Luca de Alfaro

1

Compositional Methods forProbabilistic Systems

• Luca de Alfaro
• Thomas A. Henzinger
• Ranjit Jhala
• UC Berkeley

2
Introduction

• Compositional Model
• Construct large systems from models of components
  
• Shallow Compositionality Syntactic
• Given P, Q can construct PkQ
• Deep Compositionality Semantic
• P k Q a function of P , Q

3
Deep Compositionality Example

• Transition systems with Trace Semantics
• Variable-based version
• System made of variables X
• X-State A valuation of the variables in X
• X-Trace A sequence of X-States, corresponding
  to a run
• P Set of X-Traces corresponding to all
  possible runs
• Private variables projected away
• Given components P, Q
• Read variables written by each other
• P k Q P Å Q

4
Deep Compositionality

• Composition of properties
• Allows decomposition of large verification tasks
• Simple Refinement Decomposition
• To check P1 k P2 ¹ Q1 k Q2
• Suffices that P1 ¹ Q1 and P2 ¹ Q2
• Assume-Guarantee Decomposition
• To check P1 k P2 ¹ Q1 k Q2
• Suffices that P1 k Q2 ¹ Q1 and Q1 k
  P2 ¹ Q2
• Crucial for non-deterministic systems
• Even more beneficial in the probabilistic setting

5
Our Contribution

• First Deeply compositional model for systems with
  both Probabilistic and Non-deterministic choice
• Generalise semantic properties of trace-based
  models to the probabilistic setting
• First Assume-Guarantee rule for decomposing
  refinement checks for such systems

6
Previous Work

• A large body of work on the modelling and
  verification of probabilistic systems
• Vardi 85, Courcoubetis Yannakakis 89
• Basic Model Markov Decision Processes
• Defining the behaviour using schedulers
• Branching-time models based on Process
  Algebras
• Jonson Larsen 91
• Probabilistic Process Algebras
• Performance properties
• Models based on I/O Automata by Segala 95
• Semantics described as Trace Distributions
• Refinement as trace distribution inclusion

7
Plan

• Systems with Probabilistic and
  Non-determinisitic choice
• Why is deep compositionality tricky ?
• Atoms, the solution to the scheduler problem
• Concrete Model Probabilistic Modules
• Bundle Algebra
• Theorems
• Conclusions etc.

8
Probabilistic Systems

• We wish to model transition systems that can make
  both Probabilistic and Non-deterministic choice

• At a state, the system does the following
• Picks one of several available distributions (or
  moves) over next state non-deterministically
• Picks a next state randomly out of the chosen
  distribution

9
Prob. Systems Example

• There are 2 possible behaviors arising from
  the non-deterministic choice at
• ¼ , ¾
• ½ , ½

10
Semantics dealing with choices

• Non-deterministic, Probabilistic choice are
  orthogonal
• Factor out non-determinism using schedulers
• Derman70, Vardi 1985, Courcoubetis Yannakakis
  1989
• Given a scheduler, the execution is fully
  probabilistic
• Outcome A sequence of bundles of length i, 8 i gt
  0
• Semantics Sum of the outcomes for all the
  different schedulers

11
Schedulers Example
1/2
1/2
4 Possible Schedulers, one outcome (bundle) for
each
Outcomes (Bundles)
Schedulers
½ , ½ ½ , ½ ½ , ½ ½ , ½
12
Non-Det. Choice Vs Prob. Choice
A
B

• Non-deterministic choice is more flexible than
  probabilistic choice
• We want A ¹ B, but

Bundle of A
Bundles of B
½ , ½
1
1
1
13
Non-Det. Choice Vs Prob. Choice
1/2
1/2
A
B

• Solution Let the scheduler be randomized
• The scheduler of B can flip a coin to select
  nondeterministic choice
• The move of B is then the convex combination of
  its simple moves

e , 1-e
Bundles of B For every e 2 0,1 In particular
e ½ matches As bundle
14
Semantics of Probabilistic Systems
Given a set of variables X
15
Semantics of Probabilistic Systems
Given a Probabilistic system P with variables X,
semantics P is an X-Probabilistic language

• Refinement corresponds to bundle inclusion
• P ¹ Q if P µ Q

16
Plan

• Systems with Probabilistic and
  Non-determinisitic choice
• Why is deep compositionality tricky ?
• Atoms, the solution to the scheduler problem
• Concrete Model Probabilistic Modules
• Bundle Algebra
• Theorems
• Conclusions etc.

17
Why is it tricky ? (1)
1/2
1/2
1/4
P Priv P Ctr X Extl Y
Q Priv Q Ctr Y Extl X
PkQ Priv P, Q Ctr X , Y
This is the ONLY bundle of P k Q ) P
Å Q ¾ P k Q !!
A bundle in P and Q
18
Why is it tricky ? (1)

• External variable was scheduled looking at
  private variable
• this breaks compositionality
• ) must have two schedulers
• CONTROLLED-VAR scheduler can look at private
  variables
• EXTERNAL-VAR scheduler cannot look at private
  variables

P Å Q ¾ P k Q !!
19
Why is it tricky ? (2)
P Ctr X, non-det Extl Y
Q Ctr Y, non-det Extl X

• No matching bundle in P or Q
• P Å Q ½ P k Q !!
• ) A composed system must be made up of
  schedulers for individual components

PkQ Ctr X , Y X,Y are non-det. set
With a single scheduler we get
20
Schedulers and Compositionality
Compose
Q Why are previous models not deeply
compositional ? A Monolithic Schedulers are bad
!!
21
Atoms The Solution to the Scheduler Problem
Atoms Units of Scheduling Variables written by
the atom Variables read on whose history
non-det. is resolved
A single scheduler associated with each atom -
Module Scheduler is the composition of atomic
schedulers Atomic (scheduling) structure
preserved after parallel composition
22
The Importance of Atoms

• A ¹ B because
• A has a bundle where x,y have correlated values
  ½ 0,0 ½ 1,1
• In Bs bundle it is not possible to get
  correlation, despite complete non-det in
  each atom, as the schedulers are independent

23
Plan

• Systems with Probabilistic and
  Non-determinisitic choice
• Why is deep compositionality tricky ?
• Atoms, the solution to the scheduler problem
• Concrete Model Probabilistic Modules
• Bundle Algebra
• Theorems
• Conclusions etc.

24
Probabilistic Modules
Update To each state, associate a set of
distributions (moves), for next state
The atom scheduler Chooses between moves
25
Operations Parallel Composition
26
Operations Parallel Composition
27
Module Semantics
28
Module Semantics
29
Composing Atomic Schedulers
30
Semantics Atomic Schedulers

• Composing Atom Schedulers
• For schedulers s1 from X1 to Y1, s2 from X2 to
  Y2, s.t. Y1 Å Y2 ?,
• (s1 s2) from X1 X2 to Y1 Y2 s.t.
  (s1 s2)(t) s1(tX1) s2(tX2)
• For sets of schedulers S1 from X1 to Y1, S2 from
  X2 to Y2,
• S1 S2 s1 s2 s1 2 S1, s2 2 S2

31
Module Semantics

• Schedulers of P
• extlå(P) set of all schedulers from extlX(P)
  intfX(P) to extlX(P)
• modå(P) extlå(P) PA 2 Atoms(P) atomå(A)
• Language of P
• L(P) s 2 modå(P) Outcome(s)
• Trace Semantics of P
• P L(P)obsX(P)
• the language projected to the observables

32
Plan

• Systems with Probabilistic and
  Non-determinisitic choice
• Why is deep compositionality tricky ?
• Atoms, the solution to the scheduler problem
• Concrete Model Probabilistic Modules
• Bundle Algebra
• Theorems
• Conclusions etc.

33
Semantics of Probabilistic Systems
Given a set of variables X
34
Bundle Algebra

• For reasoning about parallel composition
• Decomposing Projection
• Given sets of variables X, X s.t. X µ X
• X-Bundle a X-Bundle
• Composing Product
• Given sets of variables X, Y
• X-Bundle Y-Bundle a (X Y) Bundle

35
Projection States
36
Projection Moves
X Move
X Move
37
Projection Bundles
X Bundle
X Bundle
38
Product States
X
X Y State
X Z State
X Y Z State
39
Product Moves, Bundles


X Y Move
X Y Z Move
X Z Move
40
Operations Product

• Product
• Given 2 sets of variables X1, X2
• Given an X1-State s1, a X2-State s2
• s1, s2 can be multiplied if s1 X1 Å X2
  s2X1 Å X2
• Same condition for for Traces and Bundles
• Given an X1-Bundle b1, X2-Bundle b2
• (b1 b2) X1 X2 Bundle s.t.
• (b1 b2)(t) b1 (tX1) b2 (tX2) / b1
  (tX1 Å X2)
• Given an X1-Language L1, X2-Language L2
  
• L1 L2 b1 b2 b1 2 L1 and b2 2 L2 can be
  multiplied

41
Plan

• Systems with Probabilistic and
  Non-determinisitic choice
• Why is deep compositionality tricky ?
• Atoms, the solution to the scheduler problem
• Concrete Model Probabilistic Modules
• Bundle Algebra
• Theorems
• Conclusions etc.

42
Compositional Semantics

• Theorem P1 k P2 P1 Å P2
  
• This is because L(P1 k P2) L(P1) L(P2)
• For every b1 2 L(P1), b2 2 L(P2),
• s.t. b1X(P1) Å X(P2) b2X(P1) Å X(P2)
  are multipliable
• b1 b2 2 L(P1 k P2)
• For every b 2 L(P1 k P2)
• bX(P1) 2 L(P1) and bX(P2) 2 L(P2)

43
Recall Probabilistic Refinement
Given a Probabilistic system P with variables X,
semantics P is an X-Probabilistic language

• Refinement corresponds to bundle inclusion
• P ¹ Q if P µ Q

44
Refinement Is Compositional

• Module Refinement P ¹ Q iff P µ
  Q
• Theorem Refinement is Compositional
• P k Q ¹ P
• If P ¹ Q , then P k R ¹ Q k R
• Follows from deep compositionality
• Theorem Assume-Guarantee
• If P1 k Q2 ¹ Q1 and Q1 k P2 ¹ Q2,
• then P1 k P2 ¹ Q1 k Q2
• Deep compositionality
• Induction

45
Conclusions

• Deeply compositional semantics for systems
  with Non-deterministic and Probabilistic choice
• Assume-Guarantee rule
• Only possible by restricting the visibility and
  influence of schedulers
• Checking Bundle Inclusion
• Simulation based approach
• Adding combinational (0-delay) dependencies
• Logics for Specification
• Correctness and performance properties
• Compositional reasoning