Performance Evaluation := (Process Algebra + Model Checking) x Markov Chains
Holger Hermanns and Joost-Pieter Katoen, with contributions of Christel Baier, Ed Brinksma, Boudewijn Haverkort, Ulrich Herzog, Joachim Meyer-Kayser, Markus Siegle
A reactive, embedded system: the 'Hubble Space Telescope' and its stabilising unit
A simple model of the Hubble
Each gyroscope may fail (f). The telescope turns into sleep mode if fewer than 3 gyroscopes remain operational (s). Without an operational gyroscope the telescope eventually crashes. The base station prepares a shuttle mission to repair the telescope (r).
[Figure: labelled transition system with states 6, 5, 4, 3, 2, 1 (number of operational gyroscopes), two sleep states and crash; transitions are labelled f (failure), s (sleep) and r (repair)]
What is this? What is it good for?
• A model
• A stochastic model
• A continuous-time Markov model
Prediction of the system behaviour: computer-assisted analysis of correctness, performance and dependability on the basis of a model, instead of the real system.
[Figure: the Hubble transition system again]
Quantitative Verification
"Information technology is finally reaching a scale where probabilistic methods should play a larger role in system design."
D. Tennenhouse, director of research, Intel Corp.; Proactive Computing, Communications of the ACM, May 2000
Why probabilities?
Practically relevant for
• deterministically unsolvable problems: randomised distributed algorithms
• unreliable and unpredictable system behaviour: fault-tolerant systems, ...
• performance and dependability analysis: 'quality of service', ...
• weighting important (likely/frequent) and unimportant (unlikely/rare) aspects in the specification
• approximating large 'populations' of discrete structures
A Markov model of the Hubble
Each gyroscope possesses a failure rate f. Turning on sleep mode takes some time (rate s). Without an operational gyroscope the telescope eventually crashes. The base station prepares a shuttle mission to repair the telescope (rate r).
[Figure: CTMC with states 6, 5, 4, 3, 2, 1, two sleep states and crash; with i operational gyroscopes the next failure has rate i·f (6f, 5f, 4f, 3f, 2f, f), entering sleep mode has rate s, repair has rate r]
Specification formalisms for CTMCs
• stochastic Petri nets [Molloy]
• Markovian queueing networks [Muppala & Trivedi]
• stochastic automata networks [Plateau]
• stochastic process algebra [Herzog et al]
• probabilistic I/O automata [Stark et al]
and many variants/combinations thereof.
Continuous-time Markov chains (CTMCs)
• (finite-state) automata
• all times are exponentially distributed: a delay X with rate h satisfies Pr(X > t) = e^(-h·t)
• sojourn times in states are memoryless
• a very well investigated class of stochastic processes, widely used in practice
• the best guess if only mean values are known
• efficient and numerically stable algorithms for stationary and transient analysis are available
Transient and Stationary Behaviour of CTMCs
[Figure: a small CTMC with rates 2, 1, 3, 3, 1, and plots of its transient probability over time converging to the stationary ('steady state') probability]
Model Checking CTMCs (outline)
• Continuous Stochastic Logic
• Fixpoint Characterisations
• Model Checking Algorithms
• Extensions and Applications
Model Checking
• Automated verification technique
• Checks whether a given finite-state model satisfies a given requirement, by
  • systematic state-space exploration
  • effective means to combat the state-space explosion
• Some model checkers: Spin, SMV, Murφ, Uppaal
• Application areas:
  • hardware verification (VHDL code, ...)
  • software validation (storm surge barrier, ...)
  • software bug hunting (web server design, e-commerce, ...)
CTL - Computation Tree Logic [Clarke & Emerson 83]
• a branching-time temporal logic
• powerful specification language for requirements
• widely used
state-formulas Φ:
• true
• a ('atomic proposition')
• Φ1 ∧ Φ2 ('and')
• ¬Φ ('not')
• ∀φ ('for All paths')
• ∃φ ('there Exists a path')
path-formulas φ:
• XΦ ('neXt')
• Φ1 U Φ2 ('Until')
• ◇Φ = true U Φ ('eventually')
• □Φ ('invariantly')
Model checking CTL by example
Given: a finite-state model and a CTL state-formula Φ.
Strategy: calculate recursively the sets Sat(Ψ) = { s | s satisfies Ψ } for all sub-formulas Ψ of Φ.
Example on the Hubble model: Φ = ( 6 U sleep ) with a path quantifier in front. Initialisation with Sat(6) and Sat(sleep); the first, second, third, fourth and fifth iteration each add states; after the fifth iteration the fixed point is reached.
[Figure: the Hubble transition system with states 6, 5, 4, 3, 2, 1, sleep, crash, and the set computed in each iteration]
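The fixpoint iteration described above, as an added example that is not part of the slides: a small CTL checker in Python over a constructed version of the Hubble graph. The state names, the successor relation and the atomic propositions ('up', 'sleep' and each state's own name) are assumptions; the formula E(up U sleep) plays the role of the slides' (6 U sleep), and the trace of iterates shows the initialisation and the iterations up to the fixed point.

```python
"""CTL model checking by least-fixpoint iteration over Sat-sets.

Added example (not from the slides). The graph is a constructed version of
the slides' Hubble transition system; the state names, successor relation
and atomic propositions below are assumptions.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

State = str
Formula = Tuple  # ('true',) | ('ap', a) | ('not', f) | ('and', f, g)
                 # | ('EX', f) | ('EU', f, g) | ('AU', f, g)

# Constructed model: state -> successor states. '6'..'1' = number of
# operational gyroscopes; 'sleep2'/'sleep1' = sleep mode entered with 2/1
# gyroscopes left; 'crash' is a sink.
SUCC: Dict[State, Set[State]] = {
    "6": {"5"}, "5": {"4"}, "4": {"3"}, "3": {"2"},
    "2": {"1", "sleep2"}, "1": {"crash", "sleep1"},
    "sleep2": {"sleep1", "6"}, "sleep1": {"crash", "6"},
    "crash": {"crash"},
}
# Labelling L(s): every state carries its own name as an atomic proposition,
# the operational states also 'up', the sleep states also 'sleep'.
LABELS: Dict[State, Set[str]] = {s: {s} for s in SUCC}
for s in ("6", "5", "4", "3", "2", "1"):
    LABELS[s].add("up")
for s in ("sleep2", "sleep1"):
    LABELS[s].add("sleep")


def pre_exists(succ: Dict[State, Set[State]], target: FrozenSet[State]) -> FrozenSet[State]:
    """States with at least one successor in `target` (for E-operators)."""
    return frozenset(s for s in succ if succ[s] & target)


def pre_forall(succ: Dict[State, Set[State]], target: FrozenSet[State]) -> FrozenSet[State]:
    """States all of whose successors lie in `target` (for A-operators)."""
    return frozenset(s for s in succ if succ[s] <= target)


def until_trace(f: Formula, succ=SUCC, labels=LABELS) -> List[FrozenSet[State]]:
    """Iterates of the least fixpoint for E(f1 U f2) / A(f1 U f2):
    Z0 = Sat(f2), Z(i+1) = Zi | (Sat(f1) & pre(Zi)), stopping at the fixpoint.
    The returned list holds Z0 and every iterate that added states."""
    op, sat1, sat2 = f[0], sat(f[1], succ, labels), sat(f[2], succ, labels)
    pre = pre_exists if op == "EU" else pre_forall
    trace = [sat2]
    while True:
        nxt = trace[-1] | (sat1 & pre(succ, trace[-1]))
        if nxt == trace[-1]:          # fixed point reached
            return trace
        trace.append(nxt)


def sat(f: Formula, succ=SUCC, labels=LABELS) -> FrozenSet[State]:
    """Sat(f): the states satisfying the CTL formula f, computed recursively
    over its sub-formulas as on the slides."""
    states = frozenset(succ)
    op = f[0]
    if op == "true":
        return states
    if op == "ap":
        return frozenset(s for s in states if f[1] in labels[s])
    if op == "not":
        return states - sat(f[1], succ, labels)
    if op == "and":
        return sat(f[1], succ, labels) & sat(f[2], succ, labels)
    if op == "EX":
        return pre_exists(succ, sat(f[1], succ, labels))
    if op in ("EU", "AU"):
        return until_trace(f, succ, labels)[-1]
    raise ValueError(f"unknown operator {op!r}")


if __name__ == "__main__":
    phi = ("EU", ("ap", "up"), ("ap", "sleep"))   # E(up U sleep)
    for i, z in enumerate(until_trace(phi)):
        print(f"iteration {i}: {sorted(z)}")
    print("Sat(E(up U sleep)) =", sorted(sat(phi)))
    print("Sat(A(true U crash)) =", sorted(sat(("AU", ("true",), ("ap", "crash")))))
```

until_trace returns the chain Z0 ⊆ Z1 ⊆ ... up to the fixed point. For the A-until the pre-image is the universal one (all successors already in Z), which is why A(true U crash) collects only the crash state itself: from every other state the repair loop offers a path that never crashes.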
Basic idea
• specify a desired performance/reliability property using an appropriate extension of temporal logic, e.g. P<0.01(◇^{≤10} error), S<10^{-6}(error), or similar
  • the probability that an error occurs within 10 years is less than 1 %
  • the probability that an error occurs in equilibrium is less than 10^{-6}
• interpret and check these formulas on CTMCs
CSL - Continuous Stochastic Logic [Baier et al]
CTL plus
• probabilistic path-quantifier [Hansson and Jonsson]
• probabilistic 'time-bounded until' [Aziz et al]
• stationary probability quantifier
CTL state-formulas Φ: true; a (atomic proposition); Φ1 ∧ Φ2 (and); ¬Φ (not); ∀φ (for all paths); ∃φ (there is a path)
CTL path-formulas φ: XΦ (neXt); Φ1 U Φ2 (Until)
CSL state-formulas Φ: true; a (atomic proposition); Φ1 ∧ Φ2 (and); ¬Φ (not); S~p(Φ) (stationary probability); P~p(φ) (path probability)
CSL path-formulas φ: X^I Φ (timed neXt); Φ1 U^I Φ2 (timed Until)
A few requirements for the Hubble (time 0 = 1990)
• availability? S>p(¬(sleep ∨ crash))
• gyroscope failure between 1993 and 1997? P>q([3,7] 6)
• sleep mode between 1997 and September 1999? Pr(¬sleep U^[7,9.8] sleep)
• risk of a crash before 2010? P<10^{-2}(◇^[0,20] crash)
[Figure: the Hubble CTMC with concrete rates: failure rates 0.6, 0.5, 0.4, 0.3, 0.2, 0.1 for states 6 down to 1; the remaining rates shown are 100, 100, 0.1, 6, 6 and 0.2 on the sleep, repair and crash transitions]
Formal semantics of CSL (1)
State formulas:
• s ⊨ a iff a ∈ L(s)
• s ⊨ Φ1 ∧ Φ2 iff s ⊨ Φi for i = 1, 2
• s ⊨ ¬Φ iff s ⊭ Φ
• s ⊨ S~p(Φ) iff the probability that "in the long run" (i.e. as time t grows) the system is in a Φ-state at time t, when starting in s, satisfies ~p
• s ⊨ P~p(φ) iff the probability of the paths starting in s that satisfy φ satisfies ~p; this requires a σ-algebra and a probability measure Prob on the paths of the CTMC
Formal semantics of CSL (2)
Path formulas are interpreted over the paths σ from a state s in a CTMC: a path is an alternating sequence of states and sojourn times s0, t0, s1, t1, ..., where state s1 wins the race in s0 after t0 time units, and so on.
• σ ⊨ X^I Φ iff s1 ⊨ Φ and t0 ∈ I
• σ ⊨ Φ1 U^I Φ2 iff there is a time t ∈ I such that the state of σ at time t satisfies Φ2 and every state of σ before time t satisfies Φ1
Model Checking CTMCs (outline recap): Continuous Stochastic Logic • Fixpoint Characterisations • Model Checking Algorithms • Extensions and Applications
Model checking CSL
Given: a CTMC and a CSL state-formula Φ.
Strategy: recursively compute the sets Sat(Ψ) for all sub-formulas Ψ of Φ.
For the non-probabilistic fragment: as for CTL.
Model checking CSL: the steady-state operator
s ⊨ S~p(Φ) iff Σ_{s' ⊨ Φ} π(s, s') ~ p, where π(s, s') is the steady-state probability of s' when starting in s.
This requires slight adaptations of standard methods for steady-state probabilities:
• a graph algorithm determines the bottom strongly connected components (BSCCs)
• a system of linear equations yields the steady-state probability of each s' inside its BSCC B
• a further system of linear equations (or matrix-vector multiplication) yields the probability of reaching B from s
An example
Checking a nested formula of the shape S~0.5( P~0.98( ◇^{≤1.5} stable ) ) on a four-state CTMC.
[Figure: CTMC with states labelled {initial}, {unstable}, {stable}, {stable}, rates 2, 1, 3, 3, 1, and two bottom strongly connected components B1 and B2]
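An added example (not the slides' code, nor that of any model checker) of the three ingredients listed for the steady-state operator: BSCC detection by graph search, one linear system per BSCC for its internal steady-state distribution, and one linear system per BSCC for the reachability probabilities, combined into π(s, s') and the check of S~p(Φ). The four-state chain mirrors the example slide's labelling (initial, unstable, stable, stable) with two BSCCs; its rates are assumed, not the slide's, and the dense Gauss-Jordan solver stands in for the sparse iterative solvers a real tool uses.

```python
"""The CSL steady-state operator S~p(Phi) on a CTMC with several BSCCs.

Added example, not the slides' or any tool's code. The four-state chain is
constructed after the slide's example (labels initial / unstable / stable);
its rates (1, 3, 2, 1) are an assumption. The linear systems are solved by
dense Gauss-Jordan elimination; real tools use sparse iterative solvers.
"""
import operator
from typing import Dict, FrozenSet, List

Rates = Dict[str, Dict[str, float]]   # CTMC: state -> {successor: rate}

EXAMPLE: Rates = {
    "init": {"unst": 1.0, "x": 3.0},  # transient state
    "unst": {},                        # absorbing: BSCC B1
    "x": {"y": 2.0},                   # x and y form BSCC B2
    "y": {"x": 1.0},
}
LABELS = {"init": {"initial"}, "unst": {"unstable"}, "x": {"stable"}, "y": {"stable"}}
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}


def reachable(ctmc: Rates, s: str) -> FrozenSet[str]:
    seen, todo = {s}, [s]
    while todo:
        for v in ctmc[todo.pop()]:
            if v not in seen:
                seen.add(v)
                todo.append(v)
    return frozenset(seen)


def bsccs(ctmc: Rates) -> List[FrozenSet[str]]:
    """Bottom SCCs: mutually reachable state sets that no transition leaves."""
    reach = {s: reachable(ctmc, s) for s in ctmc}
    found, done = [], set()
    for s in ctmc:
        if s not in done:
            scc = frozenset(u for u in reach[s] if s in reach[u])
            done |= scc
            if all(v in scc for u in scc for v in ctmc[u]):
                found.append(scc)
    return found


def solve(a: List[List[float]], b: List[float]) -> List[float]:
    """Solve a x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[piv] = m[piv], m[c]
        for r in range(n):
            if r != c and m[r][c] != 0.0:
                f = m[r][c] / m[c][c]
                m[r] = [x - f * y for x, y in zip(m[r], m[c])]
    return [m[i][n] / m[i][i] for i in range(n)]


def steady_state_in(ctmc: Rates, scc: FrozenSet[str]) -> Dict[str, float]:
    """pi_B inside one BSCC: balance equations sum_s pi(s) Q(s,s') = 0 with
    Q(s,s') = R(s,s'), Q(s,s) = -E(s); the last one is replaced by sum pi = 1."""
    states = sorted(scc)
    idx = {s: i for i, s in enumerate(states)}
    n = len(states)
    a = [[0.0] * n for _ in range(n)]
    for s in states:
        for s2, r in ctmc[s].items():
            a[idx[s2]][idx[s]] += r
            a[idx[s]][idx[s]] -= r
    a[n - 1] = [1.0] * n
    x = solve(a, [0.0] * (n - 1) + [1.0])
    return {s: x[idx[s]] for s in states}


def reach_probs(ctmc: Rates, target: FrozenSet[str], comps: List[FrozenSet[str]]) -> Dict[str, float]:
    """x(s) = Prob(reach BSCC `target` from s): 1 inside it, 0 in other BSCCs,
    else x(s) = sum_s' P(s,s') x(s') with embedded DTMC P(s,s') = R(s,s')/E(s).
    This is the same kind of linear system as for an unbounded until."""
    states = sorted(ctmc)
    idx = {s: i for i, s in enumerate(states)}
    n = len(states)
    a = [[0.0] * n for _ in range(n)]
    b = [0.0] * n
    for s in states:
        i = idx[s]
        a[i][i] = 1.0
        if s in target:
            b[i] = 1.0
        elif not any(s in B for B in comps):       # transient state
            exit_rate = sum(ctmc[s].values())
            for s2, r in ctmc[s].items():
                a[i][idx[s2]] -= r / exit_rate
    x = solve(a, b)
    return {s: x[idx[s]] for s in states}


def long_run(ctmc: Rates, s: str) -> Dict[str, float]:
    """pi(s, s') = Prob(reach BSCC(s') from s) * pi_B(s'); 0 for transient s'."""
    comps = bsccs(ctmc)
    pi = {u: 0.0 for u in ctmc}
    for B in comps:
        r = reach_probs(ctmc, B, comps)[s]
        for u, p in steady_state_in(ctmc, B).items():
            pi[u] = r * p
    return pi


def check_S(ctmc: Rates, labels, s: str, prop: str, op: str, bound: float) -> bool:
    """s |= S~p(prop) iff the sum of pi(s, s') over prop-states s' satisfies ~p."""
    return OPS[op](sum(p for u, p in long_run(ctmc, s).items() if prop in labels[u]), bound)
```

For the constructed chain, check_S(EXAMPLE, LABELS, "init", "stable", ">=", 0.5) holds: B2 is reached with probability 3/4 and both of its states carry the label, while the absorbing B1 state takes the remaining 1/4. Any comparison operator and bound can be supplied in place of the slide's 0.5.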
Model checking CSL: the probabilistic state-formula P~p(φ)
'neXt step' X and 'until' U are treated as in the discrete-time case [Hansson & Jonsson]:
• X: one matrix-vector multiplication
• U: the vector of probabilities Prob(s, Φ1 U Φ2) is the least fixed point in [0,1] of
  • if s ⊨ Φ2 then 1
  • if s ⊭ Φ1 ∨ Φ2 then 0
  • if s ⊨ Φ1 ∧ ¬Φ2 then Σ_{s'} P(s, s') · Prob(s', Φ1 U Φ2)
  i.e. a system of linear equations, solved iteratively
Model checking 'time-bounded until'
The values U^t(s) = Prob(s, Φ1 U^[0,t] Φ2) are the least solution in [0,1] of a system of integral equations:
• if s ⊨ Φ2 then 1
• if s ⊭ Φ1 ∨ Φ2 then 0
• if s ⊨ Φ1 ∧ ¬Φ2 then ∫_0^t Σ_{s'} (probability to move from s to s' at time x) · U^{t-x}(s') dx
[Figure: a path leaving s for s' at time x within the bound t, continuing with the remaining time bound t-x]
Model Checking CTMCs (outline recap): Continuous Stochastic Logic • Fixpoint Characterisations • Model Checking Algorithms • Extensions and Applications
Model checking 'time-bounded until': Prob(s, Φ1 U^I Φ2) via transient analysis
• transient analysis determines a snapshot of the state probabilities at time t (if starting in state s at time 0)
• state of the art: uniformisation
  • numerically stable
  • (relatively) easy to implement: boils down to iterative matrix-vector multiplications
  • a priori calculation of the number of iterations based on the user-given accuracy
  • on-the-fly steady-state detection possible
Transient analysis of CTMCs
• transient probability distribution π(s, t): the (snapshot) probability at time t when starting in state s at time 0
• steady-state probability π(s): the long-run limit of π(s, t)
• in CSL expressed as P~p(◇^[t,t] at_s') and S~p(at_s')
• calculating transient probabilities: Chapman-Kolmogorov equation
Transient analysis of CTMCs
• Techniques: Runge-Kutta and (more efficient and accurate) uniformisation ("Jensen's method")
• Basic idea of uniformisation:
  • transform the CTMC into a corresponding DTMC
  • normalise transition rates w.r.t. the shortest (average) residence time
Uniformisation
CTMC: different outgoing rates per state, no self-loops.
DTMC: the same outgoing "rate" Λ* per state, branching probabilities, self-loops (which mimic delays).
[Figure: a three-state CTMC (states 0, 1, 2) with two distinct rates, and its uniformised DTMC with stepping rate Λ* equal to the sum of the two rates, branching probabilities rate/Λ*, and self-loops on each state]
Uniformisation (given stepping rate Λ*)
π(s, t) = Σ_{n ≥ 0} ψ(n; Λ*·t) · π_n(s), where
• ψ(n; Λ*·t) is the probability of n arrivals in [0, t] in a Poisson process with rate Λ*, computed recursively (Fox-Glynn)
• π_n(s) is the probability distribution in the DTMC after n steps, starting from state s, computed by matrix-vector multiplication
Round-off error can be calculated a priori: the number of steps in the DTMC follows from the required accuracy ε, and exact = computed + error with error ≤ ε.
Reduction to transient analysis
Aim: compute Prob(s, Φ1 U^I Φ2) via π(..., ...).
[Figure: state space partitioned into Φ1-states, Φ2-states and Φ1 ∧ Φ2-states, with s a Φ1-state]
Lemma A
Assume all Φ2-states are absorbing. Then Prob(s, Φ1 U^[0,t] Φ2) = Σ_{s' ⊨ Φ2} π(s, t)(s').
[Figure: the partitioned state space with the Φ2-states made absorbing]
Theorem 1
Prob_M(s, Φ1 U^[0,t] Φ2) = Prob_M'(s, Φ1 U^[0,t] Φ2) = Prob_M''(s, Φ1 U^[0,t] Φ2) = Σ_{s' ⊨ Φ2} π^{M''}(s, t)(s'),
where M' is M with all ¬Φ1 ∧ ¬Φ2-states made absorbing (once such a state is entered the until-formula can no longer be satisfied) and M'' is M' with all Φ2-states made absorbing (once such a state is entered the until-formula is satisfied); then apply Lemma A.
[Figure: the three chains M, M' and M'' side by side]
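Uniformisation as sketched above, together with the absorbing-state transformation of Theorem 1 and the summation of Lemma A, as an added Python example (not the slides' code, nor that of any tool). The Hubble rates are constructed: f = 0.1 failures per gyroscope and year, sleep rate 100 and repair rate 6 are the values legible in the requirements slide's figure, but their assignment to transitions is an assumption; the Poisson weights are computed in log space instead of with Fox-Glynn, and the truncation point is chosen a priori from the required accuracy as the slides describe.

```python
"""Transient analysis of a CTMC by uniformisation, and CSL time-bounded
until via the absorbing-state transformation (Theorem 1 / Lemma A).

Added example; not the slides' or any tool's code. The Hubble rates are
constructed: f = 0.1 failures per gyroscope and year, sleep rate 100 and
repair rate 6 are read off the slide's figure, and their assignment to
transitions is an assumption. Poisson weights are evaluated in log space
rather than with Fox-Glynn.
"""
import math
import operator
from typing import Dict, Set, Tuple

Rates = Dict[str, Dict[str, float]]   # CTMC: state -> {successor: rate}
Dist = Dict[str, float]               # probability vector

F, S_RATE, R = 0.1, 100.0, 6.0        # constructed rates (see docstring)
HUBBLE: Rates = {
    "6": {"5": 6 * F}, "5": {"4": 5 * F}, "4": {"3": 4 * F}, "3": {"2": 3 * F},
    "2": {"1": 2 * F, "sleep2": S_RATE},
    "1": {"crash": F, "sleep1": S_RATE},
    "sleep2": {"sleep1": 2 * F, "6": R},
    "sleep1": {"crash": F, "6": R},
    "crash": {},                        # absorbing
}
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}


def uniformise(ctmc: Rates) -> Tuple[float, Dict[str, Dict[str, float]]]:
    """Stepping rate Lambda (>= every exit rate) and the DTMC with
    P(s,s') = R(s,s')/Lambda and self-loop P(s,s) = 1 - E(s)/Lambda."""
    lam = max(sum(out.values()) for out in ctmc.values()) or 1.0
    p = {}
    for s, out in ctmc.items():
        row = {s2: r / lam for s2, r in out.items()}
        row[s] = row.get(s, 0.0) + 1.0 - sum(out.values()) / lam
        p[s] = row
    return lam, p


def step(dist: Dist, p: Dict[str, Dict[str, float]]) -> Dist:
    """One DTMC step: the vector-matrix product dist * P on sparse rows."""
    nxt: Dist = {}
    for s, mass in dist.items():
        for s2, prob in p[s].items():
            nxt[s2] = nxt.get(s2, 0.0) + mass * prob
    return nxt


def poisson(n: int, mean: float) -> float:
    """psi(n; mean) = e^-mean * mean^n / n!, in log space (no underflow)."""
    if mean == 0.0:
        return 1.0 if n == 0 else 0.0
    return math.exp(n * math.log(mean) - mean - math.lgamma(n + 1))


def truncation_point(mean: float, eps: float) -> int:
    """Smallest N with sum_{n<=N} psi(n; mean) >= 1 - eps. Every DTMC iterate
    is a distribution, so the discarded Poisson tail bounds the error a priori."""
    covered, n = 0.0, 0
    limit = int(mean + 20.0 * math.sqrt(mean + 1.0)) + 20   # safety cap
    while covered < 1.0 - eps and n < limit:
        covered += poisson(n, mean)
        n += 1
    return n - 1


def transient(ctmc: Rates, start: str, t: float, eps: float = 1e-9) -> Dist:
    """pi(start, t) = sum_n psi(n; Lambda*t) * (start-vector * P^n)."""
    lam, p = uniformise(ctmc)
    mean = lam * t
    dist: Dist = {start: 1.0}
    result: Dist = {}
    for n in range(truncation_point(mean, eps) + 1):
        w = poisson(n, mean)
        if w > 0.0:                     # left tail underflows harmlessly
            for s, mass in dist.items():
                result[s] = result.get(s, 0.0) + w * mass
        dist = step(dist, p)
    return result


def make_absorbing(ctmc: Rates, states: Set[str]) -> Rates:
    return {s: ({} if s in states else dict(out)) for s, out in ctmc.items()}


def prob_bounded_until(ctmc: Rates, start: str, sat1: Set[str], sat2: Set[str],
                       t: float, eps: float = 1e-9) -> float:
    """Prob(start, Phi1 U^[0,t] Phi2): make every state outside Phi1 & not Phi2
    absorbing (Theorem 1) and sum the transient mass on Phi2-states (Lemma A)."""
    keep = {s for s in ctmc if s in sat1 and s not in sat2}
    pi = transient(make_absorbing(ctmc, set(ctmc) - keep), start, t, eps)
    return sum(pi.get(s, 0.0) for s in sat2)


def holds(prob: float, op: str, bound: float) -> bool:
    """Evaluate the comparison of a P~p operator."""
    return OPS[op](prob, bound)


if __name__ == "__main__":
    p20 = prob_bounded_until(HUBBLE, "6", set(HUBBLE), {"crash"}, 20.0)
    print(f"Prob(6, true U[0,20] crash) = {p20:.6f}")
    print("P<0.01(<>[0,20] crash) holds in state 6:", holds(p20, "<", 0.01))
```

prob_bounded_until builds M'' directly (every state outside Φ1 ∧ ¬Φ2 becomes absorbing) and sums the transient mass on the Φ2-states; the main block evaluates the requirement P<10^{-2}(◇^[0,20] crash) from state 6 at time 0. Because the stepping rate Λ* is dominated by the fast sleep transitions (about 100), twenty model years need roughly 2,300 Poisson terms, which is where the product of uniformisation rate and time bound enters the cost of the check.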
Model checking CSL (summary)
'Bottom-up' strategy along the property of interest: recursively collects the states satisfying sub-formulas.
Ingredients:
• graph algorithms
• matrix-vector multiplication and solvers for linear equation systems
• model transformations and uniformisation
Worst-case time complexity: O(|formula| × (M·q·t_max + N^2.81)), where N is the number of states, M the number of transitions, q the uniformisation rate and t_max the maximal time bound.
Lumping
Two CTMCs are lumping equivalent if they can mimic their cumulated rates stepwise, and stay bisimilar in doing so: if s and s' are equivalent, then for every equivalence class C the cumulated rate from s into C equals the cumulated rate from s' into C, and vice versa, and so on.
Lumping ensures that cumulated (transient/steady-state) probabilities of equivalent states can be computed on the quotient CTMC.
[Figure: two equivalent states, each with cumulated rate 2 into the same class of equivalent successors]
Lumping and CSL
Two states in a CTMC are lumping equivalent if and only if they satisfy the same CSL formulas (... if the bisimulation respects the state labelling).
Model Checking CTMCs (outline recap): Continuous Stochastic Logic • Fixpoint Characterisations • Model Checking Algorithms • Extensions and Applications
E⊢MC² (ETMCC): the model checker
• implemented in Java (version 1.2 with Swing)
• about 8,000 lines of code, 15 man-months
• implements iterative numerical algorithms to solve linear systems of equations (standard)
• uses backwards uniformisation for U^I
• uses dedicated algorithms for P=1(φ) and P=0(φ)
• uses sparse data structures for matrices
www7.informatik.uni-erlangen.de/etmcc/
E⊢MC²: tool architecture
[Figure: GUI and Tool Driver on top; CSL parser and Property Manager (S~p(Φ), P~p(φ)) with verification parameters; Numerical Engine (linear systems of equations, numerical integration, backwards uniformisation); Analysis Engine (Prob(Φ1 U Φ2), BSCC computation); State Space Manager (states, transitions, rates, filter) fed by the model input; result output as Sat-sets]
Current developments
• Application/case studies:
  • performance assessment of a cyclic polling system
  • dependability analysis of a workstation cluster
  • performance and availability analysis of a distributed database server
• Extensions towards CTMCs with costs (rewards): "with probability at most 0.01 at most 10 jobs have been processed before the first error occurs"
  • an extension of CSL has been defined
  • model checking combined reward- and time-bounded formulas?
• Using symbolic data structures (MTBDDs) in Prism
• Extension of the model checking algorithms to Markov decision processes
Summary
CTMC algebra:
• compositional and abstract specification
• automated generation of CTMCs
• reduction and comparison of performance models
i.e. cross-fertilisation of formal specification and performance modelling techniques.
CTMC model checking:
• specification language for performance properties
• automated verification technique
• property-driven transformation allows model reduction
i.e. cross-fertilisation of formal verification and performance analysis techniques.