Miguel E. Andrés Radboud University, The Netherlands

Significant Diagnostic Significant Diagnostic Counterexamples in Probabilistic Counterexamples in Probabilistic

Model CheckingModel Checking

Pedro D’ArgenioFamaf, Argentina

Peter van RossumRadboud University, The Netherlands

2Haifa Verification 2008 - October 28thIBM Haifa Research Lab - Israel

Miguel E. AndresRadboud University

j= : Reach

Classic Model Checking (Qualitative)Classic Model Checking (Qualitative)

MotivationMotivation

MODEL j= Á

CounterexamplesCounterexamples

(Not satisfaction)

3Haifa Verification 2008 - October 28thIBM Haifa Research Lab - Israel

Miguel E. AndresRadboud University

Quantitative Model Checking

MotivationMotivation

j=· p

I n this case the property is notsatis¯ed if p< 0;6.

Counterexamples (MORE COMPLEX)

, , …

Counterexamples (MORE COMPLEX)

, , …

Reach

4Haifa Verification 2008 - October 28thIBM Haifa Research Lab - Israel

Miguel E. AndresRadboud University

MotivationMotivation

ProblemsProblems Not aqurate

evidences Similar evidences Low probability

evidences Infinite evidences

Proposed SolutionProposed Solution

j=· 0:5

How do we deal with Counterexamples (so far)

Reach

5Haifa Verification 2008 - October 28thIBM Haifa Research Lab - Israel

Miguel E. AndresRadboud University

MotivationMotivation

j=· 0:5

Non Determinism is allowed

The property is satisfied if for every possible way to resolve the nondeterminism

the reachability probability is at most 0.5

Reach

6Haifa Verification 2008 - October 28thIBM Haifa Research Lab - Israel

Miguel E. AndresRadboud University

OverviewOverview

Motivation Background

Markov Chains LTL for probabilistic systems Counterexamples

Solution Reduced Case (Reachability and deterministic) Reduction to Acyclic (SCC analysis) Rails and Torrents

Solution General Case From general formulas to reachability From MDPs to MCs

Implementation Conclusion Future work

7Haifa Verification 2008 - October 28thIBM Haifa Research Lab - Israel

Miguel E. AndresRadboud University

OverviewOverview

Motivation Background

Markov Chains LTL for probabilistic systems Counterexamples

Solution Reduced Case (Reachability and deterministic) Reduction to Acyclic (SCC analysis) Rails and Torrents

Solution General Case From general formulas to reachability From MDPs to MCs

Implementation Conclusion Future work

8Haifa Verification 2008 - October 28thIBM Haifa Research Lab - Israel

Miguel E. AndresRadboud University

BackgorundBackgorund

Discrete Time Markov Chains

DTMC=(S;s0;L ;P )

Finite Pathss0s1s3s0s1s1s3s0s1s1s1s3s0s1s1s1s1s3s0s1s1s1s1s1s3

Prob

0.20.10.050.0250.0125

² S is the ¯nite state space;² s0 2 S is the initial state;² L is a labeling function;² P : S £ S ! [0;1] is a stochastic matrix.

9Haifa Verification 2008 - October 28thIBM Haifa Research Lab - Israel

Miguel E. AndresRadboud University

BackgroundBackground

Linear Temporal Logic (LTL)Sintaxis

Probabilistic SemanticD j=

. / pÁ , P r

D(Sat(Á)) ./ p ² ./ 2 f<;· ;>;¸ g

²Sat(Á) , f¾2 Paths(D) j ¾j=Ág

Á ::= V j : Á j Á^Á j ÁUÁ_ ;! ;§ ; and ¤ are syntactic sugar

Semantic¾j=

Dv , v 2 L(¾0)

¾j=D: Á , not(¾j=

DÁ)

¾j=DÁ^° , ¾j=

DÁ and ¾j=

D°

¾j=DÁU° , 9i ¸ 0:¾#i j=

D° and 80· j <i :¾#j j=

DÁ

10Haifa Verification 2008 - October 28thIBM Haifa Research Lab - Israel

Miguel E. AndresRadboud University

BackgorundBackgorund

Counterexamples

Reachability property

Remember: D j=. / p

Á , P rD(Sat(Á)) ./ p

²D j=· p

Á: C µ Sat(Á) such that P r(C) > p

²D j=̧pÁ: C µ Sat(: Á) such that P r(C) > 1¡ p

C, Paths(D) , C 1 [ C 2C 1 , f½2Paths(D)j9i ¸ 0:½=s0(s1)is3gC 2 , f½2Paths(D)j9i ¸ 0:½=s0(s2)is4g

ExampleD j=

< 1§ (v1 _ v2)

11Haifa Verification 2008 - October 28thIBM Haifa Research Lab - Israel

Miguel E. AndresRadboud University

OverviewOverview

Motivation Background

Markov Chains LTL for probabilistic systems Counterexamples

Solution Reduced Case (Reachability and deterministic) Reduction to Acyclic (SCC analysis) Rails and Torrents

Solution General Case From general formulas to reachability From MDPs to MCs

Implementation Conclusion Future work

12Haifa Verification 2008 - October 28thIBM Haifa Research Lab - Israel

Miguel E. AndresRadboud University

Solution Reduced Case Solution Reduced Case

D j=· p

§Ã

Counterexamples aregenerated for Ac(D)!!!

Preserves reachability probabilities!

D Ac(D)

Ac

TorrDjscc =Torrents Paths(Ac(D)) = Rails

P r(¾) = aP r(Torr(¾)) = a P r(¾) = a

We focus on:

13Haifa Verification 2008 - October 28thIBM Haifa Research Lab - Israel

Miguel E. AndresRadboud University

Solution Reduced Case Solution Reduced Case [SCC Analysis I][SCC Analysis I]

1) Identify SCCs2) Identify Input/Output states3) Compute reachability probability from input to output states

Red

uctio

n

14Haifa Verification 2008 - October 28thIBM Haifa Research Lab - Israel

Miguel E. AndresRadboud University

Solution Reduced Case Solution Reduced Case [SCC Analysis II][SCC Analysis II]

1) Identify SCCs2) Identify Input/Output States3) Compute reachability probability from input to output states

Ac

yclic

MC

Example

15Haifa Verification 2008 - October 28thIBM Haifa Research Lab - Israel

Miguel E. AndresRadboud University

Subsequences

Solution Reduced Case Solution Reduced Case [Rails and Torrents][Rails and Torrents]

Issues Freshness

Inertia

Subsequences* (Torrents)¾¹ ! ,¾v ! and Freshness and Inertia

f!

¾

s0s2s5s11s14 6́ s0s2s6s11s14

s0s2s6s14 6́ s0s2s6s11s14

¾v ! , exists such a function

S6S0 S2 S14

S5 S8S6S0 S2 S6 S14

16Haifa Verification 2008 - October 28thIBM Haifa Research Lab - Israel

Miguel E. AndresRadboud University

Torr(¾) , f ! 2 Paths(D) j ¾¹ ! g

Rails , Paths(Ac(D))

Solution Reduced Case Solution Reduced Case [Rails and Torrents][Rails and Torrents]

Torrents and Rails

We Generate Counterexamples on

the Acyclic Chain!!!

Theorem1)

S¾2Paths(A c(D )) Torr(¾) = Paths(D)

2) ¾6=¾0 ) Torr(¾) \ Torr(¾0) = ;3) P rA c(D )(¾) = P rD (Torr(¾))4) Ac(D) j=

· p§Ã if and only if D j=

· p§Ã

17Haifa Verification 2008 - October 28thIBM Haifa Research Lab - Israel

Miguel E. AndresRadboud University

OverviewOverview

Motivation Background

Markov Chains LTL for probabilistic systems Counterexamples

Solution Reduced Case (Reachability and deterministic) Reduction to Acyclic (SCC analysis) Rails and Torrents

Solution General Case From general formulas to reachability From MDPs to MCs

Implementation Conclusion Future work

18Haifa Verification 2008 - October 28thIBM Haifa Research Lab - Israel

Miguel E. AndresRadboud University

General Case General Case [Reduction to Reachability][Reduction to Reachability]

Reduction to Reachability

Á

ProbabilisticLTL

ModelChecker

MDP

LTL formula

./ ;p

Maximum Probabilities and Paths are related!!!

MDeterministic Rabin Automota

End Components

M jjAÁ

M j=. / p

Á

19Haifa Verification 2008 - October 28thIBM Haifa Research Lab - Israel

Miguel E. AndresRadboud University

The calculation of a maximal probability on a reachability problem can be performed by solving a linear

minimization problem

General Case General Case [Reduction to Markov Chains I][Reduction to Markov Chains I]

Reduction to Markov Chains

Pt2S ¼1(t) ¢xt · xsPt2S ¼2(t) ¢xt · xs

...Pt2S ¼n(t) ¢xt · xs

where¿(s) = f¼1;¼2; : : : ;¼ng

Find fxs j s 2 Sg thatminimize

Ps2S xs

subject to thesetof constrains

for all s 2 S

20Haifa Verification 2008 - October 28thIBM Haifa Research Lab - Israel

Miguel E. AndresRadboud University

General Case General Case [Reduction to Markov Chains II][Reduction to Markov Chains II]

Theorems:

C is a counterexample to M 0 j=· p

§Ã+

C is a counterexample to M j=· p

§Ã

M 0 j=· p

§Ã , M j=· p

§Ã

21Haifa Verification 2008 - October 28thIBM Haifa Research Lab - Israel

Miguel E. AndresRadboud University

OverviewOverview

Motivation Background

Markov Chains LTL for probabilistic systems Counterexamples

Solution Reduced Case (Reachability and deterministic) Reduction to Acyclic (SCC analysis) Rails and Torrents

Solution General Case From general formulas to reachability From MDPs to MCs

Implementation Conclusion Future work

22Haifa Verification 2008 - October 28thIBM Haifa Research Lab - Israel

Miguel E. AndresRadboud University

Implementation Implementation [Computability][Computability]

Reduce to MC problemUsing the output from the minimization problem

[Bianco/de Alfaro] Reduce to acyclic MC

Tarjan or Kosaraju or Gabow Algorithm + steady state analysis

Generate counterexamples on an Acyclic MCK-SP problem [Han/Katoen]

23Haifa Verification 2008 - October 28thIBM Haifa Research Lab - Israel

Miguel E. AndresRadboud University

Implementation Implementation [Debugging Issues][Debugging Issues]

Torrent Representative

Expanding SCCs

Reachability to:1) Output States2) Goal States

EX

PA

ND

For Free!

TorRep(Tor) = argµmax! 2Tor

P r(! )¶

24Haifa Verification 2008 - October 28thIBM Haifa Research Lab - Israel

Miguel E. AndresRadboud University

OverviewOverview

Motivation Background

Markov Chains LTL for probabilistic systems Counterexamples

Solution Reduced Case (Reachability and deterministic) Reduction to Acyclic (SCC analysis) Rails and Torrents

Solution General Case From general formulas to reachability From MDPs to MCs

Implementation Conclusion Future work

25Haifa Verification 2008 - October 28thIBM Haifa Research Lab - Israel

Miguel E. AndresRadboud University

ConclusionConclusion

Counterexample generation for probabilistic LTL without restrictions

Show how to generalize counterexample generators on MC to MDP

Defined the notion of Torrents as collections of paths behaving similarly

Show how to compute Torrents-Counterexamples

26Haifa Verification 2008 - October 28thIBM Haifa Research Lab - Israel

Miguel E. AndresRadboud University

Future workFuture work

Implementing a practical tool

Visualization of Torrents (Regular Expressions)

Case studies

Extension to Timed Systems

27Haifa Verification 2008 - October 28thIBM Haifa Research Lab - Israel

Miguel E. AndresRadboud University

QuestionsQuestions

Thanks for your attention!