

Analysis of Mobile Agents using Invariants of Object Nets


Electronic Communications of the EASST
Volume 12 (2008)

Formal Modeling of
Adaptive and Mobile Processes

Analysis of Mobile Agents using Invariants of Object Nets

Michael Köhler and Daniel Moldt

18 pages

Guest Editors: Julia Padberg, Kathrin Hoffmann
Managing Editors: Tiziana Margaria, Julia Padberg, Gabriele Taentzer
ECEASST Home Page: http://www.easst.org/eceasst/ ISSN 1863-2122

http://www.easst.org/eceasst/


ECEASST

Analysis of Mobile Agents using Invariants of Object Nets

Michael Köhler and Daniel Moldt

University of Hamburg, Department for Informatics
Vogt-Kölln-Straße 30, D-22527 Hamburg

koehler@informatik.uni-hamburg.de

Abstract: Mobility induces new challenges for dynamic systems, which need a new
conceptional treatment: systems, that deal for example with mobile agents, need
extended security concepts to handle the risks, induced by foreign, untrusted agents.

In this contribution we use object nets to model mobile systems. Object nets are
Petri nets which have Petri nets as tokens – an approach known as the nets-within-
nets paradigm. Object nets are called elementary if the net system has a two levelled
structure. In this work we apply structural analysis methods for object nets – namely
place invariants – to a simple case study modelling mobile agents.

Keywords: linear invariants, mobility, nets-within-nets, object nets

1 Introduction

Object nets are Petri nets which have Petri nets as tokens – an approach which is called the
nets-within-nets paradigm, proposed by Valk [Val91, Val03] for a two levelled structure and
generalised in [KR03, KR04, KB09] for arbitrary nesting structures. The Petri nets that are used
as tokens are called net-tokens. Net-tokens are tokens with internal structure and inner activity.
This is different from place refinement, since tokens are transported while a place refinement is
static. Net-tokens are some kind of dynamic refinement of states. Figure 1 shows an example
object net with four net-tokens: two on place p1 and one on p2 and p3 each. The net-tokens on
p1 and p2 share the same net structure, but have independent markings. Object nets are useful to
model the mobility of active objects or agents (cf. [KMR01] and [KMR03]).

It is quite natural to use object nets to model mobility and mobile agents. Each place of the
system net describes a location that hosts agents, which are net tokens. Mobility can be modelled
by moving the net token from one place to another. This hierarchy forms a useful abstraction of
the system: on a high level the agent system and on a lower level of the hierarchy the agent itself.

Without the viewpoint of nets as tokens, the modeller would have to encode the agent differ-
ently, e.g. as a data-type. This has the disadvantage, that the inner actions cannot be modelled
directly, so, they have to be lifted to the system net, which seems quite unnatural. By using
nets-within-nets we can investigate the concurrency of the system and the agent in one model
without loosing the abstraction needed.

Following [KMR03], we distinguish four different kinds of mobility, which are know as spon-
taneous, subjective, objective and consensual moves of the mobile agent (cf. Figure 2, where A
is the agent net as a net token):

• Spontaneous Move: Neither the agent nor its environment initiate the transport. The move-

1 / 18 Volume 12 (2008)


Analysis of Mobile Agents using Invariants of Object Nets

t

p1

p2 p5

p6p3

b1

t1

t1

t2

a1

a1

a2

b2
c2

b1

p4a1 t1

b1

< t1, t2 >

Figure 1: An Elementary Object Net

ment can take place, but it is not enforced. No coupling of the environment and the agent
is needed.

• Subjective Move: The agent itself initiates the movement, so agent and environment have
to be coupled. This is described by the channel move, which has to be enabled in the agent.
The movement takes places if the environment is able to execute it.

• Objective Move: The environment initiates the movement of the agent. The agent is forced
to be transported. The initiative of the environment is modelled by the place travel ticket.

• Consensual move: Both the environment and the agent come to an agreement on the move-
ment. This is modelled by a combination of the channel move, which has to be enabled in
the agent, and the external condition modelled by the travel ticket.

a a a a a a

[]

location Ylocation Ylocation X

travel
ticket

location X location Y location Xa:move()
A A A

consensual
move

a a

[]

location Y

travel
ticket

location X

A
a:move()

subjective
move

objective
move

spontaneous
move

Figure 2: Types of mobility

The multi-agent architecture MULAN [KMR01] provides facilities for subjective moves as
well as for objective moves.

Among the wealth of research on defining mobile systems, in recent years a variety of for-
malisms have been introduced or adopted to cover mobility: The approaches can be roughly
separated into process calculi and Petri net based approaches. The π -calculus [MPW92], the
Ambient-calculus [CGG00] and the Seal calculus [VC98] are just three of the more popular cal-
culi. Approaches dealing with mobility and Petri nets can be found in [Val98], [Bus99], [Lom00],
[XD00], [Hir02], [KMR03], [BBPP04], [Lak05], [HEM05], and [KF06].

Adaptive and Mobile Processes 2 / 18


ECEASST

The paper has the following structure. Section 2 recalls basic definitions. Section 3 defines
elementary object systems (EOS) and presents some expressivity results. The section 4 presents
the reference semantics for EOS, defined as a P/T net, and investigates the structural subclass of
Generalised State Machines. Section 5 investigates the invariance calculus for EOS and demon-
strates its compositionality. The paper ends with a conclusion.

2 Preliminaries

The definition of Petri nets relies on the notion of multisets. A multiset m on the set D is a
mapping m : D → N. Multisets are generalisations of sets in the sense that every subset of D
corresponds to a multiset m with m(d) ≤ 1 for all d ∈ D. The notation is used for sets as well as
for multisets. The meaning will be apparent from its use. Multiset addition m 1, m2 : D → N is
defined component-wise: (m1 + m2)(d) := m1(d) + m2(d). The empty multiset 0 is defined as
0(d) = 0 for all d ∈ D. Multiset-difference m1 −m2 is defined by (m1 −m2)(d) := max(m1(d)−
m2(d), 0). We use common notations for the cardinality of a multiset |m| := ∑d∈D m(d) and
multiset ordering m1 ≤ m2 where the partial order ≤ is defined by m1 ≤ m2 ⇐⇒ ∀d ∈ D :
m1(d) ≤ m2(d). A multiset m is finite if |m| < ∞. The set of all finite multisets over the
set D is denoted MS(D). The set MS(D) naturally forms a monoid with multiset addition +
and the empty multiset 0. Multisets can be identified with the commutative monoid structure
(MS(D), +, 0). Multisets are the free commutative monoid over D since every multiset has the
unique representation in the form m = ∑d∈D m(d) · d where m(d) denotes the multiplicity of d.
Multisets can be represented as a formal sum in the form m = ∑

|m|
i=1 xi where xi ∈ D.

Any mapping f : D → D′ can be extended to a homomorphism f ] : MS(D) → MS(D′) on
multisets: f ] (∑ni=1 xi) = ∑

n
i=1 f (xi). This includes the special case f

](0) = 0. We simply write f
to denote the mapping f ]. The notation is in accordance with the set-theoretic notation f (A) =
{ f (a)|a ∈ A}.

Definition 1 A p/t net N is a tuple N = (P, T, pre, post), such that P is a set of places, T is a
set of transitions, with P ∩ T = /0, and pre, post : T → MS(P) are the pre- and post-condition
functions. A marking of N is a multiset of places: m ∈ MS(P). A p/t net with initial marking m
is denoted N = (P, T, pre, post, m).

We use the usual notations for nets like •x for the set of predecessors and x• for the set of
successors for a node x ∈ (P ∪ T ).

A transition t ∈ T of a p/t net N is enabled in marking m iff ∀p ∈ P : m(p) ≥ pre(t)(p)
holds. The successor marking when firing t is m′(p) = m(p) − pre(t)(p) + post(t)(p) for all
p ∈ P. Using multiset notation enabling is expressed by m ≥ pre(t) and the successor marking
is m′ = m − pre(t) + post(t). We denote the enabling of t in marking m by m t−→

N
. Firing of t is

denoted by m t−→
N

m′. The net N is omitted if it is clear from the context.

Firing is extended to sequences w ∈ T ∗ in the obvious way: (i) m ε−→ m; (ii) If m w−→ m′ and
m′ t−→ m′′ hold, then we have m wt−→ m′′.

We write m ∗−→ m′ whenver there is some w ∈ T ∗ such that m w−→ m′ holds.

3 / 18 Volume 12 (2008)


Analysis of Mobile Agents using Invariants of Object Nets

The set of reachable markings is RS(m0) : {m | ∃w ∈ T ∗ : m0
w
−→ m}.

3 Elementary Object Systems

An elementary object system (EOS) is composed of a system net, which is a p/t net given as
N̂ = (P̂, T̂ , pre, post) and a set of object nets N = {N1, . . . , Nn}, which are p/t nets given as
N = (PN , TN , preN , postN ). W.l.o.g. we assume that all nodes (places and transitions) are disjoint.

The system net places are typed by the mapping d : P̂ → {•}∪ N with the meaning, that the
place p̂ of the system net contains black tokens only if d(p̂) = • or net-tokens of the object net
type N if d(p̂) = N. No place of the is mapped to the system net itself.

Since the tokens of an EOS are instances of object nets a marking µ ∈ M of OS is a nested
multiset. The set of all markings which are syntactically consistent with the typing d is denoted
M (Here d−1(N) ⊆ P̂ describes the set of system net places of the type N):

M := MS

((
d−1(•) ×{0}

)
∪
⋃

N∈N

(
d−1(N) × MS(PN )

)
)

(1)

A marking of an EOS OS is denoted µ = ∑
|µ|
k=1(p̂k , Mk) where p̂k is a place in the system net

and Mk is the marking of the net-token of type d(p̂k ). To emphasise the nesting markings are
also denoted as µ = ∑

|µ|
k=1 p̂k[Mk]. Tokens of the form p̂[0] and d(p̂) = • are abbreviated as p̂[].

The EOS firing rule is defined for three cases: system-autonomous firing (only a transition
of the system net fires), object-autonomous firing (only a transition of an object net fires), and
synchronised firing (a transition of the system net fires together with object net transitions). For
the sake of uniformity of the firing rule we add the idle-transitions εN for each object net N
where preN (εN ) = postN (εN ) = 0 and the set of idle transitions {ε p̂ | p̂ ∈ P̂} where pre(ε p̂) =
post(εp̂) = p̂ for the system net. Using the idle transitions the firing rule can be reduced to the
case of synchronisation (see below).

The transition labelling functions l̂N : T̂ → C ∪ {ε} and lN : TN → C ∪ {ε} define a synchro-
nisation relation between system and object net transitions: Whenever the system net transi-
tion t̂ is labelled with a channel inscription, i.e. l̂N (̂t) ∈ C for the object net N, then t̂ must
fire synchronously with an object net transition t of this object net N with the same label, i.e.
lN (t) = l̂N (̂t). Whenever l̂N (̂t) = ε for all N ∈ N , then the system net transition fires system-
autonomously. Analogously, the object net transition t fires object-autonomously whenever
lN (t) = ε . In the graphical representation the synchronisation labelling (l̂N , lN )N∈N is defined
by transition inscriptions and ε is omitted.

Definition 2 (EOS) An elementary object system (EOS) is a tuple OS = (N̂, N , d, l) such that:

1. N̂ is a p/t net, called the system net.

2. N is a finite set of disjoint p/t nets, called object nets.

3. d : P̂ → {•}∪ N \{N̂} is a typing of the system net places.

4. l = (l̂N , lN )N∈N is the synchronisation labelling.

Adaptive and Mobile Processes 4 / 18


ECEASST

An EOS with initial marking is a tuple OS = (N̂, N , d, l, µ0) where µ0 ∈ M is the initial
marking of the system net.

We name special properties of EOS:

• An EOS is minimal iff it has exactly one type of object nets: |N | = 1.

• An EOS is pure iff it has no places for black tokens: d −1(•) = /0.

• An EOS is p/t-like iff it has only places for black tokens: d(P̂) = {•}.

• An EOS is unary iff it is pure and minimal.

• An EOS is monotonous iff its typing d is. A typing is called monotonous iff for each place
in the preset of t̂ typed with an object net there is place in the postset typed with the same
net: (d(•t̂) ∩ N ) ⊆ (d(t̂•) ∩ N ).

The synchronisation labelling (l̂N , lN )N∈N generates the set of system events Θ. An event is a
pair (τ̂ , θ ) – also denoted τ̂ [θ ] in the following – where τ̂ is a transition of the system net or ε p̂ for
some p̂ and θ : N →

⋃
N∈N (TN ∪{εN}) maps object nets N ∈ N to its transitions TN including

the idle transition εN , i.e. θ (N) ∈ (TN ∪{εN}). The idle map εN is defined εN (N) = εN for all
N ∈ N . We extend the labelling to idle transitions by lN (εp̂) = lN (εN ) = ε for all p̂ ∈ P̂ and
N ∈ N .

Θ :=
{

t̂[θ ] | ∀N ∈ N : l̂N (̂t) = lN (θ (N))
}

∪
{

εp̂[θ ] | ∃t ∈ Td(p̂) : (θ (N ) \ εN ) = {t}∧ lN (t) = ε
} (2)

An event τ̂ [θ ] has the meaning that τ̂ fires synchronously with all the object net transitions
θ (N), N ∈ N . Note, that (ε p̂, εN ) is excluded because it has no effect. By the construction of
Θ each system net transition has exactly one synchronisation partner in each object net N ∈ N .
This partner might be an idle-transition. System-autonomous events have the form (t̂, εN ). For
a single object-autonomous event at the location p̂ we have τ̂ = εp̂ and for all except one object
net N we have τN = εN , i.e. |θ (N ) \ εN | = 1.

Example 1 Figure 1 shows an EOS with the system net N̂ and the object nets N = {N1, N2}.
The nets are given as N̂ = (P̂, T̂ , pre, post) with P̂ = {p1, . . . , p6} and T̂ = {t}.

The object nets are N1 = (P1, T1, pre1, post1) with P1 = {a1, b1} and T1 = {t1}
and N2 = (P2, T2, pre2, post2) with P2 = {a2, b2, c2} and T2 = {t2}.

The typing is d(p1) = d(p2) = d(p4) = N1 and d(p3) = d(p5) = d(p6) = N2. The typing is
illustrated in Figure 1 by different colours for the places.

There is only one synchronous event: Θ = {t[N1 7→ t1, N2 7→ t2]}. If there is at most one
transition for each label c ∈ C then we can simply denote the corresponding transitions, like in
the inscription 〈t1, t2〉 at transition t in Figure 1.

The initial marking has two net-tokens on p1, one on p2, and one on p3:

µ = p1[a1 + b1] + p1[0] + p2[a1] + p3[a2 + b2]

Note, that for Figure 1 the structure is the same for the three net-tokens on p1 and p2 but the
net-tokens’ markings are different.

5 / 18 Volume 12 (2008)


Analysis of Mobile Agents using Invariants of Object Nets

3.1 Projections and Firing Rule

Let µ = ∑
|µ|
k=1(p̂k, Mk) be a marking of an EOS. The projection Π

1 on the first component ab-
stracts away the substructure of all net-tokens:

Π1
(
∑|µ|k=1 p̂k[Mk]

)
:= ∑|µ|k=1 p̂k (3)

The projection Π2N on the second component is the abstract marking of all net-tokens of the
type N ∈ N ignoring their local distribution within the system net.

Π2N
(
∑|µ|k=1 p̂k[Mk]

)
:= ∑|µ|k=1 1N (p̂k) · Mk (4)

where the indicator function 1N : P̂ → {0, 1} is 1N (p̂) = 1 iff d(p̂) = N. Note, that Π2N (µ ) results
in an marking of the object net N.

A system event τ̂[θ ] removes net-tokens together with their individual internal markings. Fir-
ing the event replaces a nested multiset λ ∈ M that is part of the current marking µ , i.e. λ ≤ µ ,
by the nested multiset ρ . The enabling condition is expressed by the enabling predicate φ OS (or
just φ whenever OS is clear from the context):

φ (τ̂ [θ ], λ , ρ ) ⇐⇒ Π1(λ ) = pre(τ̂ ) ∧ Π1(ρ ) = post(τ̂ ) ∧
∀N ∈ N : Π2N (λ ) ≥ preN (θ (N)) ∧
∀N ∈ N : Π2N (ρ ) = Π

2
N (λ ) − preN (θ (N)) + postN (θ (N))

(5)

With M̂ = Π1(λ ) and M̂′ = Π1(ρ ) as well as MN = Π2N (λ ) and M
′
N = Π

2
N (ρ ) for all N ∈ N

the predicate φ has the following meaning:

1. The first conjunct expresses that the system net multiset M̂ corresponds to the pre-condition
of the system net transition t̂, i.e. M̂ = pre(̂t).

2. In turn, a multiset M̂′ is produced, that corresponds with the post-set of t̂.

3. An object net transition τN is enabled if the combination MN of the markings net-tokens
of type N enable it, i.e. MN ≥ preN (θ (N)).

4. The firing of τ̂[θ ] must also obey the object marking distribution condition M ′N = MN −
preN (θ (N)) + postN (θ (N)) where postN (θ (N)) − preN (θ (N)) is the effect of the object
net’s transition on the net-tokens.

Note, that (1) and (2) assures that only net-tokens relevant for the firing are included in λ and
ρ . Conditions (3) and (4) allows for additonal tokens in the net-tokens.

For system-autonomous events t̂[εN ] the enabling predicate φ can be simplified further. We
have preN (εN ) = postN (εN ) = 0. This ensures Π

2
N (λ ) = Π

2
N (ρ ), i.e. the sum of markings in the

copies of a net-token is preserved w.r.t. each type N. This condition ensures the existence of
linear invariance properties (cf. Theorem 5).

Analogously, for an object-autonomous event we have an idle-transition τ̂ = εp̂ for the system
net and the first and the second conjunct is: Π1(λ ) = pre(̂t) = p̂ = post(t̂) = Π1(ρ ). So, there
is an addend λ = p̂[M] in µ with d(p̂) = N and M enables tN := θ (N).

Adaptive and Mobile Processes 6 / 18


ECEASST

Definition 3 (Firing Rule) Let OS be an EOS and µ , µ ′ ∈ M markings. The event τ̂[θ ] is
enabled in µ for the mode (λ , ρ ) ∈ M 2 iff λ ≤ µ ∧ φ (τ̂ [θ ], λ , ρ ) holds.

An event τ̂[θ ] that is enabled in µ for the mode (λ , ρ ) can fire: µ
τ̂[θ ](λ ,ρ )
−−−−−→

OS
µ′. The resulting

successor marking is defined as µ ′ = µ − λ + ρ .

We write µ
τ̂[θ ]
−−→

OS
µ′ whenever µ

τ̂ [θ ](λ ,ρ )
−−−−−→

OS
µ′ for some mode (λ , ρ ).

Example 2 Consider the EOS of Figure 1 again. The current marking µ of the EOS enables
t[N1 7→ t1, N2 7→ t2] in the mode (λ , ρ ) where

λ = p1[a1 + b1] + p2[a1] + p3[a2 + b2]
ρ = p4[a1 + b1 + b1] + p5[0] + p6[c2]

t

p1

p2 p5

p6p3
a2

b1

a1 b1

c2
b2

b2
c2

t2

t1

t2

t1

t1

t2

a1

a1

a2

b2
c2

b1

p4a1 t1
t1

a1
b1

t1
a1

b1

t2
a2

b2
c2

t2
a2

b2
c2

b1
a2

< t1, t2 >

Figure 3: The EOS of Figure 1 after the firing of t[N1 7→ t1, N2 7→ t2]

The selected net-tokens of λ are highlighted in Figure 3 (Ignore the tokens on p4, p5, and p6
for the moment.). We have the current marking:

µ = p1[0] + p1[a1 + b1] + p2[a1] + p3[a2 + b2]︸ ︷︷ ︸
λ

= p1[0] + λ

The net-tokens’ markings are added. The sub-synchronisation are shown above and below the
transition t. After the synchronisation we obtain the successor marking on p 4, p5, and p6 as
shown in the Figure 3:

µ′ = (µ − λ ) + ρ = p1[0] + ρ
= p1[0] + p4[a1 + b1 + b1] + p5[0] + p6[c2]

EOS are a canonical extension of p/t nets in two ways: The behaviour of the system net in the
EOS when ignoring the net-tokens structure cannot be distinguished from the system net as a p/t
net (Lemma 1) and each p/t-like EOS is isomorphic to the system net as a p/t net (Lemma 2) .

7 / 18 Volume 12 (2008)


Analysis of Mobile Agents using Invariants of Object Nets

EOS are a canonical extension of p/t nets, since the behaviour of an EOS when considering only
the system net’s perspective is in accordance with the behaviour of the system net considered as
a p/t net, i.e. if an event t̂ is disabled in the p/t net then for all θ the event t̂[θ ] is disabled in the
EOS.

Lemma 1 For OS = (N̂, N , d, l, µ0) define Π1(OS) = N̂. For each EOS OS we have:

µ
t̂[θ ]
−−→
OS

µ′ =⇒ Π1(µ ) t̂−−−−→
Π1(OS)

Π1(µ′)

Proof. First, we have that Π1(µ ) is a marking of the p/t net N̂. Whenever µ enables t̂[θ ] for a
mode (λ , ρ ) then φ (t̂[θ ], λ , ρ ) holds which implies Π1(λ ) = pre(̂t) and Π1(ρ ) = post(t̂) and
µ′ = µ − λ + ρ .

Since µ ≥ λ we have Π1(λ ) ≥ Π1(λ ) = pre(̂t), i.e. t̂ is enabled in Π1(λ ).
For the system net projection follows:

Π1(µ′) = Π1(µ − λ + ρ ) = Π1(µ ) − Π1(λ ) + Π1(ρ ) = Π1(µ ) − pre(̂t) + post(̂t)

This is the successor marking when firing t̂ in Π1(µ ) for the p/t net N̂.

For a p/t-like EOS we have no object nets: N = /0, synchronisation given as Θ = {t̂[ /0] | t̂ ∈ T̂ },
and the typing is the constant function d = • with •(p̂) = • for all p̂ ∈ P̂. The initial marking
contains no submarking: µ0 ∈ P̂ ×{0} ⊆ M . So, p/t-like EOS have the form:

OS = (N̂, /0,•,{t̂ [ /0] | t̂ ∈ T̂ }, µ0)

Lemma 2 A p/t-like EOS OS = (N̂, /0,•, l, µ0 ) is isomorphic to the p/t net (N̂, Π1(µ0)):

µ
(τ̂, /0)(λ ,ρ )
−−−−−−→

OS
µ′ ⇐⇒ Π1(µ ) τ̂−→

N̂
Π1(µ′)

Proof. For a p/t-like EOS the predicate φ (τ̂ [θ ], λ , ρ ) reduces to Π1(λ ) = pre(τ̂ ) ∧ Π1(ρ ) =
post(τ̂ ) since N = /0. Therefore Π2(µ ) = 0 holds for all reachable markings µ .

Since λ ≤ µ we have Π1(λ ) ≤ Π1(µ ) where Π1(µ ) is the marking in the p/t net N̂. The suc-
cessor marking when firing τ̂[ /0](λ , ρ ) in OS is defined as µ ′ = µ −λ + ρ . Obviously, Π2N (µ

′) = 0
and Π1(µ′) = Π1(µ ) − pre(τ̂ ) + post(τ̂ ) which equals the successor marking when firing t̂ in
N̂.

3.2 Mobile EOS and Marking Equivalence

We define the relation ∼= ⊆ M 2 on nested multisets, that relates nested markings which coincide
in their projections. The projection equivalence ∼= is a relation on M defined by:

α ∼= β : ⇐⇒ Π1(α ) = Π1(β ) ∧∀N ∈ N : Π2N (α ) = Π
2
N (β ) (6)

Obviously, there are several markings µ with the same projection, i.e. µ is not uniquely defined
by Π(µ ). Defining the projection of a marking µ as

Π(µ ) := (Π1(µ ), (Π2N (µ ))N∈N ) (7)

Adaptive and Mobile Processes 8 / 18


ECEASST

Projection equivalence α ∼= β holds if and only if Π(α ) = Π(β ). The projection Π(µ ) is an
representant of the equivalence class [µ ]∼=.

The relation α ∼= β abstracts from the location, i.e. the concrete net-token, in which a object
net’s place p is marked as long as it is present in α and β . For example, for d(p̂) = d(p̂′) we
have

p̂[p1 + p2] + p̂
′[p3] ∼= p̂[p3 + p2] + p̂

′[p1]

which means that ∼= allows the tokens p1 and p3 to change their locations (i.e. between p̂ and
p̂′).

Lemma 3 The enabling predicate is invariant with respect to the relation ∼=:

φ (τ̂ [θ ], λ , ρ ) ⇐⇒ (∀λ ′, ρ′ : λ ′ ∼= λ ∧ ρ′ ∼= ρ =⇒ φ (τ̂ [θ ], λ ′, ρ′))

Proof. From the definition of φ one can see that the firing mode (λ , ρ ) is used only via its
projection by Π. Since λ ′ ∼= λ , ρ′ ∼= ρ expresses equality modulo projection the predicate φ
cannot distinguish between λ ′ and λ , resp. ρ ′ and ρ .

A note on the monotonicity of the typing d: A transition t̂ ∈ T̂ with an object net N that is
present in the postset, but not in the preset (i.e. N 6∈ d(•t̂) and N ∈ d(t̂•)) generates net-tokens
of type N. The firing rule ensures that these net-tokens carry the empty marking since in this
case (τ̂ ,C) is enabled in mode (λ , ρ ) only if all object nets in ρ of this type N carry the empty
marking.

The symmetric case, i.e. N ∈ d(•t̂) and N 6∈ d(t̂•), which destroys net-tokens of type N, is
forbidden by the monotonous typing, since it is problematic: In this case (τ̂ ,C) is enabled in
mode (λ , ρ ) only if all object nets in λ of this type N carry the empty marking: Π2N (λ ) = 0. So,
not all pairs (λ ′, ρ′) with λ � λ ′ (i.e. more tokens in the net-tokens) are also firing modes, i.e.
the firing rule would not be monotonous.

In [KR04] we have shown that the nesting structure of object net markings (which allow an
arbitrary deep nesting) can be used to encode counter automatons. This technique cannot applied
to elementary object nets, because they are restricted to a two levelled structure. Nevertheless,
elementary object nets are very powerful. The interesting part in the firing rule of EOS is the fact
that moving an object net token in the system net has the power to modify the state of an un-
bounded number of tokens, i.e. all the tokens of the object net tokens (including the case of zero
tokens). In [Köh07, Theorem 3.1] we have investigated the consequences for the reachability
problem.

Theorem 1 Reachability is undecidable for non-minimal, pure EOS and for minimal, non-pure
EOS.

Due to the monotonos assumption for the typing d of EOS boundedness remains decidable for
EOS [Köh06, Theorem 7].

9 / 18 Volume 12 (2008)


Analysis of Mobile Agents using Invariants of Object Nets

3.3 Mobile Object Nets

Projection equivalence ∼= abstracts from the concrete place in the preset of an event. In [KF07]
we replaced the condition ∀N ∈ N : Π2N (α ) = Π

2
N (β ) of (6) by the more general one using an

equivalence ↔ on the object nets’ places:

α ↔ β ⇐⇒ Π1(α ) = Π1(β ) ∧∀N ∈ N : Π2N (α ) = Π
2
N (β ) (mod ↔) (8)

Iff we modify the firing rule given in Definition 3 using the equivalence ↔ instead of ∼=
we obtain the formalism of mobile object nets (cf. [KF07]) In Figure 4 the infrastructure is
composed of the two buildings A and B represented in the system net. Buildings can be seen
as a metaphor for namespaces, e.g., for different hosts on a distributed network or different
WLAN areas. The two buildings are connected via the mobility transfer transitions t 4 and t6.
One mobile agent is present inside building A as a net token. Inside the building the agent has
access to a workflow describing how the agent is allowed to use services, i.e. the building’s
infrastructure. The agent can decide to use the building’s infrastructure by synchronising with
the access workflow’s transitions.

:a3():a1()

p2

p4

p6 p7

p9

t1

t2

t3

t5

t7

t8

p24
t20 t22t21

p3

p21 p22 p23

t4
t6

p1

p5 p8

p20
t23

Building A

p10

Building B

Mobile Agent

on:a2()

on:a1()

on:a3()

on:a4()

:a2() :a4()

Figure 4: A mobile agent’s environment

When modelling this scenario we have to distinguish two kinds of movement: Movement
within a building and movement from one building to another. When moving whithin a building,
the agent has full access to all services (e.g. service stations, information servers, etc.). On
the other hand, when moving to a different building the environment may change dramatically:
Services may become unavailable, they may change their name or their kind of access protocols.
This leads to the usual problem that within the same environment (e.g. the memory of a personal
computer) we can use pointers to access objects (as done for Java objects), which is obviously
impossible for a distributed space like a computer network: For example when a Java program
transfers an object from machine A to B via remote method invocation (RMI) it does not transfer
the object’s pointers (which are not valid for B); instead Java rather makes a deep copy of the
object (called serialisation) and transfers this value over the network. The value is used to
generate a new object at B which can be accessed by a fresh pointer.

Adaptive and Mobile Processes 10 / 18


ECEASST

The formalism of mobile object nets is well suited to this finer granularity of namespaces
while elementary objects are not since for object nets each place is one single namespace. The
expressibility of mobile object nets leads to the fact that mobile object net can simulate Petri nets
with inhibitor arcs (cf. Theorem 6 in [KF07]) which proves that mobile EOS are more powerful
than EOS since boundedness is undecidable for inhibitor nets, but decidable for EOS.

4 Reference Semantics and Generalised State Machines

For each EOS there is an obvious construction of a p/t net, called the reference net, which is
constructed by taking as the set of places the disjoint union of all places and as the set of tran-
sitions the synchronisations. Since the places of all nets in N are disjoint by definition, the
decomposition (Π1(µ ), (Π2N (µ ))N∈N ) can be identified with the mixed multiset:

Π1(µ ) + ∑
N∈N

Π2N (µ )

This sum is another representant of the equivalence class [µ ]∼=.

Definition 4 Let OS = (N̂, N , d, l, µ0) be an EOS. The reference net RN(OS) is defined as the
p/t net:

RN(OS) =
((

P̂ ∪
⋃

N∈N
PN
)

, Θ, preRN, postRN, RN(µ0)
)

where preRN (and analogously postRN ) is defined by:

preRN(τ̂ [θ ]) = pre(τ̂ ) + ∑N∈N preN (θ (N))
and for markings we define:

RN(µ ) := Π1(µ ) + ∑
N∈N

Π2N (µ )

The net is called reference net because it behaves as if each object net would have been ac-
cessed via pointers and not like a value: A black token on a system net place p̂ is interpreted
as a pointer to the object N̂ = d(p̂) where each object net has exactly one instance but several
pointers referring to it.

Theorem 2 Let OS be an EOS. Every event τ̂ [θ ] that is activated in OS for (λ , ρ ) is so in
RN(OS):

µ
τ̂[θ ](λ ,ρ )
−−−−−→

OS
µ′ =⇒ RN(µ )

τ̂[θ ]
−−−−→
RN(OS)

RN(µ′)

Proof. Whenever τ̂ [θ ] is activated in µ the enabling condition φ holds. This implies that Π1(µ )
enables τ̂ and Π2N (µ ) enables θ (N) for each N ∈ N . Since all the places are disjoint RN(µ )
is isomorphic to the projections Π(µ ) and this implies that the multiset sum τ̂ + ∑N∈N θ (N)
is enabled which is equivalent to the enabling in RN(OS). Analogously one can observe that
the effect on Π1(µ ) an on the Π2N (µ ) is the same which implies that the successor marking in
RN(OS) is RN(µ ′).

11 / 18 Volume 12 (2008)


Analysis of Mobile Agents using Invariants of Object Nets

s11

t1

t2

t11 t12
s12 s13

:ch2():ch1()

on:ch1()
s1

t3
on:ch2()

s6
t4

s5

s4s2

s3

net token

system net

Figure 5: A sample EOS

The converse is not true in general, which can be demonstrated using the EOS in Fig. 5 known
as the α -centauri example, cf. [Val98]. Initially we have µ0 = ŝ1[s11]. In the reference net we
have the initial marking RN(µ0) = ŝ1 + s11 which activates the firing sequence:

(ŝ1 + s11)
t̂1[ε ]
−−→ (ŝ2 + ŝ3 + s11)

t̂2[t11]
−−−→ (ŝ4 + ŝ3 + s12)

t̂3[t12]
−−−→ (ŝ4 + ŝ5 + s13)

It is easy to see that in the EOS we can fire only a prefix, depending on the choice of the modes.
The first mode assigns the token on s11 to the net-token on ŝ3:

ŝ1[s11]
t̂1[ε ]
−−→ ŝ2[0] + ŝ3[s11]

The second mode assigns the token on s11 to the net-token on ŝ2:

ŝ1[s11]
t̂1[ε ]
−−→ ŝ2[s11] + ŝ3[0]

t̂2[t11]
−−−→ ŝ4[s12] + ŝ3[0]

Since the effect in the object net is only local, t̂3[t12] is not activated. So w = t̂1[ε ] · t̂2[t11] · t̂3[t12]
is a possible firing sequence for the reference net, but not for the object net system.

From Theorem 2 and the above the following property follows.

Corollary 1 Let OS be an EOS. If µ is reachable from µ0, then RN(µ ) is reachable from
RN(µ0). The reverse does not hold in general.

So, we obtain only a sufficient condition for non-reachability: The marking µ is not reachable
from µ0 whenever RN(µ ) is not reachable from RN(µ0).

Fortunately, many practical models are Generalised State Machines and this sufficient condi-
tion can be strengthened to a necessary one for these. An EOS OS is a generalised state machine
iff for all t̂ there is either exactly one place in the preset and one in the postset typed with the
object net N or there are no such places:

∀N ∈ N : ∀t̂ ∈ T̂ :
∣∣{p̂ ∈ •t̂ | d(p̂) = N}

∣∣ =
∣∣{p̂ ∈ t̂• | d(p̂) = N}

∣∣ ≤ 1 (9)

and the inital marking has at most one net-token of each type:

∀N ∈ N : |{p̂ ∈ P̂ | Π1(µ )(p̂) > 0 ∧ d(p̂) = N}| ≤ 1 (10)

Obviously every p/t like EOS is a generalised state machine since d(p̂) = • for all p̂. In addition
generalised state machines are monotonous.

For generalised state machines we can strengthen Theorem 2.

Adaptive and Mobile Processes 12 / 18


ECEASST

Theorem 3 Let OS be an EOS with the generalised state machine property.
A transition τ̂[θ ] is activated in OS for (λ , ρ ) iff it is in RN(OS):

µ
τ̂[θ ](λ ,ρ )
−−−−−→

OS
µ′ ⇐⇒ RN(µ )

τ̂ [θ ]
−−−−→
RN(OS)

RN(µ′)

Proof. Define the property ψ as follows:

ψgsm(µ ) = ∀N ∈ N : |{p̂ ∈ P̂ | Π1(µ )(p̂) > 0 ∧ d(p̂) = N}| ≤ 1

By (10) the property holds initially, i.e. ψgsm(µ0) is true. It is easy to observe that that the
property ψgsm(µ ) remains true in all reachable markings, since whenever there is at most one
net-token for each object net in marking µ , then (9) implies that there are equally many in the
successor marking µ ′.

Therefore in each reachable marking µ we have for each object net N that is present in the
initial marking exactly one marked system net place p̂N which contains the net-token of type N.

In this case all tokens in the projection Π2N (µ ) belong to the marking of the net-token on p̂N .
The net-token can be reconstructed as p̂N [Π2N (µ )].

Therefor, we can uniquely reconstruct µ from RN(µ ) and reachability in the net RN(OS) is a
necessary and sufficient condition for reachability.

A generalised state machine OS is therefor isomorphic with its reference net RN(OS).
Note that the formalism defined in [BBPP04] is restricted to generalised state machines – the

general case is not considered which simplifies notations considerably but limits the expressive-
ness.

5 The Invariance Calculus for Object Nets

There is a well elaborated connection of Petri nets and linear algebra (cf. [Lau87, STC98]). Let
∆ : T → (P → Z) be the function defined by:

∆(t)(p) = post(t)(p) − pre(t)(p)

∆(t) denotes the effect of firing t. The function ∆ is linear, in the sense that the effect ∆(t 1 + t2)
of a transition multiset is their cumulated effect:

∆(t1 + t2) = ∆(t1) + ∆(t2)

If 0 < |P|,|T | < ∞ then ∆ can be expressed as a |P| · |T | matrix (called incidence matrix)
defined by ∆(p, t) = post(t)(p) − pre(t)(p). Using ∆(t) the firing step m t−→ m′ of a p/t net can
be expressed as:

m′ = m − pre(t) + post(t) = m + ∆(t)

It is well known that all solutions i ∈ Z|P| \{0} of the equation

∆>i = 0

which are called place-invariants (short: P-invariants) result into a linear equation for all reach-
able markings m ∈ RS(N, m0).

13 / 18 Volume 12 (2008)


Analysis of Mobile Agents using Invariants of Object Nets

Theorem 4 (Lautenbach) Let i ∈ Z|P| be a P-invariant of the p/t net N. Then we have:

∀m ∈ RS(N, m0) : i · m = i · m0

This invariance calculus for p/t nets can be extended to EOS in a compositional way, i.e. in-
variance equations can be obtained from the invariance equations of the constituting components
separately.

Theorem 5 Let OS = (N̂, N , d, l, µ0) be an EOS, î a P-invariant of the system net N̂ and iN
one for each object net N ∈ N . For all reachable markings µ it holds:

î · Π1(µ ) = î · Π1(µ0)
∀N ∈ N : iN · Π2N (µ ) = iN · Π

2
N (µ0)

Proof. Proof by induction on the length of the firing sequence. Induction base: For the empty
sequence we have µ = µ0 and the property is obvious.

Induction step: Assume we have µ0
∗
−→
OS

µ
t̂[θ ](λ ,ρ )
−−−−−→

OS
µ′. Since î is an invariant of the system

net we have î · (post − pre) = 0. It follows:

î · Π1(µ′) = î · Π1(µ − λ + ρ ) = î · (Π1(µ ) − Π1(λ ) + Π1(ρ ))
= î · Π1(µ ) − î · pre(̂t) + î · post(̂t) = î · Π1(µ )

For all N ∈ N we have iN · (postN − preN ) = 0. It follows:

iN · Π2N (ρ ) = iN ·
(
Π2N (λ ) − preN (θ (N)) + postN (θ (N))

)
= iN · Π2N (λ )

This proves the property.

This extension of linear invariants to EOS shows that safety properties of object nets – when
considered as p/t nets – are conservatively embedded. Of course, this embedding does not extend
to liveness properties, since e.g. a deadlock-free system net may block when embedded into an
EOS, simply because it may be synchronised with a deadlocked object net.

Example 3 As mentioned in the introduction structural analysis is useful for the system’s as
well as for the mobile agent’s side. The mobility infrastructure given in Fig. 6 consists of the
three localities pool, public, and private. The net itself is a variant of the reader/writer problem.
The parameter n ∈ N denotes the capacity of the public location.

In the first step only the agent system (i.e. the system net N̂) is shown, since an agent (i.e. the
object net N) cannot be restricted by a platform in advance. The synchronisation relation is also
omitted for the same reason.

We show how invariants of the system net extend towards properties of the whole EOS. The
following analysis holds for arbitrarily structured agents.

There are three locations: pool, public, and private. The pool location is the initialisation
area; the public area is open for any agent, while the private area has restricted access: It is
allowed that many agents are simultaneously in the public location, but there can be at most

Adaptive and Mobile Processes 14 / 18


ECEASST

move
pool -> private

move
public -> pool

pool

move
pool -> public

n

n

n

public prvivate

move 
private -> pool

n

semaphor

t1

t2

t3

t4

∆ =

t1 t2 t3 t4
pool −1 1 −1 1
public 1 −1
semaphor −1 1 −n n
private 1 −1

Figure 6: The Multi-Agent System Net N̂

one agent in the private location. This prevents agents from being spied out. The transitions
between the locations model movement, which are either objective or consensual (depending on
the synchronisation relation).

In the following the system net N̂ is analysed using invariants.
We obtain î = (0, 1, 1, n)′ as a solution of the equation î · ∆ = 0. Using Theorem 5 we have

î1 · Π1(µ ) = î1 · Π1(µ0) for all reachable markings µ :

î1 · Π1(µ ) = Π1(µ )(public) + Π1(µ )(semaphor) + n · Π1(µ )(private) = î1 · Π1(µ0) = n

Therefore Π1(µ )(private) > 0 implies Π1(µ )(private) = 1 and Π1(µ )(public) = 0.

public prvivate

move
pool -> public

flag 1

flag 2

move
pool -> private

move
public -> pool

move 
private -> pool

[]

[] []
ready for

public
ready for
private

Figure 7: The Agent

In the following we analyse the agent net N̂ given in Fig. 7. The two places flag1 and flag2 are
used to toggle the agent’s choice between the public and the private place. The incidence matrix

15 / 18 Volume 12 (2008)


Analysis of Mobile Agents using Invariants of Object Nets

is given as (with slight abbreviations):

∆ =

pool → pub pub → pool pool → prv prv → pool
ready public −1 1
public 1 −1
ready private −1 1
private 1 −1
flag1 −1 1
flag2 1 −1

Solving the equation i · ∆ = 0 we obtain i = (0, 1, 0, 1, 1, 1)′ as an invariant of the agent-net.
Using Theorem 5 we have i2 · Π2(µ ) = i1 · Π2(µ0) for all reachable markings µ :

i · Π2(µ ) = Π2(µ )(public) + Π2(µ )(private) + Π2(µ )(flag1) + Π
2(µ )(flag2)

= i · Π2(µ0) = 1

This implies:

Π2(µ )(public) + Π2(µ )(private) ≤ 1

So, the agent proves that it does not attempt to enter the private and the public place at the same
time.

6 Conclusion

In this presentation we have introduced the formalism of elemntary object nets and its invari-
ant calculus, which has the compositionality property, i.e. invariants of the whole system are
deducible from the components. The usefulness of structural analysis combined with composi-
tionality of multi-agent systems is obvious in the context of mobility, since the system is open
and only parts of the systems are known in advance. Using this approach we could establish
a correctness proof for our example scenario without any knowledge about the structure of the
mobile agents in the system.

Bibliography

[BBPP04] M. A. Bednarczyk, L. Bernardinello, W. Pawlowski, L. Pomello. Modelling mobility
with Petri hypernets. In Fiadeiro et al. (eds.), Recent Trends in Algebraic Develop-
ment Techniques (WADT 2004). Lecture Notes in Computer Science 3423, pp. 28–44.
Springer-Verlag, 2004.

[Bus99] N. Busi. Mobile nets. In Ciancarini et al. (eds.), Formal Methods for Open Object-
Based Distributed Systems. Volume 139, pp. 51–66. Kluwer, 1999.

[CGG00] L. Cardelli, A. D. Gordon, G. Ghelli. Ambient groups and mobility types. Technical
report, Microsoft Research and University of Pisa, 2000.

Adaptive and Mobile Processes 16 / 18


ECEASST

[HEM05] K. Hoffmann, H. Ehrig, T. Mossakowski. High-Level Nets with Nets and Rules as
Tokens. In Application and Theory of Petri Nets and Other Models of Concurrency.
Lecture Notes in Computer Science 3536, pp. 268 – 288. Springer-Verlag, 2005.

[Hir02] K. Hiraishi. PN2: An Elementary Model for Design and Analysis of Multi-agent
Systems. In Arbab and Talcott (eds.), Coordination Models and Languages, COOR-
DINATION 2002. Lecture Notes in Computer Science 2315, pp. 220–235. Springer-
Verlag, 2002.

[KF06] M. Köhler, B. Farwer. Modelling Global and Local Name Spaces for Mobile Agents
Using Object Nets. Fundamenta Informaticae 72(1-3):109–122, 2006.

[KF07] M. Köhler, B. Farwer. Object Nets for Mobility. In Kleijn and Yakovlev (eds.), Inter-
national Conference on Application and Theory of Petri Nets 2007. Lecture Notes in
Computer Science 4546, pp. 244–262. Springer-Verlag, 2007.

[KMR01] M. Köhler, D. Moldt, H. Rölke. Modeling the Behaviour of Petri Net Agents. In
Colom and Koutny (eds.), International Conference on Application and Theory of
Petri Nets. Lecture Notes in Computer Science 2075, pp. 224–241. Springer-Verlag,
2001.

[KMR03] M. Köhler, D. Moldt, H. Rölke. Modelling Mobility and Mobile Agents using Nets
within Nets. In Aalst and Best (eds.), International Conference on Application and
Theory of Petri Nets 2003. Lecture Notes in Computer Science 2679, pp. 121–140.
Springer-Verlag, 2003.

[Köh06] M. Köhler. The Reachability Problem for Object Nets. In Moldt (ed.), Proceedings of
the Workshop on Modelling, object, components, and agents (MOCA’06). University
of Hamburg, Department for Computer Science, 2006.

[Köh07] M. Köhler. Reachable Markings of Object Petri Nets. Fundamenta Informaticae
79(3-4):401 – 413, 2007.

[KB09] M. Köhler-Bußmeier. Hornets: Nets within Nets combined with Net Algebra. In
Wolf and Franceschinis (eds.), International Conference on Application and Theory
of Petri Nets (ICATPN’2009). Lecture Notes in Computer Science. Springer-Verlag,
2009.

[KR03] M. Köhler, H. Rölke. Concurrency for Mobile Object-Net Systems. Fundamenta In-
formaticae 54(2-3), 2003.

[KR04] M. Köhler, H. Rölke. Properties of Object Petri Nets. In Cortadella and Reisig (eds.),
International Conference on Application and Theory of Petri Nets 2004. Lecture
Notes in Computer Science 3099, pp. 278–297. Springer-Verlag, 2004.

[Lak05] C. Lakos. A Petri Net View of Mobility. In Formal Techniques for Networked
and Distributed Systems (FORTE 2005). Lecture Notes in Computer Science 3731,
pp. 174–188. Springer-Verlag, 2005.

17 / 18 Volume 12 (2008)


Analysis of Mobile Agents using Invariants of Object Nets

[Lau87] K. Lautenbach. Linear algebraic techniques for place/transition nets. In Brauer et al.
(eds.), Petri Nets: Central Models and their Properties. Advances in Petri Nets 1986.
Lecture Notes in Computer Science 254, pp. 142–167. Springer-Verlag, 1987.

[Lom00] I. A. Lomazova. Nested Petri Nets – a Formalism for Specification of Multi-agent
distributed systems. Fundamenta Informaticae 43(1-4):195–214, 2000.

[MPW92] R. Milner, J. Parrow, D. Walker. A calculus of mobile processes, parts 1-2. Informa-
tion and computation 100(1):1–77, 1992.

[STC98] M. Silva, E. Teruel, J. M. Colom. Linear Algebraic and Linear Programming Tech-
niques for the Analysis of Place/Transition Net Systems. In Reisig and Rozenberg
(eds.), Lecture Notes in Computer Science: Lectures on Petri Nets I: Basic Models.
Advances in Petri Nets 1491, pp. 309–373. Springer-Verlag, 1998.

[Val91] R. Valk. Modelling Concurrency by Task/Flow EN Systems. In 3rd Workshop on
Concurrency and Compositionality. GMD-Studien 191. Gesellschaft für Mathematik
und Datenverarbeitung, St. Augustin, Bonn, 1991.

[Val98] R. Valk. Petri Nets as Token Objects: An Introduction to Elementary Object Nets.
In Desel and Silva (eds.), Application and Theory of Petri Nets. Lecture Notes in
Computer Science 1420, pp. 1–25. 1998.

[Val03] R. Valk. Object Petri nets: Using the nets-within-nets paradigm. In Desel et al. (eds.),
Advanced Course on Petri Nets 2003. Lecture Notes in Computer Science 3098,
pp. 819–848. Springer-Verlag, 2003.

[VC98] J. Vitek, G. Castagna. Seal: A Framework for Secure Mobile Computations. In ICCL
Workshop: Internet Programming Languages. Pp. 47–77. 1998.

[XD00] D. Xu, Y. Deng. Modeling Mobile Agent Systems with High Level Petri Nets. In
IEEE International Conference on Systems, Man, and Cybernetics’2000. 2000.

Adaptive and Mobile Processes 18 / 18


	Introduction
	Preliminaries
	Elementary Object Systems
	Projections and Firing Rule
	Mobile EOS and Marking Equivalence
	Mobile Object Nets

	Reference Semantics and Generalised State Machines
	The Invariance Calculus for Object Nets
	Conclusion