
Quantitative Model Checking Radu Grosu SUNY at Stony Brook


Presentation Transcript


  1. Quantitative Model Checking. Radu Grosu, SUNY at Stony Brook. Joint work with Scott A. Smolka.

  2. Model Checking: Is system S a model of formula φ?

  3. Model Checking • S is a nondeterministic/concurrent system. • φ is a temporal logic formula, in our case a Linear Temporal Logic (LTL) formula. • Basic idea: intelligently explore S's state space in an attempt to establish S |= φ.

  4. Monte Carlo Approach (figure: computation tree, recurrence diameter) • LTL Monte Carlo: N(ε, δ) independent samples, with error margin ε and confidence ratio δ.

  5. Linear Temporal Logic • An LTL formula is made up of atomic propositions p, boolean connectives, and the temporal modalities X (neXt) and U (Until). • Safety: "nothing bad ever happens", e.g. G(¬(pc1=cs ∧ pc2=cs)), where G is a derived modality (Globally). • Liveness: "something good eventually happens", e.g. G(req → F serviced), where F is a derived modality (Finally).

  6. LTL Model Checking • Every LTL formula φ can be translated to a Büchi automaton Bφ whose language is the set of infinite words satisfying φ. • Automata-theoretic approach: S |= φ iff L(BS) ⊆ L(Bφ) iff L(BS ∩ B¬φ) = ∅. • Checking non-emptiness is equivalent to finding an accepting cycle reachable from the initial state (a lasso).

  7. Bernoulli Random Variable (coin flip) • Value of Bernoulli RV Z: Z = 1 (success) and Z = 0 (failure). • Probability mass function: p(1) = Pr[Z=1] = pZ; p(0) = Pr[Z=0] = 1 - pZ = qZ. • Expectation: E[Z] = pZ.

  8. of Z: • Solution: Compute an (,)-approximation Monte Carlo Approximation • Problem: Compute the mean value μZof a random variable Zdistributed in [0,1] when exact computation of μZ proves intractable. witherror margin andconfidence ratio .

  9. Naive Solution • Compute the estimate as the mean value of N independent random variables (samples) identically distributed according to Z. • Compute N using the Zero-One estimation theorem. • Problems: μZ is unknown and N can be large.

  10. Stopping Rule Algorithm (SRA) • Innovation: compute the correct N without using μZ. • Theorem: E[N] ≤ 4 ln(2/δ) / (μZ ε²). • Problem: N is in most interesting cases too large.

  11. Optimal Approximation Algorithm (OAA) • Compute N using generalized Zero-One estimation. • Apply sequential analysis (prediction/correction): 1. Compute assuming with SRA( ); 2. Compute using and ; 3. Compute using to correctly estimate N. • The expected number of samples is optimal to within a constant factor!

  12. Monte Carlo Model Checking • Sample space: lassos in the product of BS and B¬φ. • Bernoulli random variable Z: outcome = 1 if the randomly chosen lasso is not accepting, outcome = 0 otherwise. • μZ = pZ = ∑ pi Zi (expectation of a nonaccepting lasso), where pi is the lasso's probability under the uniform random walk.

  13. Lassos Probability Space (example automaton with states 1, 2, 3, 4) • L1 = 11, L2 = 1244, L3 = 1231, L4 = 12344 • Pr[L1] = ½, Pr[L2] = ¼, Pr[L3] = ⅛, Pr[L4] = ⅛ • qZ = Pr[L1] + Pr[L3] = 5/8 • pZ = Pr[L2] + Pr[L4] = 3/8

  14. QMC Algorithm • input: ε, δ and Büchi automaton B; output: the estimate of μZ computed as OAA(ε, δ, RL(B)), which is returned, • where RL(B) performs a uniform random walk through B (storing the states encountered in a hash table) to obtain a random sample (lasso).
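The random-lasso sampler RL(B) and the Bernoulli variable Z of slides 12 to 14, worked on the four-state example of slide 13, as an added example that is not from the slides or from the jMocha implementation. The automaton's transition relation and its accepting set {1} are assumptions chosen so that the only lassos from state 1 are the slide's four; the block checks the exact lasso probabilities by enumeration and then estimates pZ by sampling.

```python
import random
from fractions import Fraction

# Constructed automaton (assumption): from state 1 the only lassos are the slide's
# 11, 1244, 1231, 12344; accepting set {1} (also assumed) gives qZ = 5/8, pZ = 3/8.
SUCC = {1: [1, 2], 2: [3, 4], 3: [1, 4], 4: [4]}
ACCEPTING = {1}

def cycle_of(lasso):
    """States on the lasso's cycle: from the first occurrence of the repeated state."""
    return lasso[lasso.index(lasso[-1]):-1]

def is_accepting(lasso):
    """A lasso is accepting iff its cycle visits an accepting state."""
    return any(s in ACCEPTING for s in cycle_of(lasso))

def random_lasso(rng, succ=SUCC, init=1):
    """RL(B): uniform random walk from init, keeping visited states in a hash
    table, until a state repeats. Returns the walk (prefix + closed cycle)."""
    seen, walk = {init}, [init]
    while True:
        nxt = rng.choice(succ[walk[-1]])
        walk.append(nxt)
        if nxt in seen:
            return walk
        seen.add(nxt)

def all_lassos(succ=SUCC, init=1):
    """Enumerate every lasso with its exact probability under the uniform walk
    (product of 1/outdegree along its edges); keys are state tuples."""
    out = {}
    def go(path, prob):
        step = Fraction(1, len(succ[path[-1]]))
        for nxt in succ[path[-1]]:
            if nxt in path:
                out[tuple(path) + (nxt,)] = prob * step
            else:
                go(path + [nxt], prob * step)
    go([init], Fraction(1))
    return out

def exact_p_z(succ=SUCC, init=1):
    """pZ = sum of the probabilities of the non-accepting lassos (Z = 1 outcomes)."""
    return sum(p for l, p in all_lassos(succ, init).items() if not is_accepting(l))

def estimate_p_z(n, seed=0):
    """Monte Carlo estimate of pZ from n independent RL(B) samples."""
    rng = random.Random(seed)
    return sum(not is_accepting(random_lasso(rng)) for _ in range(n)) / n
```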

  15. Properties of QMC • Theorem: Given a Büchi automaton B, error margin ε, and confidence ratio δ, if QMC returns an estimate then with probability 1 - δ the confidence interval (CI) [1 / (1+ε), 1 / (1-ε)] covers the unknown lasso probability μZ. • Corollary: In decision mode (DM) the CI is [1 / (1+ε), 1].

  16. Properties of QMC • Theorem: Given a Büchi automaton B having diameter D, error margin ε, and confidence ratio δ, QMC runs in DM in time O(N·D) and uses space O(D), where N = 4 ln(2/δ) / ε. • Cf. DDFS, which runs in O(2^(|S|+|φ|)) time for the product automaton B of BS and B¬φ.

  17. Implementation • Implemented DDFS and QMC in the jMocha model checker for synchronous systems specified using Reactive Modules. • The performance and scalability of QMC compare very favorably to DDFS.

  18. DPh: Symmetric Unfair Version (Deadlock freedom)

  19. DPh: Symmetric Unfair Version (Starvation freedom)

  20. DPh: Asymmetric Fair Version (Deadlock freedom) δ = 10^-1, ε = 1.8·10^-4, N = 1257

  21. DPh: Asymmetric Fair Version (Starvation freedom) δ = 10^-1, ε = 1.8·10^-4, N = 1257

  22. Related Work • Heimdahl et al.’s Lurch debugger. • Mihail & Papadimitriou (and others) use random walks to sample system state space. • Herault et al. use bounded model checking to compute an (ε,δ)-approx. for “positive LTL”. • Probabilistic Model Checking of Markov Chains: ETMCC, PRISM, PIOAtool, and others.

  23. Conclusions • QMC is the first randomized, Monte Carlo algorithm for the classical problem of temporal-logic MC. • Future Work: Use BDDs to improve run time. Also, take samples in parallel! • Open Problem: Branching-Time Temporal Logic (e.g. CTL, modal mu-calculus).

  24. Model Checking: Is system S a model of formula φ?

  25. Talk Outline • Model Checking • Randomized Algorithms • LTL Model Checking • Optimal Monte Carlo Estimation • Quantitative Model-Checking (QMC) • Implementation & Results • Conclusions & Open Problem

  26. Model Checking's Fly in the Ointment: State Explosion (figure: computation tree, diameter) • Size of S's state transition graph is O(2^|S|)! • Symbolic MC (OBDDs) • Symmetry Reduction • Partial Order Reduction • Abstraction Refinement • Bounded Model Checking

  27. Randomized Algorithms • Huge impact on CS: (distributed) algorithms, complexity theory, cryptography, etc. • The next step the algorithm takes may depend on a random choice (coin flip). • Benefits of randomization include simplicity, efficiency, and symmetry breaking.

  28. Randomized Algorithms • Monte Carlo: may produce an incorrect result, but with bounded error probability. Example: Rabin's primality testing algorithm. • Las Vegas: always gives the correct result, but the running time is a random variable. Example: Randomized Quick Sort.

  29. Emptiness Checking (figure: DDFS on a lasso s1 ... sk ... sn, with DFS1 and DFS2) • Checking non-emptiness is equivalent to finding an accepting cycle reachable from the initial state (lasso). • The Double Depth-First Search (DDFS) algorithm can be used to search for such cycles, and this can be done on-the-fly!

  30. Random Lasso (RL) Algorithm
