possibilistic and probabilistic abstraction-based model checking michael huth computing imperial...
TRANSCRIPT
Possibilistic and probabilistic abstraction-based model checking
Michael Huth
Computing
Imperial College
London, United Kingdom
Outline of talk
need for abstraction modal quantitative systems possibilistic semantics probabilistic semantics specification of abstractions conclusions.
Need for abstraction
LTL model checking for finite-state Markov decision processes is [Courcoubetis & Yannakakis’95]
polymonial in model (which are big) and doubly exponential in formula.
Infinite-state models occur in practice. Aggressive abstraction techniques required for
model checking real-world designs.
Abstraction loci
Abstract the computation of a model check M |= , by approximating
the model M to M*; e.g. simulations [Larsen & Skou’91] the satisfaction relation |= to |=*, e.g compositional
conjunction [Baier et al.’00] the property to *, e.g. bounded model checking
[Clarke et al.’01]Combinations possible: e.g. make a probabilistic M non-
probabilistic [Vardi’85].
Soudness needed
Valid verfication certificates: positive abstract check M* |=* * M |= holds as well.
Valid refutation certificates: nevative abstract check M* |=* ¬ M |= ¬ holds, too.
Range of : full logic for sound mix of fairness & abstraction, safety & liveness, verification & refutation, etc.
Such a framework is well developed for qualitative systems: three-valued model checking [Larsen & Thomsen’88, Bruns & Godefroid’99].
Research aims
transfer two-valued & three-valued model checking to quantitative systems;
let probabilistic systems be a special instance of such a transfer; and
use transferred results to re-assess existing work on abstraction of probabilistic systems.
Modal quantitative systems
modal nature of non-determinism:“There are delays on the Bakerloo Line.” !=“There are no delays on the remaining lines.” transitions (s,) have type x [F P] - P partial order of quantities
- F -algebra on state set - [F P] = maps F P such that A in A’ (A) (A’) atomic observables and preimage operator are in F.
Examples
“neural” systems
- each s in is a stimulus ws in [0, - (A) is weighted sum of stimuli ws
Markov decision processes - P = [0,1] - all in transitions are probability measures - complete: non-determinism fully specified Choquet’s capacities, pCTL*, and weak bisimulation
[Desharnais et al.’02].
Concrete and abstract model
p
pq
q
s0
s3
s1
s2
.5 .25
.251/3
1/31/3
.5
.5
t0 = { s0, s1, s3 }
p? q?
2/3 1/3 Q Q
Q
Q
t1 = { s2 }
2/3
1/3
.25
.75 1/3
2/3
.5
.5
p (p = tt) is valid
p? (p = tt) is satisfiable
Qis special
Measurable navigation
a relation Q : 1 2 has measurable navigation: for all A in F1 and B in F2
A.Q in F2 and Q.B in F1
non-trivial property basis for relational abstraction/refinement works for finite quotients with measurable
equivalence classes.
Lifting relations to measures
For Q : with measurable navigation, define Qps : [F P] [F P] by
( in Qps iff for all A, B in F (A) (A.Q) and (B) (Q.B)
… a generalization of probabilistic (bi)simulation [Larsen & Skou’91].
Abstraction & refinement
A relation Q : with measurable navigation is a possibilistic refinement if (s,t) in Q implies
(t in Ra (s in Ra such that ) in Qps
(s in Rc (t in Rc such that ) in Qps
Ra = guaranteed transitions (e.g. Q above),Rc = possible transitions. //modal non-determinism
Possibilistic semantics
Quantitative logic: ::= tt | p | Z | Z. | ¬ | & | EX>r assertion checks s|=a consistency checks s|=c usual semantics, except for - s|=a ¬ iff not s|=c - s|=c ¬ iff not s|=a ; and
- s|=l EX>r iff (s in Rl : ({t | t|=l }) > r where l in {a, c}.
Soundness
We prove
{ s in | s|=l } in Ffor l in {a, c} and and use it to show:
“Q possibilistic refinement with (s,t) in Q, then 1. t|=a s|=a 2. s|=c t|=c // needed to prove 1.for all .”
Probabilistic semantics
probability measures for transitions Z. restricted to probabilistic EU same semantics except for EU possibilistic semantics “approximates”
probabilistic one sound probabilistic refinement: Q Qpr [Larsen
& Skou’91] Qpr = Qps for finite-state Markov decision processes.
Specification of abstraction
= state set of un-abstracted model, = finite target state set of abstract model:
1. specify left/right-total relation Q : A;2. determines an abstract model over A with
discrete algebra …3. … which makes Q into a refinement.
Understanding the lift
1. in [F P] Q (B) = (B.Q) well defined
2. Q) in Qps
3. ( in Qps Q
4. converse of 3. holds if Q is graph of a function5. finite state set of Markov decision process Qps
= Qpr & same abstractions… 4. holds if A is a finite set of measurable equivalence
classes, e.g. predicate abstraction w.r.t. finitely many measurable predicates.
Example re-visited
p
pq
q
s0
s3
s1
s2
.5 .25
.251/3
1/31/3
.5
.5
t0 = { s0, s1, s3 } |=a ¬EX >3/4 ¬EX>3/10¬p
p? q?
2/3 1/3 Q Q
Q
Q
t1 = { s2 }
2/3
1/3
.25
.75 1/3
2/3
.5
.5
Abstraction along the predicate ¬(¬p & ¬q)
only Qin Ra
Conclusions
transferred three-valued model checking to quantitative systems;
showed that probabilistic systems and Larsen & Skou simulations are a special instance of such a transfer;
re-assessed existing work on abstraction of probabilistic systems in this context; and
showed that this approach works for an important class of finite-state abstractions.