Quantitative Model Checking Radu Grosu SUNY at Stony Brook

1
Quantitative Model CheckingRadu GrosuSUNY at
Stony Brook

• Joint work with Scott A. Smolka

2
Model Checking

?
Is system S a model of formula f?
3
Model Checking

• S is a nondeterministic/concurrent system.
• ? is a temporal logic formula.
• in our case Linear Temporal Logic (LTL).
• Basic idea intelligently explore Ss state space
  in attempt to establish S ?.

4
Monte Carlo Approach
computation tree
recurrence diameter
LTL
Monte Carlo N(?,?) independent samples
Error margin ? and confidence ratio ?
5
Linear Temporal Logic

• An LTL formula is made up of atomic propositions
  p, boolean connectives ?, ?, ? and temporal
  modalities X (neXt) and U (Until).
• Safety nothing bad ever happens
• E.g. G(? (pc1cs ? pc2cs)) where G is a
  derived modality (Globally).
• Liveness something good eventually happens
• E.g. G( req ? F serviced ) where F is a
  derived
• modality (Finally).

6
LTL Model Checking

• Every LTL formula ? can be translated to a Büchi
  automaton B? whose language is the set of
  infinite words satisfying ?.
• Automata-theoretic approach
• S ? iff L(BS) ? L(B? ) iff L(BS ?
  B?? ) ?
• Checking non-emptiness is equivalent to finding
  an accepting cycle reachable from initial state
  (lasso).

7
Bernoulli Random Variable(coin flip)

• Value of Bernoulli RV Z
• Z 1 (success) Z 0 (failure)
• Probability mass function
• p(1) PrZ1 pz
• p(0) PrZ0 1- pz qz
• Expectation EZ pz

8
Monte Carlo Approximation

• Problem Compute the mean value µZ of a random
  variable Z distributed in 0,1 when exact
  computation of µZ proves intractable.

with error margin ? and confidence ratio ?.
9
Naive Solution

• Compute N using the Zero-One estimation
  theorem

10
Stopping Rule Algorithm (SRA)

• Innovation compute correct N without using

• Theorem
• EN ? 4 ln(?/?) / ?Z?2

11
Optimal Approx Algorithm (OOA)

• Compute N using generalized Zero-One
  estimation

• Apply sequential analysis (prediction/correction
  )
• 1. Compute assuming
  with SRA( )
• 2. Compute ? using and
• 3. Compute using to correctly
  estimate N.

• Expected number of samples is optimal to within
  a
• constant factor!

12
Monte Carlo Model Checking

• Sample Space lassos in BS ? B??
• Bernoulli random variable Z
• Outcome 1 if rand. chosen lasso is not
  accepting
• Outcome 0 otherwise
• ?Z pZ ? pi Zi (expect. of a nonaccepting
  lasso)
• where pi is lasso prob. (uniform
  random walk).

13
Lassos Probability Space
1
2
4
3

• L1 11 L2 1244 L3 1231 L4
  12344
• PrL1 ½ PrL2 ¼ PrL3 ? PrL4 ?
• qZ L1 L3 5?8 pZ L3 L4 3?8

14
QMC Algorithm
15
Properties of QMC

• Theorem Given a Büchi automaton B, error margin
  e, and confidence ratio d, if QMC returns
  then with probabiliy 1- d, the confidence
  interval (CI)
• 1 / (1e) , 1 / (1- e)
  
• covers the unknown lasso probability ?Z.
• Corollary In decision mode (DM) the CI is 1 /
  (1e) , 1.

16
Properties of QMC

• Theorem Given a Büchi automaton B having
  diameter D, error margin e, and confidence ratio
  d, QMC runs in DM in time O(ND) and uses space
  O(D), where
• N 4 ln(2 / d) /
  e.

Cf. DDFS which runs in O(2Sf) time for B
BS ? B?? .
17
Implementation

• Implemented DDFS and QMC in jMocha model checker
  for synchronous systems specified using Reactive
  Modules.
• Performance and scalability of QMC compares very
  favorably to DDFS.

18
DPh Symmetric Unfair Version
(Deadlock freedom)
19
DPh Symmetric Unfair Version
(Starvation freedom)
20
DPh Asymmetric Fair Version
(Deadlock freedom)
d 10-1 e 1.810-4 N 1257
21
DPh Asymmetric Fair Version
(Starvation freedom)
d 10-1 e 1.810-4 N 1257
22
Related Work

• Heimdahl et al.s Lurch debugger.
• Mihail Papadimitriou (and others) use random
  walks to sample system state space.
• Herault et al. use bounded model checking to
  compute an (e,d)-approx. for positive LTL.
• Probabilistic Model Checking of Markov Chains
  ETMCC, PRISM, PIOAtool, and others.

23
Conclusions

• QMC is first randomized, Monte Carlo algorithm
  for the classical problem of temporal-logic MC.
• Future Work Use BDDs to improve run time.
  Also, take samples in parallel!
• Open Problem Branching-Time Temporal Logic
  (e.g. CTL, modal mu-calculus).

24
Model Checking

Is system S a model of formula f?
25
Talk Outline

1. Model Checking
2. Randomized Algorithms
3. LTL Model Checking
4. Optimal Monte Carlo Estimation
5. Quantitative Model-Checking (QMC)
6. Implementation Results
7. Conclusions Open Problem

26
Model Checkings Fly in the OintmentState
Explosion
Symbolic MC (OBDDs) Symmetry Reduction Partial
Order Reduction Abstraction Refinement Bounded
Model Checking
Size of Ss state transition graph is O(2s)!
27
Randomized Algorithms

• Huge impact on CS (distributed) algorithms,
  complexity theory, cryptography, etc.
• Takes of next step algorithm may depend on random
  choice (coin flip).
• Benefits of randomization include simplicity,
  efficiency, and symmetry breaking.

28
Randomized Algorithms

• Monte Carlo may produce incorrect result but
  with bounded error probability.
• Example Rabins primality testing algorithm
• Las Vegas always gives correct result but
  running time is a random variable.
• Example Randomized Quick Sort

29
Emptiness Checking

• Checking non-emptiness is equivalent to finding
  an accepting cycle reachable from initial state
  (lasso).
• Double Depth-First Search (DDFS) algorithm can be
  used to search for such cycles, and this can be
  done on-the-fly!

30
Random Lasso (RL) Algorithm