. We use process graphs to memorize a canonical representation of the (bounded) past of a set of events. Now, we can define a partial function $diff(e_i, e_j, K) : E \times E \times \mathbb{N} \to PG(P, T)$, such that $diff(e_i, e_j, K)$ is defined only for pairs of events such that $d_K(e_i, e_j) < \infty$. The process graph $diff(e_i, e_j, K)$ is isomorphic to the part of the unfolding defined by $({}^\bullet(Past(e_i) \setminus Past(e_j)))^\bullet$. One can notice that, with the implicit flow relation due to the construction of events ($(b, e) \in F$ if e = (X, t) and b ∈ X, and $(e, b) \in F$ if b = (e, p)), every vertex in an unfolding has a finite set of predecessors, and $diff(e_i, e_j, K)$ is always a finite graph. Given an occurrence net ON, a sequence of events $e_1, \dots, e_n$, and a pair of events $e_i, e_j$ at distance at most K, we can compute $P_K(e_i, e_j)$, the set of conditions and events that appear in the past of $e_i$ and not in the past of $e_j$ at distance smaller than K. Let $P_K(e_1 \dots e_n)$ denote the union of all $P_K(e_i, e_j)$ for all pairs of events $e_i, e_j$ in $e_1, \dots, e_n$. Note that this is not yet a canonical representation. However, one can easily attach a canonical identity (an integer) to each event or condition in $P_K(e_1 \dots e_n)$. Considering an arbitrary ordering on places, transitions, events $e_1, \dots, e_n$ and pairs of events, one can define a backward DFS exploration starting from an event $e_i$ in $P_K(e_i, e_j)$, and associate as canonical identity with a condition or event in $P_K(e_1 \dots e_n)$ the integer indicating its order of discovery during the exploration. Let $can(v_i)$ be the function associating with a condition or event its canonical number. Then, $diff(e_i, e_j, K) = (V, \longrightarrow, \alpha)$ is the process graph obtained by first computing $P_K(e_i, e_j) = (B, E, F, Cut_0)$, and then defining  = n for some event e = (X, t). As we define $diff(e_i, e_j, K)$ for events that are at distance at most K, this process is always finite. Notice that we are not interested in processes themselves, but in their general shape (which will be sufficient to decide isomorphism in unfoldings of layered nets).
Rule construction. We are now ready to define the construction of a rule of the grammar that generates U(N). The principle is as follows. Consider a hyperarc $h = (l, p_1 \dots p_k . e_1 \dots e_n)$ of our new grammar. We assume that this hyperarc was correctly built, i.e. the label l attached to the hyperarc is such that $p_1 \dots p_k$ can be distinguished from $e_1 \dots e_n$; it associates a place name with each $p_i$ (i.e. one can recover the marking $M_i$ associated with cut $p_1 \dots p_k$), a transition name with each $e_i$, and the functions rel and diff.
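The canonical numbering of $P_K(e_i, e_j)$ by backward DFS described above, as an added example (not code from the paper). The occurrence net is a constructed chain of three iterations of a loop t;u over places p0, p1; $P_K(e_i, e_j)$ is taken here as the nodes at distance smaller than K below $e_i$ that are not below $e_j$, and the DFS orders the predecessors of a node by place/transition name, which is unambiguous for safe nets because the input conditions of an event carry distinct places. The returned process graph keeps only the shape and the labels, so two differences with isomorphic K-bounded pasts compare equal.

```python
"""Canonical process graph of the K-bounded past difference of two events.
nodes: {name: (kind, label)}; preds: {name: [predecessors]}, flow goes predecessor -> node."""
from collections import deque


def past_within(preds, root, K):
    """Nodes at distance < K below root (root itself is at distance 0)."""
    dist, queue = {root: 0}, deque([root])
    while queue:
        v = queue.popleft()
        if dist[v] + 1 >= K:
            continue
        for u in preds[v]:
            if u not in dist:
                dist[u] = dist[v] + 1
                queue.append(u)
    return set(dist)


def full_past(preds, root):
    return past_within(preds, root, float('inf'))


def p_k(preds, ei, ej, K):
    """P_K(ei, ej): past of ei at distance < K, minus the (whole) past of ej."""
    return past_within(preds, ei, K) - full_past(preds, ej)


def diff(nodes, preds, ei, ej, K):
    """Process graph (V, ->, alpha) of P_K(ei, ej) with canonical ids assigned in order of
    discovery by a backward DFS whose branches are ordered by place/transition name."""
    region = p_k(preds, ei, ej, K)
    can = {}

    def visit(v):
        can[v] = len(can) + 1                       # discovery order is the canonical id
        for u in sorted((u for u in preds[v] if u in region), key=lambda u: nodes[u][1]):
            if u not in can:
                visit(u)

    visit(ei)
    arrows = frozenset((can[u], can[v]) for v in can for u in preds[v] if u in can)
    alpha = tuple(sorted((can[v], nodes[v][1]) for v in can))   # alpha: V -> P u T
    return frozenset(can.values()), arrows, alpha


def sample_occurrence_net():
    """Constructed: b0(p0) -> e1(t) -> b1(p1) -> e2(u) -> b2(p0) -> e3(t) -> ... -> e6(u)."""
    nodes, preds, prev = {}, {}, None
    for i in range(3):
        for name, kind, lab in ((f"b{2 * i}", "cond", "p0"), (f"e{2 * i + 1}", "event", "t"),
                                (f"b{2 * i + 1}", "cond", "p1"), (f"e{2 * i + 2}", "event", "u")):
            nodes[name] = (kind, lab)
            preds[name] = [] if prev is None else [prev]
            prev = name
    return nodes, preds


if __name__ == "__main__":
    nodes, preds = sample_occurrence_net()
    print(diff(nodes, preds, 'e3', 'e1', 3))       # same shape as diff(e5, e3, 3)
    print(diff(nodes, preds, 'e5', 'e3', 5))       # the past of e3 is removed from the region
```

Here diff(e3, e1, 3) and diff(e5, e3, 3) are equal although they are built from different nodes, while diff(e4, e2, 3) differs because its labels are u, p1, t instead of t, p0, u; with K = 5 the subtraction of the past of e3 becomes visible.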
We use the rule $r_i = (L_i, R_i)$ of grammar $G_N$ with hyperarc $L_i = (l_i, p_1 \dots p_k)$ such that the marking described by $L_i$ is the same as the marking described by h. This rule is unique, and as our new rule only adds events to cuts already used in $G_N$, it exists. As the execution graph does not add new events or conditions to the unfolding of N, we can safely use the right part $R_i$ of rule $r_i$ to add events, conditions and the flow relation to an already built part of $G_{U(N)}$ containing hyperarc h. Let $V_{R_i}$ denote the set of events appended by application of rewriting rule $r_i$, $B_{R_i}$ the set of conditions and $E_{R_i}$ the set of edges. For every pair of events e, f in the set of events $V_{R_i} \cup \{e_1 \dots e_n\}$ we can decide whether $e \xrightarrow{i} f$ as follows.
Suppose $e, f \in e_1 \dots e_n$: then every equivalence arc that needed to be appended is already drawn, and no additional edge needs to be appended between e and f.
Suppose $e \in e_1 \dots e_n$ and $f \in V_{R_i}$. Let $P_f = \{e_1 \dots e_n\} \cap {\downarrow} f$. Then one can compute an occurrence net $ON_i = (B_i, X_i, F_i)$ where $X_i$ is the set of events appearing in  Then, for every x in $X_i$, one can decide whether the distance between x and f is greater than K, and if it is smaller, compute it: if dist(x, f) > K for every $x \in P_f$ then dist(e, f) > K. As N is K-layered, there is no edge of the form $\xrightarrow{i}$ between e and f. If dist(x, e) ≤ K, then dist(e, f) can also be computed. Assume that there exists $x \in P_f$ such that $e \in {\downarrow} x$. Then $Past(e) \cap Past(f) = Past(e)$ and dist(e, f) = max  As the two values dist(x, e) and dist(x, f) are known, one can easily check whether dist(e, f) ≤ K and, if this is the case, compute the frontier H as the set of predecessors of the maximal places in $({\downarrow} e)^\bullet$, compute $F_{e,f}$ and as 
Now, assume that for every $x \in P_f$, $e \notin {\downarrow} x$. Then, for every $x \in P_f$, e is either in conflict or concurrent with x. For every node $v_n$ in $Past_K(x)$, the past of x at distance at most K, either the distance $dist(v_n, e)$ between $v_n$ and e is already greater than K, or we know precisely the distance $dist(v_n, e) \le K$. The distance between e and f is hence dist(e, f) = max  As in the case $e \le x$, we can compute H and $F_{e,f}$ from $ON_i$, and check  We do not detail the case where e, f are both newly generated events, which is similar to the former situation where $e \in e_1 \dots e_n$ and $f \in V_{R_i}$, with the slight difference that distances have to consider predecessors of both e and f. Hence, starting from a set of conditions $p_1, \dots, p_k$ and a set of events in a hyperarc, one can generate the occurrence net ON that contains the conditions $p_1, \dots, p_k$ of the hyperarc, plus additional events and conditions obtained by application of a rewriting rule of the form (L, R) defined in the construction of grammar $G_N$, and augment it with equivalence edges.
Generating new hyperarcs. Let us now explain how new hyperarcs are generated. Recall that a hyperarc rewriting by a rule of grammar $G_{K,N}$ is a rewriting of a left part of the form $L_i = (l_i, p_1 \dots p_k . e_1 \dots e_n)$ into a right part $HG_i = (G_i, H_i)$, where $G_i$ is a graph containing an occurrence net $ON_i = (V_i, E_i)$ generated by unfolding from marking $p_1 \dots p_k$ using a rule of grammar $G_N$ (see the grammar construction in section 6.4), augmented with equivalence edges, and $H_i$ is a set of newly generated hyperarcs. Let us first detail the contents of the hypergraph $HG_i$. The added conditions and events are the conditions and events added by some rewriting rule r = (L, R) of $G_N$ with L = (l, B) and R = (ON, H), such that $B = b_1 \dots b_k$ represents the same marking as $p_1 \dots p_k$, and $ON_i$ (i.e. $G_i$ without equivalence edges) is equal to ON. Note that L is not the full hyperarc $L_i$, as events and the additional information attached to their distance and common past are missing. However, places $p_1 \dots p_k$ suffice to write the needed events and conditions in $ON_i$, as this additional information is only used to detect whether a pair of events is connected by an equivalence edge. We use a slight shortcut and call $h_1, \dots, h_q$ the hyperarcs obtained by application of rule r = (L, R) from $G_N$ to a hypergraph that contains a hyperarc of the form $L_i = (l_i, p_1 \dots p_k . e_1 \dots e_n)$. These hyperarcs represent the maximal places in maximal configurations obtained by unfolding a complete prefix once more. We use them as a base to design hyperarcs of the form $L_j = (l_j, p_1 \dots p_{k_j} . e_1 \dots e_{n_j})$ and hence complete the construction of rules for $G_{K,N}$. As seen before, a hyperarc only needs the information about events at distance ≤ K from events produced in the future (and the finite list of considered events, to be able to build equivalence edges). That is, for each hyperarc $h_j \in \{h_1, \dots, h_q\}$ obtained by application of rule r from $p_1 \dots p_k$, we need to compute: $F_{\le K, h_j}$, the set of events that can be at distance ≤ K from events appended in the future when rewriting $h_j$; and $l_j$, the label that associates with places and events enough information to know the type of each node, the relations among them, and the differences since their common causal  Let $G_i$ be the graph generated by rewriting, and $h_j$ a set of maximal conditions in $G_i$. Let $Place(h_j)$ denote the list of places appearing in $h_j$, and let t be a transition such that ${}^\bullet t \subseteq Place(h_j)$. Then, a rewriting of a hyperarc with conditions $h_j$ will append to $G_i$ all events of the form e = (X, t) where X is a subset of $h_j$. Note furthermore that for every event f in $G_i$, if the distance dist(x, f) between f and all predecessors x of a condition in $h_j$ is already greater than K, then dist(e, f) ≥ K.
Conversely, if the minimal distance between a predecessor x of a condition in $h_j$ and f is equal to m ≤ K, then the distance between e and f is m + 2 (one needs to cross two additional edges to go from f to e via x). If we repeat this operation for every event e that can be an immediate successor of conditions in $h_j$, then we can build $F_{\le K, h_j}$, the set of events that can be at distance ≤ K from events that will appear in the future. Then, the causal/conflict/concurrency relation among events in $F_{\le K, h_j}$ is built from the causal dependences in $ON_i$ and from the existing information in the original rewritten hyperarc $L_i = (l_i, p_1 \dots p_k . e_1 \dots e_n)$. As in the construction of diff(e, f, K), we can find a unique way to number conditions and events in $G_i$, compute diff(e, f, K) for every pair of events at distance at most K in $F_{\le K, h_j}$, and integrate this information as a part of a label $l_j$ designed for this hyperarc. We hence have a hyperarc $L_j = (l_j, h_j . F_{\le K, h_j})$. We repeat this operation for every hyperarc in $\{h_1, \dots, h_q\}$. To summarize, we have produced a rule of the form $(L_i, R_i)$ where $L_i = (l_i, p_1 \dots p_k . e_1 \dots e_n)$ and $R_i$ is a hypergraph of the form $(G_i, H_i)$, where $G_i$ is the graph mentioned above, obtained by unfolding and decoration with equivalences, and $H_i = \{L_j \mid \exists h_j \in G_N(L_i)\}$ is the set of hyperarcs obtained by adding events and information to the hyperarcs of $G_N$ that rewrite $p_1 \dots p_k$, which are of the form $L_j = (l_j, h_j . F_{\le K, h_j})$. One can notice that for a given hyperarc of $G_N$, i.e. for a given marking $M = p_1 \dots p_k$, there is only a bounded number of events that can fire from M. So the K-ball of this set of events is finite, and the set of K-predecessors of this union of balls is finite too.
For every newly produced hyperarc, we can reproduce this unfolding and decoration operation to produce new hyperarcs. We compute an axiom as for $G_N$: we compute a complete finite prefix, decorate it with equivalence edges, and take as hyperarcs the maximal cuts with additional events. We then proceed inductively from each produced hyperarc to build a grammar that generates $G_{U(N)}$. As the set of hyperarcs in $G_N$ is finite, as the K-ball of events is finite, and as the set of diff(e, f, K) that can appear for events at distance at most K is also finite, the inductive construction stops.

Proofs of corollaries 16, 17 and 18
Corollary 16 It is undecidable whether the execution graph of a net N satisfies an MSO formula.
Proof. Assume that MSO is decidable. Then, for each instance I of PCP, one can build the net $N_I$ and the formula $\varphi_I$ describing solutions of instance I of the PCP, as proposed in the proof of Theorem 11. As every HyPOL formula can be translated into an MSO formula, checking whether $N_I \models \varphi_I$ is equivalent to checking whether the MSO formula $MSO(\varphi_I)$ is satisfied by the execution graph $G_{U(N_I)}$. As the PCP is undecidable, this question is undecidable too.
Corollary 17 Model checking equivalence-free HyPOL properties on labeled safe Petri nets is decidable.

Proof. Model checking an equivalence-free HyPOL property φ of a net N amounts to model checking property φ individually on every process. One can express in MSO that a pair of events is not in conflict, so φ can be verified as the MSO property MSO(φ) on the graph grammar $G_N$ that generates U(N).
Corollary 18 HyPOL model checking is decidable for K−layered safe Petri nets.
Proof. MSO is decidable for hyperedge replacement grammars [12,19]. From Proposition 4, we know that we can transform a HyPOL formula φ on processes of N into an MSO formula MSO(φ), and that $N \models \varphi$ iff $G_{U(N)} \models MSO(\varphi)$. Similarly, if N is K-layered for some K, then one can compute a graph grammar $G_{K,N}$ that recognizes $G_{U(N)}$.
Proof. Let N be an observable net, with set of transitions T and set of places P. One can first notice that in a process of N, if a pair of events e, f is connected by a causal chain of length greater than |T|, event f can always be differentiated from event e (and vice versa). Indeed, let $e < x_1 < \dots < x_k < f$ with k > |T|, where $x_1, \dots, x_k$ are events. We obviously have ${\downarrow} e \subseteq {\downarrow} f$. Furthermore, as k > |T|, ${\uparrow} e \cap {\downarrow} f$ contains a cyclic behavior, and in particular, as N is observable, for every observation $O_i$, $O_i(e < x_1 < \dots < x_k < f)$ contains at least one observable event. Hence we have $O_i({\downarrow} e) \neq O_i({\downarrow} f)$. So, an event f in U(N) is never equivalent to an event e located in its causal past at a distance greater than 2·|T|. Now, let us consider a pair of events e, f such that e and f are in conflict. Then, there exists a pair of executions $\rho_1, \rho_2$ that end respectively with e and f, and such that $\rho_1 = \rho.\rho'_1$ and $\rho_2 = \rho.\rho'_2$, i.e. $\rho_1$ and $\rho_2$ share a common prefix ρ. We have that $O_\rho \subseteq O_{\rho_1} \cap O_{\rho_2}$. Let us assume that $|\rho'_1| > k_c$ and $|\rho'_2| > k_c$. Then, as N is observable, for every observation $O_i$, $O_i(O_{\rho_1}) \neq O_i(O_{\rho_2})$. For a pair of conflicting events, there exists a set of conditions $b_1, \dots, b_k$ that are maximal (w.r.t. the flow relation) in ${\downarrow} e \cap {\downarrow} f$, and such that H(e) is the maximal length of a path of U(N): 1) from $B_0$ to e that does not pass through ${\downarrow} e \cap {\downarrow} f$, and hence not through $b_1, \dots, b_k$; 2) from $B_0$ to e that passes through ${\downarrow} e \cap {\downarrow} f$, and hence through $b_1, \dots, b_k$. The length of a path of type 1 is at most $2 \cdot (|\rho| + |\rho'_1|)$. One can notice that part of the events listed in ρ are either in ${\downarrow} e$, and hence must also appear in ${\downarrow} f$, or are concurrent with e and must also be concurrent with f. So the lengths of paths of type 1 leading from $B_0$ to e and from $B_0$ to f differ by at most $2 \cdot k_c$. Now let us consider paths of type 2.
These paths contain events that belong to ${\downarrow} e \cap {\downarrow} f$ and also appear in ρ, and events that belong to ${\downarrow} e \cap {\downarrow} f$ and appear in $\rho'_1$ (as $\rho_1$ and $\rho_2$ are sequential behaviors, one may still find events in ${\downarrow} e \cap {\downarrow} f$ that belong both to $\rho'_1$ and $\rho'_2$). Again, the length of such paths is at most $2 \cdot (|\rho| + |\rho'_1|)$.
Hence, e and f are at a distance at most $2 \cdot k_c$ in U(N). So, an event f in U(N) is never equivalent to another event e located at conflict distance greater than $2 \cdot k_c$ in U(N).
Last, consider a pair of concurrent events $e = (X_e, t_1)$, $f = (X_f, t_2)$. Clearly, e and f are occurrences of events that belong to independent sets of transitions $T_e, T_f$. As N is observable, for every observation $O_i$, if a cycle ρ containing transitions of $T_e$ and $T_f$ exists, then there is also a pair of transitions $t_e, t_f$ appearing in ρ such that $O_i(t_e) \neq O_i(t_f)$. Let $T_\rho$ denote the set of transitions appearing in such a cycle ρ. If the distance between e and f is greater than 2·|T|, then there exists a cyclic behavior of the net. This cyclic behavior may contain only occurrences of transitions in $T_e$, only occurrences of transitions in $T_f$, or occurrences of both. Let us assume that the cycle ρ contains occurrences of $T_e$ and $T_f$. Then, as N is observable, there exists an event $x_e \in {\downarrow} e$ and an event $x_f \in {\downarrow} f$ such that $O_i(x_e) \neq O_i(x_f)$, and hence e and f cannot be considered as equivalent by $O_i$. Assume that the cycle contains only occurrences of transitions from $T_e$. Then, as N is observable w.r.t. each observation $O_i$, this cycle contains at least one occurrence of a transition that is observable by $O_i$. Hence, after two occurrences of cycle ρ, the next occurrence of transition $t_1$ has a causal past that cannot be equivalent to the causal past of f. The case of cycles that contain only occurrences of transitions in $T_f$ is symmetric. Hence, for every observation $O_i$, if an event f is at a concurrency distance greater than 3·|T| from an event e, then $O_i({\downarrow} e) \neq O_i({\downarrow} f)$.
It is straightforward that for every e ∈ U(N ) and for every K, Ball K (e) is of bounded size, as every event has at most |P | predecessors and |P | successors, and every condition has only one predecessor ans at most |T | successors.
It now remains to prove the existence of a frontier H and of a bound K such that H is contained in the K-causal past of e and f, and such that e ≡_i f iff ↓e \ F̂_{e,f} ≡_i ↓f \ F_{e,f} \ H.
First, let us assume that e and f are not equivalent. If e and f are causally related, it is sufficient to remember at most |T| events in their causal past to be able to differentiate them, and to take as frontier the minimal event in this bounded set. Similarly, if e and f are conflicting events, it is sufficient to remember k_c events in their causal past to differentiate the observations of their pasts. Last, if e and f are concurrent events, considering 3.|T| events in their past suffices to notice that they are not equivalent.
Conversely, assume that a pair of events e, f is equivalent w.r.t. observation 𝒪_i. Then, these events are at a distance d smaller than max(2.k_c, 3.|T|). If e, f are causally related, and e ≤ f, then it suffices to remember the maximal events of ↓e as frontier (this frontier is finite). Then, checking that ↓e ≡_i ↓f amounts to checking that (↓f ∩ Ball_d(f)) \ (↓e ∩ Ball_d(f)) is an empty observation. Now, assume that e and f are conflicting events. As e and f are at distance at most 2.k_c, they share a common past, whose events are located at distance at most k_c. It is then sufficient to take as frontier the maximal events of ↓e ∩ ↓f, which are contained in the 2.k_c-ball of e and f, and then check that ↓e \ F̂_{e,f} ≡_i ↓f \ F_{e,f} \ H. A similar reasoning holds for concurrent events. Hence, it suffices to set K = max(2.k_c, 3.|T|) and to consider the nature of pairs of events to find an appropriate frontier allowing to check equivalence of any pair of events located at distance smaller than K.
Proof. The proof directly follows from Corollary 18 and Proposition 5: as an observable net N is K-layered, for K = max(2.k_c, 3.|T|), it suffices to build the grammar G_{K,N} that generates the execution graph G_{U(N)} for K = 3.|T|. Then, for every HyPOL formula, one can compute an equivalent MSO formula, and verify that this property is satisfied on G_{K,N}.

For O = (E, ≤, λ), we denote by max(O) = {e ∈ E | there is no f ≠ e with e ≤ f} the set of its maximal events, and by min(O) = {e ∈ E | there is no f ≠ e with f ≤ e} the set of its minimal events. The covering relation of O is the relation < ⊆ E × E such that e < f iff e ≤ f, e ≠ f and ∀e' : (e ≤ e' ≤ f) ⇒ (e' ∈ {e, f}). A causal path of O is a sequence of events e_1.e_2 ... e_n such that e_i < e_{i+1}. If e ∈ E, the ideal of e is the set ↓e = {f | f ≤ e} and its ending section is the set ↑e = {f | e ≤ f}. The arrows and relations may be indexed by the order in case of ambiguity. A set H ⊆ E of events is downward closed iff H = ⋃_{e∈H} ↓e, and upward closed iff H = ⋃_{e∈H} ↑e.

Definition 2. The restriction of O = (E, ≤, λ) to a subset H ⊆ E is the LPO O_{|H} = (H, ≤_{|H}, λ_{|H}) where ≤_{|H} = ≤ ∩ (H × H) and λ_{|H} is the restriction of λ to H. The projection of O on a subset of labels Σ' ⊆ Σ is the restriction of O to events that carry labels in Σ'.

Definition 3. Two partial orders O = (E, ≤, λ) and O' = (E', ≤', λ') over Σ are isomorphic (written O ≡ O') iff there exists a bijective function h : E → E' such that e ≤ e' ⟺ h(e) ≤' h(e') and λ(e) = λ'(h(e)). Note that two discrete LPOs O and O' are isomorphic iff their coverings are isomorphic.

Definition 4. Let O = (E, ≤, λ) and T = (E_T, ≤_T, λ_T) be partial orders over Σ. Then O matches T iff there exists H ⊆ E and a bijective mapping h : H → E_T such that

… φ ::= true … EU_{D,𝒪} φ; AG_{D,𝒪} φ ::= ¬EF_{D,𝒪} ¬φ; AX_{D,𝒪} φ ::= ¬EX_{D,𝒪} ¬φ; AX_{≡,𝒪} φ ::= ¬EX_{≡,𝒪} ¬φ.

The semantics of HyPOL formulas is defined over a set W ⊆ LPO(Σ) of orders, for O = (E, ≤, λ) ∈ W and e ∈ E. Letting λ_𝒪 be the labeling of 𝒪(O) and <_𝒪 its covering, we say that O ∈ W satisfies φ at event e (denoted by O, e |= φ) if formula φ is satisfied when starting its evaluation from event e in order O:
O, e |= true for every event e ∈ E;
O, e |= ¬φ iff O, e ⊭ φ, and O, e |= φ_1 ∨ φ_2 iff O, e |= φ_1 or O, e |= φ_2;
O, e |= match(𝒪, T, f) if and only if f is an event of T, e has image e' in 𝒪(↓e), and 𝒪(↓e) matches T with at least a witness mapping h_{e',f} associating f with e';
O, e |= EX_{D,𝒪} φ iff ∃f ∈ E, e has image e' ∈ 𝒪(↑e), f has image f' ∈ 𝒪(↑f), e' <_𝒪 f', such that λ_𝒪(e') ∩ D ≠ ∅ and O, f |= φ;
O, e |= EX_{≡,𝒪} φ iff there exists O' ∈ W and e' ≠ e ∈ O' such that 𝒪(↓_O e) ≡ 𝒪(↓_{O'} e') and O', e' |= φ;
O, e |= φ_1 EU_{D,𝒪} φ_2 iff there exists an event f ∈ E such that O, f |= φ_2, and a finite set of events e'_1, e'_2, ..., e'_k ∈ 𝒪(O) such that e'_1 <_𝒪 e'_2 <_𝒪 ··· <_𝒪 e'_k, e'_1 = 𝒪(e) and e'_k = 𝒪(f), and ∀i ∈ 2..k−1, e'_i is the image of some event e_i ∈ E by 𝒪, λ_𝒪(e'_i) ∩ D ≠ ∅ and O, e_i |= φ_1;
O, e |= EG_{D,𝒪} φ iff either there exists an infinite sequence of events (e_i)_{i≥1} in E such that e = e_1, every e_i has an image e'_i in 𝒪(O), and ∀i ≥ 1, e'_i <_𝒪 e'_{i+1}, λ(e_i) ∩ D ≠ ∅ and O, e_i |= φ, or there exists a finite set of events e_1, ..., e_k ∈ E such that e = e_1, for every i ∈ 1..k, e_i has an image e'_i by 𝒪 with e'_1 <_𝒪 e'_2 <_𝒪 ··· <_𝒪 e'_k, λ_𝒪(e'_i) ∩ D ≠ ∅, O, e_i |= φ, and e'_k ∈ max(𝒪(O)).
In particular, O, e |= match(id, T_a, f_a) iff e carries label a in order O, i.e. a ∈ λ(e).

Intuitively, formulas of the form EG_{D,𝒪} φ, φ_1 EU_{D,𝒪} φ_2, and EX_{D,𝒪} φ describe properties of causal paths in orders, and have the standard interpretation seen for instance in LTL for words. Observation 𝒪 is used to select successive events along a path, and set D performs an additional filtering among possible next events, by requiring the next considered event in a path to carry a label in D. The definition of O, e |= EX_{≡,𝒪} φ requires the existence of another order O' ∈ W and of an event e' ∈ E_{O'} such that e' ≠ e, but nothing forces O and O' to be different orders. Hence, e and e' can be distinct events from the same order that cannot be distinguished by observing their causal past. An order O satisfies φ, denoted by O |= φ, iff there exists e ∈ min(O) such that O, e |= φ. The set of orders W satisfies φ iff every LPO O ∈ W satisfies φ. Last, φ is satisfiable iff there exists a set of LPOs W such that W |= φ. Unsurprisingly, HyPOL is very powerful and satisfiability is undecidable on LPOs:

Theorem 5. Satisfiability of a HyPOL formula is undecidable.
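As an added example, not part of the paper, the following Python encodes LPOs with the ideal, maximal events, restriction and projection of Definitions 1 and 2, the isomorphism test of Definition 3, and uses them to decide the past comparison 𝒪(↓_O e) ≡ 𝒪(↓_{O'} e') behind EX_{≡,𝒪}. It assumes that the observation 𝒪 is a projection on a set of observable labels, one instance of the observation functions used in the paper; the runs RUN1 and RUN2 are constructed sample inputs.

```python
from itertools import permutations

class LPO:
    # Labelled partial order (E, <=, lambda): labels maps event -> set of labels,
    # edges are pairs e < f; <= is their reflexive-transitive closure.
    def __init__(self, labels, edges):
        self.labels = {e: frozenset(l) for e, l in labels.items()}
        self.E = set(self.labels)
        self.le = {(e, e) for e in self.E} | set(edges)
        changed = True
        while changed:                       # transitive closure
            changed = False
            for (a, b) in list(self.le):
                for (c, d) in list(self.le):
                    if b == c and (a, d) not in self.le:
                        self.le.add((a, d)); changed = True
    def ideal(self, e):                      # ↓e = {f | f <= e}
        return {f for f in self.E if (f, e) in self.le}
    def maximal(self):                       # max(O): no f != e with e <= f
        return {e for e in self.E if not any((e, f) in self.le for f in self.E - {e})}
    def restrict(self, H):                   # O|H (Definition 2)
        return LPO({e: self.labels[e] for e in H},
                   {(a, b) for (a, b) in self.le if a in H and b in H and a != b})
    def project(self, sigma):                # projection on labels in sigma (Definition 2)
        O = self.restrict({e for e in self.E if self.labels[e] & sigma})
        O.labels = {e: l & sigma for e, l in O.labels.items()}
        return O

def isomorphic(O1, O2):
    # Definition 3 by brute force: label-preserving bijection h with e <= e' iff h(e) <=' h(e').
    if len(O1.E) != len(O2.E):
        return False
    E1 = sorted(O1.E)
    for perm in permutations(sorted(O2.E)):
        h = dict(zip(E1, perm))
        if all(O1.labels[e] == O2.labels[h[e]] for e in E1) and \
           all(((a, b) in O1.le) == ((h[a], h[b]) in O2.le) for a in E1 for b in E1):
            return True
    return False

def past_equivalent(O, e, Op, ep, sigma):
    # The relation behind EX_{≡,𝒪}: 𝒪(↓_O e) ≡ 𝒪(↓_{O'} e'), with the observation 𝒪
    # taken to be the projection on the observable labels sigma (assumption of this example).
    return isomorphic(O.restrict(O.ideal(e)).project(sigma),
                      Op.restrict(Op.ideal(ep)).project(sigma))

# Constructed sample runs: RUN1 has a hidden action h between a and b, RUN2 does not.
RUN1 = LPO({'a': {'a'}, 'h': {'h'}, 'b': {'b'}}, {('a', 'h'), ('h', 'b')})
RUN2 = LPO({'a': {'a'}, 'b': {'b'}}, {('a', 'b')})
```

Hiding label h makes event b of RUN1 indistinguishable from event b of RUN2 by its observed past, while an observation that also sees h separates them; calling past_equivalent with the same order on both sides covers the case e' ≠ e, O' = O discussed above.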

Definition 7. An occurrence net is a Petri net ON = (B, E, F, Cut_0) where the elements of B are called conditions and those of E events, and Cut_0 ⊆ B, such that: ON is acyclic, and hence < ≝ F⁺ and ≤ ≝ F* are strict and weak partial orders; ∀e ∈ E : ¬(e#e) (no event is in conflict with itself); ∀b ∈ B, |•b| ≤ 1 (every condition has a unique predecessor); ON is finitary: for all x ∈ E ∪ B, the set Past(x) ≝ {y | y ≤ x} is finite; and Cut_0 contains exactly the <-minimal nodes of ON.
↓_K e = ↓e ∩ Ball_K(e) denote the K-bounded past of e.

Definition 14. Let N be a safe Petri net, and 𝒪_i be an observation function. N is K-layered w.r.t. 𝒪_i iff ∀e, e' ∈ U(N): there is a bound S_K ∈ ℕ such that |Ball_K(e)| ≤ S_K; dist(e, e') > K implies e ≢ e'; dist(e, e') ≤ K implies one can compute H = {f_1, ..., f_m} ⊆ ↓_K e ∪ ↓_K e' such that, letting F_{e,e'} = ⋃_{i∈1..m} ↓f_i and F̂_{e,e'} = F_{e,e'} \ H, e ≡_i e' iff 𝒪_i(↓e \ F̂_{e,e'}) ≡_i 𝒪_i(↓e' \ F̂_{e,e'}).

Figure 4 Equivalence w.r.t. 𝒪_i in the unfolding of a K-layered Petri net.

Proposition 3. Let N be a K-layered safe Petri net. Then, one can effectively compute a hyperedge replacement grammar G_{K,N} that recognizes the execution graph G_{U(N)}.

Figure 7 A safe labeled Petri net where processes encode trials of PCP solutions.

such that can(b) = n and can(e) = n', or ∃(e, b) in F such that can(e) = n and can(b) = n'. Last, we define α(n) = p if can(b) = n for some condition b = (e, p), and α(n) = t if can(e)

us recall standard vocabulary and notations for nets (we borrow definitions from [15]). Two nodes x, y ∈ P ∪ T are in causal relation iff x F* y. Transitions t and t' are in immediate (structural) conflict iff t ≠ t' and •

where O_{ρ1} (resp. O_{ρ2}) is the process of N obtained by successively appending t_1, t_{1,1}, ... (resp. t_2, t_{2,1}, ...) to M_0.

iii) for every observation 𝒪_i and every cyclic behavior M ρ−→ M of LTS(N) with ρ = t_1 ... t_n, and such that t_1 ... t_n can be partitioned into sets T_1, T_2, ..., T_k of independent transitions, ∀j, j' ∈ 1..k, there exists t_j ∈ T_j and t_{j'} ρ−→