# Efficient Restrictions of Immediate Observation Petri Nets

In a previous paper we introduced immediate observation Petri nets, a subclass of Petri nets with application domains in distributed protocols (population protocols) and theoretical chemistry (chemical reaction networks). IO nets enjoy many useful properties, but like the general case of conservative Petri nets they have a PSPACE-complete reachability problem. In this paper we explore two restrictions of the reachability problem for IO nets which lower the complexity of the problem drastically. The complexity is NP-complete for the first restriction with applications in distributed protocols, and it is polynomial for the second restriction with applications in chemical settings.

## Authors

• 5 publications
• 8 publications
02/08/2019

### Parameterized Analysis of Immediate Observation Petri Nets

We introduce immediate observation Petri nets, a class of interest in th...
01/27/2020

### On the Flatness of Immediate Observation Petri Nets

In a previous paper we introduced immediate observation (IO) Petri nets,...
12/31/2021

### Structural Liveness of Immediate Observation Petri Nets

We show that the structural liveness problem for immediate observation n...
09/12/2019

### Tracking Down the Bad Guys: Reset and Set Make Feasibility for Flip-Flop Net Derivatives NP-complete

Boolean Petri nets are differentiated by types of nets τ based on which ...
07/16/2018

### Verification of Immediate Observation Population Protocols

Population protocols (Angluin et al., PODC, 2004) are a formal model of ...
04/26/2022

### Distributed controller synthesis for deadlock avoidance

We consider the distributed control synthesis problem for systems with l...
06/10/2020

### Checking marking reachability with the state equation in Petri net subclasses

Although decidable, the marking reachability problem for Petri nets is w...
##### This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

## 1 Introduction

In this paper we refine our results about the complexity of verifying immediate observation Petri nets [9] in the case of two restrictions of such nets. Petri nets and their subclasses are widely used and studied in the context of software and system verification (e.g. [7]

), but also others such as game theory (e.g.

[11]), chemical reaction networks (e.g. [3]) etc. Unfortunately many important problems there have high complexity, and reachability is at least -hard in the general case [6]. This motivates the study of subclasses of Petri nets.

Immediate observation Petri nets (IO nets) are a reformulation of immediate observation population protocols, which have been introduced by Angluin et al. in [2]. Initially, they were studied from the point of view of computing predicates in a distributed system, where their expressive power is lower than general population protocols (conservative Petri nets) but still considerable. Many verification problems for IO nets are -complete; among them set-parametrized problems for sets defined by boolean combinations of bounds on token counts. This is a significant improvement compared to the general or conservative case of Petri nets, where -hard [4] and even harder verification problems are the norm. IO nets provide a natural description of some distributed systems, but also can be used to describe enzymatic chemical networks [1].

Of course, a subclass of reachability problems with a better computational complexity raises some natural, even if informal, questions. What allows better complexity and can it be generalized to some wider subclass? What keeps the complexity from being even lower and are there useful subclasses without these obstacles? Are there applications where a typical problem can be solved more efficiently? We believe that branching immediate observation nets, a generalization of IO nets and basic parallel processes with reachability problem in [12], answer the first question. The present paper is devoted the last two questions.

We consider two restrictions, the first one a syntactic restriction defining a subclass of IO nets, and the second a condition on the initial and final markings considered in the reachability problem for IO nets. Such restrictions are plausible in applications to some distributed systems (delayed observation population protocols,[2]) and to some chemical systems (enzymatic chemical reaction networks, [1]). We show the first restriction entails an NP-complete reachability problem, and for the second restriction we provide a polynomial algorithm deciding reachability or giving a witness that the restriction does not hold.

The rest of the paper is organized as follows. In section 2, we recall some general definitions regarding Petri nets, as well as the classic maximum flow minimum cut problem. Section 3 defines immediate observation Petri nets. Then we show the effects for reachability complexity of two restrictions on IO nets: keeping transitions enabled once enabled in Section 4, and requiring all token counts and their combinations to be large or zero in Section 5. Finally, we summarize our results in the conclusion and outline some further directions.

## 2 Preliminaries

Multisets. A multiset on a finite set is a mapping , i.e. for any , denotes the number of occurrences of element in . Let denote the multiset such that . Operations on like addition or comparison are extended to multisets by defining them component wise on each element of . We call the size of .

Place/transition Petri nets with weighted arcs. A Petri net is a triple consisting of a finite set of places , a finite set of transitions and a flow function . A marking is a multiset on , and we say that a marking puts tokens in place of . The size of , denoted by , is the total number of tokens in . The preset and postset of a transition are the multisets on given by and . A transition is enabled at a marking if , i.e. is component-wise smaller or equal to . If is enabled then it can be fired, leading to a new marking . We let denote this. Given we write when , and call a firing sequence. We write if for some , and say that is reachable from .

Flows and cuts. A flow graph is a triple where is a finite set of vertices, is a finite set of arcs, and is a nonnegative capacity function on arcs A flow graph contains two special vertices and , called the inlet and outlet, such that the has no incoming arc and has no outgoing arc. A flow of a flow graph is a function such that for each arc , and for each vertex , the sum of the flow over ’s incoming arcs is equal to the sum of the flow over ’s outgoing arcs. The value of a flow is the sum of the flow over all arcs from the inlet, or equivalently the sum of the flow over all arcs to the outlet. A cut in a flow graph is a pair of disjoint subsets such that the inlet is in and the outlet is in . The capacity of a cut is the sum of the capacities of all the arcs going from vertices in to vertices in .

We recall two classic theorems.

###### Theorem 2.1 (Max-flow min-cut theorem [10])

In a flow graph, the maximum value of a flow is equal to the minimum capacity of a cut.

###### Theorem 2.2 (Dinic algorithm [8])

Given a flow graph, a flow with the maximum value and a cut with the minimum capacity can be found in polynomial time.

## 3 Immediate observation Petri nets

We recall the definition of immediate observation nets (IO nets) from [9].

###### Definition 1

A transition of a Petri net is an immediate observation transition (IO transition) if there are places , not necessarily distinct, such that and . We call the source, destination, and observed places of , respectively. A Petri net is an immediate observation net (IO net) if all its transitions are IO transitions.

IO nets are conservative, i.e. there is no creation or destruction of tokens.s

###### Example 1

Figure 1 shows an IO net taken from the literature on population protocols [2]. Intuitively, it models a protocol allowing a crowd of undistinguishable agents that can only interact in pairs to decide whether they are at least 3. Initially all agents are in state , modelled by tokens in place . If two agents in state interact, one of them moves to state (transition ). If two agents in state interact, one of them moves to (transition ). Finally, an agent in state can “attract” all other agents to state (transitions and ). Given a marking with tokens only in , if and the pairs of tokens that interact next are chosen uniformly at random, then eventually all tokens reach .

In [9], we showed that given an IO net and two markings , deciding whether is reachable from

is a -complete problem. The proof of -hardness for the reachability problem in IO nets uses a reduction from the halting problem of linear-space Turing machines. The reduction is done by simulating the runs of the Turing machine: places describe the state of the head and of the tape cells, and transitions model the movement of the head and the change in the symbols on the tape cells. In the construction a specific “success” place becomes marked if and only if the machine reaches the halting state without exceeding the permitted space.

We observe that the nets provided by this reduction have two common properties. First, the transitions get enabled and disabled a very large number of times. Second, the markings put at most one token per place. We show how avoiding at least one of these conditions leads to much easier verification.

## 4 First restriction: transition enabling

The -hardness proof for IO reachability relies on the observation requirements of some transitions switching between satisfied and unsatisfied many times. In some distributed systems observations correspond to irrevocable declarations of the agents, for example in some multi-phase commit protocols. Correspondingly, we consider IO nets where token moves once enabled remain enabled. Sometimes this is not the case for the system on the whole, but it is useful to have indefinite enabling when considering reachability questions. This is the case for example in the delayed observation population protocols introduced by Angluin et al. in [2]. In this model, agents can send an unlimited amount of messages containing their current state. These messages can then be received at any later time by any other agent in the system, who can change their state based on this information. By sending a large amount of messages as soon as a first agent reaches a certain state in a run of the system, certain transitions can become enabled and stay enabled throughout the run. We formalize such a property in the following definition.

###### Definition 2

An IO net is non-forgetting if for each transitions and there is also a transition .

In other words, once it becomes possible to move a token from to , it stays possible. The reachability problem for such IO nets becomes much simpler.

###### Theorem 4.1

The reachability problem for non-forgetting IO nets is in .

###### Proof

First, we show that the reachability problem in an IO net with a fixed set of enabled transitions is equivalent to the maximum flow problem on graphs.

Let be an IO net, let be two markings of . We define as the flow graph with vertices identified with the places of , as well as two additional vertices and , the inlet and outlet of the flow graph. For each transition , there is an arc from to in with infinite capacity. Each vertice identified with a place of has one incoming arc from the inlet with capacity , and one outgoing arc to the outlet with capacity . Figure 2 illustrates such a flow graph for a non-forgetting IO net.

A firing sequence from to in corresponds naturally to an integer flow on , where for all vertices and corresponding to places of the IO net, and is equal to the number of transitions from to in . This flow has value .

Conversely, an integer flow of value corresponds to a firing sequence in , provided has a fixed set of enabled transitions. Let us consider such a flow . There exists a multiset of transitions of containing exactly transitions with source place and destination place for every pair of places . To prove existence of a firing sequence for each such multiset, we consider the following (simple but inefficient) procedure. We repeatedly fire an arbitrary remaining transition such that its source place has more tokens in the current marking than in the final one. As IO nets are conservative, we will be able to pick such a transition unless we have reached the final marking. The transition is enabled because all transitions of are enabled by assumption.

We proceed to prove that reachability problem for non-forgetting IO nets is in . The certificate for reachability corresponding to a firing sequence is defined to consist of the markings where some transition is enabled for the first time. As the number of transitions is less than the length of the input, such a certificate has polynomial length. We use the above reduction to maximum flow to verify the existence of firing sequences between the provided markings where the set of enabled token moves does not change. This can be checked in polynomial time, for example using the Dinic algorithm.

In fact the reachability problem is -complete.

###### Theorem 4.2 ()

Reachability problem for non-forgetting IO nets is -hard.

###### Proof (Sketch)

-hardness of reachability is proved by a reduction from the -complete SAT problem. Consider a SAT instance represented as a circuit of binary “NAND” () operations. One can construct a net such that its runs correspond to the input nodes of the circuit nondeterministically picking arbitrary input values, and the operation nodes of the circuit evaluating the function given the chosen values of the inputs. The technical details are provided in the appendix.

## 5 Second restriction: token counts

Another property of the -hardness reduction for IO nets is the low number of tokens in each place. Specifically, no reachable marking puts more than one token in any place. Some systems exhibit a very different behaviour. For instance in most cases of chemical reaction networks, we expect the number of individual molecules to be much larger than the number of species of molecules. Additionally, we do not expect any chance “near-misses” between the configuration of the molecules before and after a reaction sequence. In other words, if the total amount of molecules of some group of species before the reaction sequence is approximately equal to the amount of molecules of some other group of species afterwards, there must be a precise equality. Informally, we can consider an example from [5] cited in [1]. Five species of molecules are considered in a milliliter-scale cell with nanomolar (picomole per milliliter) concentrations of molecules. As a picomole contains more than molecules, equalities that hold up to molecules have a relative error of . Such equalities can reasonably be expected to follow from some conservation laws and be precise.

This behaviour can be formalized by the following condition.

###### Definition 3

A pair of markings and of an IO net with the set of places is a near-miss pair, if for there exists sets of places and such that . A pair which is not a near-miss is called a no-near-miss pair.

In terms of our informal example, even for a hundred molecular species a near-miss corresponds to an absolute error of at most molecules, which is low compared to the molecule numbers in many applications.

Observe that each place of markings and such that are a no-near-miss pair can be either unmarked or contain at least tokens. This can be seen by examining sets and , or and .

Applications avoiding near-miss markings enjoy easier reachability problem.

###### Theorem 5.1

The reachability problem for no-near-miss pairs of markings is in P. Moreover, there is a polynomial-time algorithm such that for every pair of markings it either resolves reachability, giving a witness firing sequence if it exists, or reports a near-miss in and .

###### Remark 1

Requiring only that the initial and final markings of a firing sequence have many tokens in the non-empty places does not give us a better complexity than the general -complete case.

The basic idea of the algorithm is to maintain an increasing set of restrictions. Once we cannot prove any new restrictions, we can either construct a firing sequence from to satisfying the obtained restrictions and no other ones, show that the set of restrictions is unsatisfiable, or find a near-miss.

### 5.1 Restriction inference

Given an IO net and two markings and , the algorithm expands an initially empty set of restrictions of the form “no token can go from place to place via place ”. We say that a pair of places is forbidden if for all the restriction “no token can go from to via ” is in . Forbidding a pair means adding the restriction “no token can go from to via ” for all . A pair of places that is not forbidden is allowed.

The algorithm alternatingly applies two operations which infer new restrictions, a reachability-based inference step and a cut-based inference step.

#### 5.1.1 Reachability-based inference

For each allowed pair , we keep two growing sets of places: the initially-reachable set of places reachable from , and the finally-reachable set of places backwards-reachable from .

A reachability-based inference step is performed as follows. We initialize as and as . For every allowed pair , add place to if:

• there is a transition for some places ,

• is in and is not,

• is in for some places , and

• the restriction “no token can go from to via ” is not in .

Symmetrically, for every allowed pair , add place to if:

• there is a transition for some places ,

• is in and is not,

• is for some places , and

• the restriction “no token can go from to via ” is not in .

Once no initially-reachable or finally-reachable set can be extended, we define the reachable set for each pair as the intersection of and if they exist, and the empty set otherwise. If does not contain both and , we forbid the pair, i.e. we add the restriction “no token can go from to via ” to for all . Otherwise, for every place not in , we add the restriction “no token can go from to via ” to .

#### 5.1.2 Cut-based inference

To describe the second kind of inference step, we define a correspondence between the reachability problem in an IO net with a restriction set and the maximum flow problem for a special graph.

Let be an IO net of place set , let be two markings of , and let be a set or restrictions of the form “no token can go from to via ”. We define a flow graph with vertices. There are two vertices for each place , an “initial” copy and a “final” copy , as well as a distinguished inlet vertex and a distinguished outlet vertex . For each place , there is an arc with capacity , and an arc with capacity . For each pair of places such that is not forbidden in , there is an arc from the initial -labeled vertex to the final -labeled vertex with infinite capacity. Note that the maximum flow value in graph thus constructed is at most .

Given such a flow graph , we define two operations on the capacity relative to a place pair and a integer :

• Increasing by along consists in increasing and by .

• Decreasing by along consists in decreasing and by . This operation is not possible if or are smaller than .

A cut-based inference step is performed as follows. We construct the flow graph . If the maximum flow value on is smaller than , we terminate the algorithm and report that is unreachable from . Otherwise, we forbid each allowed pair such that decreasing by along is impossible or reduces the maximum flow value to .

The idea is to root out any pair for which the path from to via and crosses the minimum cut twice.

###### Example 2

Figure 3 illustrates the flow graph constructed for the IO net of Figure 1, the markings and , and the forbidden pairs . The path contains two arcs crossing the cut.

### 5.2 Firing sequence construction

When no new restrictions can be produced by applying any of the two kinds of inference steps, we say the set of restrictions is stable. Given a stable set of restrictions with allowed pairs , a solution flow is a result of the following procedure: Construct the flow graph . Decrease the capacity by along each allowed pair; if this step fails because some arc has insufficient capacity, terminate the algorithm and report that is a near-miss pair. Otherwise, compute a maximal flow. If it has value less than , terminate the algorithm and report that is a near-miss pair. Otherwise, increase its capacity by along each (allowed) pair.

Observe that a solution flow does not always exist, and when it exists it might not be unique. The algorithm builds a firing sequence from the solution flow. For this we recall some definitions from [9].

#### 5.2.1 Trajectories and histories

Since the transitions of IO nets do not create or destroy tokens, we can give tokens identities. Given a firing sequence, each token of the initial marking follows a trajectory through the places of the net until it reaches the final marking of the sequence. The trajectories of the tokens between given source and target markings constitute a history.

A trajectory of IO net is a sequence of places. We let denote the -th place of . The -th step of is the pair . A history of length is a multiset of trajectories of length . Given an index , the -th marking of , denoted , is defined as follows: for every place , is the number of trajectories such that . The markings and are the initial and final markings of , and we write . A history of length is realizable if there exist transitions and numbers such that

• , where for every we define iff .

• For every , there are exactly trajectories such that , where are the source and target places of , and all other trajectories satisfy . Moreover, there is at least one trajectory in such that , where is the observed place of . We say that realizes step of .

We say that realizes . Intuitively, at a step of a realizable history only one transition occurs, although perhaps multiple times, for different tokens. From the definition of realizable history we immediately obtain:

• iff there exists a realizable history with and as initial and final markings.

• Every firing sequence that realizes a history of length has accelerated length at most .

#### 5.2.2 From solution flow to firing sequence

Let be a solution flow, and the final stable restrictions set of the algorithm. Intuitively, our construction of the solution flow makes sure the flow has value at least along each pair which is allowed by . We use the procedure for reachability-based inference to construct a realizable history from this flow, such that for every pair there are at most trajectories from to .

###### Definition 4

A place is an initially-reachable child of place for pair if was added to because of some transition . The notion of initially-reachable descendant is defined by transitive and reflexive closure over the initially-reachable child relation. The corresponding notions of finally-reachable child and finally-reachable descendant are defined symmetrically.

The defined relations and functions can be computed by rerunning a reachability-based inference step with the stable set . Notice also that a reachability-based inference step on provides no new restrictions, so .

We define three markings and . Let be the marking such that is equal to the cardinality of the set for all . Let be the marking such that . Note that as we have . Symmetrically, let be the marking such that ; we have . We are going to construct a history from to and from to .

We construct the realizable history from to by running a reachability-based inference step. The first step of the history consists in trajectories of length such that there is exactly one trajectory in for each triple such that . We label each trajectory with its triple. This first step corresponds to the marking . The idea is to extend each trajectory of labeled from until it reaches place , and then to do the same, working backwards, for each trajectory of labeled from until .

At each step of the construction of the history we maintain the fact that a -labeled trajectory is in place such that is the latest place with as initially-reachable descendant to be added to . In the first step described above, this holds by initialization of the sets.

At each step, we pick the next pair and place such that the reachability-inference step adds to . It is added because of a transition . For every place which is a descendant of , we extend trajectories labeled with a step from to . The rest of the trajectories in the history are extended with steps preserving their corresponding current places. By definition of a reachability-inference step, is already in for some so the history thus defined is realizable. Eventually all the trajectories reach the place of their label .

We construct a realizable history from to in a symmetrical way. We concatenate these two histories (identifying the trajectories labeled in them) to obtain a history from to with trajectories from to . We pick an arbitrary trajectory from to and increase its multiplicity in the multiset by . This provides a realizable history from to .

Finally, we extract a firing sequence from the realizable history from to by associating a transition and an iteration count to each step of the history. Each step with trajectories going from to with is associated to a transition iterated times from to , where realizes the step. This is possible by realizability.

### 5.3 Algorithm Correctness

We recall the general structure of the algorithm. The algorithm initializes the set of restrictions to be empty, then alternates reachability-based and cut-based inference steps until a stable set of restrictions is reached (or an early termination occurs). The stable set of restrictions is then used to build a solution flow (or report a near miss); a solution flow can always be converted into a firing sequence from to . We now prove that the algorithm runs in polynomial time and always returns a correct answer. In case of a near-miss, both reporting the near-miss and correctly resolving reachability is considered a correct answer.

###### Lemma 1 ()

The algorithm runs in polynomial time.

The runtime analysis is straightforward, and can be found in the appendix. To prove that the algorithm is correct, we prove that the inference steps only produce correct restrictions and that the algorithm’s reports of non-reachability and near-misses are correct.

###### Lemma 2 ()

The restrictions and non-reachability reports are correct.

###### Proof (Sketch)

We say that a restriction “no token can go from to via ” is correct if there exists no realizable history from to with a trajectory from to passing through . The proof follows from the fact that if can reach , there exists a realizable history from to with trajectories from to for each such that and , and which induces a flow of size over the flow graph of the cut-inference step. The existence of this flow of size also entails that the non-reachability reports are correct. The details are in the appendix.

The correctness proof of the near-miss reports is more involved, and interesting.

###### Lemma 3 ()

The near-miss reports are correct.

###### Proof

The algorithm only reports a near-miss in the solution flow procedure, over a stable set of restrictions . Such a report entails that we have flow graph with the following properties:

• the maximal flow value is ,

• decreasing by along any allowed pair of decreases the maximum flow value to (by stability of ),

• decreasing by along all the allowed pairs of is either impossible or leads to a maximum flow value less than .

If decreasing by along all the allowed pairs of is impossible, then either there is some place such that the arc has capacity less than , or there is some place such that the arc has capacity less than . This is equivalent to either , which is a near-miss as ; or , which is a near-miss as .

Assume that instead, decreasing by along all the allowed pairs of leads to a maximum flow value less than . We call the capacity post-decrease, and note . Theorem 2.1 on equality of the minimum cut and the maximum flow gives existence of a cut in with capacity less than . Consider such a cut of capacity . We write the capacity of cut in before the decrease operation. Since the maximum flow, and thus minimum cut, of is , we have . Therefore there exists an allowed pair such that the arcs and both cross the cut, as otherwise . We also know that as the cut-based inference did not produce new restrictions, decreasing by along any allowed pair keeps any cut capacity in bigger or equal to . Thus we have . By structure of and , the decreasing operation can reduce a cut capacity by at most . So , and using the inequalities above as well as the fact that there are at most allowed pairs, we get .

Consider the following two vertex sets based on cut . Let and . Our cut is finite, so only finite capacity arcs cross it, namely the arcs from the inlet to vertices and from vertices to the outlet. The capacity in of this cut is thus . Since and , we know . By set considerations , and so finally . The sets prove that are a near-miss.

If the algorithm does not report non-reachability or a near-miss, it returns a solution flow. We have shown that we can construct a firing sequence from to from this flow, and it can be done in polynomial time.

## 6 Conclusion and future work

We have considered two restrictions of the IO net reachability problem with a promise for much simpler verification for some applications and established the reachability complexity in both these cases, which is -complete in one case and polynomial in the other.

We leave the question of complexity of set-set reachability under these restrictions for future research. Another related question is defining a notion of “approximate” reachability that would provide a reduction in complexity for IO nets, as merely bounding the maximum difference between token counts or the sum of differences preserves -hardness of the reachability problem.

## References

• [1] David Angeli, Patrick De Leenheer, and Eduardo D Sontag. A petri net approach to the study of persistence in chemical reaction networks. Mathematical biosciences, 210(2):598–618, 2007.
• [2] Dana Angluin, James Aspnes, David Eisenstat, and Eric Ruppert. The computational power of population protocols. Distributed Computing, 20(4):279–304, 2007.
• [3] Paolo Baldan, Nicoletta Cocco, Andrea Marin, and Marta Simeoni. Petri nets for modelling metabolic pathways: a survey. Nat. Comput., 9(4):955–989, 2010.
• [4] E. Cardoza, Richard J. Lipton, and Albert R. Meyer. Exponential space complete problems for petri nets and commutative semigroups: Preliminary report. In Ashok K. Chandra, Detlef Wotschke, Emily P. Friedman, and Michael A. Harrison, editors,

Proceedings of the 8th Annual ACM Symposium on Theory of Computing, May 3-5, 1976, Hershey, Pennsylvania, USA

, pages 50–54. ACM, 1976.
• [5] Gheorghe Craciun, Yangzhong Tang, and Martin Feinberg. Understanding bistability in complex enzyme-driven reaction networks. Proceedings of the National Academy of Sciences of the United States of America, 2006.
• [6] Wojciech Czerwinski, Slawomir Lasota, Ranko Lazic, Jérôme Leroux, and Filip Mazowiecki. The reachability problem for petri nets is not elementary. In Moses Charikar and Edith Cohen, editors, Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Computing, STOC 2019, Phoenix, AZ, USA, June 23-26, 2019, pages 24–33. ACM, 2019.
• [7] René David and Hassane Alla. Petri nets for modeling of dynamic systems: A survey. Autom., 30(2):175–202, 1994.
• [8] E. A. Dinits.

Algorithm for solution of a problem of maximum flow in a network with power estimation.

Sov. Math., Dokl., 11:1277–1280, 1970.
• [9] Javier Esparza, Mikhail A. Raskin, and Chana Weil-Kennedy. Parameterized analysis of immediate observation petri nets. In Petri Nets, volume 11522 of Lecture Notes in Computer Science, pages 365–385. Springer, 2019.
• [10] L. R. Ford and D. R. Fulkerson. Maximal flow through a network. Canadian Journal of Mathematics, 8:399–404, 1956.
• [11] Huimin Lin. Stratifying winning positions in parity games. In Kees M. van Hee and Rüdiger Valk, editors, Applications and Theory of Petri Nets, 29th International Conference, PETRI NETS 2008, Xi’an, China, June 23-27, 2008. Proceedings, volume 5062 of Lecture Notes in Computer Science, pages 9–11. Springer, 2008.
• [12] Mikhail A. Raskin, Chana Weil-Kennedy, and Javier Esparza. Flatness and complexity of immediate observation petri nets. CONCUR 2020 (to appear), 2020.

## Appendix 0.A First restriction: transition enabling

We describe the reduction from SAT to the reachability problem for non-forgetting IO nets.

See 4.2

###### Proof

-hardness of reachability is proved by a reduction from the SAT problem. Consider a SAT instance represented as a circuit of binary “NAND” () operations (any propositional formula can be converted into such form in linear time). We construct a net with the following places.

• For each input of the SAT circuit we add places , , . Informally, marking these places corresponds to the input value being unknown, set to and to respectively.

• For each operation node , we add places , , , , . Informally, these places correspond to our knowledge about the inputs and the output value of the node : we can know neither input, know that one of the inputs is , or know the output value of the node being or (if one output is , the node has the value regardless of the other input).

The transitions are as follows.

• A token can move from a place to either of the places or .

• A token in one of the places , , can observe a token in or where is an input to and move to the place corresponding to its updated information about the arguments.

• Let be the output operation node. Any token can observe a token in and perform any move that would be allowed by some observation (ensuring the non-forgetting property), or move to .

The initial marking puts one token into each and .

Such a net is a non-forgetting IO net, and it is easy to see that any execution in this net from the initial marking corresponds to guessing some inputs and evaluating the circuit. In particular, the marking with all the tokens in is reachable iff the circuit is satisfiable. This completes the proof.

## Appendix 0.B Second restriction: token counts

Below are the omitted or sketched proofs of the correctness of the polynomial algorith for reachability of no-near-miss pairs.

See 1

###### Proof

A reachability-based inference step tries to increase the initially-reachable and finally-reachable place sets of each allowed pair . There are at most such pairs and such sets, each of which have size at most . Increasing a set takes polynomial time. A cut-based inference step computes the maximum flow of a flow graph at most times. A single computation of the maximum flow can be done in polynomial time, for example by the Dinic algorithm.

A set of restriction can have size at most so the number of inference steps which add to it is polynomial. Once we obtain a stable set of restrictions, we compute a solution flow by computing a maximum flow, taking polynomial time.

Having a solution flow, we construct a realizable history. To do so we rerun a reachability-based inference step with a polynomial slowdown caused by the need to update the trajectories. Increasing the multiplicity of one trajectory for pair of places takes just a polynomial number of arithmetic operations. Each step of converting a realizable history to a description of a firing sequence requires reading all the (distinct) trajectories and their multiplicities, finding the non-horizontal steps, selecting a transition realizing the step and writing it and its multiplicity. All these operations are feasible in polynomial time.

See 2

###### Proof

We say that a restriction “no token can go from to via ” is correct if there exists no realizable history from to with a trajectory from to passing through . The restrictions set is initialized with restrictions for every such that or . These restrictions are correct.

##### Reachability-based inference is correct

Consider a pair of places . If there exists a realizable history from to with a trajectory from to passing through , it is straightforward to see that is in the initially-reachable and finally-reachable sets for . Therefore if is not in the reachable set , there is no realizable history containing a trajectory from to via . If or are not in the reachable set , there is no realizable history containing a trajectory from to .

##### Cut-based inference is correct

Consider a pair of places forbidden by a cut-based refinement. Any realizable history from to induces a flow of value : the flow that saturates all the arcs with the finite capacities (i.e. the arcs from the inlet and to the outlet), and assigns to an infinite-capacity arc from some to some the number of trajectories from to . If there is a realizable history from to , then consider such a flow. if this flow includes any flow from to , i.e. if , we decrease the capacity by along the pair .‘ The remaining flow has value . But since the cut-based inference forbids this pair, the maximum flow value should be strictly less than . The contradiction proves that there is no flow from to , and correspondingly, there are no trajectories from to in the history.

##### Non-reachability reports are correct

Reports of non-reachability are given when the algorithm finds a maximum flow value less than in the cut-inference step. As a realizable history induces a flow of value , non-reachability cannot be reported if such a history exists, therefore all non-reachability reports are also correct.