Causality in Labeled Transition Systems

Georgiana Caltais (1), joint work with: Stefan Leue (1), Mohammad Reza Mousavi (2)
(1) University of Konstanz, Germany
(2) CERES, Sweden

OPCT 2017, IST Austria

(G. Caltais, University of Konstanz) (De-)composing Causality OPCT 2017, IST Austria 1 / 17
A Railway Crossing Hazard

Safety goal: “It shall always be the case that there is never a car and a train in crossing at the same time”
What is a Cause?

[Lewis 1973] “Causation”. Journal of Philosophy (1973)
- possible world semantics for counterfactuals
- c is causal for e if, were c not to occur, then e would not occur either

[Halpern, Pearl 2005] “Causes and explanations: A structural-model approach. Part I: Causes”. The British Journal for the Philosophy of Science (2005)
- more complex causal dependencies between events

[Leitner-Fischer, Leue 2013] “Causality Checking for Complex System Models”. VMCAI (2013)
- adaptation of [Halpern, Pearl 2005] to concurrent computations and (LTL) reachability properties
- considers ordering and non-occurrence of events as potential causal factors
LTS’s & HML

Labeled Transition Systems (LTS’s)
1. $T = (S, s_{00}, A, \rightarrow)$
2. $s_{00} \xrightarrow{a} s_{10}$
3. $s_{00} \stackrel{bch}{\twoheadrightarrow} s_{31}$, $\varepsilon$ – empty word
4. computations, e.g., $\pi = (s_{00}, b, [\varepsilon, d, e, ee, \ldots]), (s_{11}, c, [h, \varepsilon, \varepsilon, \varepsilon \ldots]), s_{21}$

$traces(\pi) = \{bch, bdc, bec, beec, \ldots\}$

$(s_{00}, b, [\varepsilon, c, ch, bec]), s_{11} \in sub(\pi)$
LTS’s & HML

Labeled Transition Systems (LTS’s)
1. $T = (S, s_{00}, A, \rightarrow)$
2. $s_{00} \xrightarrow{a} s_{10}$
3. $s_{00} \stackrel{bch}{\twoheadrightarrow} s_{31}$, $\varepsilon$ – empty word
4. computations
5. interleaving ($||$) & non-deterministic choice ($+$)

$T = (S, s_0, A, \rightarrow)$, $a \in A$, $s, s', p, p' \in S$

$s \,||\, p \xrightarrow{a} s' \,||\, p$ whenever $s \xrightarrow{a} s'$
$s \,||\, p \xrightarrow{a} s \,||\, p'$ whenever $p \xrightarrow{a} p'$
$s + p \xrightarrow{a} s'$ whenever $s \xrightarrow{a} s'$
$s + p \xrightarrow{a} p'$ whenever $p \xrightarrow{a} p'$.
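The four rules for $||$ and $+$ above, as an added Python example (not code from the talk). The two component LTS's are constructed, and the dict encoding, the function names and the `left`/`right` tags are assumptions; labels are single characters so that a word is a string.

```python
# Constructed component LTSs with disjoint alphabets: state -> [(label, successor)]
T = {"s0": [("a", "s1")], "s1": [("h", "s2")], "s2": []}
T2 = {"p0": [("b", "p1")], "p1": []}

def step_par(lts_s, lts_p, state):
    """Moves of s || p: one component moves, the other stays put."""
    s, p = state
    return ([(a, (s2, p)) for a, s2 in lts_s[s]] +
            [(a, (s, p2)) for a, p2 in lts_p[p]])

def step_choice(lts_s, lts_p, s, p):
    """Moves of s + p: the first move picks a side; the tag records which."""
    return ([(a, ("left", s2)) for a, s2 in lts_s[s]] +
            [(a, ("right", p2)) for a, p2 in lts_p[p]])

def interleave(lts_s, s0, lts_p, p0):
    """Reachable part of s0 || p0, in the same dict encoding."""
    product, todo = {}, [(s0, p0)]
    while todo:
        state = todo.pop()
        if state not in product:
            product[state] = step_par(lts_s, lts_p, state)
            todo.extend(t for _, t in product[state])
    return product

def words(lts, s, n):
    """All words of length n that can be executed from state s."""
    if n == 0:
        return {""}
    return {a + w for a, t in lts[s] for w in words(lts, t, n - 1)}

PRODUCT = interleave(T, "s0", T2, "p0")
```

`words(PRODUCT, ("s0", "p0"), 3)` lists every interleaving of the word `ah` of the first component with the word `b` of the second.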
LTS’s & HML

Hennessy-Milner Logic (HML). Syntax & Semantics.

$\varphi, \psi ::= \top \mid \langle a \rangle \varphi \mid [a] \varphi \mid \neg \varphi \mid \varphi \wedge \psi \mid \varphi \vee \psi \quad (a \in A)$.

Consider $T = (S, s_0, A, \rightarrow)$, $\varphi, \psi$. It holds that:
- $s \models \top$ for all $s \in S$
- $s \models \neg \varphi$ whenever $s$ does not satisfy $\varphi$; also written as $s \not\models \varphi$
- $s \models \varphi \wedge \psi$ if and only if $s \models \varphi$ and $s \models \psi$
- $s \models \varphi \vee \psi$ if and only if $s \models \varphi$ or $s \models \psi$
- $s \models \langle a \rangle \varphi$ if and only if $s \xrightarrow{a} s'$ for some $s' \in S$ such that $s' \models \varphi$
- $s \models [a] \varphi$ if and only if $s' \models \varphi$ for all $s' \in S$ such that $s \xrightarrow{a} s'$.
Causality for LTS’s – AC1

Consider $T = (S, s_0, A, \rightarrow)$ and a HML property $\varphi$ in $T$.

$\pi = (s_0, l_0, D_0), \ldots, (s_n, l_n, D_n), s_{n+1} \in Causes(\varphi, T)$ iff:

1. Positive causality, AC1

$s_0 \xrightarrow{l_0} \ldots s_n \xrightarrow{l_n} s_{n+1} \wedge s_{n+1} \models \varphi$

$\varphi = \langle h \rangle \top$
$\pi_1 = (s_{40}, a, D^1_{40}), s_{42}$
$\pi_2 = (s_{40}, a, D^2_{40}), (s_{42}, b, D^2_{42}), s_{43}$
Causality for LTS’s – AC2(a)

Consider $T = (S, s_0, A, \rightarrow)$ and a HML property $\varphi$ in $T$.

$\pi = (s_0, l_0, D_0), \ldots, (s_n, l_n, D_n), s_{n+1} \in Causes(\varphi, T)$ iff:

2. Counter-factual, AC2(a)

$\exists \chi \in A^*, s' \in S : s_0 \stackrel{\chi}{\twoheadrightarrow} s' \wedge s' \models \neg \varphi$

$\varphi = \langle h \rangle \top$, e.g., $\chi = acb$, $\chi = ah$
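The HML semantics and the conditions AC1 and AC2(a) from the preceding slides, as an added Python example (not code from the talk). The LTS is constructed and is not the one drawn on the slides; the tuple encoding of formulas and the function names are assumptions, and labels are single characters so that a word $\chi$ is a string.

```python
from collections import deque

# Constructed LTS (not the slides' figure): state -> [(label, successor)]
LTS = {
    "s0": [("a", "s1")],
    "s1": [("b", "s2"), ("c", "s3")],
    "s2": [("h", "s4")],
    "s3": [("b", "s5")],
    "s4": [],
    "s5": [],
}
HAZARD = ("dia", "h", ("tt",))  # <h>T, the property used on the slides

def sat(s, f, lts=LTS):
    """HML satisfaction s |= f, with f encoded as a nested tuple."""
    op = f[0]
    if op == "tt":
        return True
    if op == "not":
        return not sat(s, f[1], lts)
    if op == "and":
        return sat(s, f[1], lts) and sat(s, f[2], lts)
    if op == "or":
        return sat(s, f[1], lts) or sat(s, f[2], lts)
    succ = [t for a, t in lts[s] if a == f[1]]
    if op == "dia":  # <a>f: some a-successor satisfies f
        return any(sat(t, f[2], lts) for t in succ)
    if op == "box":  # [a]f: every a-successor satisfies f (vacuous if none)
        return all(sat(t, f[2], lts) for t in succ)
    raise ValueError(f"unknown operator {op!r}")

def ac1(states, labels, f, lts=LTS):
    """AC1: the labels lead through the given states and the last one satisfies f."""
    steps = zip(states, labels, states[1:])
    return (len(states) == len(labels) + 1
            and all((l, t) in lts[s] for s, l, t in steps)
            and sat(states[-1], f, lts))

def ac2a(s0, f, lts=LTS):
    """AC2(a): a shortest word chi from s0 to a state satisfying not-f, else None."""
    seen, queue = {s0}, deque([(s0, "")])
    while queue:
        s, chi = queue.popleft()
        if not sat(s, f, lts):
            return chi
        for a, t in lts[s]:
            if t not in seen:
                seen.add(t)
                queue.append((t, chi + a))
    return None
```

Since $\chi$ ranges over $A^*$, the empty word is a valid witness whenever the initial state itself violates $\varphi$, which is what `ac2a("s0", HAZARD)` returns here.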
Causality of non-occurrence

What if the car leaves (Cl) the crossing before the train enters the crossing?

Cl is causal by its non-occurrence...
Causality for LTS’s – AC2(c)

Consider $T = (S, s_0, A, \rightarrow)$ and a HML property $\varphi$ in $T$.

$\pi = (s_0, l_0, D_0), \ldots, (s_n, l_n, D_n), s_{n+1} \in Causes(\varphi, T)$ iff:

4. Causality of non-occurrence, AC2(c)

$\forall \chi' \in (traces((l_0, D_0) \ldots (l_n, D_n)) \setminus \{l_0 \ldots l_n\}), s' \in S : s_0 \stackrel{\chi'}{\twoheadrightarrow} s' \Rightarrow s' \models \neg \varphi$

$\varphi = \langle h \rangle \top$
$\pi_1 = (s_{40}, a, [c, cb, h, bh]), s_{42}$
$\pi_2 = (s_{40}, a, [c, \varepsilon]), (s_{42}, b, [\varepsilon, h]), s_{43}$
Causality for LTS’s – AC2(b)

Consider $T = (S, s_0, A, \rightarrow)$ and a HML property $\varphi$ in $T$.

$\pi = (s_0, l_0, D_0), \ldots, (s_n, l_n, D_n), s_{n+1} \in Causes(\varphi, T)$ iff:

3. Causality of occurrence, AC2(b)

$\forall \chi' = l_0 \chi_0 \ldots l_n \chi_n \in (A^* \setminus traces((l_0, D_0) \ldots (l_n, D_n))) \cup \{l_0 \ldots l_n\}, \; s_0 \stackrel{\chi'}{\twoheadrightarrow} s' \Rightarrow s' \models \varphi$

$\varphi = \langle h \rangle \top$
$\pi_1 = (s_{40}, a, [c, cb, h, bh]), s_{42}$
$\pi_2 = (s_{40}, a, [c, \varepsilon]), (s_{42}, b, [\varepsilon, h]), s_{43}$
Causality for LTS’s – AC3

Consider $T = (S, s_0, A, \rightarrow)$ and a HML property $\varphi$ in $T$.

$\pi = (s_0, l_0, D_0), \ldots, (s_n, l_n, D_n), s_{n+1} \in Causes(\varphi, T)$ iff:

5. Minimality, AC3

$\forall \pi' \in sub(\pi)$ : $\pi'$ does not satisfy AC1–AC2(c)

$\varphi = \langle h \rangle \top$
$\pi_1 = (s_{40}, a, [c, cb, h, bh]), s_{42}$
$\pi_2 = (s_{40}, a, [c, \varepsilon]), (s_{42}, b, [\varepsilon, h]), s_{43}$

$\pi_1 \in sub(\pi_2)$ satisfies AC1–AC2(c) $\Rightarrow$ $\pi_1$ is causal!
Causal Projection

Consider $T = (S, s_0, A, \rightarrow)$ and a HML property $\varphi$ in $T$.

We write $T \downarrow \varphi$ (or $s_0 \downarrow \varphi$) to denote the causal projection of $T$ w.r.t. $\varphi$

e.g., $s_0 \downarrow \langle h \rangle \top$ and $p_0 \downarrow \langle h' \rangle \top$:
(De-)Composing Causality

From causality in $s_0 \,||\, p_0$ to causality in $s_0$ and/or $p_0$?
(De-)Composing Disjunction

Consider LTS’s $T = (S, s_0, A, \rightarrow)$ and $T' = (S', s'_0, B, \rightarrow')$ such that $A \cap B = \emptyset$. Assume two HML formulae $\varphi$ and $\psi$ over $A$ and $B$, respectively. The following holds:

$T \,||\, T' \downarrow (\varphi \vee \psi) \simeq T \downarrow \varphi + T' \downarrow \psi.$

Example: $\langle h \rangle \top \vee \langle h' \rangle \top$
(De-)Composing Conjunction

Consider LTS’s $T = (S, s_0, A, \rightarrow)$ and $T' = (S', s'_0, B, \rightarrow')$ such that $A \cap B = \emptyset$. Assume two HML formulae $\varphi$ and $\psi$ over $A$ and $B$, respectively. The following holds:

$T \,||\, T' \downarrow (\varphi \wedge \psi) = (T \downarrow \varphi) \,||\, (T' \downarrow \psi).$

Example: $\langle h \rangle \top \wedge \langle h' \rangle \top$
Conclusions & Future Work

Our contributions:
- defined causality for LTS’s & HML (reachability properties)
- established first compositionality results for non-communicating LTS’s

Future work:
- reasoning on causality in an algorithmic / automatic fashion
- work in progress: encoding causality in mCRL2
- extension to communicating LTS’s (in the style of CCS)
- extension to liveness properties (via HML with recursion)