
Performance Evaluation := (Process Algebra + Model Checking) x Markov Chains

Holger Hermanns and Joost-Pieter Katoen, with contributions of Christel Baier, Ed Brinksma, Boudewijn Haverkort, Ulrich Herzog, Joachim Meyer-Kayser, Markus Siegle.



  1. Performance Evaluation := (Process Algebra + Model Checking) x Markov Chains. Holger Hermanns and Joost-Pieter Katoen with contributions of Christel Baier, Ed Brinksma, Boudewijn Haverkort, Ulrich Herzog, Joachim Meyer-Kayser, Markus Siegle

  2. A reactive, embedded system: The ‘Hubble Space Telescope’ and its stabilising unit

  3. A simple model of the Hubble: Each gyroscope may fail (f). The telescope turns into sleep mode if less than 3 gyroscopes remain operational (s). Without operational gyro the telescope eventually crashes. The base station prepares a shuttle mission to repair the telescope (r). [Figure: transition diagram over the states 6, 5, 4, 3, 2, 1, sleep, sleep and crash, with transitions labelled f, s and r]

  4. What is this? What is it good for? A model; a stochastic model; a continuous-time Markov model. Prediction of the system behaviour. Computer-assisted analysis of correctness, performance and dependability on the basis of a model, instead of the real system. [Figure: the Hubble transition diagram of the previous slide]

  5. Quantitative Verification Information technology is finally reaching a scale where probabilistic methods should play a larger role in system design. D. Tennenhouse, director research Intel Corp. Proactive Computing, Communications of the ACM, May 2000

  6. Why probabilities? Practically relevant for • deterministically unsolvable problems: randomised distributed algorithms. • unreliable and unpredictable system behaviour: fault tolerant systems, ... • performance and dependability analysis: ‘quality of service’, ... • weighting important (likely/frequent) and unimportant (unlikely/rare) aspects in the specification. • approximating large ‘populations’ of discrete structures

  7. A Markov model of the Hubble: Each gyroscope possesses a failure rate f. To turn on sleep mode requires some time (s). Without operational gyroscope the telescope eventually crashes. The base station prepares a shuttle mission to repair the telescope (r). [Figure: transition diagram over the states 6, 5, 4, 3, 2, 1, sleep, sleep and crash, with rate labels 6 f, 5 f, 4 f, 3 f, 2 f, f, s, s, f, r, 2 f, r]

  8. Specification formalisms for CTMCs • stochastic Petri nets [Molloy] • Markovian queueing networks [Muppala & Trivedi] • stochastic automata networks [Plateau] • stochastic process algebra [Herzog et al] • probabilistic I/O automata [Stark et al] and many variants/combinations thereof.

  9. Continuous-time Markov chains (CTMCs): (finite state) automata; all times are exponentially distributed; sojourn times in states are memory-less; very well investigated class of stochastic processes; widely used in practice; best guess, if only mean values are known; efficient and numerically stable algorithms for stationary and transient analysis are available. [Figure: a transition labelled h] • $\Pr(X > t) = e^{-ht}$

  10. Transient and Stationary Behaviour of CTMCs [Figure: example CTMC; panels: transient probability, stationary (‘steady state’) probability]

  11. Model Checking CTMCs • Continuous Stochastic Logic • Fixpoint Characterisations • Model Checking Algorithms • Extensions and Applications

  12. Model Checking • Automated verification technique • Checks whether a given finite-state model satisfies a given requirement, by • systematic state-space exploration • effective means to combat the state-space explosion • Some model checkers: Spin, SMV, Murφ, Uppaal • Application areas: • hardware verification (VHDL-code, ...) • software validation (storm surge barrier, ...) • software bug hunting (web server design, e-commerce, ...)

  13. trueU =    = CTL - Computation Tree Logic a branching-timetemporal logic powerful specification language for requirements widely used • state-formula: • true • a atomic proposition’ •  1  2 ‘and’ •   ‘not’ •  ‘for All paths’ •  ‘there Exists a path’ • path-formula: • X ‘neXt’ •  1U  2 ‘Until’ • ‘eventually’ • ‘invariantly’ [Clarke & Emerson 83]

  14. crash 6 5 4 3 2 1  =( 6Usleep) sleep sleep second iteration fourth iteration third iteration first iteration initialisation fifth iteration fixed point! Sat(6) Sat(6) Sat(sleep) Model checking CTL by example Given: a finite-state model and a CTL state-formula : Strategy: calculate recursively the sets for all sub-formulas  of  ssatisfies Sat()

  15. Basic idea • specify a desired performance/reliability property using appropriate extension of temporal logic, e.g., P<0.01(<10 error), S<$10^{-6}$(error), or similar • probability that an error occurs within 10 years is less than 1 % • probability that an error occurs in equilibrium is less than $10^{-6}$. • interpret and check these formulas on CTMCs

  16. state-formula : • true • a atomic proposition •  1  2and •  not • S~p() stationary probability • P~p() path probability CSL - Continuous Stochastic Logic CTLplus • probabilistic path-quantifier [Hansson and Jonsson] • probabilistic ‘time-bounded until’ [Aziz et al] • stationary probability quantifier • state-formula : • true • a atomic proposition •  1  2and •  not •  for all paths • there is a path • path-formula : • XItimed neXt •  1UI 2 timed Until • path-formula : • X neXt •  1U 2Until [Baier et al]

  17. availability?S>p( (sleep crash)) gyroscope failure between 1993 and 1997?P>q([3,7] 6) sleep mode between 1997 and September 1999? Pr( sleepU[7,9.8]sleep) risk of a crash before 2010?P<10-2([0,20]crash) 0.6 0.5 0.4 0.3 0.2 0.1 crash 6 5 4 3 2 1 100 100 0.1 6 6 sleep sleep 0.2 A few requirements for the Hubble 1990

  18. s P~p() iff state in  at time t probability that “on the long run” the system is in a -state (when starting in s) Formal semantics of CSL (1) State formulas: • s a iff a  L(s) • s 1  2 iff s i, i=1,2 • s  iff s / requires -algebra and probability measure Prob on paths of CTMC • s S~p() iff

  19. XI iff s1 and Formal semantics of CSL (2) Path formulas: interpretation over the paths (from state )in a CTMC state wins the race after time units, and so on •  1UI2iff

  20. Model Checking CTMCs • Continuous Stochastic Logic • Fixpoint Characterisations • Model Checking Algorithms • Extensions and Applications

  21. Model checking CSL Given: a CTMC and a CSL state-formula : Strategy: recursively compute the sets for all sub-formulas  of  For the non-probabilistic fragment: as for CTL

  22. matrix-vector multiplication system of linear equations system of linear equations steady state probability for s’ in the BSCC B Model checking CSL Given: a CTMC and a CSL state-formula : Strategy: recursively compute the sets for all sub-formulas  of  Steady-state operator requires slight adaptations of standard methods for steady-state probabilities å ( ) iff s p s,s' p ~ S~p() s ' F where graph algorithm 

  23. BSCC B1 BSCC B2   An example S0.5 (P0.98( 1.5stable)) 2 1 3 3 s {unstable} {stable} {initial} {stable} 1

  24. X • vector U is the least fixed point in [0,1] of • if s 2 then • if s / 1  2 then • if s 1  2 then iterative solution Model checking CSL Given: a CTMC and a CSL state-formula : Strategy: recursively compute the sets for all subformulas  of  P~p() Probabilistic state-formula with ‘neXt step’ X and ‘until’ U are treated as in the discrete-time case [Hansson & Jonsson] matrix-vector multiplication system of linear equations

  25. x 0 t Ut-x 1   2 2   s s’ • values Ut are the least solution in [0,1] of • if s 2 then • if s / 1  2 then • if s 1   2 then Model checking ‘time-bounded until’ system of integral equations probability to move from s to s’ at time x t t-x

  26. Model Checking CTMCs • Continuous Stochastic Logic • Fixpoint Characterisations • Model Checking Algorithms • Extensions and Applications

  27. Model checking ‘time bounded until’ Pr(s,  1UI 2) via transient analysis • transient analysis determines a snapshot of the state probabilities at time t (if starting in state s at time 0) • state-of-the-art: uniformisation • numerically stable • (relatively) easy to implement: boils down to iterative matrix-vector multiplications • a priori calculation of number of iterations based on user-given accuracy • on-the-fly steady-state detection possible

  28. transient probability distribution (s,t ): the (snapshot) probability at time t when starting in state s at time 0 • steady-state probability(s): • Chapman-Kolmogorov equation Transient analysis of CTMCs • in CSL expressed as: P~p([t,t]ats’) and S~p(ats’) • calculating transient probabilities:

  29. Transient analysis of CTMCs • Techniques: Runge-Kutta and (more efficient and accurate): Uniformisation (“Jensen’s Method”) • Basic idea of uniformisation: • transform CTMC into a corresponding DTMC, • normalise transition rates w.r.t. shortest (average) residence time

  30. different outgoing rates per state no self-loops *= + same outgoing “rate” * per state branching probabilities self-loops (mimic delays) CTMC DTMC  / ( +)    / ( +)   + 0 1 2 0 1 2   +  / ( +)  / ( +)   Uniformisation

  31. probability distribution in DTMC aftern steps, starting from state s probability of n arrivals in [0,t] in a Poisson process with rate * • compute recursively • (Fox-Glynn) • matrix-vector multiplication • number of steps in DTMC • exact • computed • required accuracy Uniformisation (given stepping rate *) Round-off error can be calculated a priori:

  32.  1 2  12 s  1 2  1  2 Reduction to transient analysis Aim: ComputePr(s,  1UI2) via (...,...)

  33.  1 2  12 s’ (s,t) s’ (s,t) s  1 2  12 s  1 2  1  2  1 2  1  2 Lemma A Assume all 2-states are absorbing Pr(s, 1U[0,t]2) =  1 2  12 s  1 2  1  2

  34. Pr(s, 1U[0,t]2) Pr(s, 1U[0,t]2) Pr(s, 1U[0,t]2)  1 2  12 s  1 2  12  1 2  1 2  12  12 s s s  1 2  1  2  1 2  1  2  1 2  1 2  1  2  1  2 = s’ (s,t ) Theorem 1 Pr(s, 1U[0,t]2) = then apply Lemma A

  35. Model checking CSL • ‘Bottom-up’ strategy along the property of interest, recursively collects states satisfying sub-formulae • Ingredients: graph algorithms, matrix-vector multiplication, solvers for linear equation systems, model transformations and uniformisation • Worst-case time complexity: $O(|\text{formula}| \times (M \cdot q \cdot t_{max} + N^{2.81}))$, with number of transitions M, uniformisation rate q, maximal time-bound $t_{max}$ and number of states N

  36. Two CTMCs are lumping equivalent, if they can mimic their cumulated rates stepwise, and stay bisimilar in doing so ifthen ,  such that = ,   2    2  and vice versa, and so on    Lumping Lumping ensures that cumulated (transient/steady)-state probabilities of equivalent states can be computed on the quotient CTMC

  37. Lumping and CSL: Two states in a CTMC are lumping equivalent if and only if they satisfy the same CSL-formulas (... if the bisimulation respects the state labelling)

  38. Model Checking CTMCs • Continuous Stochastic Logic • Fixpoint Characterisations • Model Checking Algorithms • Extensions and Applications

  39. T E MC2 The model checker • implemented in JAVA (version 1.2 with Swing) • about 8,000 lines of code, 15 man months • implements iterative numerical algorithms to solve linear system of equations (standard) • uses backwards uniformisation for UI • uses dedicated algorithms for P=1() and P=0() • uses sparse data structures for matrices • www7.informatik.uni-erlangen.de/etmcc/

  40. T E MC2 The model checker [Figure: architecture diagram with the components Tool Driver, GUI, CSL parser, Property Manager, Numerical Engine (linear systems of equations, numerical integration, backwards uniformisation), Analysis Engine (BSCC), State Space Manager (states, transitions, rates), Filter; inputs: verification parameters, model input; output: result output, Sat]

  41. Current developments • Application/case studies: • performance assessment of cyclic polling system • dependability analysis of a workstation cluster • performance and availability analysis of distributed database server • Extensions towards CTMCs with costs (rewards): “with probability at most 0.01 at most 10 jobs have been processed before the first error occurs” • extension of CSL has been defined • model checking combined reward- and time-bounded formulas? • Using symbolic data structures (MTBDDs) in Prism • Extension of model checking algorithms for Markov decision processes

  42. Summary • CTMC algebra: compositional and abstract specification; automated generation of CTMCs; reduction and comparison of performance models; cross-fertilisation of formal specification and performance modeling techniques • CTMC model checking: specification language for performance properties; automated verification technique with property-driven transformation; allows model reduction; cross-fertilisation of formal verification and performance analysis techniques
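
Slides 29 to 31 describe uniformisation, and Lemma A (slide 33) reduces a time-bounded reachability probability to a transient probability once the target states are absorbing. The Python sketch below is an added example, not code from the presentation or from the model checker it describes: it computes the "risk of a crash before 2010" requirement of slide 17. Assumptions: the transition topology is read off the slide labels (rates 0.6 to 0.1, 100, 6, 0.2 and 0.1, crash absorbing), all function and constant names are hypothetical, and log-space Poisson weights stand in for Fox-Glynn.

```python
import math

def uniformise(rates, n):
    """CTMC rates {(i, j): rate} -> DTMC matrix P = I + Q/q and rate q."""
    exit_rate = [0.0] * n
    for (i, _), r in rates.items():
        exit_rate[i] += r
    q = max(exit_rate) or 1.0               # uniformisation rate
    P = [[0.0] * n for _ in range(n)]
    for (i, j), r in rates.items():
        P[i][j] = r / q                     # branching probability
    for i in range(n):
        P[i][i] = 1.0 - exit_rate[i] / q    # self-loop mimics the delay
    return P, q

def transient(rates, n, start, t, eps=1e-10):
    """pi(start, t) = sum_k Poisson(q*t; k) * (pi0 * P^k)."""
    P, q = uniformise(rates, n)
    pi = [0.0] * n
    pi[start] = 1.0
    qt = q * t
    if qt == 0.0:
        return pi
    result, mass = [0.0] * n, 0.0
    for k in range(int(qt + 8 * math.sqrt(qt) + 30) + 1):
        # Weight in log space: e^{-qt} alone underflows for qt near 2000.
        w = math.exp(-qt + k * math.log(qt) - math.lgamma(k + 1))
        result = [acc + w * p for acc, p in zip(result, pi)]
        mass += w
        if mass >= 1.0 - eps:               # truncate the Poisson tail
            break
        pi = [sum(pi[i] * P[i][j] for i in range(n)) for j in range(n)]
    return result

# Assumed topology: indices 0..5 stand for 6..1 working gyroscopes.
F, S, R = 0.1, 100.0, 6.0                   # per-year rates (slide 17)
SLEEP2, SLEEP1, CRASH = 6, 7, 8
HUBBLE = {(k, k + 1): (6 - k) * F for k in range(5)}   # 6->5 ... 2->1
HUBBLE.update({(5, CRASH): F, (4, SLEEP2): S, (5, SLEEP1): S,
               (SLEEP2, SLEEP1): 2 * F, (SLEEP1, CRASH): F,
               (SLEEP2, 0): R, (SLEEP1, 0): R})

def crash_risk(years):
    """Pr(crash within `years`), starting with six gyroscopes."""
    return transient(HUBBLE, 9, 0, years)[CRASH]

if __name__ == "__main__":
    print(f"risk of a crash within 20 years: {crash_risk(20.0):.2e}")
```

Because the sleep rate 100 dominates the uniformisation rate, about 2,000 DTMC steps are needed for a 20-year horizon, which is the stiffness cost that the a priori step count on slide 31 makes visible.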
