Compositional Formal Verification using MOCHA
PI: Tom Henzinger
Student 1: Freddy Mang (game-theoretic methods)
Student 2: Ranjit Jhala (probabilistic systems)
UC Berkeley

Compositional Methods for Probabilistic Systems
Luca De Alfaro, Thomas A. Henzinger, Ranjit Jhala
UC Berkeley
Introduction
• A lot of work on making model checking a viable industrial tool
  • Symbolic Model Checking
  • Assume-Guarantee based "Compositional" Reasoning
• The work has focused on systems that can be modelled accurately using non-determinism
• Loss of information: many systems cannot be appropriately modelled, e.g. Communication Protocols, Embedded Components
• Goal: To extend MOCHA to model and verify systems with probabilistic behavior
  • Assume-Guarantee style reasoning for such systems
Compositional Models
• System Model is Compositional if:
  • Systems can be composed to obtain more complex systems
  • System properties can be decomposed into component properties
• For non-deterministic systems, the trace-based or linear-time view
  • Advantages:
    • Refinement is simply trace containment
    • Assume-Guarantee rule to decompose refinement proof
    • Simulation as algorithmically checkable sufficient criterion for checking refinement
• We conservatively generalise the trace-based view to systems with both non-deterministic and probabilistic choice
  • Our approach inherits the advantages mentioned above
The Linear-time (Trace-based) View
• Given a set of variables X:
  • X-state: A valuation of the variables in X
  • X-trace: A sequence of X-states
  • X-language: A set of X-traces
• Given a system P with variables X, its semantics |[ P ]| is an X-language
• Refinement corresponds to trace inclusion:
  • P ⊑ Q if |[ P ]| ⊆ |[ Q ]|
Benefits of Linear-time View
• Parallel composition corresponds to set intersection:
  • |[ P ∥ Q ]| = |[ P ]| ∩ |[ Q ]|
• Assume-Guarantee rule to decompose refinement checks [Abadi & Lamport 94, Alur & Henzinger 99, McMillan 97]
  • To show P1 ∥ P2 ⊑ Q1 ∥ Q2 it suffices to check P1 ∥ Q2 ⊑ Q1 and Q1 ∥ P2 ⊑ Q2
• Simulation is an algorithmically efficient sufficient condition for refinement
Probabilistic Systems
• We wish to model transition systems that can make both Probabilistic and Non-deterministic choice
• At a state, the system does the following:
  • Picks one of several available distributions (or moves) over next states non-deterministically
  • Picks a next state at random from the chosen distribution
Related Work
• A large body of work on the modelling and verification of probabilistic systems
  • Vardi 1985, Courcoubetis & Yannakakis 1989
  • Basic Model: Markov Decision Processes
  • Defining the behaviour using schedulers
• Several complicated "branching-time" models based on Process Algebras: [JL91], [LS90]
• Models based on I/O Automata by Segala [Segala95]
  • Semantics described as Trace Distributions
  • Refinement as trace distribution inclusion
• Our contribution:
  • First simple "linear-time" style model with compositional semantics that allow Assume-Guarantee reasoning
  • Generalize traces to bundles, demonstrate that many of the properties of linear-time models generalize to systems with probabilistic choice
Prob. Systems: Example
(Figure: a state with two available moves, one with probabilities ¼, ¾ and one with probabilities ½, ½ over the next states.)
• There are 2 possible behaviours arising from the non-deterministic choice at that state:
  • the move ¼, ¾
  • the move ½, ½
Semantics of Probabilistic Systems
• Given a set of variables X:
  • X-state: A valuation of the variables in X
  • X-Move: A distribution over X-states
  • X-trace: A sequence of X-states
  • X-bundle: A distribution over X-traces
  • X-Probabilistic Language: A set of X-bundles
• Given a Probabilistic system P with variables X, its semantics |[ P ]| is an X-Probabilistic language
• Refinement corresponds to bundle inclusion:
  • P ⊑ Q if |[ P ]| ⊆ |[ Q ]|
Semantics: dealing with choices
• Non-deterministic, Probabilistic choice are "orthogonal"
• Factor out non-determinism using schedulers [Derman70, Vardi 1985, Courcoubetis & Yannakakis 1989]
• Given a scheduler, the execution is fully probabilistic
• Outcome: A sequence of bundles of length i, ∀ i > 0
• Semantics: Sum of the outcomes for all the different schedulers
Schedulers: Example
(Figure: a system whose initial move is ½, ½; the left column lists the Schedulers, the right column the Outcomes (Bundles), each bundle of the form { ½: trace, ½: trace }.)
• 4 Possible Schedulers, one outcome (bundle) for each
Non-Det. Choice vs Prob. Choice
(Figure: system A makes a single probabilistic move with probabilities ½, ½; system B makes a non-deterministic choice between two moves, each with probability 1.)
• Non-deterministic choice is more flexible than probabilistic choice
• We want A ⊑ B, but …
  • Bundles of A: { ½, ½ }
  • Bundles of B: { 1 } and { 1 }, one per deterministic choice
Non-Det. Choice vs Prob. Choice
(Figure: A with its ½, ½ move; B with its two non-deterministic moves combined into ε, 1-ε.)
• Solution: Let the Scheduler be randomized
  • The scheduler of B can flip a coin to decide which non-deterministic choice to pick
  • The move of B is then the convex combination of its simple moves
• Bundles of B: { ε, 1-ε } for every ε ∈ [0,1]
  • In particular ε = ½ matches A's bundle
Concrete Model: Probabilistic Modules
• Based on Reactive Modules [AH99]
• State based model, each state corresponds to a valuation of the variables of the system
• Probabilities enter in the update values of the variables
• Module is made up of a set of Atoms
  • Each atom controls a set of variables
  • Atom: A set of guarded commands
  • At a state, out of the guards that are true (non-det choice) the system picks one command and updates variables using the distribution over next values of the command
Probabilistic Modules
Transitions & Actions: Given X, Y, two sets of variables
• Probabilistic Transition from X to Y is a pair (s, m) ∈ X-state × Y-move
• Probabilistic Action from X to Y: A set of Probabilistic Transitions
Atoms:
• Atom A has variables readX(A), ctrX(A)
• A probabilistic Initial Action: initF(A) from ∅ to ctrX(A)
• A probabilistic Update Action: updateF(A) from readX(A) to ctrX(A)
Probabilistic Modules
Modules:
• Declaration: 3 sets of variables extlX, intfX, privX
• The observable variables obsX = intfX ∪ extlX
• Body: Finite set of Atoms, s.t. { ctrX(A) | A ∈ Atoms } partitions intfX ∪ privX

Example:
Module A
  Interface x, y
  External z
  Atom Ax controls x
    Init   [] true -> ½: x := 0, ½: x := 1
    Update [] true -> x' := x
           [] y    -> ¼: x' := ¬z, ¾: x' := z
  Atom Ay controls y
    Init   [] true -> y := 0
           [] true -> y := 1
    Update [] true -> y' := z
Operations: Parallel Composition
P1, P2 may be composed only if they have the same observables
Result: P1 ∥ P2 where:
• privX(P1 ∥ P2) = privX(P1) ∪ privX(P2)
• intfX(P1 ∥ P2) = intfX(P1) ∪ intfX(P2)
• extlX(P1 ∥ P2) = (extlX(P1) ∪ extlX(P2)) \ intfX(P1 ∥ P2)
• Atoms(P1 ∥ P2) = Atoms(P1) ∪ Atoms(P2)
Semantics: Schedulers & Outcomes
Scheduler
• A scheduler s from X to Y: X-traces → Y-moves
Outcome
• Given a scheduler s from X to X, Outcome(s) is the set of bundles b_i where:
  • b_i(t) = b_{i-1}(t(1) … t(i-1)) × s(t(1) … t(i-1))(t(i))
  • b_0 = the "empty" bundle
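The outcome recurrence above and the randomized-scheduler argument from the "Non-Det. Choice vs Prob. Choice" slides, worked as an added example (not code from the talk or from MOCHA): `outcome` builds the bundles b_1, b_2, … of a scheduler, and the two one-variable modules A and B are constructed here to reproduce the ½/½ versus ε/1-ε comparison.

```python
from fractions import Fraction as F

# States are ints (the value of x); a move is {next_state: prob}; a bundle is
# {trace: prob} with traces as tuples.  Both modules are constructed for this example.
def outcome(scheduler, length):
    """Bundles b_1..b_length of a scheduler s (a function trace -> move), computed by
    b_i(t) = b_{i-1}(t(1)..t(i-1)) * s(t(1)..t(i-1))(t(i)), with b_0 the empty bundle."""
    bundles, prev = [], {(): F(1)}
    for _ in range(length):
        cur = {}
        for trace, p in prev.items():
            for nxt, q in scheduler(trace).items():
                if p * q:                       # drop zero-probability traces
                    cur[trace + (nxt,)] = p * q
        bundles.append(cur)
        prev = cur
    return bundles

# Module A: Init [] true -> ½: x := 0, ½: x := 1;   Update [] true -> x' := x.
def sched_A(trace):
    return {0: F(1, 2), 1: F(1, 2)} if not trace else {trace[-1]: F(1)}

# Module B: Init [] true -> x := 0  [] true -> x := 1;   Update [] true -> x' := x.
def sched_B(eps):
    """Randomized scheduler of B: an eps-biased coin picks between the two init
    commands, so B's initial move is the convex combination eps*(x:=0) + (1-eps)*(x:=1).
    eps in {0, 1} gives B's two deterministic schedulers."""
    def s(trace):
        return {0: eps, 1: 1 - eps} if not trace else {trace[-1]: F(1)}
    return s

def b_matches_a(eps, length=3):
    """Do the bundles of B under the eps-scheduler coincide with A's bundles?"""
    return outcome(sched_B(eps), length) == outcome(sched_A, length)

if __name__ == "__main__":
    print(outcome(sched_A, 2)[1])      # A's length-2 bundle: ½ on (0, 0), ½ on (1, 1)
    print(b_matches_a(F(0)), b_matches_a(F(1, 2)))
```

Only ε = ½ reproduces A's bundles, so A ⊑ B; conversely ε = ¼ gives B a bundle A cannot produce, which is the "more flexible" direction.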
Semantics: Atomic Schedulers
Schedulers of a Module:
• Based on the schedulers of each Atom
Atom Schedulers:
• atomΣ(A) = set of all schedulers s from readX(A) to ctrX(A) s.t.
  • (·, s(ε)) ∈ initF(A)
  • (t(n), s(t)) ∈ updateF(A) for all readX(A)-traces t of length n
Composing Atom Schedulers:
• For schedulers s1 from X1 to Y1, s2 from X2 to Y2, s.t. Y1 ∩ Y2 = ∅:
  • (s1 × s2) from X1 ∪ X2 to Y1 ∪ Y2 s.t. (s1 × s2)(t) = s1(t[X1]) × s2(t[X2])
Module Semantics
Schedulers of P
• extlΣ(P) = set of all schedulers from extlX(P) ∪ intfX(P) to extlX(P)
• modΣ(P) = extlΣ(P) × ∏_{A ∈ Atoms(P)} atomΣ(A)
Language of P
• L(P) = ∪_{s ∈ modΣ(P)} Outcome(s)
Trace Semantics of P
• |[ P ]| = L(P)
The Importance of Atoms
Module A
  Interface x, y
  Atom Axy controls x, y
    Init [] true -> x, y := 0, 0
         [] true -> x, y := 0, 1
         [] true -> x, y := 1, 0
         [] true -> x, y := 1, 1

Module B
  Interface x, y
  Atom Bx controls x
    Init   [] true -> x := 0
           [] true -> x := 1
    Update [] . . .
  Atom By controls y
    Init   [] true -> y := 0
           [] true -> y := 1
    Update [] . . .

• A ⋢ B because:
  • A has a bundle where x, y have correlated values { ½: 0,0  ½: 1,1 }
  • In B's bundle it is not possible to get correlation, despite complete non-det in each atom, as the schedulers are independent
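Why the atom structure matters, as an added example (not code from the talk): it implements the composition (s1 × s2)(t) = s1(t[X1]) × s2(t[X2]) of the atom schedulers from the previous slide and uses it to check that every initial move of module B is a product distribution, whereas the correlated move of module A is not. Variable and module names follow the slide; the product test `is_product` is this example's own criterion.

```python
from fractions import Fraction as F
from itertools import product

# A state is a frozenset of (variable, value) pairs; a move is {state: prob}.
def state(**vals):
    return frozenset(vals.items())

def project(st, vars_):
    return frozenset((v, x) for v, x in st if v in vars_)

def mix(moves, weights):
    """Randomized atom scheduler: convex combination of the atom's enabled commands."""
    out = {}
    for move, w in zip(moves, weights):
        for st, p in move.items():
            out[st] = out.get(st, F(0)) + w * p
    return {st: p for st, p in out.items() if p}

def compose(s1, X1, s2, X2):
    """(s1 x s2)(t) = s1(t[X1]) x s2(t[X2]): each atom scheduler sees only its own
    variables, and the two moves are combined as a product distribution."""
    def s(trace):
        m1 = s1(tuple(project(st, X1) for st in trace))
        m2 = s2(tuple(project(st, X2) for st in trace))
        return {a | b: p * q for (a, p), (b, q) in product(m1.items(), m2.items())}
    return s

def marginal(move, var):
    out = {}
    for st, p in move.items():
        out[dict(st)[var]] = out.get(dict(st)[var], F(0)) + p
    return out

def is_product(move, x, y):
    """True iff the joint distribution of x and y factors into its marginals."""
    mx, my = marginal(move, x), marginal(move, y)
    joint = {(dict(st)[x], dict(st)[y]): p for st, p in move.items()}
    return all(joint.get((a, b), F(0)) == mx[a] * my[b] for a in mx for b in my)

# Module A: atom Axy controls x,y with four non-deterministic init commands; a
# randomized scheduler mixing the 1st and 4th gives the correlated move {½: 00, ½: 11}.
AXY_COMMANDS = [{state(x=a, y=b): F(1)} for a in (0, 1) for b in (0, 1)]
A_CORRELATED = mix(AXY_COMMANDS, [F(1, 2), F(0), F(0), F(1, 2)])

# Module B: atoms Bx and By each choose their own variable's init value.
def atom_sched(var, p_zero):
    return lambda trace: mix([{state(**{var: 0}): F(1)}, {state(**{var: 1}): F(1)}],
                             [p_zero, 1 - p_zero])

def init_move_B(p_x0, p_y0):
    """Initial move of B under the composed scheduler (sched of Bx) x (sched of By)."""
    return compose(atom_sched("x", p_x0), {"x"}, atom_sched("y", p_y0), {"y"})(())
```

Because `compose` can only form products, no choice of the two coin biases makes `init_move_B` equal to `A_CORRELATED`, which is exactly why A ⋢ B.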
Why Visibility Restrictions?
Module P
  Intf p
  Extl q
  Priv p_
  Atom Patom controls p, p_
    Init   [] true -> ½: p, p_ := 0, 0   ½: p, p_ := 0, 1
    Update [] true -> p', p_' := p_, p_

Module Q
  Intf q
  Extl p
  Priv q_
  Atom Qatom controls q, q_
    Init   [] true -> ½: q, q_ := 0, 0   ½: q, q_ := 0, 1
    Update [] true -> q', q_' := q_, q_

• Motivated by need to restrict the power of the environment
• Environment must not be able to read Private variables
• If the environment could, then both P and Q could have a bundle:
  • { ½: pq = 00 → 00,  ½: pq = 00 → 11 }
• P ∥ Q can have no such bundle
• Thus semantics would not be compositional
Compositional Semantics
Theorem [Semantics of Parallel Composition]: |[ P1 ∥ P2 ]| = |[ P1 ]| ∩ |[ P2 ]|
• The behaviours of P1 ∥ P2 are the intersection of the behaviours of P1 and P2
Refinement Between Modules
Module Refinement: P ⊑ Q if:
• intfX(P) ⊇ intfX(Q) and extlX(P) ⊇ extlX(Q)
• |[ P ]| ⊆ |[ Q ]|
Refinement Is Compositional
Theorem: Refinement is Compositional
• P ∥ Q ⊑ P
• If P ⊑ Q, then P ∥ R ⊑ Q ∥ R
Theorem: Assume-Guarantee
• If P1 ∥ Q2 ⊑ Q1 and Q1 ∥ P2 ⊑ Q2, then P1 ∥ P2 ⊑ Q1 ∥ Q2
Checking Refinement
• Sufficient condition for bundle inclusion:
  • Probabilistic Simulation [JL91, SL95] suffices for two closed systems each with a single atom
  • We modify this relation to extend it to our setting (where there are visibility restrictions)
  • We use an algorithm based on that of [BEM99] to check atomic Simulation
• This approach makes the decomposition of the proof mandatory
Simulation: Example
(Figure: system A with a move of probabilities ½, ½ over two states; system B with a move of probabilities ¼, ½, ¼ over three states.)
• The three states of B match the two states of A
• The probabilities are distributed over the states
• Each state of B "mimics" a state of A according to how much of that A-state's weight is assigned to the B-state
Bundle Inclusion but not Simulation
(Figure: two systems, each with ½, ½ moves, where bundle inclusion holds but no simulation relation exists.)
• Difficulty of computing bundle inclusion:
  • A distribution of states of one system is equivalent to a distribution of states of the other
  • Schedulers look at histories: they can look at the entire trace
  • Modularity brings some problems, thus the standard simulation does not work
Current Work
• Algorithm to check Bundle Inclusion exactly
• Implementation of this work: extending MOCHA to handle probabilistic systems
• Case Studies:
  • Communication Protocols with probabilistic behaviour
  • Embedded Components with probabilistic environments
• Logics for Specification:
  • Correctness and performance properties
  • Compositional reasoning
References
• M. Abadi & L. Lamport 1994: The Existence of Refinement Mappings, TOPLAS
• R. Alur & T. A. Henzinger 1999: Reactive Modules, Formal Methods in System Design 1999
• K. L. McMillan 1999: A Compositional Rule for Hardware Design Refinement, CAV97
• Derman 1970: Markov Decision Processes
• M. Vardi 1985: Automatic Verification of Probabilistic Concurrent Finite-State Programs, FOCS 85
• C. Courcoubetis & M. Yannakakis: The Complexity of Probabilistic Verification, JACM 1995
• [BEM99] C. Baier, B. Engelen & C. Majster-Paderborn: Deciding Bisimilarity and Similarity for Probabilistic Processes, JCSS 1999
• [JL91] B. Jonsson & K. Larsen: Specification and Refinement of Probabilistic Processes, LICS 1991