Probability space over paths
• Sample space Ω = Path(s) (infinite paths with initial state s)
• Event set Σ_Path(s) is the least σ-algebra on Path(s) containing
− the cylinder sets C(ω) = { ω' ∈ Path(s) | ω is a prefix of ω' } for all finite paths ω starting in s
• Probability measure Pr_s
− define probability P_s(ω) for a finite path ω = s s1 … sn as:
  • P_s(ω) = 1 if ω has length one (i.e. ω = s)
  • P_s(ω) = P(s,s1) · … · P(s_{n−1},s_n) otherwise
− define Pr_s(C(ω)) = P_s(ω) for all finite paths ω
− Pr_s extends uniquely to a probability measure Pr_s : Σ_Path(s) → [0,1]
• See [KSK76] for further details
SFM-07:PE 21
Probability space - Example
[Figure: the running DTMC example: s0 → s1 with probability 1; s1 {try} → s1 (0.01), s1 → s2 (0.01), s1 → s3 (0.98); s2 {fail} → s0 (1); s3 {succ} → s3 (1)]
• Paths where sending fails the first time
− ω = s0 s1 s2
− C(ω) = all paths starting s0 s1 s2 …
− P_s0(ω) = P(s0,s1) · P(s1,s2) = 1 · 0.01 = 0.01
− Pr_s0(C(ω)) = P_s0(ω) = 0.01
• Paths which are eventually successful and with no failures
− C(s0 s1 s3) ∪ C(s0 s1 s1 s3) ∪ C(s0 s1 s1 s1 s3) ∪ …
− Pr_s0( C(s0 s1 s3) ∪ C(s0 s1 s1 s3) ∪ C(s0 s1 s1 s1 s3) ∪ … )
  = P_s0(s0 s1 s3) + P_s0(s0 s1 s1 s3) + P_s0(s0 s1 s1 s1 s3) + …
  = 1·0.98 + 1·0.01·0.98 + 1·0.01·0.01·0.98 + …
  = 98/99 = 0.9898989898…
SFM-07:PE 22
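The two computations on this slide, worked in code as an added example (it is not part of the slides): P_s(ω) as a product of transition probabilities, the cylinder-set measure Pr_s(C(ω)) = P_s(ω), and the countable union of disjoint cylinders whose measures form the geometric series summing to 98/99. The matrix P is the slides' four-state DTMC (s1 is the {try} state, s2 {fail}, s3 {succ}), entered here as exact fractions so the series can be checked without floating-point error.

```python
# Added example (not from the slides): finite-path probabilities P_s(ω) and the
# cylinder-set measure Pr_s(C(ω)) on the 4-state DTMC used throughout the slides.
from fractions import Fraction

# Transition probability matrix P of the slides' DTMC (states s0..s3; s1 is the
# {try} state, s2 {fail}, s3 {succ}), written as exact fractions so that the
# geometric series below can be checked exactly rather than in floating point.
P = [
    [Fraction(0), Fraction(1),      Fraction(0),      Fraction(0)],        # s0 -> s1
    [Fraction(0), Fraction(1, 100), Fraction(1, 100), Fraction(98, 100)],  # s1 {try}
    [Fraction(1), Fraction(0),      Fraction(0),      Fraction(0)],        # s2 {fail} -> s0
    [Fraction(0), Fraction(0),      Fraction(0),      Fraction(1)],        # s3 {succ} absorbing
]


def path_prob(P, path):
    """P_s(ω) for a finite path ω = s s1 ... sn: 1 for a path of length one,
    otherwise the product of the transition probabilities along the path."""
    prob = Fraction(1)
    for s, t in zip(path, path[1:]):
        if P[s][t] == 0:
            raise ValueError(f"{path} is not a path of the DTMC: P({s},{t}) = 0")
        prob *= P[s][t]
    return prob


def cylinder_prob(P, prefix):
    """Pr_s(C(ω)) = P_s(ω): the measure of the set of all infinite paths that
    extend the finite prefix ω."""
    return path_prob(P, prefix)


def eventually_succ_no_fail(P, terms):
    """Pr_s0 of C(s0 s1 s3) ∪ C(s0 s1 s1 s3) ∪ ... truncated to `terms` cylinders.
    The cylinders are pairwise disjoint (no path has two different prefixes of
    this shape), so the measure of the union is the sum of the measures."""
    return sum(cylinder_prob(P, [0] + [1] * (n + 1) + [3]) for n in range(terms))


def eventually_succ_no_fail_limit(P):
    """Closed form of the same geometric series:
    P(s0,s1)·P(s1,s3) / (1 − P(s1,s1)), which is 98/99 for this DTMC."""
    return P[0][1] * P[1][3] / (1 - P[1][1])
```

The `ValueError` guard matters in practice: a "path" with a zero-probability transition is not a path of the DTMC at all, and silently returning 0 for it would hide a modelling mistake.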
PCTL • Temporal logic for describing properties of DTMCs − PCTL = Probabilistic Computation Tree Logic [HJ94] − essentially the same as the logic pCTL of [ASB+95] • Extension of (non-probabilistic) temporal logic CTL − key addition is probabilistic operator P − quantitative extension of CTL’s A and E operators • Example − send → P ≥ 0.95 [ true U ≤ 10 deliver ] − “if a message is sent, then the probability of it being delivered within 10 steps is at least 0.95” SFM-07:PE 23
PCTL syntax
• PCTL syntax:
− φ ::= true | a | φ ∧ φ | ¬φ | P~p [ ψ ] (state formulas)
  P~p [ ψ ]: “ψ is true with probability ~p”
− ψ ::= X φ | φ U≤k φ | φ U φ (path formulas)
  X: “next”; U≤k: “bounded until”; U: “unbounded until”
− where a is an atomic proposition, used to identify states of interest, p ∈ [0,1] is a probability, ~ ∈ {<,>,≤,≥}, k ∈ ℕ
• A PCTL formula is always a state formula
− path formulas only occur inside the P operator
SFM-07:PE 24
PCTL semantics for DTMCs
• PCTL formulas interpreted over states of a DTMC
− s ⊨ φ denotes φ is “true in state s” or “satisfied in state s”
• Semantics of (non-probabilistic) state formulas:
− for a state s of the DTMC (S,s_init,P,L):
− s ⊨ a ⇔ a ∈ L(s)
− s ⊨ φ1 ∧ φ2 ⇔ s ⊨ φ1 and s ⊨ φ2
− s ⊨ ¬φ ⇔ s ⊨ φ is false
• Examples
− s3 ⊨ succ
− s1 ⊨ try ∧ ¬fail
[Figure: the running DTMC example: s0 → s1 (1); s1 {try} → s1 (0.01), s2 (0.01), s3 (0.98); s2 {fail} → s0 (1); s3 {succ} → s3 (1)]
SFM-07:PE 25
PCTL semantics for DTMCs
• Semantics of path formulas:
− for a path ω = s0 s1 s2 … in the DTMC:
− ω ⊨ X φ ⇔ s1 ⊨ φ
− ω ⊨ φ1 U≤k φ2 ⇔ ∃ i ≤ k such that s_i ⊨ φ2 and ∀ j < i, s_j ⊨ φ1
− ω ⊨ φ1 U φ2 ⇔ ∃ k ≥ 0 such that ω ⊨ φ1 U≤k φ2
• Some examples of satisfying paths:
− X succ: s1 s3 s3 s3 … (labels {try} {succ} {succ} {succ} …)
− ¬fail U succ: s0 s1 s1 s3 s3 … (labels ∅ {try} {try} {succ} {succ} …)
[Figure: the running DTMC example: s0 → s1 (1); s1 {try} → s1 (0.01), s2 (0.01), s3 (0.98); s2 {fail} → s0 (1); s3 {succ} → s3 (1)]
SFM-07:PE 26
PCTL semantics
• Semantics of the probabilistic operator P
− informal definition: s ⊨ P~p [ ψ ] means that “the probability, from state s, that ψ is true for an outgoing path satisfies ~p”
− example: s ⊨ P<0.25 [ X fail ] ⇔ “the probability of atomic proposition fail being true in the next state of outgoing paths from s is less than 0.25”
− formally: s ⊨ P~p [ ψ ] ⇔ Prob(s,ψ) ~ p
− where: Prob(s,ψ) = Pr_s { ω ∈ Path(s) | ω ⊨ ψ }
[Figure: the outgoing paths from state s split into those satisfying ψ and those satisfying ¬ψ; the question is whether Prob(s,ψ) ~ p]
SFM-07:PE 27
PCTL derived operators
• Basic logical equivalences:
− false ≡ ¬true (false)
− φ1 ∨ φ2 ≡ ¬(¬φ1 ∧ ¬φ2) (disjunction)
− φ1 → φ2 ≡ ¬φ1 ∨ φ2 (implication)
• Negation and probabilities
− e.g. ¬P>p [ φ1 U φ2 ] ≡ P≤p [ φ1 U φ2 ]
• The “eventually” path operator
− F φ ≡ true U φ (F = “future”)
− sometimes written as ◊φ (“diamond”)
− “φ is eventually true”
− bounded version: F≤k φ ≡ true U≤k φ
SFM-07:PE 28
More PCTL
• The “always” path operator
− G φ ≡ ¬(F ¬φ) ≡ ¬(true U ¬φ) (G = “globally”)
− sometimes written as □φ (“box”)
− “φ is always true”
− bounded version: G≤k φ ≡ ¬(F≤k ¬φ)
− strictly speaking, G φ cannot be derived from the PCTL syntax in this way since there is no negation of path formulas
• F and G represent two useful classes of properties:
− reachability: the probability of reaching a state satisfying φ, i.e. P~p [ F φ ]
− invariance: the probability of φ always remaining true, i.e. P~p [ G φ ]
SFM-07:PE 29
PCTL and measurability • All the sets of paths expressed by PCTL are measurable − i.e. are elements of the σ -algebra Σ Path(s) − see for example [Var85] (for a stronger result in fact) • Recall: probability space (Path(s), Σ Path(s) , Pr s ) − Σ Path(s) contains cylinder sets C( ω ) for all finite paths ω starting in s and is closed under complementation, countable union • Next (X φ ) − cylinder sets constructed from paths of length one • Bounded until ( φ 1 U ≤ k φ 2 ) − (finite number of) cylinder sets from paths of length at most k • Until ( φ 1 U φ 2 ) − countable union of paths satisfying φ 1 U ≤ k φ 2 for all k ≥ 0 SFM-07:PE 30
Qualitative vs. quantitative properties • P operator of PCTL can be seen as a quantitative analogue of the CTL operators A (for all) and E (there exists) • Qualitative PCTL properties − P ~p [ ψ ] where p is either 0 or 1 • Quantitative PCTL properties − P ~p [ ψ ] where p is in the range (0,1) • P >0 [ F φ ] is identical to EF φ − there exists a finite path to a φ -state • P ≥ 1 [ F φ ] is (similar to but) weaker than AF φ − see next slide… SFM-07:PE 31
Example: Qualitative/quantitative
• Toss a coin repeatedly until “tails” is thrown
[Figure: DTMC with s0 → s1 {heads} (0.5), s0 → s2 {tails} (0.5), s1 → s0 (1), s2 → s2 (1)]
• Is “tails” always eventually thrown?
− CTL: AF “tails”
− Result: false
− Counterexample: s0 s1 s0 s1 s0 s1 …
• Does the probability of eventually throwing “tails” equal one?
− PCTL: P≥1 [ F “tails” ]
− Result: true
− Infinite path s0 s1 s0 s1 s0 s1 … has zero probability
SFM-07:PE 32
Quantitative properties • Consider a PCTL formula P ~p [ ψ ] − if the probability is unknown, how to choose the bound p? • When the outermost operator of a PCTL formula is P − we allow the form P =? [ ψ ] − “what is the probability that path formula ψ is true?” • Model checking is no harder: compute the values anyway • Useful to spot patterns, trends • Example − P=? [ F err/total>0.1 ] − “what is the probability that 10% of the NAND gate outputs are erroneous?” SFM-07:PE 33
Some real PCTL examples • NAND multiplexing system − P =? [ F err/total>0.1 ] − “what is the probability that 10% of the NAND gate outputs are erroneous?” • Bluetooth wireless communication protocol − P =? [ F ≤ t reply_count=k ] − “what is the probability that the sender has received k acknowledgements within t clock-ticks?” • Security: EGL contract signing protocol − P =? [ F (pairs_a=0 & pairs_b>0) ] − “what is the probability that the party B gains an unfair advantage during the execution of the protocol?” SFM-07:PE 34
Overview • Introduction to stochastic model checking • Discrete-time Markov chains (DTMCs) − Properties of DTMCs: The logic PCTL − PCTL model checking − Costs and rewards • Continuous-time Markov chains (CTMCs) − Properties of CTMCs: The logic CSL − CSL model checking − Costs and rewards • Stochastic model checking in practice − PRISM software tool − Case study 1: Power Management − Case study 2: Biological Pathway SFM-07:PE 35
PCTL model checking • Algorithm for PCTL model checking [HJ94] − inputs: DTMC D=(S,s init ,P,L), PCTL formula φ − output: Sat( φ ) = { s ∈ S | s ⊨ φ } = set of states satisfying φ • What does it mean for a DTMC D to satisfy a formula φ ? − sometimes, want to check that s ⊨ φ ∀ s ∈ S, i.e. Sat( φ ) = S − sometimes, just want to know if s init ⊨ φ , i.e. if s init ∈ Sat( φ ) • Sometimes, focus on quantitative results − e.g. compute result of P=? [ F error ] − e.g. compute result of P=? [ F ≤ k error ] for 0 ≤ k ≤ 100 SFM-07:PE 36
PCTL model checking
• Basic algorithm proceeds by induction on parse tree of φ
− example: φ = (¬fail ∧ try) → P>0.95 [ ¬fail U succ ]
[Figure: parse tree of the example: → at the root, with children ∧ (over ¬fail and try) and P>0.95 [ · U · ] (over ¬fail and succ)]
• For the non-probabilistic operators:
− Sat(true) = S
− Sat(a) = { s ∈ S | a ∈ L(s) }
− Sat(¬φ) = S \ Sat(φ)
− Sat(φ1 ∧ φ2) = Sat(φ1) ∩ Sat(φ2)
• For the P~p [ ψ ] operator
− need to compute the probabilities Prob(s,ψ) for all states s ∈ S
SFM-07:PE 37
PCTL next
• Computation of probabilities for PCTL next operator
− Sat(P~p [ X φ ]) = { s ∈ S | Prob(s, X φ) ~ p }
− need to compute Prob(s, X φ) for all s ∈ S
• Sum outgoing probabilities for transitions to φ-states
− Prob(s, X φ) = Σ_{s' ∈ Sat(φ)} P(s,s')
[Figure: state s with its outgoing transitions, those leading into φ-states highlighted]
• Compute vector Prob(X φ) of probabilities for all states s
− Prob(X φ) = P · φ
− where φ is a 0-1 vector over S with φ(s) = 1 iff s ⊨ φ
− computation requires a single matrix-vector multiplication
SFM-07:PE 38
PCTL next - Example
• Model check: P≥0.9 [ X (¬try ∨ succ) ]
− Sat(¬try ∨ succ) = (S \ Sat(try)) ∪ Sat(succ) = ({s0,s1,s2,s3} \ {s1}) ∪ {s3} = {s0,s2,s3}
− Prob(X (¬try ∨ succ)) = P · (¬try ∨ succ) =
  ⎡ 0    1     0     0    ⎤   ⎡ 1 ⎤   ⎡ 0    ⎤
  ⎢ 0    0.01  0.01  0.98 ⎥ · ⎢ 0 ⎥ = ⎢ 0.99 ⎥
  ⎢ 1    0     0     0    ⎥   ⎢ 1 ⎥   ⎢ 1    ⎥
  ⎣ 0    0     0     1    ⎦   ⎣ 1 ⎦   ⎣ 1    ⎦
[Figure: the running DTMC example: s0 → s1 (1); s1 {try} → s1 (0.01), s2 (0.01), s3 (0.98); s2 {fail} → s0 (1); s3 {succ} → s3 (1)]
• Results:
− Prob(X (¬try ∨ succ)) = [0, 0.99, 1, 1]
− Sat(P≥0.9 [ X (¬try ∨ succ) ]) = {s1, s2, s3}
SFM-07:PE 39
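The next-operator computation of the last two slides as an added example (not code from the slides): build the 0-1 vector of Sat(φ) from the labelling, do the single matrix-vector product Prob(X φ) = P · φ, and then filter states with the comparison ~p. The matrix and labelling are the slides' DTMC; the `REL` table and the function names are this example's own.

```python
# Added example (not from the slides): model checking the PCTL next operator
# P~p[X φ] on the slides' DTMC by a single matrix-vector multiplication.
import operator

# Transition matrix and labelling of the slides' DTMC: s1 {try}, s2 {fail}, s3 {succ}.
P = [
    [0.0, 1.0,  0.0,  0.0],
    [0.0, 0.01, 0.01, 0.98],
    [1.0, 0.0,  0.0,  0.0],
    [0.0, 0.0,  0.0,  1.0],
]
L = {0: set(), 1: {"try"}, 2: {"fail"}, 3: {"succ"}}
S = set(L)

# The four comparison relations allowed for ~ in P~p[·].
REL = {"<": operator.lt, ">": operator.gt, "<=": operator.le, ">=": operator.ge}


def sat_atom(a):
    """Sat(a) = { s ∈ S | a ∈ L(s) }."""
    return {s for s in S if a in L[s]}


def prob_next(sat_phi):
    """Vector Prob(X φ) = P · φ, where φ is the 0-1 vector of Sat(φ)."""
    n = len(P)
    phi = [1.0 if s in sat_phi else 0.0 for s in range(n)]
    return [sum(P[s][t] * phi[t] for t in range(n)) for s in range(n)]


def sat_next(sat_phi, rel, p):
    """Sat(P~p[X φ]) = { s ∈ S | Prob(s, X φ) ~ p }."""
    probs = prob_next(sat_phi)
    return {s for s in S if REL[rel](probs[s], p)}


def example():
    """The slides' query P>=0.9[X (¬try ∨ succ)]: returns (Prob(X φ), Sat)."""
    sat_phi = (S - sat_atom("try")) | sat_atom("succ")   # Sat(¬try ∨ succ) = {s0, s2, s3}
    return prob_next(sat_phi), sat_next(sat_phi, ">=", 0.9)
```

Note that the comparison is applied to floating-point sums; for bounds that sit exactly on a computed value (as 0.98 does on the bounded-until slide that follows) the result depends on rounding, which is one reason the later slides stress exact precomputation for the 0/1 cases.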
PCTL bounded until for DTMCs
• Computation of probabilities for PCTL U≤k operator
− Sat(P~p [ φ1 U≤k φ2 ]) = { s ∈ S | Prob(s, φ1 U≤k φ2) ~ p }
− need to compute Prob(s, φ1 U≤k φ2) for all s ∈ S
• First identify states where probability is trivially 1 or 0
− S_yes = Sat(φ2)
− S_no = S \ (Sat(φ1) ∪ Sat(φ2))
• Letting S_? = S \ (S_yes ∪ S_no), compute solution of recursive equations:
  Prob(s, φ1 U≤k φ2) =
    1                                                  if s ∈ S_yes
    0                                                  if s ∈ S_no
    0                                                  if s ∈ S_? and k = 0
    Σ_{s' ∈ S} P(s,s') · Prob(s', φ1 U≤k−1 φ2)          if s ∈ S_? and k > 0
SFM-07:PE 40
PCTL bounded until for DTMCs • Simultaneous computation of vector Prob( φ 1 U ≤ k φ 2 ) − i.e. probabilities Prob(s, φ 1 U ≤ k φ 2 ) for all s ∈ S • Iteratively define in terms of matrices and vectors − define matrix P’ as follows: P’(s,s’) = P(s,s’) if s ∈ S ? , P’(s,s’) = 1 if s ∈ S yes and s=s’, P’(s,s’) = 0 otherwise − Prob( φ 1 U ≤ 0 φ 2 ) = φ 2 − Prob( φ 1 U ≤ k φ 2 ) = P’ · Prob( φ 1 U ≤ k-1 φ 2 ) − requires k matrix-vector multiplications • Note that we could express this in terms of matrix powers − Prob( φ 1 U ≤ k φ 2 ) = (P’) k · φ 2 and compute (P’) k in log 2 k steps − but this is actually inefficient: (P’) k is much less sparse than P’ SFM-07:PE 41
PCTL bounded until - Example
• Model check: P>0.98 [ F≤2 succ ] ≡ P>0.98 [ true U≤2 succ ]
− Sat(true) = S = {s0,s1,s2,s3}, Sat(succ) = {s3}
− S_yes = {s3}, S_no = ∅, S_? = {s0,s1,s2}, P' = P
− Prob(true U≤0 succ) = succ = [0, 0, 0, 1]
− Prob(true U≤1 succ) = P' · Prob(true U≤0 succ) =
  ⎡ 0    1     0     0    ⎤   ⎡ 0 ⎤   ⎡ 0    ⎤
  ⎢ 0    0.01  0.01  0.98 ⎥ · ⎢ 0 ⎥ = ⎢ 0.98 ⎥
  ⎢ 1    0     0     0    ⎥   ⎢ 0 ⎥   ⎢ 0    ⎥
  ⎣ 0    0     0     1    ⎦   ⎣ 1 ⎦   ⎣ 1    ⎦
− Prob(true U≤2 succ) = P' · Prob(true U≤1 succ) =
  ⎡ 0    1     0     0    ⎤   ⎡ 0    ⎤   ⎡ 0.98   ⎤
  ⎢ 0    0.01  0.01  0.98 ⎥ · ⎢ 0.98 ⎥ = ⎢ 0.9898 ⎥
  ⎢ 1    0     0     0    ⎥   ⎢ 0    ⎥   ⎢ 0      ⎥
  ⎣ 0    0     0     1    ⎦   ⎣ 1    ⎦   ⎣ 1      ⎦
− Sat(P>0.98 [ F≤2 succ ]) = {s1, s3}
SFM-07:PE 42
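The bounded-until iteration of the preceding three slides as an added example (not code from the slides): build P' from S_yes, S_no and S_? as defined two slides back (rows of S_? copied from P, rows of S_yes replaced by a self-loop, rows of S_no zeroed), start from the 0-1 vector of φ2, and multiply k times. The DTMC is the slides' one; the function names are this example's own.

```python
# Added example (not from the slides): the iterative computation of bounded-until
# probabilities Prob(φ1 U≤k φ2) = P' · Prob(φ1 U≤k-1 φ2) on the slides' DTMC.
import operator

# Transition matrix and labelling of the slides' DTMC: s1 {try}, s2 {fail}, s3 {succ}.
P = [
    [0.0, 1.0,  0.0,  0.0],
    [0.0, 0.01, 0.01, 0.98],
    [1.0, 0.0,  0.0,  0.0],
    [0.0, 0.0,  0.0,  1.0],
]
L = {0: set(), 1: {"try"}, 2: {"fail"}, 3: {"succ"}}
S = set(L)
REL = {"<": operator.lt, ">": operator.gt, "<=": operator.le, ">=": operator.ge}


def sat_atom(a):
    """Sat(a) = { s ∈ S | a ∈ L(s) }."""
    return {s for s in S if a in L[s]}


def bounded_until_vector(sat1, sat2, k):
    """Prob(φ1 U≤k φ2) for every state, via k matrix-vector multiplications
    with the modified matrix P' (S_yes rows become self-loops, S_no rows zero)."""
    n = len(P)
    s_yes = set(sat2)
    s_no = S - (set(sat1) | set(sat2))
    s_q = S - s_yes - s_no
    p_mod = [[0.0] * n for _ in range(n)]
    for s in S:
        if s in s_q:
            p_mod[s] = list(P[s])          # P'(s,s') = P(s,s') for s ∈ S_?
        elif s in s_yes:
            p_mod[s][s] = 1.0              # P'(s,s) = 1 for s ∈ S_yes: stays at 1
    x = [1.0 if s in s_yes else 0.0 for s in range(n)]   # Prob(φ1 U≤0 φ2) = φ2
    for _ in range(k):
        x = [sum(p_mod[s][t] * x[t] for t in range(n)) for s in range(n)]
    return x


def sat_bounded_until(sat1, sat2, k, rel, p):
    """Sat(P~p[φ1 U≤k φ2]) = { s ∈ S | Prob(s, φ1 U≤k φ2) ~ p }."""
    x = bounded_until_vector(sat1, sat2, k)
    return {s for s in S if REL[rel](x[s], p)}


def example():
    """The slides' query P>0.98[F≤2 succ] ≡ P>0.98[true U≤2 succ]."""
    succ = sat_atom("succ")
    return bounded_until_vector(S, succ, 2), sat_bounded_until(S, succ, 2, ">", 0.98)
```

With φ1 = ¬fail instead of true, s2 lands in S_no and its row of P' is zeroed, so probability mass that flows through the fail state is discarded rather than routed back to s0; that is exactly the difference between F≤k succ and ¬fail U≤k succ.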
PCTL unbounded until • Computation of probabilities Prob(s, φ 1 U φ 2 ) for all s ∈ S • We first identify all states where the probability is 1 or 0 − S yes = Sat(P ≥ 1 [ φ 1 U φ 2 ]) − S no = Sat(P ≤ 0 [ φ 1 U φ 2 ]) • We refer to this as the “precomputation” phase − two precomputation algorithms: Prob0 and Prob1 • Important for several reasons − reduces the set of states for which probabilities must be computed numerically − for P ~p [·] where p is 0 or 1, no further computation required − gives exact results for the states in S yes and S no (no round-off) SFM-07:PE 43
Precomputation algorithms • Prob0 algorithm to compute S no = Sat(P ≤ 0 [ φ 1 U φ 2 ]) : − first compute Sat(P >0 [ φ 1 U φ 2 ]) − i.e. find all states which can, with non-zero probability, reach a φ 2 -state without leaving φ 1 -states − i.e. find all states from which there is a finite path through φ 1 -states to a φ 2 -state: simple graph-based computation − subtract the resulting set from S • Prob1 algorithm to compute S yes = Sat(P ≥ 1 [ φ 1 U φ 2 ]) : − first compute Sat(P <1 [ φ 1 U φ 2 ]), reusing S no − this is equivalent to the set of states which have a non-zero probability of reaching S no , passing only through φ 1 -states − again, this is a simple graph-based computation − subtract the resulting set from S SFM-07:PE 44
PCTL unbounded until
• Probabilities Prob(s, φ1 U φ2) can now be obtained as the unique solution of the following set of linear equations:
  Prob(s, φ1 U φ2) =
    1                                        if s ∈ S_yes
    0                                        if s ∈ S_no
    Σ_{s' ∈ S} P(s,s') · Prob(s', φ1 U φ2)    otherwise
− can be reduced to a system in |S_?| unknowns instead of |S|, where S_? = S \ (S_yes ∪ S_no)
• This can be solved with (a variety of) standard techniques
− direct methods, e.g. Gaussian elimination
− iterative methods, e.g. Jacobi, Gauss-Seidel, …
SFM-07:PE 45
PCTL unbounded until - Example
• Model check: P>0.99 [ try U succ ]
− Sat(try) = {s1}, Sat(succ) = {s3}
− S_no = Sat(P≤0 [ try U succ ]) = {s0,s2}
− S_yes = Sat(P≥1 [ try U succ ]) = {s3}
− S_? = {s1}
[Figure: the running DTMC example: s0 → s1 (1); s1 {try} → s1 (0.01), s2 (0.01), s3 (0.98); s2 {fail} → s0 (1); s3 {succ} → s3 (1)]
• Linear equation system:
− x0 = 0
− x1 = 0.01 · x1 + 0.01 · x2 + 0.98 · x3
− x2 = 0
− x3 = 1
• Which yields:
− Prob(try U succ) = x = [0, 98/99, 0, 1]
− Sat(P>0.99 [ try U succ ]) = {s3}
SFM-07:PE 46
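The whole unbounded-until procedure of the last four slides as an added example (not code from the slides): the Prob0 and Prob1 precomputations as backward graph reachability, the reduction to |S_?| unknowns, and a direct solve by Gaussian elimination over exact fractions so that 98/99 comes out exactly. One detail the slide states informally and the code makes explicit: Prob1 searches backwards from S_no through states satisfying φ1 but not φ2, since a φ2-state satisfies the until immediately and can never be a route to S_no. The DTMC is the slides' one; the function names are this example's own.

```python
# Added example (not from the slides): the full PCTL unbounded-until algorithm on
# the slides' DTMC: the Prob0 and Prob1 graph precomputations, then the linear
# equation system over S_? solved exactly by Gaussian elimination.
from fractions import Fraction
import operator

P = [
    [Fraction(0), Fraction(1),      Fraction(0),      Fraction(0)],
    [Fraction(0), Fraction(1, 100), Fraction(1, 100), Fraction(98, 100)],
    [Fraction(1), Fraction(0),      Fraction(0),      Fraction(0)],
    [Fraction(0), Fraction(0),      Fraction(0),      Fraction(1)],
]
L = {0: set(), 1: {"try"}, 2: {"fail"}, 3: {"succ"}}
S = set(L)
REL = {"<": operator.lt, ">": operator.gt, "<=": operator.le, ">=": operator.ge}


def sat_atom(a):
    return {s for s in S if a in L[s]}


def backward_reach(targets, via):
    """States in `via` from which a state in `targets` is reachable through `via`
    states with non-zero probability (plus the targets themselves)."""
    reach = set(targets)
    changed = True
    while changed:
        changed = False
        for s in via - reach:
            if any(P[s][t] > 0 for t in reach):
                reach.add(s)
                changed = True
    return reach


def prob0(sat1, sat2):
    """S_no = Sat(P<=0[φ1 U φ2]): complement of the states that can reach a
    φ2-state through φ1-states."""
    return S - backward_reach(sat2, sat1)


def prob1(sat1, sat2, s_no):
    """S_yes = Sat(P>=1[φ1 U φ2]): complement of the states that can reach S_no
    through (φ1 ∧ ¬φ2)-states with non-zero probability."""
    return S - backward_reach(s_no, sat1 - sat2)


def solve_linear(A, b):
    """Gauss-Jordan elimination over Fractions; A is square and non-singular."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = next(r for r in range(col, n) if M[r][col] != 0)
        M[col], M[piv] = M[piv], M[col]
        pivot = M[col][col]
        M[col] = [v / pivot for v in M[col]]
        for r in range(n):
            if r != col and M[r][col] != 0:
                f = M[r][col]
                M[r] = [a - f * c for a, c in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]


def until_vector(sat1, sat2):
    """Prob(φ1 U φ2) for every state: precomputation, then (I − P_??)·x = P_?yes·1."""
    s_no = prob0(sat1, sat2)
    s_yes = prob1(sat1, sat2, s_no)
    s_q = sorted(S - s_yes - s_no)
    idx = {s: i for i, s in enumerate(s_q)}
    A = [[(1 if s == t else 0) - P[s][t] for t in s_q] for s in s_q]
    b = [sum(P[s][t] for t in s_yes) for s in s_q]
    x = solve_linear(A, b) if s_q else []
    return [Fraction(1) if s in s_yes else Fraction(0) if s in s_no else x[idx[s]]
            for s in range(len(P))]


def sat_until(sat1, sat2, rel, p):
    x = until_vector(sat1, sat2)
    return {s for s in S if REL[rel](x[s], p)}
```

For P≥1[F succ] the precomputation alone settles every state (S_? is empty and no equation is solved), which is the "no further computation required" case the precomputation slide mentions; for ¬fail U succ the system has two unknowns and the solution reproduces the 98/99 used in the parse-tree example.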
Limitations of PCTL • PCTL, although useful in practice, has limited expressivity − essentially: probability of reaching states in X, passing only through states in Y, and within k time-steps • More expressive logics can be used, for example: − LTL, the non-probabilistic linear-time temporal logic − PCTL* [ASB+95,BdA95] which subsumes both PCTL and LTL • These both allow combinations of temporal operators − e.g. for liveness: P ~p [ G F φ ] - “always eventually φ ” • Model checking algorithms for DTMCs and PCTL* exist but are more expensive to implement (higher complexity) SFM-07:PE 47
Overview • Introduction to stochastic model checking • Discrete-time Markov chains (DTMCs) − Properties of DTMCs: The logic PCTL − PCTL model checking − Costs and rewards • Continuous-time Markov chains (CTMCs) − Properties of CTMCs: The logic CSL − CSL model checking − Costs and rewards • Stochastic model checking in practice − PRISM software tool − Case study 1: Power Management − Case study 2: Biological Pathway SFM-07:PE 48
Costs and rewards • We augment DTMCs with rewards (or, conversely, costs) − real-valued quantities assigned to states and/or transitions − these can have a wide range of possible interpretations • Some examples: − elapsed time, power consumption, size of message queue, number of messages successfully delivered, net profit, … • Costs? or rewards? − mathematically, no distinction between rewards and costs − when interpreted, we assume that it is desirable to minimise costs and to maximise rewards − we will consistently use the terminology “rewards” regardless SFM-07:PE 49
Reward-based properties • Properties of DTMCs augmented with rewards − allow a wide range of quantitative measures of the system − basic notion: expected value of rewards − formal property specifications will be in an extension of PCTL • More precisely, we use two distinct classes of property… • Instantaneous properties − the expected value of the reward at some time point • Cumulative properties − the expected cumulated reward over some period SFM-07:PE 50
DTMC reward structures • For a DTMC (S,s init ,P,L), a reward structure is a pair ( ρ , ι ) − ρ : S →ℝ ≥ 0 is the state reward function (vector) − ι : S × S →ℝ ≥ 0 is the transition reward function (matrix) • Example (for use with instantaneous properties) − “size of message queue”: ρ maps each state to the number of jobs in the queue in that state, ι is not used • Examples (for use with cumulative properties) − “time-steps”: ρ returns 1 for all states and ι is zero (equivalently, ρ is zero and ι returns 1 for all transitions) − “number of messages lost”: ρ is zero and ι maps transitions corresponding to a message loss to 1 − “power consumption”: ρ is defined as the per-time-step energy consumption in each state and ι as the energy cost of each transition SFM-07:PE 51
PCTL and rewards • Extend PCTL to incorporate reward-based properties − add an R operator, which is similar to the existing P operator expected reward is ~r − φ ::= … | P ~p [ ψ ] | R ~r [ I =k ] | R ~r [ C ≤ k ] | R ~r [ F φ ] “instantaneous” “cumulative” “reachability” − where r ∈ ℝ ≥ 0 , ~ ∈ {<,>, ≤ , ≥ }, k ∈ ℕ • R ~r [ · ] means “the expected value of · satisfies ~r” SFM-07:PE 52
Types of reward formulas • Instantaneous: R ~r [ I =k ] − “the expected value of the state reward at time-step k is ~r” − e.g. “the expected queue size after exactly 90 seconds” • Cumulative: R ~r [ C ≤ k ] − “the expected reward cumulated up to time-step k is ~r” − e.g. “the expected power consumption over one hour” • Reachability: R ~r [ F φ ] − “the expected reward cumulated before reaching a state satisfying φ is ~r” − e.g. “the expected time for the algorithm to terminate” SFM-07:PE 53
Reward formula semantics • Formal semantics of the three reward operators: − for a state s in the DTMC: − s ⊨ R ~r [ I =k ] ⇔ Exp(s, X I=k ) ~ r − s ⊨ R ~r [ C ≤ k ] ⇔ Exp(s, X C ≤ k ) ~ r − s ⊨ R ~r [ F Φ ] ⇔ Exp(s, X F Φ ) ~ r where: Exp(s,X) denotes the expectation of the random variable X : Path(s) → ℝ ≥ 0 with respect to the probability measure Pr s SFM-07:PE 54
Reward formula semantics
• Definition of random variables:
− for an infinite path ω = s0 s1 s2 …
  X_{I=k}(ω) = ρ(s_k)
  X_{C≤k}(ω) =
    0                                          if k = 0
    Σ_{i=0}^{k−1} ρ(s_i) + ι(s_i,s_{i+1})        otherwise
  X_{Fφ}(ω) =
    0                                          if s0 ∈ Sat(φ)
    ∞                                          if s_i ∉ Sat(φ) for all i ≥ 0
    Σ_{i=0}^{k_φ−1} ρ(s_i) + ι(s_i,s_{i+1})      otherwise
− where k_φ = min{ j | s_j ⊨ φ }
SFM-07:PE 55
Reward formula model checking • Instantaneous: R ~r [ I =k ] − reduces to computation of bounded until probabilities − solution of recursive equations • Cumulative: R ~r [ C ≤ t ] − variant of the method for computing bounded until probabilities − solution of recursive equations • Reachability: R ~r [ F φ ] − similar to computing until probabilities − reduces to solving a system of linear equations SFM-07:PE 56
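The recursive equations for the instantaneous and cumulative operators, carried out on the slides' DTMC as an added example (not code from the slides; the recursions are the bounded-until-style ones the slide refers to, as given in [KNP07a]): X_{I=k} starts from the vector ρ and applies k matrix-vector products, X_{C≤k} starts from 0 and at each step adds the state reward plus the expected transition reward. Both reward structures below are constructed for the example; the reachability operator is omitted here because it needs the unbounded-until precomputation to identify the states whose expectation is ∞.

```python
# Added example (not from the slides): expected instantaneous and cumulative
# rewards on the slides' DTMC for two constructed reward structures.
from fractions import Fraction

P = [
    [Fraction(0), Fraction(1),      Fraction(0),      Fraction(0)],
    [Fraction(0), Fraction(1, 100), Fraction(1, 100), Fraction(98, 100)],
    [Fraction(1), Fraction(0),      Fraction(0),      Fraction(0)],
    [Fraction(0), Fraction(0),      Fraction(0),      Fraction(1)],
]
N = len(P)

# Reward structure "time-steps" (from the reward-structures slide): ρ = 1 in every
# state, ι = 0, so the cumulative reward up to step k is simply k.
RHO_TIME = [Fraction(1)] * N
IOTA_ZERO = [[Fraction(0)] * N for _ in range(N)]

# Constructed reward structure "number of send attempts": ρ = 0 and ι assigns 1
# to every transition leaving the {try} state s1.
RHO_ZERO = [Fraction(0)] * N
IOTA_TRIES = [[Fraction(1 if s == 1 else 0) for t in range(N)] for s in range(N)]

# Constructed indicator reward: ρ = 1 in s1 only, so Exp(s, X_{I=k}) is the
# probability of being in the {try} state after exactly k steps.
RHO_TRY = [Fraction(1 if s == 1 else 0) for s in range(N)]


def instantaneous(rho, k):
    """Exp(s, X_{I=k}) for all s: x_0 = ρ, x_j = P · x_{j-1} (k mat-vec products)."""
    x = list(rho)
    for _ in range(k):
        x = [sum(P[s][t] * x[t] for t in range(N)) for s in range(N)]
    return x


def cumulative(rho, iota, k):
    """Exp(s, X_{C<=k}) for all s: x_0 = 0 and
    x_j(s) = ρ(s) + Σ_t P(s,t) · (ι(s,t) + x_{j-1}(t))."""
    x = [Fraction(0)] * N
    for _ in range(k):
        x = [rho[s] + sum(P[s][t] * (iota[s][t] + x[t]) for t in range(N))
             for s in range(N)]
    return x


def check_reward(values, rel, r):
    """Sat(R~r[·]) given the computed expectation vector."""
    ops = {"<": lambda a, b: a < b, ">": lambda a, b: a > b,
           "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b}
    return {s for s in range(N) if ops[rel](values[s], r)}
```

The indicator reward shows the link the slide draws to bounded-until probabilities: with ρ the 0-1 vector of a state set, the instantaneous recursion is the same k matrix-vector products as Prob(X …) applied k times.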
Model checking PCTL summary • Atomic propositions and logical connectives: trivial • Probabilistic operator P: − X Φ : one matrix-vector multiplication − Φ 1 U ≤ k Φ 2 : k matrix-vector multiplications − Φ 1 U Φ 2 : linear equation system in at most |S| variables • Expected reward operator R − I =k : k matrix-vector multiplications − C ≤ k : k iterations of matrix-vector multiplication + summation − F Φ : linear equation system in at most |S| variables − details for the reward operators are in [KNP07a] SFM-07:PE 57
Model checking PCTL complexity • Model checking of DTMC (S,s init ,P,L) against PCTL formula Φ (including reward operators) − complexity is linear in | Φ | and polynomial in |S| • Size | Φ | of Φ is defined as number of logical connectives and temporal operators plus sizes of temporal operators − model checking is performed for each operator • Worst-case operators are P ~p [ Φ 1 U Φ 2 ] and R ~r [ F Φ ] − main task: solution of linear equation system of size |S| − can be solved with Gaussian elimination: cubic in |S| − and also precomputation algorithms (max |S| steps) • Strictly speaking, U ≤ k could be worse than U for large k − but in practice k is usually small SFM-07:PE 58
Overview • Introduction to stochastic model checking • Discrete-time Markov chains (DTMCs) − Properties of DTMCs: The logic PCTL − PCTL model checking − Costs and rewards • Continuous-time Markov chains (CTMCs) − Properties of CTMCs: The logic CSL − CSL model checking − Costs and rewards • Stochastic model checking in practice − PRISM software tool − Case study 1: Power Management − Case study 2: Biological Pathway SFM-07:PE 59
Continuous-time Markov chains
• Continuous-time Markov chains (CTMCs)
− labelled transition systems augmented with rates
− discrete states and continuous time-steps
• Formally, a CTMC C is a tuple (S,s_init,R,L) where:
− S is a finite set of states (“state space”)
− s_init ∈ S is the initial state
− R : S × S → ℝ≥0 is the transition rate matrix
− L : S → 2^AP is a labelling with atomic propositions
• Transition rate matrix assigns rates to each pair of states
− used as a parameter to the exponential distribution
− transition between s and s' when R(s,s') > 0
− probability of it being triggered before t time units: 1 − e^{−R(s,s')·t}
SFM-07:PE 60
Embedded DTMC
• Can determine the probability of each transition occurring
− independent of the time at which it occurs
− E(s) = Σ_{s' ∈ S} R(s,s') is the exit rate of state s
• Embedded DTMC: emb(C) = (S,s_init,P^emb(C),L)
− state space, initial state and labelling as the CTMC
− for any s,s' ∈ S
  P^emb(C)(s,s') =
    R(s,s')/E(s)    if E(s) > 0
    1               if E(s) = 0 and s = s'
    0               otherwise
• Alternative characterisation of the behaviour:
− remain in s for delay exponentially distributed with rate E(s)
− probability next state is s' is given by P^emb(C)(s,s')
SFM-07:PE 61
Continuous-time Markov chains
• Infinitesimal generator matrix
  Q(s,s') =
    R(s,s')                    if s ≠ s'
    −Σ_{s'' ≠ s} R(s,s'')       otherwise
• Alternative definition: a CTMC is:
− a family of random variables { X(t) | t ∈ ℝ≥0 }
− X(t) are observations made at time instant t
− i.e. X(t) is the state of the system at time instant t
• Memoryless (Markov property)
  P[X(t_k)=s_k | X(t_{k−1})=s_{k−1}, …, X(t_0)=s_0] = P[X(t_k)=s_k | X(t_{k−1})=s_{k−1}]
SFM-07:PE 62
Simple CTMC example
• Modelling a queue of jobs
− initially the queue is empty
− jobs arrive with rate 3/2
− jobs are served with rate 3
− maximum size of the queue is 3
[Figure: CTMC with states s0 {empty}, s1, s2, s3 {full}; transitions s_i → s_{i+1} with rate 3/2 and s_{i+1} → s_i with rate 3; s0 is the initial state]
SFM-07:PE 63
Simple CTMC example
C = (S, s_init, R, L)
S = {s0, s1, s2, s3}
s_init = s0
AP = {empty, full}
L(s0) = {empty}, L(s1) = L(s2) = ∅ and L(s3) = {full}
[Figure: CTMC with states s0 {empty}, s1, s2, s3 {full}; transitions s_i → s_{i+1} with rate 3/2 and s_{i+1} → s_i with rate 3]
transition rate matrix:
  R = ⎡ 0    3/2  0    0   ⎤
      ⎢ 3    0    3/2  0   ⎥
      ⎢ 0    3    0    3/2 ⎥
      ⎣ 0    0    3    0   ⎦
infinitesimal generator matrix:
  Q = ⎡ −3/2  3/2   0     0   ⎤
      ⎢  3   −9/2   3/2   0   ⎥
      ⎢  0    3    −9/2   3/2 ⎥
      ⎣  0    0     3    −3   ⎦
embedded DTMC:
  P^emb(C) = ⎡ 0    1    0    0   ⎤
             ⎢ 2/3  0    1/3  0   ⎥
             ⎢ 0    2/3  0    1/3 ⎥
             ⎣ 0    0    1    0   ⎦
SFM-07:PE 64
Paths of a CTMC
• Infinite path ω is a sequence s0 t0 s1 t1 s2 t2 … such that
− R(s_i,s_{i+1}) > 0 and t_i ∈ ℝ>0 for all i ∈ ℕ
− amount of time spent in the jth state: time(ω,j) = t_j
− state occupied at time t: ω@t = s_j where j is the smallest index such that Σ_{i≤j} t_i ≥ t
• Finite path is a sequence s0 t0 s1 t1 s2 t2 … t_{k−1} s_k such that
− R(s_i,s_{i+1}) > 0 and t_i ∈ ℝ>0 for all i < k
− s_k is absorbing (R(s_k,s') = 0 for all s' ∈ S)
− amount of time spent in the jth state only defined for j ≤ k: time(ω,j) = t_j if j < k and time(ω,j) = ∞ if j = k
− state occupied at time t: if t ≤ Σ_{i<k} t_i then ω@t as above, otherwise (t > Σ_{i<k} t_i) ω@t = s_k
SFM-07:PE 65
Probability space • Sample space: Path s (set of all paths from a state s) • Events: sets of infinite paths • Basic events: sets of paths with common finite prefix − probability of a single finite path is zero − include time intervals in cylinders • Cylinder is a sequence s 0 ,I 0 ,s 1 ,I 1 ,…,I n-1 ,s n − s 0 ,s 1 ,s 2 ,…,s n sequence of states where R(s i ,s i+1 )>0 for i<n − I 0 ,I 1 ,I 2 ,…,I n-1 sequence of nonempty intervals of ℝ ≥ 0 • C(s 0 ,I 0 ,s 1 ,I 1 ,…,I n-1 ,s n ) set of (infinite and finite) paths: − ω (i)=s i for all i ≤ n and time( ω ,i) ∈ I i for all i < n SFM-07:PE 66
Probability space
• Define measure over cylinders by induction
− Pr_s(C(s)) = 1
− Pr_s(C(s,I,s1,I1,…,I_{n−1},s_n,I',s')) equals
  Pr_s(C(s,I,s1,I1,…,I_{n−1},s_n)) · P^emb(C)(s_n,s') · (e^{−E(s_n)·inf I'} − e^{−E(s_n)·sup I'})
− P^emb(C)(s_n,s'): probability of the transition from s_n to s' (defined using the embedded DTMC)
− e^{−E(s_n)·inf I'} − e^{−E(s_n)·sup I'}: probability that the time spent in state s_n is within the interval I'
SFM-07:PE 67
Probability space • Probability space (Path(s), Σ Path(s) , Pr s ) • Sample space Ω = Path(s) (infinite and finite paths) • Event set Σ Path(s) − least σ -algebra on Path(s) containing all cylinders starting in s • Probability measure Pr s − Pr s extends uniquely from probability defined over cylinders • See [BHHK03] for further details SFM-07:PE 68
Probability space - Example
• Cylinder C(s0,[0,2],s1)
• Pr(C(s0,[0,2],s1)) = Pr(C(s0)) · P^emb(C)(s0,s1) · (e^{−E(s0)·0} − e^{−E(s0)·2})
  = 1 · 1 · (e^{−3/2·0} − e^{−3/2·2}) = 1 − e^{−3} ≈ 0.95021
• Probability of leaving the initial state s0 and moving to state s1 within the first 2 time units of operation
[Figure: CTMC with states s0 {empty}, s1, s2, s3 {full}; transitions s_i → s_{i+1} with rate 3/2 and s_{i+1} → s_i with rate 3]
SFM-07:PE 69
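The CTMC definitions of the last few slides (exit rates, embedded DTMC, generator) together with the inductive cylinder measure of this example, as an added example (not code from the slides): the rate matrix is the queue CTMC from the slides, and `cylinder_prob` evaluates Pr(C(s0,I0,s1,…,I_{n−1},s_n)) for any prefix, so the single-step case of this slide (1 − e^{−3}) is checked alongside a two-step cylinder. The function names are this example's own.

```python
# Added example (not from the slides): deriving exit rates, the embedded DTMC and
# the infinitesimal generator from the rate matrix R of the slides' queue CTMC,
# and evaluating the cylinder-set measure defined on the preceding slides.
import math
from fractions import Fraction

# Rate matrix R of the queue example: arrivals at rate 3/2, service at rate 3,
# queue capacity 3 (states s0 {empty} .. s3 {full}).
R = [
    [Fraction(0),    Fraction(3, 2), Fraction(0),    Fraction(0)],
    [Fraction(3),    Fraction(0),    Fraction(3, 2), Fraction(0)],
    [Fraction(0),    Fraction(3),    Fraction(0),    Fraction(3, 2)],
    [Fraction(0),    Fraction(0),    Fraction(3),    Fraction(0)],
]


def exit_rates(R):
    """E(s) = Σ_{s'} R(s,s')."""
    return [sum(row) for row in R]


def embedded_dtmc(R):
    """P^emb(C)(s,s') = R(s,s')/E(s) if E(s) > 0; an absorbing state gets a self-loop."""
    E = exit_rates(R)
    n = len(R)
    return [[R[s][t] / E[s] if E[s] > 0 else Fraction(1 if s == t else 0)
             for t in range(n)] for s in range(n)]


def generator(R):
    """Q(s,s') = R(s,s') off the diagonal and −E(s) on it, so rows sum to 0."""
    E = exit_rates(R)
    n = len(R)
    return [[R[s][t] if s != t else -E[s] for t in range(n)] for s in range(n)]


def cylinder_prob(R, states, intervals):
    """Pr_s(C(s0,I0,s1,...,I_{n-1},s_n)) by the inductive definition: starting
    from Pr_s(C(s0)) = 1, each step multiplies by
    P^emb(s_i,s_{i+1}) · (e^{−E(s_i)·inf I_i} − e^{−E(s_i)·sup I_i}).
    `intervals` holds (lo, hi) pairs; hi may be math.inf."""
    E = exit_rates(R)
    P = embedded_dtmc(R)
    prob = 1.0
    for (s, t), (lo, hi) in zip(zip(states, states[1:]), intervals):
        rate = float(E[s])
        if rate == 0.0:
            return 0.0           # no transition ever leaves an absorbing state
        prob *= float(P[s][t]) * (math.exp(-rate * lo) - math.exp(-rate * hi))
    return prob
```

A two-step cylinder such as C(s0,[0,2],s1,[0,∞),s2) multiplies the slide's value by P^emb(s1,s2) = 1/3 and by the full residence-time mass 1 − 0 of s1, which is how the "probability of a single finite path is zero" remark earlier fits with cylinders having positive measure: the intervals, not the individual times, carry the mass.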
Transient and steady-state behaviour • Transient behaviour, C a CTMC − state of the model at a particular time instant − π C s,t (s’) is probability of, having started in state s, being in state s’ at time t − π C s,t (s’) = Pr s { ω ∈ Path C (s) | ω @t=s’ } • Steady-state behaviour − state of the model in the long-run − π C s (s’) is probability of, having started in state s, being in state s’ in the long run − π C s (s’) = lim t →∞ π C s,t (s’) − the percentage of time, in long run, spent in each state SFM-07:PE 70
Computing transient probabilities
• Π_t - matrix of transient probabilities
− Π_t(s,s') = π_{s,t}(s')
• Π_t solution of the differential equation: Π_t' = Π_t · Q
− Q infinitesimal generator matrix
• Can be expressed as a matrix exponential and therefore evaluated as a power series
  Π_t = e^{Q·t} = Σ_{i=0}^{∞} (Q·t)^i / i!
− computation potentially unstable
− probabilities instead computed using the uniformised DTMC
SFM-07:PE 71
Uniformisation • Uniformised DTMC unif(C)=(S,s init ,P unif(C) ,L) of C=(S,s init ,R,L) − set of states, initial state and labelling the same as C − P unif(C) = I + Q/q − q ≥ max{E(s) | s ∈ S} is the uniformisation rate • Each time step (epoch) of uniformised DTMC corresponds to one exponentially distributed delay with rate q − if E(s)=q transitions the same as embedded DTMC (residence time has the same distribution as one epoch) − if E(s)<q add self loop with probability 1-E(s)/q (residence time longer than 1/q so one epoch may not be ‘long enough’) SFM-07:PE 72
Uniformisation
• Using the uniformised DTMC the transient probabilities can be expressed by:
  Π_t = e^{Q·t} = e^{q·(P^unif(C) − I)·t} = e^{−q·t} · e^{q·t·P^unif(C)}
      = e^{−q·t} · Σ_{i=0}^{∞} (q·t·P^unif(C))^i / i!
      = Σ_{i=0}^{∞} (e^{−q·t} · (q·t)^i / i!) · (P^unif(C))^i
      = Σ_{i=0}^{∞} γ_{q·t,i} · (P^unif(C))^i
− γ_{q·t,i} is the ith Poisson probability with parameter q·t
− P^unif(C) is stochastic (all entries in [0,1] & rows sum to 1), therefore computations with P^unif(C) are more numerically stable than with Q
SFM-07:PE 73
Uniformisation
  Π_t = Σ_{i=0}^{∞} γ_{q·t,i} · (P^unif(C))^i
• (P^unif(C))^i is the probability of jumping between each pair of states in i steps
• γ_{q·t,i} is the ith Poisson probability with parameter q·t
− the probability of i steps occurring in time t, given each has delay exponentially distributed with rate q
• Can truncate the summation using the techniques of Fox and Glynn [FG88], which allow efficient computation of the Poisson probabilities
SFM-07:PE 74
Uniformisation
• Computing π_{s,t} for a fixed state s and time t
− can be computed efficiently using matrix-vector operations
− pre-multiply the matrix Π_t by the initial distribution
− in this case π_{s,0}, where π_{s,0}(s') equals 1 if s = s' and 0 otherwise
  π_{s,t} = π_{s,0} · Π_t = π_{s,0} · Σ_{i=0}^{∞} γ_{q·t,i} · (P^unif(C))^i
          = Σ_{i=0}^{∞} γ_{q·t,i} · (π_{s,0} · (P^unif(C))^i)
− compute iteratively to avoid the computation of matrix powers
  π_{s,0} · (P^unif(C))^{i+1} = (π_{s,0} · (P^unif(C))^i) · P^unif(C)
SFM-07:PE 75
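The uniformisation procedure of the last five slides as an added example (not code from the slides): build P^unif(C) = I + Q/q from the slides' queue CTMC, weight successive vector-matrix products π_{s,0}·(P^unif)^i by Poisson probabilities γ_{q·t,i}, and compare the result with the direct power series of e^{Q·t} that the earlier slide calls potentially unstable. The Poisson weights are computed by the plain recurrence with a tail cut-off, which is this example's simplification, not the Fox-Glynn algorithm the slides cite; the function names are this example's own.

```python
# Added example (not from the slides): transient probabilities π_{s,t} of the
# slides' queue CTMC via uniformisation, compared against the power series of e^{Q·t}.
import math

# Rate matrix of the queue CTMC (arrivals 3/2, service 3, capacity 3).
R = [[0.0, 1.5, 0.0, 0.0],
     [3.0, 0.0, 1.5, 0.0],
     [0.0, 3.0, 0.0, 1.5],
     [0.0, 0.0, 3.0, 0.0]]
N = len(R)


def generator(R):
    """Q = R off the diagonal, −E(s) on it."""
    return [[R[s][t] if s != t else -sum(R[s]) for t in range(N)] for s in range(N)]


def uniformised_dtmc(R, q):
    """P^unif(C) = I + Q/q for a uniformisation rate q >= max_s E(s), which keeps
    every entry in [0,1] with rows summing to 1 (states with E(s) < q get a self-loop)."""
    Q = generator(R)
    return [[(1.0 if s == t else 0.0) + Q[s][t] / q for t in range(N)] for s in range(N)]


def poisson_weights(lam, eps=1e-12):
    """γ_{lam,i} = e^{-lam}·lam^i/i! for i = 0, 1, ..., truncated once the mass
    beyond the current i is below eps (and we are past the mode i ≈ lam)."""
    weights, term, total, i = [], math.exp(-lam), 0.0, 0
    while (total < 1.0 - eps or i <= lam) and i < 10 * lam + 100:
        weights.append(term)
        total += term
        i += 1
        term *= lam / i
    return weights


def transient(R, s, t):
    """π_{s,t} = Σ_i γ_{q·t,i} · (π_{s,0} · (P^unif)^i), with the power maintained
    by one vector-matrix product per term instead of explicit matrix powers."""
    q = max(sum(row) for row in R)
    P = uniformised_dtmc(R, q)
    pi = [1.0 if u == s else 0.0 for u in range(N)]      # π_{s,0}
    result = [0.0] * N
    for w in poisson_weights(q * t):
        for u in range(N):
            result[u] += w * pi[u]
        pi = [sum(pi[v] * P[v][u] for v in range(N)) for u in range(N)]
    return result


def transient_power_series(R, s, t, terms=80):
    """Reference: row s of Σ_i (Q·t)^i / i!, the direct series of e^{Q·t}.
    Q has entries of both signs, so the partial terms grow before they shrink and
    cancel; this is the instability that uniformisation avoids."""
    Q = generator(R)
    v = [1.0 if u == s else 0.0 for u in range(N)]
    result = list(v)
    for i in range(1, terms):
        v = [sum(v[w] * Q[w][u] for w in range(N)) * t / i for u in range(N)]
        result = [r + x for r, x in zip(result, v)]
    return result
```

For this small chain both methods agree at t = 1; for large t the uniformised sum still consists of non-negative terms bounded by 1, while the Q-series has to cancel terms of size roughly (q·t)^i/i!. The long-run values the test checks against, [8/15, 4/15, 2/15, 1/15], follow from detailed balance π_i · 3/2 = π_{i+1} · 3 on the queue.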
Overview • Introduction to stochastic model checking • Discrete-time Markov chains (DTMCs) − Properties of DTMCs: The logic PCTL − PCTL model checking − Costs and rewards • Continuous-time Markov chains (CTMCs) − Properties of CTMCs: The logic CSL − CSL model checking − Costs and rewards • Stochastic model checking in practice − PRISM software tool − Case study 1: Power Management − Case study 2: Biological Pathway SFM-07:PE 76
CSL • Temporal logic for describing properties of CTMCs − CSL = Continuous Stochastic Logic [ASSB00,BHHK03] − extension of (non-probabilistic) temporal logic CTL • Key additions: − probabilistic operator P (like PCTL) − steady state operator S • Example: down → P >0.75 [ ¬fail U ≤ [1,2] up ] − when a shutdown occurs, the probability of a system recovery being completed between 1 and 2 hours without further failure is greater than 0.75 • Example: S <0.1 [insufficient_routers] − in the long run, the chance that an inadequate number of routers are operational is less than 0.1 SFM-07:PE 77
CSL syntax
• CSL syntax:
− φ ::= true | a | φ ∧ φ | ¬φ | P~p [ ψ ] | S~p [ φ ] (state formulas)
  P~p [ ψ ]: “ψ is true with probability ~p”; S~p [ φ ]: “in the long run φ is true with probability ~p”
− ψ ::= X φ | φ U^I φ (path formulas)
  X: “next”; U^I: “time-bounded until”
− where a is an atomic proposition, I is an interval of ℝ≥0, p ∈ [0,1] and ~ ∈ {<,>,≤,≥}
• A CSL formula is always a state formula
− path formulas only occur inside the P operator
SFM-07:PE 78
CSL semantics for CTMCs
• CSL formulas interpreted over states of a CTMC
− s ⊨ φ denotes φ is “true in state s” or “satisfied in state s”
• Semantics of state formulas:
− for a state s of the CTMC (S,s_init,R,L):
− s ⊨ a ⇔ a ∈ L(s)
− s ⊨ φ1 ∧ φ2 ⇔ s ⊨ φ1 and s ⊨ φ2
− s ⊨ ¬φ ⇔ s ⊨ φ is false
− s ⊨ P~p [ ψ ] ⇔ Prob(s,ψ) ~ p, where Prob(s,ψ) is the probability of, starting in state s, satisfying the path formula ψ
− s ⊨ S~p [ φ ] ⇔ Σ_{s' ⊨ φ} π_s(s') ~ p, where π_s(s') is the probability of, starting in state s, being in state s' in the long run
SFM-07:PE 79
CSL semantics for CTMCs
• Prob(s,ψ) is the probability, starting in state s, of satisfying the path formula ψ
− Prob(s,ψ) = Pr_s { ω ∈ Path_s | ω ⊨ ψ }
• Semantics of path formulas:
− for a path ω of the CTMC:
− ω ⊨ X φ ⇔ ω(1) is defined and ω(1) ⊨ φ (if ω(0) is absorbing, ω(1) is not defined)
− ω ⊨ φ1 U^I φ2 ⇔ ∃ t ∈ I. (ω@t ⊨ φ2 ∧ ∀ t' < t. ω@t' ⊨ φ1)
− i.e. there exists a time instant in the interval I where φ2 is true and φ1 is true at all preceding time instants
SFM-07:PE 80
CSL derived operators
• (As for PCTL) can derive basic logical equivalences:
− false ≡ ¬true (false)
− φ1 ∨ φ2 ≡ ¬(¬φ1 ∧ ¬φ2) (disjunction)
− φ1 → φ2 ≡ ¬φ1 ∨ φ2 (implication)
• The “eventually” operator (path formula)
− F φ ≡ true U φ (F = “future”)
− sometimes written as ◊φ (“diamond”)
− “φ is eventually true”
− timed version: F^I φ ≡ true U^I φ
− “φ becomes true in the interval I”
SFM-07:PE 81
More on CSL • Negation and probabilities − ¬P >p [ φ 1 U I φ 2 ] ≡ P ≤ p [ φ 1 U I φ 2 ] − ¬S >p [ φ ] ≡ S ≤ p [ φ ] • The “always” operator (path formula) − G φ ≡ ¬(F ¬ φ ) ≡ ¬(true U ¬ φ ) (G = “globally”) − sometimes written as □ φ (“box”) − “ φ is always true” − bounded version: G I φ ≡ ¬(F I ¬ φ ) − “ φ holds throughout the interval I” − strictly speaking, G φ cannot be derived from the CSL syntax in this way since there is no negation of path formulas − but, as for PCTL, we can derive P ~p [ G φ ] directly... SFM-07:PE 82
Quantitative properties • Consider CSL formulae P ~p [ ψ ] and S ~p [ φ ] − if the probability is unknown, how to choose the bound p? • When the outermost operator of a CSL formula is P or S − allow bounds of the form P =? [ ψ ] and S =? [ φ ] − what is the probability that path formula ψ is true? − what is the long-run probability that φ holds? • Model checking is no harder: compute the values anyway SFM-07:PE 83
CSL example - Workstation cluster
• Case study: Cluster of workstations [HHK00]
− two sub-clusters (N workstations in each cluster)
− star topology with a central switch
− components can break down, single repair unit
− minimum QoS: at least ¾ of the workstations operational and connected via switches
− premium QoS: all workstations operational and connected via switches
[Figure: left and right sub-clusters, each attached to its own switch; the left and right switches are joined by a backbone]
CSL example - Workstation cluster
• P=? [ true U^[0,t] ¬minimum ]
− the chance that the QoS drops below minimum within t hours
• ¬minimum → P<0.1 [ F^[0,t] ¬minimum ]
− when facing insufficient QoS, the probability of facing the same problem after t hours is less than 0.1
• S=? [ minimum ]
− the probability in the long run of having minimum QoS
• minimum → P>0.8 [ minimum U^[0,t] premium ]
− the probability of going from minimum to premium QoS within t hours without violating minimum QoS is at least 0.8
• P=? [ ¬minimum U^[t,∞) minimum ]
− the chance it takes more than t time units to recover from insufficient QoS
Overview
• Introduction to stochastic model checking
• Discrete-time Markov chains (DTMCs)
− Properties of DTMCs: The logic PCTL
− PCTL model checking
− Costs and rewards
• Continuous-time Markov chains (CTMCs)
− Properties of CTMCs: The logic CSL
− CSL model checking
− Costs and rewards
• Stochastic model checking in practice
− PRISM software tool
− Case study 1: Power Management
− Case study 2: Biological Pathway
CSL model checking
• Algorithm for CSL model checking [BHHK03]
− inputs: CTMC C = (S, s_init, R, L), CSL formula φ
− output: Sat(φ) = { s ∈ S | s ⊨ φ }, the set of states satisfying φ
• What does it mean for a CTMC C to satisfy a formula φ?
− check that s ⊨ φ for all states s ∈ S, i.e. Sat(φ) = S
− know if s_init ⊨ φ, i.e. if s_init ∈ Sat(φ)
• Sometimes, focus on quantitative results
− e.g. compute result of P=? [ true U^[0,13.5] minimum ]
− e.g. compute result of P=? [ true U^[0,t] minimum ] for 0 ≤ t ≤ 100
CSL model checking
• Basic algorithm proceeds by induction on parse tree of φ
− example: φ = S<0.9 [ ¬fail ] → P>0.95 [ ¬fail U^I succ ]
[Figure: parse tree of φ, with → at the root; on the left S[·] over ¬ over fail, on the right P[· U^I ·] over ¬ over fail and over succ]
• For the non-probabilistic operators:
− Sat(true) = S
− Sat(a) = { s ∈ S | a ∈ L(s) }
− Sat(¬φ) = S \ Sat(φ)
− Sat(φ1 ∧ φ2) = Sat(φ1) ∩ Sat(φ2)
Untimed properties
• Untimed properties can be verified on the embedded DTMC
− properties of the form: P~p [ X φ ] or P~p [ φ1 U^[0,∞) φ2 ]
− use algorithms for checking PCTL against DTMCs
• Certain qualitative time-bounded until formulae can also be verified on the embedded DTMC
− for any (non-empty) interval I: s ⊨ P~0 [ φ1 U^I φ2 ] if and only if s ⊨ P~0 [ φ1 U^[0,∞) φ2 ]
− can use pre-computation algorithm Prob0
Untimed properties
• s ⊨ P~1 [ φ1 U^[0,∞) φ2 ] does not imply s ⊨ P~1 [ φ1 U^I φ2 ]
• Consider the following example
[Figure: two states s0 and s1 with transition rates λ1 and λ2]
− with probability 1 eventually reach state s1: s0 ⊨ P≥1 [ φ1 U^[0,∞) φ2 ]
− probability of remaining in state s0 until time-bound t is greater than zero for any t
− s0 ⊨ ¬P≥1 [ φ1 U^[0,t] φ2 ]
Model checking - Time-bounded until
• Compute Prob(s, φ1 U^I φ2) for all states where I is an arbitrary interval of the non-negative real numbers
− Prob(s, φ1 U^I φ2) = Prob(s, φ1 U^cl(I) φ2) where cl(I) is the closure of the interval I
− Prob(s, φ1 U^[0,∞) φ2) = Prob^emb(C)(s, φ1 U φ2) where emb(C) is the embedded DTMC
• Therefore, it remains to consider the cases when
− I = [0,t] for some t ∈ ℝ≥0
− I = [t,t'] for some t,t' ∈ ℝ≥0 such that t ≤ t'
− I = [t,∞) for some t ∈ ℝ≥0
Model checking - P~p [ φ1 U^[0,t] φ2 ]
• Computing the probabilities reduces to determining the least solution of the following set of integral equations:
• Prob(s, φ1 U^[0,t] φ2) equals
− 1 if s ∈ Sat(φ2)
− 0 if s ∈ Sat(¬φ1 ∧ ¬φ2)
− and otherwise equals
\[
\int_0^t \sum_{s' \in S} P^{\mathrm{emb}(C)}(s,s') \cdot E(s) \cdot e^{-E(s)\cdot x} \cdot \mathrm{Prob}(s', \phi_1\, U^{[0,t-x]}\, \phi_2)\, dx
\]
− integrate over x between 0 and t: P^emb(C)(s,s') · E(s) · e^{−E(s)·x} is the probability (density) of moving from s to s' at time x, and Prob(s', φ1 U^[0,t−x] φ2) is the probability in state s' of satisfying the until before the remaining t−x time units elapse
Model checking - P~p [ φ1 U^[0,t] φ2 ]
• Construct CTMC C[φ2][¬φ1 ∧ ¬φ2]
− where for CTMC C = (S, s_init, R, L), let C[θ] = (S, s_init, R[θ], L) where R[θ](s,s') = R(s,s') if s ∉ Sat(θ) and 0 otherwise
• Make all φ2 states absorbing
− in such a state φ1 U^[0,x] φ2 holds with probability 1
• Make all ¬φ1 ∧ ¬φ2 states absorbing
− in such a state φ1 U^[0,x] φ2 holds with probability 0
• Problem then reduces to calculating transient probabilities of the CTMC C[φ2][¬φ1 ∧ ¬φ2]:
\[
\mathrm{Prob}(s, \phi_1\, U^{[0,t]}\, \phi_2) = \sum_{s' \in \mathrm{Sat}(\phi_2)} \pi^{C[\phi_2][\neg\phi_1 \wedge \neg\phi_2]}_{s,t}(s')
\]
− where π^C_{s,t}(s') is the transient probability: starting in state s, the probability of being in state s' at time t
Model checking - P~p [ φ1 U^[0,t] φ2 ]
• Can now adapt uniformisation to computing the vector of probabilities Prob(φ1 U^[0,t] φ2)
− recall Π_t is the matrix of transient probabilities, Π_t(s,s') = π_{s,t}(s')
− computed via uniformisation:
\[
\Pi_t = \sum_{i=0}^{\infty} \gamma_{q\cdot t,\, i} \cdot \left(P^{\mathrm{unif}(C)}\right)^i
\]
• Combining with:
\[
\mathrm{Prob}(s, \phi_1\, U^{[0,t]}\, \phi_2) = \sum_{s' \in \mathrm{Sat}(\phi_2)} \pi^{C[\phi_2][\neg\phi_1 \wedge \neg\phi_2]}_{s,t}(s')
\]
− gives, with φ2 read as the 0/1 vector of Sat(φ2):
\[
\mathrm{Prob}(\phi_1\, U^{[0,t]}\, \phi_2) = \Pi_t^{C[\phi_2][\neg\phi_1 \wedge \neg\phi_2]} \cdot \phi_2 = \sum_{i=0}^{\infty} \gamma_{q\cdot t,\, i} \cdot \left(P^{\mathrm{unif}(C[\phi_2][\neg\phi_1 \wedge \neg\phi_2])}\right)^i \cdot \phi_2
\]
Model checking – P~p [ φ1 U^[0,t] φ2 ]
• Have shown that we can calculate the probabilities as:
\[
\mathrm{Prob}(\phi_1\, U^{[0,t]}\, \phi_2) = \sum_{i=0}^{\infty} \gamma_{q\cdot t,\, i} \cdot \left(P^{\mathrm{unif}(C[\phi_2][\neg\phi_1 \wedge \neg\phi_2])}\right)^i \cdot \phi_2
\]
• Infinite summation can be truncated using the techniques of Fox and Glynn [FG88]
• Can compute iteratively to avoid matrix powers:
\[
\left(P^{\mathrm{unif}(C)}\right)^0 \cdot \phi_2 = \phi_2, \qquad \left(P^{\mathrm{unif}(C)}\right)^{i+1} \cdot \phi_2 = P^{\mathrm{unif}(C)} \cdot \left( \left(P^{\mathrm{unif}(C)}\right)^{i} \cdot \phi_2 \right)
\]
P~p [ φ1 U^[0,t] φ2 ] - Example
• P>0.65 [ true U^[0,7.5] full ]
− “probability of the queue becoming full within 7.5 time units”
• State s3 satisfies full and no states satisfy ¬true
− in C[full][¬true ∧ ¬full] only state s3 is made absorbing
[Figure: CTMC with states s0 {empty}, s1, s2, s3 {full}; transitions s0→s1, s1→s2, s2→s3 each with rate 3/2 and s1→s0, s2→s1, s3→s2 each with rate 3; in the modified CTMC s3 is made absorbing]
• Matrix of unif(C[full][¬true ∧ ¬full]) with uniformisation rate max_{s ∈ S} E(s) = 4.5:
\[
\begin{bmatrix}
2/3 & 1/3 & 0 & 0 \\
2/3 & 0 & 1/3 & 0 \\
0 & 2/3 & 0 & 1/3 \\
0 & 0 & 0 & 1
\end{bmatrix}
\]
P~p [ φ1 U^[0,t] φ2 ] - Example
• Computing the summation of matrix-vector multiplications
\[
\mathrm{Prob}(\phi_1\, U^{[0,t]}\, \phi_2) = \sum_{i=0}^{\infty} \gamma_{q\cdot t,\, i} \cdot \left(P^{\mathrm{unif}(C[\phi_2][\neg\phi_1 \wedge \neg\phi_2])}\right)^i \cdot \phi_2
\]
− yields Prob(true U^[0,7.5] full) ≈ (0.6482, 0.6823, 0.7811, 1)
• P>0.65 [ true U^[0,7.5] full ] satisfied in states s1, s2 and s3
[Figure: the same CTMC as on the previous slide, with states s0 {empty}, s1, s2, s3 {full}]
Model checking - P~p [ φ1 U^[t,t'] φ2 ]
• In this case the computation can be split into two parts:
• Probability of remaining in φ1 states until time t
− can be computed as transient probabilities on the CTMC where all states satisfying ¬φ1 have been made absorbing
• Probability of reaching a φ2 state, while remaining in states satisfying φ1, within the time interval [0,t'−t]
− i.e. computing Prob(φ1 U^[0,t'−t] φ2)
\[
\mathrm{Prob}(s, \phi_1\, U^{[t,t']}\, \phi_2) = \sum_{s' \in \mathrm{Sat}(\phi_1)} \pi^{C[\neg\phi_1]}_{s,t}(s') \cdot \mathrm{Prob}(s', \phi_1\, U^{[0,t'-t]}\, \phi_2)
\]
− the sum is over states s' in which φ1 holds; π^{C[¬φ1]}_{s,t}(s') is the probability of reaching state s' at time t while satisfying φ1 up until this point, and Prob(s', φ1 U^[0,t'−t] φ2) is the probability of then satisfying the until within the remaining t'−t time units
Model checking - P~p [ φ1 U^[t,t'] φ2 ]
• Letting Prob_φ(s, φ1 U^[0,t] φ2) = Prob(s, φ1 U^[0,t] φ2) if s ∈ Sat(φ) and 0 otherwise, from the previous slide we have:
\[
\begin{aligned}
\mathrm{Prob}(\phi_1\, U^{[t,t']}\, \phi_2)
&= \Pi_t^{C[\neg\phi_1]} \cdot \mathrm{Prob}_{\phi_1}(\phi_1\, U^{[0,t'-t]}\, \phi_2) \\
&= \sum_{i=0}^{\infty} \gamma_{q\cdot t,\, i} \cdot \left(P^{\mathrm{unif}(C[\neg\phi_1])}\right)^i \cdot \mathrm{Prob}_{\phi_1}(\phi_1\, U^{[0,t'-t]}\, \phi_2)
\end{aligned}
\]
− summation can be truncated using Fox and Glynn [FG88]
− can compute iteratively (only scalar and matrix-vector operations)
Model checking - P~p [ φ1 U^[t,∞) φ2 ]
• Similar to the case for φ1 U^[t,t'] φ2 except the second part is now unbounded, and hence the embedded DTMC can be used
• Probability of remaining in φ1 states until time t
• Probability of reaching a φ2 state, while remaining in states satisfying φ1
− i.e. computing Prob(φ1 U^[0,∞) φ2)
\[
\mathrm{Prob}(s, \phi_1\, U^{[t,\infty)}\, \phi_2) = \sum_{s' \in \mathrm{Sat}(\phi_1)} \pi^{C[\neg\phi_1]}_{s,t}(s') \cdot \mathrm{Prob}^{\mathrm{emb}(C)}(s', \phi_1\, U\, \phi_2)
\]
− the sum is over states s' in which φ1 holds; π^{C[¬φ1]}_{s,t}(s') is the probability of reaching state s' at time t while satisfying φ1 up until this point, and Prob^{emb(C)}(s', φ1 U φ2) is the probability of the unbounded until on the embedded DTMC
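The model-checking procedure of the preceding slides, as one added Python example that is not part of the tutorial and not PRISM code: Sat(φ) by induction on the parse tree, φ1 U^[0,t] φ2 reduced to transient probabilities of C[φ2][¬φ1 ∧ ¬φ2] via uniformisation with the iterative matrix-vector scheme, the embedded-DTMC computation for the unbounded case, and the two-part computation for [t,t'] and [t,∞). The CTMC is constructed to match the queue of the worked example (rates 3/2 and 3, labels empty and full); the nested-tuple encoding of formulas, the function names, the assumption that R has no self-loops, and the plain right truncation of the Poisson series in place of Fox and Glynn are the example's own choices.

```python
import math
import operator

# Constructed CTMC following the slides' bounded-queue example (capacity 3):
# arrivals at rate 3/2, service at rate 3.  RATES[s][s'] = R(s,s') (no self-loops), LABELS = L.
RATES = {"s0": {"s1": 1.5}, "s1": {"s0": 3.0, "s2": 1.5},
         "s2": {"s1": 3.0, "s3": 1.5}, "s3": {"s2": 3.0}}
LABELS = {"s0": {"empty"}, "s1": set(), "s2": set(), "s3": {"full"}}
COMPARE = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}

def exit_rate(R, s):
    """E(s): total outgoing rate of s (0 for an absorbing state)."""
    return sum(R[s].values())

def restrict(R, absorb):
    """C[theta]: R[theta](s,s') = R(s,s') if s is not in theta, and 0 otherwise."""
    return {s: ({} if s in absorb else dict(R[s])) for s in R}

def uniformised(R, q):
    """P^unif(C): P(s,s') = R(s,s')/q for s' != s and P(s,s) = 1 - E(s)/q, with q >= max E(s)."""
    return {s: {**{s2: r / q for s2, r in R[s].items()}, s: 1.0 - exit_rate(R, s) / q} for s in R}

def matvec(P, v):
    return {s: sum(p * v[s2] for s2, p in P[s].items()) for s in P}

def transient_sum(R, t, v, eps=1e-12):
    """Pi_t . v = sum_i gamma_{qt,i} (P^unif)^i . v, evaluated iteratively (scalar and
    matrix-vector operations only).  The Poisson weights gamma_{qt,i} = e^{-qt}(qt)^i/i!
    are summed until they reach 1 - eps: a plain right truncation standing in for Fox-Glynn."""
    q = max(exit_rate(R, s) for s in R) or 1.0   # all states absorbing: P^unif = I
    P, qt = uniformised(R, q), q * t             # note: e^{-qt} underflows for qt > ~700
    weight, acc, result = math.exp(-qt), 0.0, {s: 0.0 for s in R}
    for i in range(1, 100000):
        for s in R:
            result[s] += weight * v[s]
        acc += weight
        if acc >= 1.0 - eps:
            break
        v = matvec(P, v)                         # (P^unif)^i . v from (P^unif)^{i-1} . v
        weight *= qt / i                         # gamma_{qt,i} from gamma_{qt,i-1}
    return result

def bounded_until(R, sat1, sat2, t):
    """Prob(phi1 U^[0,t] phi2) = Pi_t^{C[phi2][not phi1 and not phi2]} . phi2."""
    absorb = set(sat2) | {s for s in R if s not in sat1 and s not in sat2}
    phi2_vec = {s: (1.0 if s in sat2 else 0.0) for s in R}
    return transient_sum(restrict(R, absorb), t, phi2_vec)

def unbounded_until(R, sat1, sat2, eps=1e-12):
    """Prob(phi1 U^[0,inf) phi2) = Prob^emb(C)(phi1 U phi2): value iteration on the embedded
    DTMC P^emb(s,s') = R(s,s')/E(s), started from the phi2 indicator (least solution)."""
    x = {s: (1.0 if s in sat2 else 0.0) for s in R}
    while True:
        new = {}
        for s in R:
            E = exit_rate(R, s)
            if s in sat2:
                new[s] = 1.0
            else:   # 0 outside Sat(phi1) and in absorbing states, otherwise one DTMC step
                new[s] = 0.0 if (s not in sat1 or E == 0.0) else sum(r / E * x[s2] for s2, r in R[s].items())
        if max(abs(new[s] - x[s]) for s in R) < eps:
            return new
        x = new

def interval_until(R, sat1, sat2, t, t2):
    """Prob(phi1 U^[t,t'] phi2) = Pi_t^{C[not phi1]} . Prob_phi1(phi1 U^[0,t'-t] phi2);
    with t2 = inf the inner vector is the unbounded until on the embedded DTMC."""
    inner = (unbounded_until(R, sat1, sat2) if t2 == math.inf
             else bounded_until(R, sat1, sat2, t2 - t))
    masked = {s: (inner[s] if s in sat1 else 0.0) for s in R}   # Prob_phi1(...)
    return transient_sum(restrict(R, {s for s in R if s not in sat1}), t, masked)

def prob(R, L, psi):
    """Prob(phi1 U^I phi2) for I = [0,t], [0,inf), [t,t'] or [t,inf)."""
    _, f, g, (a, b) = psi
    sat1, sat2 = sat(R, L, f), sat(R, L, g)
    if a == 0:
        return unbounded_until(R, sat1, sat2) if b == math.inf else bounded_until(R, sat1, sat2, b)
    return interval_until(R, sat1, sat2, a, b)

def sat(R, L, phi):
    """Sat(phi) by induction on the parse tree.  Formulas are nested tuples:
    ('true',), ('ap', a), ('not', f), ('and', f, g), ('P', op, p, ('U', f, g, (a, b)))."""
    kind = phi[0]
    if kind == "true":
        return set(R)
    if kind == "ap":
        return {s for s in R if phi[1] in L[s]}
    if kind == "not":
        return set(R) - sat(R, L, phi[1])
    if kind == "and":
        return sat(R, L, phi[1]) & sat(R, L, phi[2])
    if kind == "P":
        probs = prob(R, L, phi[3])
        return {s for s in R if COMPARE[phi[1]](probs[s], phi[2])}
    raise ValueError("unknown operator %r" % kind)
```

Calling prob(RATES, LABELS, ("U", ("true",), ("ap", "full"), (0, 7.5))) evaluates P=? [ true U^[0,7.5] full ] and agrees with the vector quoted in the worked example to within 0.01, and sat(RATES, LABELS, ("P", ">", 0.65, ...)) returns {s1, s2, s3} as on the slide. A useful self-check of the [t,t'] case, which the usage below also runs, is that Prob(¬full U^[t,t'] full) equals Prob(¬full U^[0,t'] full) − Prob(¬full U^[0,t] full), since both are the probability that the queue first becomes full within (t, t'].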