Monte Carlo Model Checking Radu Grosu SUNY at Stony Brook - PowerPoint PPT Presentation

Title: ARO Focus Group 5/30/02. Author: Robert P. Cook. Last modified by: Prof. Radu Grosu. Created: 5/31/2002 1:15:29 PM. Format: PowerPoint PPT presentation.
1
Monte Carlo Model Checking
Radu Grosu, SUNY at Stony Brook
  • Joint work with Scott A. Smolka

2
Model Checking

S ⊨ φ ?
Is system S a model of formula φ?
3
Model Checking
  • S is a nondeterministic/concurrent system.
  • φ is a temporal logic formula,
    in our case Linear Temporal Logic (LTL).

4
LTL Model Checking
  • Every LTL formula φ can be translated to a Büchi
    automaton B_φ such that L(φ) = L(B_φ).
  • Automata-theoretic approach:
    S ⊨ φ iff L(B_S) ⊆ L(B_φ) iff L(B_S ∩ B_¬φ) = ∅.
  • Checking non-emptiness is equivalent to finding a
    reachable accepting cycle (lasso).

5
Checking Non-Emptiness
[Figure: lassos in the computation tree (CT), whose depth is the recurrence
diameter. LTL model checking explores all lassos in the CT: DDFS/SCC is time
efficient, DFS is memory efficient.]
6
Randomized Algorithms
  • Huge impact on CS (distributed) algorithms,
    complexity theory, cryptography, etc.
  • The next step an algorithm takes may depend on a
    random choice (coin flip).
  • Benefits of randomization include simplicity,
    efficiency, and symmetry breaking.

7
Randomized Algorithms
  • Monte Carlo: may produce an incorrect result, but
    with bounded error probability.
    Example: election result prediction.
  • Las Vegas: always gives the correct result, but the
    running time is a random variable.
    Example: randomized Quick Sort.

8
Monte Carlo Approach
[Figure: lassos in the computation tree (CT), whose depth is the recurrence
diameter. Monte Carlo approach: flip a k-sided coin at each step and explore
N(ε, δ) independent lassos in the CT, with error margin ε and confidence
ratio δ.]
9
Lassos Probability Space
  • Sample space: lassos in B_S ∩ B_¬φ.
  • Bernoulli random variable Z:
    outcome 1 if the randomly chosen lasso is accepting,
    outcome 0 otherwise.
  • p_Z = Σ_i p_i Z_i (expectation of an accepting lasso),
    where p_i is the lasso probability (uniform random walk).

10
Example Lassos Probability Space
[Figure: example lasso probability space over states 1–4, with random-walk
lasso probabilities ½, ¼ and ⅛; p_Z = 1/8, q_Z = 7/8.]
11
Geometric Random Variable
  • Value of geometric RV X with parameter p_Z:
    number of independent lassos until success.
  • Probability mass function:
    p(N) = P[X = N] = q_Z^(N−1) · p_Z
  • Cumulative distribution function:
    F(N) = P[X ≤ N] = Σ_{i ≤ N} p(i) = 1 − q_Z^N

12
How Many Lassos?
  • Requiring P[X ≤ N] = 1 − δ yields
    N = ln(δ) / ln(1 − p_Z)
  • Lower bound on the number of trials N needed to
    achieve success with confidence ratio δ.

13
What If pz Unknown?
  • Requiring p_Z ≥ ε yields
    M = ln(δ) / ln(1 − ε) ≥ N = ln(δ) / ln(1 − p_Z)
  • and therefore P[X ≤ M] ≥ 1 − δ.
  • Lower bound on the number of trials M needed to
    achieve success with confidence ratio δ and error
    margin ε.

14
Statistical Hypothesis Testing
  • Null hypothesis H0: p_Z ≥ ε
  • Alternative hypothesis H1: p_Z < ε
  • If no success after N trials, then reject H0.
  • Type I error α = P[X > M | H0] < δ,
    since P[X ≤ M | H0] ≥ 1 − δ.

15
Monte Carlo Model Checking (MC2)
input: B = (S, Q, Q0, δ, F), ε, δ
N = ln(δ) / ln(1 − ε)
for (i = 1; i ≤ N; i++)
  if (RL(B) = 1) return (1, error-trace)
return (0, reject H0 with Pr[X > N | H0] < δ)
where RL(B) performs a uniform random walk through B to
obtain a random lasso.
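The following is an executable rendering of MC2 and its random-lasso sampler RL, added here as an example; it is not code from the slides or from the jMocha implementation. The input automaton is a constructed four-state graph (edges 1→1, 1→2, 2→3, 2→4, 3→1, 3→4, 4→4) chosen so that its uniform random walk yields exactly the four lassos listed on the backup "Lassos Probability Space" slide (1 1, 1 2 4 4, 1 2 3 1, 1 2 3 4 4, with probabilities ½, ¼, ⅛, ⅛). The accepting set {3} is an assumption, since the slides do not list it. `trial_bound` rounds ln(δ)/ln(1 − ε) up to the next integer so that q_Z^N ≤ δ holds; for δ = 10^-1 and ε = 1.8·10^-3 this gives 1279, one more than the truncated value 1278 shown on the result slides.

```python
"""Monte Carlo model checking (MC2) over a toy Büchi automaton.

Added example, not from the slides or jMocha.  The graph is constructed so
that its uniform random walk produces the four lassos of the backup slide;
the accepting set is an assumption.
"""
import math
import random
from fractions import Fraction
from typing import Dict, FrozenSet, List, Optional, Tuple

Lasso = Tuple[int, ...]
Graph = Dict[int, List[int]]

# Constructed successor relation: edges 1->1, 1->2, 2->3, 2->4, 3->1, 3->4, 4->4.
SUCC: Graph = {1: [1, 2], 2: [3, 4], 3: [1, 4], 4: [4]}
INIT = 1
ACCEPTING: FrozenSet[int] = frozenset({3})  # assumption: the slides do not list F


def cycle_of(lasso: Lasso) -> Lasso:
    """Cycle part of a lasso: from the first visit of its (repeated) last state."""
    return lasso[lasso.index(lasso[-1]):]


def is_accepting(lasso: Lasso, accepting: FrozenSet[int]) -> bool:
    """Z = 1 iff the lasso's cycle visits an accepting (Büchi) state."""
    return any(q in accepting for q in cycle_of(lasso))


def random_lasso(succ: Graph, init: int, rng: random.Random) -> Lasso:
    """RL(B): uniform random walk from init until a state repeats."""
    path = [init]
    seen = {init}
    while True:
        q = rng.choice(succ[path[-1]])  # every successor is equally likely
        path.append(q)
        if q in seen:
            return tuple(path)
        seen.add(q)


def lasso_distribution(succ: Graph, init: int) -> Dict[Lasso, Fraction]:
    """Exact probability p_i of every lasso under the uniform random walk."""
    dist: Dict[Lasso, Fraction] = {}

    def walk(path: List[int], prob: Fraction) -> None:
        for q in succ[path[-1]]:
            p = prob / len(succ[path[-1]])
            if q in path:
                dist[tuple(path + [q])] = p  # state repeats: lasso closed
            else:
                walk(path + [q], p)

    walk([init], Fraction(1))
    return dist


def accepting_probability(succ: Graph, init: int, accepting: FrozenSet[int]) -> Fraction:
    """p_Z = sum_i p_i Z_i, the probability that a random lasso is accepting."""
    dist = lasso_distribution(succ, init)
    return sum((p for l, p in dist.items() if is_accepting(l, accepting)), Fraction(0))


def raw_bound(eps: float, delta: float) -> float:
    """ln(delta) / ln(1 - eps), the real-valued bound from the slides."""
    return math.log(delta) / math.log(1.0 - eps)


def trial_bound(eps: float, delta: float) -> int:
    """Smallest integer N with (1 - eps)^N <= delta; the slides truncate instead."""
    return math.ceil(raw_bound(eps, delta))


def mc2(succ: Graph, init: int, accepting: FrozenSet[int],
        eps: float, delta: float, seed: int = 0) -> Tuple[int, Optional[Lasso]]:
    """MC2: sample N random lassos; the first accepting one is an error trace.
    With none found, reject H0 (p_Z >= eps) with type I error below delta."""
    rng = random.Random(seed)
    for _ in range(trial_bound(eps, delta)):
        lasso = random_lasso(succ, init, rng)
        if is_accepting(lasso, accepting):
            return 1, lasso  # counterexample: accepting lasso of B_S ∩ B_¬φ
    return 0, None  # H0 rejected: Pr[X > N | H0] < delta


if __name__ == "__main__":
    for lasso, p in sorted(lasso_distribution(SUCC, INIT).items()):
        print(lasso, p, "accepting" if is_accepting(lasso, ACCEPTING) else "")
    print("p_Z =", accepting_probability(SUCC, INIT, ACCEPTING))
    print("N(1.8e-3, 0.1) =", trial_bound(1.8e-3, 0.1))
    print("MC2 verdict:", mc2(SUCC, INIT, ACCEPTING, eps=0.1, delta=0.1))
```

`lasso_distribution` enumerates the finitely many lassos exactly, which is only feasible for a toy graph; MC2 itself never needs it, since it only samples with `random_lasso` and keeps O(D) state per walk, where D is the diameter of the automaton. Running the script with the assumed accepting set gives p_Z = 1/8, so with ε = 0.1 and δ = 0.1 (N = 22) the chance that MC2 wrongly rejects H0 is (7/8)^22, about 5%, while with ε = 1.8·10^-3 that chance is negligible.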
16
Correctness of MC2
  • Theorem: Given a Büchi automaton B, error margin
    ε, and confidence ratio δ, if MC2 rejects H0,
    then its type I error has probability
    α = P[X > M | H0] < δ.

17
Complexity of MC2
  • Theorem: Given a Büchi automaton B having
    diameter D, error margin ε, and confidence ratio
    δ, MC2 runs in time O(N·D) and uses space O(D),
    where N = ln(δ) / ln(1 − ε).

Cf. DDFS, which runs in O(2^{Sφ}) time for
B = B_S ∩ B_¬φ.
18
Implementation
  • Implemented DDFS and MC2 in the jMocha model checker
    for synchronous systems specified using Reactive
    Modules.
  • Performance and scalability of MC2 compare very
    favorably to DDFS.

19
DPh Symmetric Unfair Version
(Deadlock freedom)
20
DPh Symmetric Unfair Version
(Starvation freedom)
21
DPh Asymmetric Fair Version
(Deadlock freedom)
δ = 10^-1, ε = 1.8·10^-3, N = 1278
22
DPh Asymmetric Fair Version
(Starvation freedom)
δ = 10^-1, ε = 1.8·10^-3, N = 1278
23
Related Work
  • Random walk testing:
    Heimdahl et al., Lurch debugger.
  • Random walks to sample the system state space:
    Mihail and Papadimitriou (and others).
  • Monte Carlo model checking of Markov chains:
    Herault et al., LTL-RP, bounded MC, zero/one ET;
    Younes et al., time-bounded CSL, sequential
    analysis;
    Sen et al., time-bounded CSL, zero/one ET.
  • Probabilistic model checking of Markov chains:
    ETMCC, PRISM, PIOAtool, and others.

24
Conclusions
  • MC2 is the first randomized, Monte Carlo algorithm
    for the classical problem of temporal-logic model
    checking.
  • Future work: use BDDs to improve run time.
    Also, take samples in parallel!
  • Open problem: branching-time temporal logic
    (e.g. CTL, modal mu-calculus).

25
Talk Outline
  1. Model Checking
  2. Randomized Algorithms
  3. LTL Model Checking
  4. Probability Theory Primer
  5. Monte Carlo Model Checking
  6. Implementation Results
  7. Conclusions & Open Problem

26
Model Checking
  • S is a nondeterministic/concurrent system.
  • φ is a temporal logic formula,
    in our case Linear Temporal Logic (LTL).
  • Basic idea: intelligently explore S's state space
    in an attempt to establish S ⊨ φ.

27
Linear Temporal Logic
  • An LTL formula is made up inductively of
    atomic propositions p, boolean connectives ¬, ∧, ∨,
    and temporal modalities X (neXt) and U (Until).
  • Safety: nothing bad ever happens.
    E.g. G(¬(pc1 = cs ∧ pc2 = cs)), where G is a
    derived modality (Globally).
  • Liveness: something good eventually happens.
    E.g. G(req → F serviced), where F is a
    derived modality (Finally).

28
Emptiness Checking
  • Checking non-emptiness is equivalent to finding
    an accepting cycle reachable from initial state
    (lasso).
  • Double Depth-First Search (DDFS) algorithm can be
    used to search for such cycles, and this can be
    done on-the-fly!

29
Bernoulli Random Variable(coin flip)
  • Value of Bernoulli RV Z:
    Z = 1 (success), Z = 0 (failure).
  • Probability mass function:
    p(1) = Pr[Z = 1] = p_Z
    p(0) = Pr[Z = 0] = 1 − p_Z = q_Z
  • Expectation: E[Z] = p_Z

30
Statistical Hypothesis Testing
  • Example: given a fair and a biased coin.
  • Null hypothesis H0: the fair coin was selected.
  • Alternative hypothesis H1: the biased coin was
    selected.
  • Hypothesis testing: perform N trials.
    If the number of heads is LOW, reject H0;
    else fail to reject H0.

31
Statistical Hypothesis Testing
                     H0 is True                     H0 is False
reject H0            Type I error w/prob. α         Correct to reject H0
fail to reject H0    Correct to fail to reject H0   Type II error w/prob. β
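To make the two error types of the coin example concrete, the following added example (not from the slides) fixes the decision rule "reject H0 when the number of heads is low" as a threshold t on the number of heads in N flips and computes α and β exactly from the binomial distribution. N = 20 and the biased coin's head probability of 0.3 are constructed values; `choose_threshold` then picks the most lenient t whose type I error stays under a given bound.

```python
"""Type I and type II error of the fair-vs-biased coin test, computed exactly.

Added example, not from the slides.  The decision rule 'reject H0 when the
number of heads is low' is made concrete by a threshold t; the biased coin's
head probability (0.3) and N = 20 are constructed values.
"""
from fractions import Fraction
from math import comb

P_FAIR = Fraction(1, 2)     # H0: the fair coin was selected
P_BIASED = Fraction(3, 10)  # H1: the biased coin (assumed to favour tails)


def binomial_cdf(n: int, p: Fraction, t: int) -> Fraction:
    """Pr[heads <= t] in n independent flips with head probability p (exact)."""
    return sum((comb(n, k) * p**k * (1 - p)**(n - k) for k in range(t + 1)),
               Fraction(0))


def type1_error(n: int, t: int, p_fair: Fraction = P_FAIR) -> Fraction:
    """alpha: rejecting H0 (heads <= t) although the fair coin was used."""
    return binomial_cdf(n, p_fair, t)


def type2_error(n: int, t: int, p_biased: Fraction = P_BIASED) -> Fraction:
    """beta: failing to reject H0 (heads > t) although the biased coin was used."""
    return 1 - binomial_cdf(n, p_biased, t)


def decide(n: int, t: int, heads: int) -> str:
    """The slide's decision rule applied to an observed number of heads."""
    return "reject H0" if heads <= t else "fail to reject H0"


def choose_threshold(n: int, alpha_max) -> int:
    """Largest t whose type I error stays within alpha_max (t = -1: never reject)."""
    t = -1
    while t + 1 <= n and type1_error(n, t + 1) <= alpha_max:
        t += 1
    return t


if __name__ == "__main__":
    n = 20
    for t in (5, 6, 7, 8):
        print(f"t={t}: alpha={float(type1_error(n, t)):.4f} "
              f"beta={float(type2_error(n, t)):.4f}")
    print("threshold for alpha <= 0.05:", choose_threshold(n, Fraction(1, 20)))
```

Lowering t shrinks α (fewer wrong rejections of the fair coin) but raises β (the biased coin slips through more often); the slide's MC2 test sidesteps the trade-off by bounding only the type I error through the choice of N. With N = 20 and t = 5 the fair coin is wrongly rejected about 2% of the time.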
32
Random Lasso (RL) Algorithm
34
Randomized Algorithms
  • Monte Carlo: may produce an incorrect result, but
    with bounded error probability.
    Example: Rabin's primality testing.
  • Las Vegas: always gives the correct result, but the
    running time is a random variable.
    Example: randomized Quick Sort.

35
Lassos Probability Space
  • L1 = 1 1, L2 = 1 2 4 4, L3 = 1 2 3 1,
    L4 = 1 2 3 4 4
  • Pr[L1] = ½, Pr[L2] = ¼, Pr[L3] = ⅛, Pr[L4] = ⅛
  • q_Z = Pr[L1] + Pr[L2] = ¾, p_Z = Pr[L3] + Pr[L4] = ¼

36
Alternative Sampling Strategies
  • Multilasso sampling: ignores backedges that do
    not lead to an accepting lasso.
    [Figure: Pr[L_n] = O(2^−n)]
  • Probabilistic systems: there is a natural way
    to assign a probability to a RL.
  • Input partitioning: partition the input into classes
    that trigger the same behavior (guards).