Possibilistic and probabilistic abstraction-based model checking
Michael Huth, Computing, Imperial College London, United Kingdom
Outline of talk
• need for abstraction
• modal quantitative systems
• possibilistic semantics
• probabilistic semantics
• specification of abstractions
• conclusions
Need for abstraction
LTL model checking for finite-state Markov decision processes is [Courcoubetis & Yannakakis ’95]
• polynomial in the model (which is big) and
• doubly exponential in the formula.
Infinite-state models occur in practice. Aggressive abstraction techniques are required for model checking real-world designs.
Abstraction loci
Abstract the computation of a model check M |= φ by approximating
• the model M to M*; e.g. simulations [Larsen & Skou ’91]
• the satisfaction relation |= to |=*, e.g. compositional conjunction [Baier et al. ’00]
• the property φ to φ*, e.g. bounded model checking [Clarke et al. ’01]
Combinations are possible: e.g. make a probabilistic M non-probabilistic [Vardi ’85].
Soundness needed
• Valid verification certificates: a positive abstract check M* |=* φ* ⇒ M |= φ holds as well.
• Valid refutation certificates: a negative abstract check M* |=* ¬φ* ⇒ M |= ¬φ holds, too.
• Range of φ: the full logic, for a sound mix of fairness & abstraction, safety & liveness, verification & refutation, etc.
Such a framework is well developed for qualitative systems: three-valued model checking [Larsen & Thomsen ’88, Bruns & Godefroid ’99].
Research aims
• transfer two-valued & three-valued model checking to quantitative systems;
• let probabilistic systems be a special instance of such a transfer; and
• use the transferred results to re-assess existing work on abstraction of probabilistic systems.
Modal quantitative systems
• modal nature of non-determinism: “There are delays on the Bakerloo Line.” ≠ “There are no delays on the remaining lines.”
• transitions (s, μ) have type S × [F → P]
  - P partial order of quantities
  - F σ-algebra on state set S
  - [F → P] = maps μ : F → P such that A ⊆ A’ ⇒ μ(A) ≤ μ(A’)
• atomic observables and the preimage operator are in F.
Examples
• “neural” systems
  - each s in S is a stimulus ω_s in [0, ω)
  - μ(A) is the weighted sum of stimuli ω_s
• Markov decision processes
  - P = [0,1]
  - all μ in transitions are probability measures
  - complete: non-determinism fully specified
• Choquet’s capacities, pCTL*, and weak bisimulation [Desharnais et al. ’02].
Concrete and abstract model
[Figure: concrete states s0, s1, s2, s3 with transition measures α, γ, η, μ (weights such as .5, .25, 1/3, 2/3) and the abstract states t0 = { s0, s1, s3 } and t1 = { s2 } with the lifted measures α_Q, γ_Q, η_Q, μ_Q; γ_Q is special. Labelling: p at an abstract state means (p = tt) is valid there, p? means (p = tt) is satisfiable.]
Measurable navigation
• a relation Q : S1 → S2 has measurable navigation: for all A in F1 and B in F2, A.Q in F2 and Q.B in F1
• a non-trivial property
• the basis for relational abstraction/refinement
• works for finite quotients with measurable equivalence classes.
Lifting relations to measures
For Q : S → S with measurable navigation, define Qps : [F → P] → [F → P] by
(μ, η) in Qps iff for all A, B in F: μ(A) ≤ η(A.Q) and η(B) ≤ μ(Q.B)
… a generalization of probabilistic (bi)simulation [Larsen & Skou ’91].
Abstraction & refinement
A relation Q : S → S with measurable navigation is a possibilistic refinement if (s, t) in Q implies
• (t, η) in Ra ⇒ ∃ (s, μ) in Ra such that (μ, η) in Qps
• (s, μ) in Rc ⇒ ∃ (t, η) in Rc such that (μ, η) in Qps
Ra = guaranteed transitions (e.g. γ_Q above), Rc = possible transitions. // modal non-determinism
Possibilistic semantics
Quantitative logic:
• φ ::= tt | p | Z | μZ.φ | ¬φ | φ & φ | EX>r φ
• assertion checks s |=a φ
• consistency checks s |=c φ
• usual semantics, except for
  - s |=a ¬φ iff not s |=c φ;
  - s |=c ¬φ iff not s |=a φ; and
  - s |=l EX>r φ iff ∃ (s, μ) in Rl : μ({t | t |=l φ}) > r
  where l in {a, c}.
Soundness
We prove { s in S | s |=l φ } in F for l in {a, c} and all φ, and use it to show:
“If Q is a possibilistic refinement with (s, t) in Q, then
1. t |=a φ ⇒ s |=a φ
2. s |=c φ ⇒ t |=c φ // needed to prove 1. for all φ.”
Probabilistic semantics
• probability measures for transitions
• μZ.φ restricted to probabilistic EU
• same semantics except for EU
• possibilistic semantics “approximates” the probabilistic one
• sound probabilistic refinement: Q via Qpr [Larsen & Skou ’91]
• Qpr = Qps for finite-state Markov decision processes.
Specification of abstraction
S = state set of the un-abstracted model, A = finite target state set of the abstract model:
• specify a left/right-total relation Q : S → A;
• this determines an abstract model over A with the discrete σ-algebra …
• … which makes Q into a refinement.
Understanding the lift
1. μ in [F → P] ⇒ μ_Q(B) = μ(Q.B) is well defined
2. (μ, μ_Q) in Qps
3. (μ, η) in Qps ⇒ η ≤ μ_Q
4. the converse of 3. holds if Q is the graph of a function
5. S finite state set of a Markov decision process ⇒ Qps = Qpr & same abstractions
… 4. holds if A is a finite set of measurable equivalence classes, e.g. predicate abstraction w.r.t. finitely many measurable predicates.
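To make the lift, the lifted relation Qps and the possibilistic EX>r check concrete, here is an added Python example; it is not code from Huth's slides or from any tool of his. It uses a small constructed four-state model with one transition measure at s0 and the abstraction relation Q whose blocks t0 = {s0, s1, s3} and t1 = {s2} are the ones named in the earlier figure; it computes μ_Q, checks (μ, μ_Q) in Qps by enumerating the discrete σ-algebra, shows that a measure exceeding μ_Q on t0 is rejected (item 3), and runs EX>r in assertion and consistency mode. The weights, labels, the formula EX>0.7 p, and the reading of atoms at abstract states (assertion: p at every concrete state of the block; consistency: p at some state) are assumptions of the example, not taken from the slides.

```python
"""Added example, not part of Huth's slides: the lift of a transition measure
along an abstraction relation Q, the lifted relation Qps, and the possibilistic
EX>r check, for a finite state set with the discrete sigma-algebra (every subset
is measurable, so a measure is fixed by its weight per state).
All states, labels, weights and the formula below are constructed."""
from itertools import combinations

# Constructed concrete model: four states, atomic propositions p and q,
# and one transition measure attached to s0 (weight per successor).
S = ["s0", "s1", "s2", "s3"]
LABELS = {"s0": set(), "s1": {"p"}, "s2": set(), "s3": {"p", "q"}}
R_CONCRETE = {"s0": [{"s1": 0.5, "s2": 0.25, "s3": 0.25}]}  # state -> list of measures

# Abstraction relation Q : S -> A as a set of pairs; the blocks t0 = {s0, s1, s3}
# and t1 = {s2} are the ones named on the slides.
A = ["t0", "t1"]
Q = {("s0", "t0"), ("s1", "t0"), ("s3", "t0"), ("s2", "t1")}


def post(x, q):
    """X.Q: the abstract states related to some state of X."""
    return frozenset(t for (s, t) in q if s in x)


def pre(y, q):
    """Q.Y: the concrete states related to some state of Y."""
    return frozenset(s for (s, t) in q if t in y)


def measure(m, x):
    """m(X) for a measure given as a weight per state."""
    return sum(m.get(s, 0.0) for s in x)


def subsets(states):
    return (frozenset(c) for r in range(len(states) + 1)
            for c in combinations(states, r))


def lifted(m, h, q, s1, s2, eps=1e-9):
    """(m, h) in Qps: m(X) <= h(X.Q) and h(Y) <= m(Q.Y) for all measurable X, Y.
    Exhaustive over subsets, which is fine for the handful of states used here."""
    return (all(measure(m, x) <= measure(h, post(x, q)) + eps for x in subsets(s1))
            and all(measure(h, y) <= measure(m, pre(y, q)) + eps for y in subsets(s2)))


def lift(m, q, s2):
    """mQ(t) := m(Q.{t}); on a discrete sigma-algebra this fixes mQ on every set."""
    return {t: measure(m, pre({t}, q)) for t in s2}


def abstract_atom(t, prop, mode, q, labels):
    """Three-valued atom at an abstract state (assumed predicate-abstraction reading):
    assertion mode needs p at every concrete state of the block, consistency at some."""
    block = [s for (s, u) in q if u == t]
    return (all if mode == "a" else any)(prop in labels[s] for s in block)


def ex_gt(r, measures, target):
    """s |= EX>r phi: some transition measure at s gives the phi-states weight > r."""
    return any(measure(m, target) > r for m in measures)


def demo():
    mu = R_CONCRETE["s0"][0]
    mq = lift(mu, Q, A)                                    # {'t0': 0.75, 't1': 0.25}
    in_qps = lifted(mu, mq, Q, S, A)                       # item 2: (mu, mu_Q) in Qps
    too_big = lifted(mu, {"t0": 0.8, "t1": 0.2}, Q, S, A)  # violates item 3 on {t0}
    # Concrete check: s0 |= EX>0.7 p, the p-states being s1 and s3 (weight 0.75).
    p_concrete = {s for s in S if "p" in LABELS[s]}
    concrete = ex_gt(0.7, R_CONCRETE["s0"], p_concrete)
    # Abstract checks at t0 over the lifted measure: assertion mode cannot certify
    # EX>0.7 p (t0 contains s0, where p fails); consistency mode keeps it possible.
    r_abstract = {"t0": [mq]}
    p_assert = {t for t in A if abstract_atom(t, "p", "a", Q, LABELS)}
    p_consist = {t for t in A if abstract_atom(t, "p", "c", Q, LABELS)}
    assert_mode = ex_gt(0.7, r_abstract["t0"], p_assert)
    consist_mode = ex_gt(0.7, r_abstract["t0"], p_consist)
    return mq, in_qps, too_big, concrete, assert_mode, consist_mode


if __name__ == "__main__":
    print(demo())
```

The run reproduces the two soundness directions on this toy: the consistency check at t0 agrees with the concrete truth at s0 (direction 2, s |=c φ ⇒ t |=c φ), while the assertion check at t0 refuses to certify EX>0.7 p because its block mixes p-states with s0, so no unsound verification certificate is produced.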
Example re-visited
[Figure: the concrete and abstract model from before, abstracted along the predicate ¬(¬p & ¬q) into t0 = { s0, s1, s3 } and t1 = { s2 }; only γ_Q is in Ra; the abstract check shown is t0 |=a ¬EX>3/4 ¬EX>3/10 ¬p.]
Conclusions
• transferred three-valued model checking to quantitative systems;
• showed that probabilistic systems and Larsen & Skou simulations are a special instance of such a transfer;
• re-assessed existing work on abstraction of probabilistic systems in this context; and
• showed that this approach works for an important class of finite-state abstractions.