Title: Monte Carlo Model Checking Radu Grosu SUNY at Stony Brook
1 Monte Carlo Model Checking
Radu Grosu, SUNY at Stony Brook
- Joint work with Scott A. Smolka
2 Model Checking
S ⊨ φ ?
Is system S a model of formula φ?
3 Model Checking
- S is a nondeterministic/concurrent system.
- φ is a temporal logic formula.
  - in our case Linear Temporal Logic (LTL).
4 LTL Model Checking
- Every LTL formula φ can be translated to a Büchi automaton B_φ such that L(φ) = L(B_φ) (automata-theoretic approach).
- S ⊨ φ iff L(B_S) ⊆ L(B_φ) iff L(B_S × B_¬φ) = ∅.
- Checking non-emptiness is equivalent to finding a reachable accepting cycle (lasso).
5 Checking Non-Emptiness
[Figure: lassos in the computation tree (CT) of B_S × B_¬φ; recurrence diameter; LTL. Explore all lassos in the CT: DDFS/SCC (time efficient), DFS (memory efficient).]
6 Randomized Algorithms
- Huge impact on CS: (distributed) algorithms, complexity theory, cryptography, etc.
- The next step taken by the algorithm may depend on a random choice (coin flip).
- Benefits of randomization include simplicity, efficiency, and symmetry breaking.
7 Randomized Algorithms
- Monte Carlo: may produce an incorrect result, but with bounded error probability.
  - Example: election result prediction.
- Las Vegas: always gives the correct result, but the running time is a random variable.
  - Example: Randomized Quick Sort.
8 Monte Carlo Approach
[Figure: lassos in the computation tree (CT); recurrence diameter; LTL. At each state, flip a k-sided coin. Explore N(ε, δ) independent lassos in the CT, with error margin ε and confidence ratio δ.]
9 Lassos Probability Space
- Sample space: lassos in B_S × B_¬φ.
- Bernoulli random variable Z:
  - outcome 1 if the randomly chosen lasso is accepting,
  - outcome 0 otherwise.
- p_Z = Σ_i p_i Z_i (expectation of an accepting lasso),
  - where p_i is the probability of lasso i (uniform random walk).
10 Example Lassos Probability Space
[Figure: example automaton with states 1, 2, 3, 4 and the lassos produced by a uniform random walk from state 1, with branch probabilities ½ and ¼ shown; p_Z = 1/8, q_Z = 7/8.]
11 Geometric Random Variable
- Value of geometric RV X with parameter p_Z: the number of independent lassos until success.
- Probability mass function: p(N) = P[X = N] = q_Z^(N-1) · p_Z
- Cumulative distribution function: F(N) = P[X ≤ N] = Σ_{i ≤ N} p(i) = 1 - q_Z^N
12 How Many Lassos?
- Requiring P[X ≤ N] ≥ 1 - δ yields N = ln(δ) / ln(1 - p_Z).
- Lower bound on the number of trials N needed to achieve success with confidence ratio δ.
13 What If p_Z Unknown?
- Requiring p_Z ≥ ε yields M = ln(δ) / ln(1 - ε) ≥ N = ln(δ) / ln(1 - p_Z), and therefore P[X ≤ M] ≥ 1 - δ.
- Lower bound on the number of trials M needed to achieve success with confidence ratio δ and error margin ε.
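The bounds on slides 12 and 13 follow from the geometric CDF of slide 11 in two steps; the derivation below is added here and is not on the slides. Starting from the requirement on the CDF,

$$P[X \le N] = 1 - q_Z^{N} \ge 1 - \delta \iff q_Z^{N} \le \delta \iff N \ln q_Z \le \ln \delta \iff N \ge \frac{\ln \delta}{\ln q_Z} = \frac{\ln \delta}{\ln(1 - p_Z)},$$

where the last step divides by $\ln q_Z < 0$ and so flips the inequality (both $0 < q_Z < 1$ and $0 < \delta < 1$, so both logarithms are negative and the quotient is positive). When $p_Z$ is unknown but $p_Z \ge \varepsilon$, we have $1 - p_Z \le 1 - \varepsilon$, hence $\ln(1 - p_Z) \le \ln(1 - \varepsilon) < 0$ and

$$M = \frac{\ln \delta}{\ln(1 - \varepsilon)} = \frac{|\ln \delta|}{|\ln(1 - \varepsilon)|} \ge \frac{|\ln \delta|}{|\ln(1 - p_Z)|} = \frac{\ln \delta}{\ln(1 - p_Z)} = N,$$

so $P[X \le M] \ge P[X \le N] \ge 1 - \delta$ because the CDF is monotone in the number of trials.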
14 Statistical Hypothesis Testing
- Null hypothesis H0: p_Z ≥ ε
- Alternative hypothesis H1: p_Z < ε
- If no success after N trials, then reject H0.
- Type I error: α = P[X > M | H0] < δ
  - since P[X ≤ M | H0] ≥ 1 - δ
15Monte Carlo Model Checking (MC2)
input B(S,Q,Q0,d,F), e, d N ln (d) / ln
(1- e) for (i 1 i ? N i) if (RL(B) 1)
return (1, error-trace) return (0, reject H0
with a Pr XgtN H0 lt d) where RL(B)
performs a uniform random walk through B to
obtain a random lasso.
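As an added worked example (not the jMocha implementation from the talk), the Python below implements the random lasso routine RL, the probability space of slide 9 (p_Z as the sum of lasso probabilities), the geometric CDF of slide 11, the sample size N(ε, δ) of slide 13 and the MC2 loop of slide 15 over a constructed four-state automaton. The automaton, its accepting set {3} and the uniform-choice successor lists are assumptions chosen so that the walk reproduces the four lassos and probabilities of slides 10 and 35 (with state 3 accepting, p_Z = 1/8):

```python
import math
import random
from typing import Dict, List, Optional, Set, Tuple

# Constructed Büchi automaton (an assumption for this example): states 1..4,
# initial state 1, accepting set F = {3}. Each successor list is what the uniform
# random walk chooses from. From state 1 the walk produces exactly the four
# lassos of slide 35 (11, 1244, 1231, 12344) with probabilities 1/2, 1/4, 1/8, 1/8;
# only 1231 has an accepting state on its cycle, so p_Z = 1/8 as on slide 10.
SUCC: Dict[int, List[int]] = {1: [1, 2], 2: [3, 4], 3: [1, 4], 4: [4]}
INIT = 1
ACCEPTING: Set[int] = {3}

# A lasso is (state sequence ending in the repeated state, index of its first visit).
Lasso = Tuple[List[int], int]


def random_lasso(succ: Dict[int, List[int]], init: int, rng: random.Random) -> Lasso:
    """RL(B): uniform random walk from init until some state repeats.
    The returned path ends with the repeated state and path[k] is its first
    visit, so path[:k] is the stem and path[k:-1] is the cycle."""
    path, first_visit = [init], {init: 0}
    while True:
        state = rng.choice(succ[path[-1]])
        path.append(state)
        if state in first_visit:
            return path, first_visit[state]
        first_visit[state] = len(path) - 1


def cycle_of(lasso: Lasso) -> List[int]:
    path, k = lasso
    return path[k:-1]


def is_accepting(lasso: Lasso, accepting: Set[int]) -> int:
    """Bernoulli outcome Z: 1 iff an accepting state lies on the lasso's cycle
    (an accepting state on the stem alone does not count)."""
    return int(any(q in accepting for q in cycle_of(lasso)))


def lasso_distribution(succ: Dict[int, List[int]], init: int) -> List[Tuple[Lasso, float]]:
    """Enumerate every lasso the walk can produce with its probability p_i, the
    product of 1/out-degree along the walk. Finite because the walk always stops
    at the first repeated state, so every branch is bounded by the state count."""
    out: List[Tuple[Lasso, float]] = []

    def walk(path: List[int], first_visit: Dict[int, int], prob: float) -> None:
        choices = succ[path[-1]]
        for state in choices:
            p = prob / len(choices)
            if state in first_visit:
                out.append(((path + [state], first_visit[state]), p))
            else:
                walk(path + [state], {**first_visit, state: len(path)}, p)

    walk([init], {init: 0}, 1.0)
    return out


def exact_pz(succ: Dict[int, List[int]], init: int, accepting: Set[int]) -> float:
    """p_Z = sum_i p_i Z_i (slide 9), computed exactly from the enumeration."""
    return sum(p * is_accepting(lasso, accepting) for lasso, p in lasso_distribution(succ, init))


def sample_size(eps: float, delta: float) -> float:
    """N(eps, delta) = ln(delta) / ln(1 - eps) as a real number (slide 13);
    the number of trials actually run is its ceiling."""
    return math.log(delta) / math.log(1.0 - eps)


def success_probability(pz: float, n: int) -> float:
    """P[X <= n] = 1 - (1 - p_Z)^n, the geometric CDF of slide 11."""
    return 1.0 - (1.0 - pz) ** n


def mc2(succ: Dict[int, List[int]], init: int, accepting: Set[int],
        eps: float, delta: float, rng: Optional[random.Random] = None) -> Tuple[int, Optional[List[int]]]:
    """MC2 of slide 15: return (1, counterexample lasso) as soon as a sampled lasso
    is accepting; otherwise (0, None), i.e. reject H0: p_Z >= eps with type I
    error below delta."""
    rng = rng or random.Random()
    n = math.ceil(sample_size(eps, delta))
    for _ in range(n):
        lasso = random_lasso(succ, init, rng)
        if is_accepting(lasso, accepting):
            return 1, lasso[0]
    return 0, None


if __name__ == "__main__":
    print("p_Z =", exact_pz(SUCC, INIT, ACCEPTING))
    print("N(1.8e-3, 0.1) =", sample_size(1.8e-3, 0.1))
    print(mc2(SUCC, INIT, ACCEPTING, 1.8e-3, 0.1, random.Random(2024)))
```

With δ = 10^-1 and ε = 1.8·10^-3, the parameters of slides 21 and 22, `sample_size` evaluates to about 1278.06, matching the N = 1278 reported there; `mc2` rounds up and runs 1279 walks, the smallest count at which `success_probability(1.8e-3, n)` reaches 0.9. On the constructed automaton p_Z = 1/8 is far above ε, so the loop returns the counterexample 1 2 3 1 almost immediately; with an empty accepting set it runs all N trials and rejects H0.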
16 Correctness of MC2
- Theorem: Given a Büchi automaton B, error margin ε, and confidence ratio δ, if MC2 rejects H0, then its type I error has probability α = P[X > M | H0] < δ.
17 Complexity of MC2
- Theorem: Given a Büchi automaton B having diameter D, error margin ε, and confidence ratio δ, MC2 runs in time O(N·D) and uses space O(D), where N = ln(δ) / ln(1 - ε).
- Cf. DDFS, which runs in O(2^(|S| + |φ|)) time for B = B_S × B_¬φ.
18 Implementation
- Implemented DDFS and MC2 in the jMocha model checker for synchronous systems specified using Reactive Modules.
- Performance and scalability of MC2 compare very favorably to DDFS.
19 DPh Symmetric Unfair Version (Deadlock freedom)
20 DPh Symmetric Unfair Version (Starvation freedom)
21 DPh Asymmetric Fair Version (Deadlock freedom)
δ = 10^-1, ε = 1.8·10^-3, N = 1278
22 DPh Asymmetric Fair Version (Starvation freedom)
δ = 10^-1, ε = 1.8·10^-3, N = 1278
23 Related Work
- Random walk testing
  - Heimdahl et al.: Lurch debugger.
- Random walks to sample the system state space
  - Mihail and Papadimitriou (and others).
- Monte Carlo model checking of Markov chains
  - Herault et al.: LTL-RP, bounded MC, zero/one ET
  - Younes et al.: time-bounded CSL, sequential analysis
  - Sen et al.: time-bounded CSL, zero/one ET
- Probabilistic model checking of Markov chains
  - ETMCC, PRISM, PIOAtool, and others.
24 Conclusions
- MC2 is the first randomized, Monte Carlo algorithm for the classical problem of temporal-logic model checking.
- Future work: use BDDs to improve run time. Also, take samples in parallel!
- Open problem: branching-time temporal logic (e.g. CTL, modal mu-calculus).
25 Talk Outline
- Model Checking
- Randomized Algorithms
- LTL Model Checking
- Probability Theory Primer
- Monte Carlo Model Checking
- Implementation and Results
- Conclusions and Open Problem
26 Model Checking
- S is a nondeterministic/concurrent system.
- φ is a temporal logic formula.
  - in our case Linear Temporal Logic (LTL).
- Basic idea: intelligently explore S's state space in an attempt to establish S ⊨ φ.
27 Linear Temporal Logic
- An LTL formula is made up inductively of
  - atomic propositions p, boolean connectives ¬, ∧, ∨,
  - temporal modalities X (neXt) and U (Until).
- Safety: nothing bad ever happens.
  - E.g. G(¬(pc1 = cs ∧ pc2 = cs)), where G is a derived modality (Globally).
- Liveness: something good eventually happens.
  - E.g. G(req → F serviced), where F is a derived modality (Finally).
28 Emptiness Checking
- Checking non-emptiness is equivalent to finding an accepting cycle reachable from the initial state (lasso).
- The Double Depth-First Search (DDFS) algorithm can be used to search for such cycles, and this can be done on-the-fly!
29 Bernoulli Random Variable (coin flip)
- Value of Bernoulli RV Z: Z = 1 (success), Z = 0 (failure).
- Probability mass function:
  - p(1) = Pr[Z = 1] = p_Z
  - p(0) = Pr[Z = 0] = 1 - p_Z = q_Z
- Expectation: E[Z] = p_Z
30 Statistical Hypothesis Testing
- Example: given a fair and a biased coin.
  - Null hypothesis H0: fair coin selected.
  - Alternative hypothesis H1: biased coin selected.
- Hypothesis testing: perform N trials.
  - If the number of heads is LOW, reject H0.
  - Else fail to reject H0.
31 Statistical Hypothesis Testing
                     | H0 is true                    | H0 is false
  reject H0          | Type I error w/ prob. α       | correct to reject H0
  fail to reject H0  | correct to fail to reject H0  | Type II error w/ prob. β
32 Random Lasso (RL) Algorithm
34 Randomized Algorithms
- Monte Carlo: may produce an incorrect result, but with bounded error probability.
  - Example: Rabin's primality testing.
- Las Vegas: always gives the correct result, but the running time is a random variable.
  - Example: Randomized Quick Sort.
35 Lassos Probability Space
- L1 = 11, L2 = 1244, L3 = 1231, L4 = 12344
- Pr[L1] = ½, Pr[L2] = ¼, Pr[L3] = ⅛, Pr[L4] = ⅛
- q_Z = Pr[L1] + Pr[L2] = ¾, p_Z = Pr[L3] + Pr[L4] = ¼
36 Alternative Sampling Strategies
- Multilasso sampling: ignores backedges that do not lead to an accepting lasso.
  Pr[L_n] = O(2^-n)
- Probabilistic systems: there is a natural way to assign a probability to an RL.
- Input partitioning: partition the input into classes that trigger the same behavior (guards).